Posts Tagged ‘DirectAccess’

This is part four in a series of questions related to DirectAccess and VPNs. Last week we addressed whether Microsoft can improve the implementation of DirectAccess under Windows Server 2012. Earlier in our series we examined the hardware requirements with DirectAccess and whether DirectAccess, in combination with Windows 8, supersedes VPNs. 

Question: Do networks that employ the Windows Server 2008 R2 and the Windows Server 2012 also feature the improved configuration and management features of DirectAccess?

Patrick Oliver Graf: No, they do not. The improvements for DirectAccess are only available for Windows Server 2012. It can be expected that users will slowly migrate their systems from Windows Server 2008 R2 to version 2012. This means, companies will have to continue living with the restrictions resulting from DirectAccess in a Windows Server 2008 environment for quite a time.

Question: Can companies use DirectAccess in combination with a VPN? For example can they use DirectAccess for computers running on Windows 7 and Windows 8 while they need an IPsec/SSL VPN for Windows XP, MacOS, iOS, Android or Linux at the same time?

Patrick Oliver Graf: Windows Server 2012 does not change anything in this scenario. DirectAccess can only be used for Windows 7/8 clients. Anybody who wants to use other clients (MacOS, iOS, Android, Linux, Unix) has to setup and operate a parallel VPN infrastructure. Although Windows Server 2012 offers the default setting of an additional installation of VPNs for non-Windows clients upon implementation of DirectAccess, two separate worlds remain if a user also uses clients with other operating systems, other than Windows 7 and 8. This naturally increases the installation, configuration and operating effort. And due to its high complexity, the system is more likely to be prone to vulnerabilities.

If you have any questions that you would like answered, send them to editor@vpnhaus.com. 

Patrick Oliver Graf is General Manager at NCP engineering.

Over the past week, we’ve featured a series of installments that answer your questions about VPNs and DirectAccess. Of particular interest to you were the hardware requirements for DirectAccess, if DirectAccess supercedes VPNs, and what issues Microsoft could improve or optimize. Before releasing Part 4 of the series, we want to know: How often do you actually use DirectAccess? As always, please elaborate in the comments.

This is part three in a series of questions related to DirectAccess and VPNs. Earlier this week we addressed the hardware requirements with DirectAccess and whether DirectAccess, in combination with Windows 8, supersedes VPNs.

Question: Its inflexible and complex implementation was one of the greatest weaknesses of DirectAccess in combination with Windows Server 2008 R2. Microsoft has improved Windows server 2012 in this regard. Are there still issues Microsoft could improve or optimize?

Patrick Oliver Graf: Microsoft has considerably improved the implementation of DirectAccess under Windows Server 2012. For example, users can now implement DirectAccess through a single console where they had to use several before. Network Access Translation (NAT) is now able to direct incoming remote access connections to a central DirectAccess Server. Through the new features, there is no need for several servers any more. The system furthermore supports global server load balancing. This means that now a Windows 8 client is easily able to log on to the closest network entry point.

However, there are still several unsolved issues. In Windows Server 2012 and DirectAccess, multi-site support still causes quite a bit of hassle. Apart from that, multi-site implementations strictly require a Public Key Infrastructure (PKI). This increases the users’ effort and contradicts Microsoft’s statement, maintaining that with Windows 8, setting up secure connections with DirectAccess and Windows Server 2012 has become easier than it is within a VPN infrastructure.

According to users’ experiences, it is essential to configure DHCP and DNS entries (Dynamic Host Configuration Protocol / Domain Name Server) of DirectAccess implementations with particular care. This, too, increases the implementation effort and makes the system prone to errors.

Stay tuned as Patrick addresses more questions related to DirectAccess and VPNs next week. If you have any questions that you would like answered, send them to editor@vpnhaus.com. 

Patrick Oliver Graf is General Manager at NCP engineering.

Today’s post kicks off a series of questions related to DirectAccess and VPNs that we’ll post over the next few weeks.

Question: Microsoft equipped Windows 8 with additional DirectAccess features. Why should companies that have deployed Windows 8, continue using VPNs?

Patrick Oliver Graf: At first glance, the reasons for implementing VPNs in a pure Windows environment with Windows 8 clients seem few and far between. After all, Windows 8 does not require the user to install a separate DirectAccess client – a task that was still required under Windows 7.

Windows 8, however, shows certain weaknesses in combination with DirectAccess. For example, only Windows 8 Enterprise supports the improved DirectAccess management features of Windows Server 2012. In fact, many users, including business, run their systems on Windows 8 Pro, which means they do not benefit from the new features.

A further, potentially problematic, issue is the close interlocking of DirectAccess and the Windows 8 operating system. This means security vulnerabilities or direct attacks on the operating system could also compromise DirectAccess connections.

Stay tuned as Patrick addresses more questions related to DirectAccess and VPNs next week. If you have any questions that you would like answered, send them to editor@vpnhaus.com. 

Patrick Oliver Graf is General Manager at NCP engineering.

Editor’s Note: To read part one of this series, click here.

By Nicholas Greene

Microsoft does have its own mobile solution, which integrates swimmingly with DirectAccess. Trouble is, in the world of enterprise…the Windows 7 Phone is a small fry- holding only around 6% of the market. The top dogs are: Android, Apple and Research In Motion, and Android. Yet DirectAccess doesn’t offer support for any of them.

With this in mind, the lack of support for non-Windows mobile devices seems a rather obvious crack in DA’s armor. This, perhaps more than anything else, is what marks DirectAccess as unfeasible when compared to a standard VPN setup. It’s simply foolish to assume that every single employee will be using the same mobile device, and even more-so to think that said device will run Windows.

While a traditional solution might be a little more complex than DirectAccess, it’s also considerably more flexible in its implementation. Take NCP Engineering’s suite of solutions, for example- users can connect from virtually any device, regardless of operating system. What’s more, their Secure Entry Client supports both IPv4 and IPv6.

It’s also worth considering the idea that, as IPv6 becomes more prevalent, traditional VPNs themselves might evolve to adapt to the new features. The reason many of our remote computing solutions have the potential to cause such headaches for IT lies in IPv4’s own disadvantages and failings. Since it’s currently the dominant protocol suite, it needs to be accommodated- regardless of how painful that accommodation might be for the end user.

There’s a fairly distinct possibility that, by the time IPv6 is common enough for DirectAccess to be a completely viable remote networking solution, other VPN providers may well have produced something similar. If Microsoft hasn’t expanded DA’s compatibility by then, it could well be those providers who put a nail in DirectAccess’s coffin- and not the other way around.