Client add-on to the Celestix Edge with Microsoft DirectAccess solution
Celestix SecureAccess is a client add-on to the Celestix Edge with Microsoft DirectAccess solution that expands automatic connectivity to Windows Professional and Mac OS X computers. Now organizations can take advantage of always-on connections and manage-out functionality for previously unsupported clients.
Always-on connectivity simplifies access to resources for remote end users. With an Internet connection, they can access applications and data to work when and where they are most productive. Manage-out improves security because assets get the latest updates whenever they connect.
With SecureAccess, there’s no need to upgrade asset infrastructure. It leverages current assets to improve productivity for remote workers while maintaining a strong organizational security posture.
- Streamlined setup
- Automatic SecureAccess client updates
- Remote autoconnect to corporate network
- Inside/outside network location-aware functionality
- HTTPS-based VPN
- Force tunneling allows monitoring and strict control of asset connectivity
- Split or force tunneling flexibility
- Push GPO and other updates to remote assets
- Split tunneling conserves bandwidth
How does SecureAccess work?
SecureAccess leverages the RRAS service VPN option configured on a Celestix Edge appliance to provide the secure connection from a remote computer. The client stores domain user credentials so that every time a client computer has access to the Internet it connects to the domain. See the diagram for a general overview:
- Mac OS X (10.10+)
- Windows 7+ (Professional and Home Edition)
Frequently Asked Questions:
Is SecureAccess the same as DirectAccess?
Celestix SecureAccess has similar functionality in that it provides an always-on, bidirectional, automatic connection between remote computers and a protected network. But DirectAccess is a proprietary Microsoft server/client product that supports Windows Enterprise computers, while SecureAccess is a proprietary Celestix client product that supports Windows Professional and Macintosh computers.
Are additional servers required to host SecureAccess?
No, SecureAccess is an add-on component for Celestix Edge appliances. Please contact us if you have a Windows Server 2012 R2 DirectAccess deployment. Additional software is required for use with such a deployment.
Can SecureAccess replace DirectAccess?
No. It provides an experience similar to DirectAccess for unsupported devices. It complements a DirectAccess setup for organizations that want to provide always-on access and manage-out capability to Windows Home/Professional and Mac computers.
Is DirectAccess required for the SecureAccess feature?
While SecureAccess doesn’t use DirectAccess to function, it does use some of its configuration, so DirectAccess must be configured on the Celestix Edge server.
Does SecureAccess require Internet connectivity?
Yes, when a computer is remote it requires an Internet connection to reach internal network resources.
What happens if the computer doesn't have an Internet connection?
The client continues to run in the background and will periodically check for Internet or network connectivity.
Does SecureAccess automatically connect like DirectAccess?
Yes, it has logic to establish a VPN connection whenever the client is outside of the protected network.
What happens when the device is locally connected to the protected network?
The client indicates Internal Network and does not open the VPN connection.
What protocol is used for communication?
Secure Socket Tunneling Protocol (SSTP) is used for communication.
What firewall ports need to be opened for SecureAccess?
The client uses port 443 to connect and port 8098 to download configuration files.
What computer OS versions are supported for client software?
- Windows 7+ (Professional and Home edition)
- Mac OS X (10.10+)
Is an IPv6 address issued to the client?
No, an IPv4 address is provided.
Can we use IPv6 with SecureAccess?
Yes, if DHCP is configured with an IPv6 scope, clients can be assigned an IPv6 address.
Can SecureAccess clients be managed?
Yes, since there is an IPv4 address assigned to client computers, system administrators can perform management functions.
Does SecureAccess use traffic splitting?
SecureAccess supports both split tunneling and force tunneling. A proxy server is recommended for force tunneling.
What is force tunneling?
Force tunneling routes all traffic from a SecureAccess client through the gateway on an organization’s network. The default configuration is split tunneling, which routes internal traffic to the organization’s network and Internet traffic to the ISP gateway where the remote computer is connected.
What are the pros and cons of enabling the force tunneling function?
Force tunneling extends control over Internet activity but increases bandwidth usage.
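To make the split versus force tunneling distinction concrete, the following added example (not Celestix code, and not a description of how the SecureAccess client programs routes) classifies a client route table by where internal and Internet traffic would leave the machine, and lists the prefixes that still bypass the tunnel. The interface names `vpn` and `wan`, the addresses and both route tables are constructed for illustration.

```python
import ipaddress

# Constructed sample route tables: (prefix, interface, metric).
# "vpn" is the tunnel adapter, "wan" the local ISP link (assumed names).
SPLIT_ROUTES = [
    ("0.0.0.0/0", "wan", 50),
    ("10.0.0.0/8", "vpn", 5),        # internal corporate range
    ("192.168.1.0/24", "wan", 50),   # on-link home LAN
]
FORCE_ROUTES = [
    ("0.0.0.0/0", "wan", 50),
    ("0.0.0.0/0", "vpn", 5),         # lower metric wins the default route
    ("203.0.113.10/32", "wan", 50),  # host route to the VPN gateway itself
    ("192.168.1.0/24", "wan", 50),
]

def egress(routes, dest):
    """Return the interface chosen by longest-prefix match, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def tunnel_mode(routes, internal_ip, internet_ip):
    """Classify the table using one internal and one Internet probe address."""
    if egress(routes, internal_ip) != "vpn":
        return "no-tunnel"
    return "force" if egress(routes, internet_ip) == "vpn" else "split"

def bypass_prefixes(routes):
    """Non-default prefixes that leave via an interface other than the tunnel."""
    return [p for p, iface, _ in routes
            if iface != "vpn" and ipaddress.ip_network(p).prefixlen > 0]

if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("force", FORCE_ROUTES)):
        print(name, tunnel_mode(table, "10.1.2.3", "198.51.100.7"),
              bypass_prefixes(table))
```

Even in the force-tunnel table, the host route to the gateway and the on-link LAN prefix stay outside the tunnel, which is worth reviewing when force tunneling is chosen for monitoring and control.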
What's the workflow for employing SecureAccess?
- Configure DirectAccess/VPN on a Celestix Edge appliance.
- In SecureAccess settings, configure force tunneling, or leave the default split tunneling configuration.
- Download the SecureAccess client installer application from the administrative web UI.
- Provide the installer to end users.
- Run the installer on a remote computer connected to the Internet.
  The installer package is preconfigured to connect to the Remote Access server.
- Enter credentials for a domain user.
  Credentials for that user will be stored and used for subsequent connections to the protected network.
Can end users disable the client?
There is no direct way to turn off the client short of uninstalling it. But like DirectAccess, someone with technical skill could find ways to interfere with functionality.
What happens if server or network configuration changes?
Remote Access server configuration changes are uncommon, but in the event they become necessary, the Reconfigure SecureAccess tool updates the SecureAccess client installer and, if possible, will provide updates to existing clients the next time they connect.
What are the license requirements?
SecureAccess server is bundled with Celestix Edge products. SecureAccess clients are licensed per user device.
How are updates handled?
SecureAccess clients update automatically to avoid the need for administrators to reinstall/reconfigure apps.
What VPN authentication methods are supported? For example, machine certificates or two-factor authentication (2FA).
Currently, domain user credentials are required for authentication. Multifactor authentication, including RADIUS/2FA, is under consideration for future releases.
Does the client generate log files for troubleshooting?
Yes, logs are stored locally for diagnostics.
Can SecureAccess clients be deployed using GPOs?
No, they require the installer to be executed on computers individually. The client installer is automatically configured when the DirectAccess/VPN roles are configured in the Remote Access setup wizard. Moreover, in the default setup, clients automatically pull configuration updates once they have been installed.
What's the difference between deleting and blocking a client?
- The delete feature deregisters a client, which frees up a license for another user. This feature does not stop a client from registering again if it has a valid application and unused licenses are available.
- The block feature stops a computer from accessing the network remotely through SecureAccess. Even if the computer has valid client software, the connection will be blocked. It will not impede the computer from accessing resources if it is connected to the network internally. Blocking also frees up a client license.