DirectAccess?

snokerpoker Member Posts: 661
I am curious if anyone is actually using DirectAccess. It seems like an interesting technology; I just have yet to see it in a production environment.

Comments

  • docrice Member Posts: 1,706
    It sounded great when Microsoft announced it a while back, but likely they're the only major player to implement it. I have yet to hear of anyone else actually using it. It's a neat idea (sort of like IPsec-based domain isolation policies) but in practice it's really meant for shops which have completely drunk the Microsoft Kool-Aid and nothing else.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Lexluethar Member Posts: 516
    Agreed, neat idea but not the easiest to implement (also requires IPv6), and when I was researching it there was no redundancy built into a few of the pieces required for it.
  • sharansingh Member Posts: 14
    DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet.
  • poolmanjim Member Posts: 285
    My company (large company 20k+ employees) uses it. I wasn't part of the actual implementation but I do know that we have a dedicated on-site Microsoft rep who very likely got us some help from Microsoft to actually do the implementation.
    2019 Goals: Security+
    2020 Goals: 70-744, Azure
    Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
    Future Goals: CISSP, CCENT
  • Verities Member Posts: 1,162
    The company I just left was using it. We used 2FA to access it (soft cert +PIN) and the worst part about it is if you were disconnected there was never a solid option available to reconnect (IIRC DA is managed through GPO). You had to wait until a DA pop up showed itself (random intervals) in the lower right "system tray" asking if you wanted to reconnect or reboot and wait for another random interval for DA to ask you if you wanted to reconnect.

    The main benefit of DA is the reduction of bandwidth, which if you use a VPN from outside of your work place office can make a huge difference in work productivity.
  • bettsy584 Member Posts: 69
    It's horrible mate. I've led a number of projects with it and in the end it either gets shelved or something has to run in tandem with it due to its limitations.

    Although the Server 2012 version is greatly enhanced from 2008 R2, there are still some very stupid limiting factors to it, mainly around the client connectivity pieces. Basically DirectAccess clients have 3 protocol choices with which to connect to DirectAccess; these depend largely on how DA has been architected.

    The options are 6to4, Teredo or IP-HTTPS. Each of which is bad because:

    6to4 - requires the CLIENT device and the DA SERVERS to have direct public IPs; if you are clustering DA these IPs must be consecutive.
    Teredo - again two public IPs are required on the DA servers, and they must also be directly on the Internet; the client can be behind NAT. Who put Windows directly on the Internet?
    IP-HTTPS - TCP protocol, therefore it handshakes (connection-oriented protocol), therefore it's slow and performance is ****.

    DA Clients try to connect using the protocols in this order. One important thing to remember, although DA is now supported behind a NAT firewall, if you have it deployed like this IPHTTPS is the only connection protocol choice.
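The protocol order above can be confirmed on a client from the addresses it actually ends up with: 6to4 addresses always sit in 2002::/16 (the client's public IPv4 is embedded), Teredo addresses in 2001:0::/32, and an IP-HTTPS client gets an address from the organisation's own prefix on the IP-HTTPS interface. The script below is an added example, not code from this thread or from Microsoft; it classifies by those prefixes and assumes the default Windows interface alias for IP-HTTPS contains "iphttps".

```powershell
# Added example (not from the thread). Classify which DirectAccess transition
# tunnel a client is using from its IPv6 addresses. Prefix facts:
#   2002::/16    -> 6to4      (client has a direct public IPv4)
#   2001:0::/32  -> Teredo    (client behind NAT, UDP to a public DA server)
#   other global -> IP-HTTPS if it lives on the IP-HTTPS interface (TCP/TLS)
function Get-DATunnelKind {
    param(
        [Parameter(Mandatory)] [string]$IPv6Address,
        [string]$InterfaceAlias = ''
    )
    $ip = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return 'ipv4'
    }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'Teredo' }
    if ($b[0] -eq 0xfe -and (($b[1] -band 0xc0) -eq 0x80)) { return 'link-local' }
    # Assumption: the default Windows alias for the IP-HTTPS adapter is "iphttpsinterface".
    if ($InterfaceAlias -match 'iphttps') { return 'IP-HTTPS' }
    return 'native'
}

# Live report: walk the client's IPv6 interfaces (NetTCPIP module, Windows 8 / 2012+).
# A client that only shows IP-HTTPS is on the TCP-over-TLS path the post warns about,
# which is the expected outcome when the DA server itself sits behind NAT.
function Get-DATunnelReport {
    Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Address   = $_.IPAddress
            Tunnel    = Get-DATunnelKind -IPv6Address $_.IPAddress -InterfaceAlias $_.InterfaceAlias
        }
    } | Where-Object { $_.Tunnel -notin @('link-local', 'ipv4') }
}

# Constructed sample (not captured from a real client) so the classifier can be
# exercised offline; 2002:c633:6401:: embeds the documentation IPv4 198.51.100.1.
$sample = @(
    @{ Alias = '6TO4 Adapter';                      Addr = '2002:c633:6401::c633:6401' },
    @{ Alias = 'Teredo Tunneling Pseudo-Interface'; Addr = '2001:0:9d38:6ab8:1c2f:3a7b:39cc:9bfe' },
    @{ Alias = 'iphttpsinterface';                  Addr = '2001:db8:1:1000::1a2b' },
    @{ Alias = 'Ethernet';                          Addr = 'fe80::1%12' }
)
foreach ($s in $sample) {
    '{0,-36} {1,-40} {2}' -f $s.Alias, $s.Addr, (Get-DATunnelKind -IPv6Address $s.Addr -InterfaceAlias $s.Alias)
}
```

Run `Get-DATunnelReport` on a domain-joined DA client to see which of the three tunnels it negotiated; the sample loop only demonstrates the prefix classification.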
  • bettsy584 Member Posts: 69
    Also be aware of the double encryption if you are using Windows 7. Interestingly enough, double encryption is also applied to Windows 8/8.1 clients if you have VPN RRAS server installed on the same server as DA. I've seen some places deploy VPN RRAS as a backup.

    In short, wait until the next release; whoever said using Windows as a network appliance was a good idea anyway ;)
  • AndersonSmith Member Posts: 471
    It's too much of a pain to put into production and VPN technologies are so much easier and not that difficult for end users to use. It's a cool thought but until MS gives me a better reason to actually use it I'll stick with VPN for now.
    All the best,
    Anderson

    "Everything that has a beginning has an end"
  • Lexluethar Member Posts: 516
    It's telling when a company of 20k requires a Microsoft representative to properly implement the solution. That is when you know it's too complicated.

    We use Cisco AnyConnect - simple, clean and works. The tell-tale sign of a solution being too complicated is if it requires the vendor to be on site to implement and support it.
  • snokerpoker Member Posts: 661
    Interesting feedback.

    I was really surprised to see how much it is covered in the 70-417 exam. Seems really lame to have to study it for the exam when no one is really implementing it.
  • bettsy584 Member Posts: 69
    That is like so many Microsoft technologies mate!

    It's only now (2016) that technologies such as AD RMS, FS etc. are being looked at as they become cloud-native. Microsoft NAP, IPAM, DAC and even Storage Spaces are not seen much in the wild (from my experience). That being said, in Server 2016 with Storage Spaces Direct I think that might change as it gets into the VSAN market.
  • Lexluethar Member Posts: 516
    +1 for the material the exams cover. Just like the MCSA requires you to set up a Windows server as a router - something you will not see in a production environment.
  • bettsy584 Member Posts: 69
    A Windows RRAS router is only good for a lab to bridge subnets ;)

    It's very handy for that as it's a two second job to configure.
  • Chinook Member Posts: 206
    Interesting feedback.

    I was really surprised to see how much it is covered in the 70-417 exam. Seems really lame to have to study it for the exam when no one is really implementing it.

    Isn't that the case with MS more often than not? They latch on to these new, untried technologies. In Server 2008 you had to learn IPv6, then it was RemoteAccess, and now PowerShell commands for things like Office 365 and Azure (because I'm going to type out 300 characters to create a server rather than point and click).

    Conceptually it's a great idea, but the execution was poor. But that seemed to be the hallmark of Microsoft under Steve Ballmer.
  • Ugly-051 Member Posts: 63
    I am curious if anyone is actually using DirectAccess. It seems like an interesting technology; I just have yet to see it in a production environment.

    I've implemented this before. It's a very technical system, and having a good understanding of IPsec and IPv6 tunnelling protocols is handy when doing the install.
  • 4_lom Member Posts: 485
    With the improvements made to DirectAccess in Server 2012, it is simple to get up and running. I implemented it at the last company I worked for and they are still using it to this day. Also implemented it for one of my clients, they are still using it as well. It makes managing remote users so much easier and also provides a more streamlined experience for the users.
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging