DirectAccess and the Branch Office
What about DirectAccess in the Branch Office?
That’s a good question and one I’ve been thinking about a bit lately. Since both Windows 7 Enterprise and Ultimate, as well as Windows Server 2008 R2 can be DirectAccess clients, I can imagine the following scenario:
- Windows 7 clients at the branch office
- A Windows Server 2008 R2 read-only domain controller
- A Windows Server 2008 R2 file server (using DFS)
- BranchCache enabled on the branch office network (either Hosted or Distributed Mode)
- No site to site VPN or Dedicated WAN link connecting the branch to the main office
- Branch office has a business level cable or FiOS Internet connection with 20-50Mbps down and 5Mbps up
With this scenario in place, there is no expensive dedicated WAN link, so you save money there. Also, there’s no site to site VPN link, so you don’t have to deal with the management hassle and Help Desk calls related to unstable site to site VPNs. You should also be able to take advantage of BranchCache, in either Hosted or Distributed Mode.
If you use Hosted Mode, you’ll need to configure Name Resolution Policy Table (NRPT) exemptions so that the BranchCache clients don’t try to reach the Hosted Cache server over the DirectAccess connection. You can then use local DNS or local name resolution to resolve the name of the Hosted Mode BranchCache server.
If you use Distributed Mode, you don’t even need to configure NRPT exemptions, since Distributed Mode BranchCache clients use WS-Discovery, a multicast based protocol, to locate the local Windows 7 host that holds the desired content.
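To show why the Hosted Mode exemption matters, here is an added model of how a DirectAccess client's NRPT picks a rule for a name (most specific namespace wins; a rule with no DirectAccess DNS servers is an exemption, so the name is resolved by local DNS). This is example code written for this post, not Windows code or a Microsoft tool; the corpnet suffix `.corp.example`, the hosted cache name `hc01.branch.corp.example` and the DNS server address are constructed placeholders.

```python
"""Model of NRPT (Name Resolution Policy Table) rule selection on a DirectAccess
client. Constructed example for illustration; not the Windows implementation."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NrptRule:
    namespace: str              # ".corp.example" = suffix rule; "host.corp.example" = exact name
    da_dns_servers: tuple = ()  # empty = exemption: the name is resolved by the local interface DNS


def match_rule(rules: Iterable[NrptRule], fqdn: str) -> Optional[NrptRule]:
    """Return the most specific matching rule, or None when no rule applies."""
    fqdn = fqdn.lower().rstrip(".")
    best = None
    for rule in rules:
        ns = rule.namespace.lower()
        if ns.startswith("."):
            hit = fqdn.endswith(ns)   # suffix rule: any name inside the namespace
        else:
            hit = fqdn == ns          # exact-name rule
        # Longer namespace = more specific; an exact-name rule beats its parent suffix.
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


def resolve_path(rules: Iterable[NrptRule], fqdn: str) -> str:
    """'directaccess' = query goes to the DA DNS servers over the tunnel; 'local' = local DNS."""
    rule = match_rule(rules, fqdn)
    if rule is None or not rule.da_dns_servers:
        return "local"
    return "directaccess"


# Constructed sample policy: the corpnet suffix rule every DA client receives (placeholder
# DNS64/DA DNS address), plus the exemption for the branch office hosted cache server.
CORPNET_RULE = NrptRule(".corp.example", ("2001:db8::53",))
HOSTED_CACHE = "hc01.branch.corp.example"
EXEMPTION = NrptRule(HOSTED_CACHE)   # no DA DNS servers -> resolved by local DNS in the branch


def demo() -> tuple:
    """Same hosted cache name, without and with the exemption rule."""
    without = resolve_path([CORPNET_RULE], HOSTED_CACHE)            # 'directaccess'
    with_exemption = resolve_path([CORPNET_RULE, EXEMPTION], HOSTED_CACHE)  # 'local'
    return without, with_exemption
```

Without the exemption the hosted cache name falls under the corpnet suffix rule and is resolved (and then reached) over the DirectAccess tunnel; with it, only the BranchCache server stays local while names like `dfs01.corp.example` still go over DirectAccess. The exemption only helps if local DNS can actually resolve the hosted cache name, as the post notes.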
There you go. Significantly simplified infrastructure that gives branch office clients transparent access to corpnet resources without having to use VPN at all; no remote access client VPN connections and no site to site VPN connections.