Windows 7 Screencast on DirectAccess – the killer Enterprise feature

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

Dhaval Brahmbhatt — Tue, 19 May 2009 17:06:00 GMT

Hi Keith

Really great stuff. I will go through the guide you mentioned in the demo but that these guides often ignore one important thing.

For the testing purposes as well as in small business environment, I want to try this with one server scenario where there is only one server in the whole network. Can you have a Windows 7 and that server (obviously W2K8 R2), working for Direct Access?

Microsoft guides usually have diagrams of like 5 servers for 5 different functions. Small business sometiems don't even make that much money if they wanted to deploy 5 servers, just to achieve DirectAcess for example. I know DirectAccess doesn't need 5 servers, but just taking an example.

Your blog is now in my favorites by the way, brilliant stuff.

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

Malcolm McCaffery — Fri, 15 May 2009 01:15:52 GMT

Hi Dave,

By the way this direct access type configuration is possible with Windows XP (but painful) and easier with Vista & Server 2008. However it still requires a lot of complex configuration (for the average admin)

Windows 7 + Server 2008 R2 though make it simple to configure.

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

The Dave — Thu, 09 Apr 2009 05:47:07 GMT

Right, so more like IPSec over HTTP then PPTP in terms of functionality, offering an always-on connection.

IPSec can be configured to allow certain subnets to be encrypted (and tunneled if necessary if they're private IPs), giving always-on two way communication between laptops and corporate devices, with non-VPN traffic bypassing the corporate VPN and going direct.

Even lowly PPTP lets you uncheck the "Use default gateway" on the VPN connection, allowing split routing with the VPN subnet going through the VPN, and all other user traffic going locally, the only big difference with PPTP is that the user needs to click one more button on the login screen before logging in to Windows (and/or a shortcut from the startup group can take care of it, if the user forgets) -- PPTP doesn't have an "always-on" mode before the initial user logs in, but that would be trivial for Microsoft to add.

As far as I can tell the only thing new here is tunneling over HTTP which is good and bad, good in the sense that it will get through hotspots that only allow HTTP and a few other selected protocols, but bad because it traverses corporate networks that have blocked all outbound VPN intentionally, and so will require modifications to whatever filtering solution is being used.

(As a network admin, I get very angry when I catch users bypassing intentional blocks that exist to enforce corporate policy. Not nearly as mad as the employee's wife though, when the guy gets to explain why he's not getting a paycheque anymore)

Don't get me wrong, handy feature? Yes. But at best evolutionary, certainly not revoluationary.

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

David Nudelman — Sat, 28 Mar 2009 13:33:45 GMT

VPN reinvented...?

Hope to see an implementation and test demo soon. Post the link if you know any.

Regards

David Nudelman

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

AndyCadley — Fri, 27 Mar 2009 02:06:19 GMT

@The Dave, DirectAccess even works when nobody is logged in, allowing IT Administrators to remotely connect and update/maintain a system regardless of where it is in the world. It goes way beyond what is possible with VPN technology.

Frankly it's probably the most awesome piece of sysadmin tech since the invention of AD. Now all I need is to persuade our network guys that it really is time to get IPv6 in place!

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

Keith Combs — Thu, 26 Mar 2009 10:19:25 GMT

DirectAccess also integrates with other components like NAP. In other words, there is also a whole set of other stuff taking place around checkng the machine against the NPS policies, remediation, etc.

Are you using a quarantine process? Are you already doing a split network design like this?

Keep in mind the traffic is split. All traffic isn't sent across a VPN connection. Only the traffic destined for the corporate network is. The public internet traffic is kept out of the tunnel.

re: Windows 7 Screencast on DirectAccess – the killer Enterprise feature

The Dave — Wed, 25 Mar 2009 12:30:36 GMT

So I'm a bit confused... This is just a VPN-over-HTTP, no?

Don't get me wrong, having it built-in and able to connect seamlessly isn't a bad thing, but the whole "transparent to the user" thing can be accomplished with PPTP too if users smack the "Connect to VPN" button before logging in and/or use any sort of VPN endpoint that shares the user's AD credentials, avoiding the whole "login to the VPN" being a separate step, no?