Can DirectAccess take over the world?

Microsoft believes that DirectAccess is such a critical feature of Windows that we will soon wonder how we lived without this fundamental part of network infrastructure. Having played with it I think Microsoft is very close to being right, but there are some bugs to work out and misconceptions to dispel. Internet Protocol …

COMMENTS



Refreshing

Both the article as well as the development. Although I'm very sceptical about the continuous "we're running out of IPv4, the Internet blows up tomorrow" (and nothing happens the day after) I still think it's a good thing that some companies (and projects) started paying serious attention to IPv6.

I'm somewhat proud to say that very soon all of my customer websites (and my own of course!) will be accessible using both protocols.

Either way, I think it's quite refreshing to read a story which shares both the strong and weak points of a new development. I was especially interested in your (author) display of interest in the possible potential. Because in my opinion a lot of Microsoft developments show high potential; in a lot of cases it's poor marketing (and "after-sales") which turns it into a disaster.


Re: Refreshing

I think companies need to start considering it … throughout the software stack.

Last time I developed a SCADA driver, one of the early things to get baked into it was support for IPv6 … tested and verified using a NAT64 gateway. The extra effort involved was about 5 minutes, if that. Not significant, and not difficult.

That said, sometimes you need to cry out "The sky is falling!" before people will take notice. Trying to connect to an endpoint that's behind NAT is a royal pain in the arse. Great if the end user is capable of opening a port and forwarding it to their device — but not everyone can do that. Suppose the NAT device is owned and operated by your ISP?

The only sure-fire way to get around that is for the client to make an outbound connection to a proxy which both endpoints can access. A common way to do this is to have the device VPN back to a publicly-accessible hub — thus giving you an interface you can reach at the other end.

This is extra infrastructure that must be configured and maintained however. This costs real time and effort to co-ordinate. Skype gets around this by using publicly accessible clients to step into this proxy role, but as ISPs start all jumping on the CGN bandwagon, how long will this remain viable?

Dear grandma who just wants to have a Skype/FaceTime session with the grandkids isn't likely going to understand the need or procedure in setting such infrastructure up — and nor should they. That is why we need IPv6.

DirectAccess looks like a handy tool for network admins, however something more consumer oriented is what we really need to get the ball rolling.


This post has been deleted by a moderator

Anonymous Coward

Re: Windows on servers, how noughties!

Give it a rest. You clearly know nothing about Windows other than you hate it, we get it. Just. Give. It. A. Rest.

Anonymous Coward

Re: Windows on servers, how noughties!

Oh and, Get. Some. Sleep.


Re: Windows on servers, how noughties!

Perhaps because, whether you like it or not, sh*tloads of IT departments still use Windows, whether for internal or external services.

There is also a vast difference between running massively scalable internet services like the ones you listed, and a corporate IT infrastructure handling desktop management, intranets, etc.

Or maybe you conveniently forgot that?


This post has been deleted by a moderator

Anonymous Coward

Re: Windows on servers, how noughties! @Eadon 05:11

Not convinced by your inevitable lock-in argument. The quote you provided states that Linux, Unix and OSX can connect, albeit with third party software. The option is there, so no lock-in. Yes, it'd be nice if MS handed it to you on a platter, but in the real world any sensible business would balk at that.

"The only VPN competitor that is named is OpenVPN, but it is implied that OpenVPN is only for IPv4 systems, which is no longer true. "

Nope. It actually says that if you don't have IPv6, DirectAccess is of "questionable value", and that OpenVPN will do just as well with less hassle. They haven't implied - you're inferring and using that wishful thinking to attempt to discredit the article. And you accuse the writer of being disingenuous? I would be incredulous, but - look who I'm talking to ...

"The article also recommends sticking with the Windows stack for security reasons. Given that MS has the worst track record in security of all the major vendors and of open source combined, then I'd say that this is disingenuous."

Since we're talking about new stuff, it would be best to evaluate it and offer specific arguments based on that rather than talk about track records. FUD, my good man - akin to saying that you need to compile anything you want to run on Linux, no?

"And that was before the news erupted that MS are in bed with the NSA."

Oh brother - another hobby horse you're going to run into the ground. We don't need your hyperbole to be worried about that, Eadon.

"As I say, this article is what I would expect from an advertorial"

People often say that sort of thing about an article that says something positive about anything from any commercial entity. Are you scared that actually calling the writer a shill will get you zapped? I note you seem to have shied away from that word of late. Perhaps since a warning to that effect was posted in one of the threads?

"and it is also misleading, to put it kindly. Why does it need me, a non-sys admin, to point this out?"

I don't see anything misleading, to be quite honest. You're presenting it as such because it doesn't say Microsoft is bad. You're pointing things out that you've pulled out of your own leanings, rather than the article.

Note - all this is simply a critique of your arguments, not of the article content. You have an unfortunate tendency to "point things out" based on what you want people to think an article means rather than what it says, and present that as a fact. As has been said, even when you do make a point, you spoil it by poor presentation. Then people start mocking you and you think that more of the same is going to win them over. It isn't.

Anonymous Coward

Re: Windows on servers, how noughties!

So Eadon, what is the open source alternative to ensure and manage that only fully patched desktop clients are connecting to the corporate structure, and the right bits of it, in an IPv6 environment?

Even if you aren't using Windows that must still be a concern, or are non-MS clients immune to this issue?

Anonymous Coward

Re: Windows on servers, how noughties!

Eadon - this is for a secure requirement - access to corporate services from the Internet. Hardly suitable for Linux, with its vulnerabilities for enterprise distributions running into thousands (I believe SUSE 10 is now on over 3,800!) and Linux's very poor record at security in internet facing environments. Just look at the statistics: http://www.zone-h.org/news/id/4737 - even adjusting for market share, you are several times more likely to be successfully attacked using Linux.

For 'black box' type solutions such as an Internet gateway (in this case for Direct Access), Windows Server is a much more secure option than Linux.


Re: Windows on servers, how noughties!

"Why the reg keeps posting advertorials for windows server operating systems and nokia phones when there are vastly superior - and lower TCO alternatives - is beyond me."

Perhaps you should stop reading the Register and go away and hang out somewhere with tastes more akin to your own?

Or are you like one of those prudes who go out of their way to watch a TV program with some nudity in it so that they can be offended and complain?


Re: Windows on servers, how noughties! @Eadon 05:11

"People often say that sort of thing about an article that says something positive about anything from any commercial entity. Are you scared that actually calling the writer a shill will get you zapped? I note you seem to have shied away from that word of late. Perhaps since a warning to that effect was posted in one of the threads?"

No, he'd look like fucking clownshoes for calling me - of all people in the universe - a shill for Microsoft. I have something of a reputation for publicly calling Microsoft out when it needs to be done. I am one of Microsoft's harshest critics whilst not being completely batshit bananas. A perusal of my posting history on The Register or on Trevorpott.com will bear that out in short order.

It is the reason I get assigned Microsoft articles. I am not afraid to tell Microsoft to eat a steaming pile of crap if they step out of line. When Microsoft does something good I say "hey guys, this is good, we should probably care!" When Microsoft does something bad I excoriate them and then spit on their remains.

I don't think you'll find many Microsoft articles of mine in which I universally praised a product or service. In fact, I think if you take a poke at this very one I pointed out where I had some squiggles about DirectAccess applicability and even mildly rebuked Microsoft for not having ported the Windows 8 client to Windows 7. (Which I find ridiculous for purely pragmatic reasons; it would have driven adoption of the technology which in turn would ultimately have led to dependence and One More Reason for customers not to switch.)

So Eadon - and any other hard-core anti-Microsoft type - can't come out and call me a Microsoft shill directly without appearing clinically insane. I am - and always have been - very open about any dealings I have had with vendors that could possibly influence my judgment or impartiality. The About Trevor page on Trevorpott.com contains a detailed disclosure list including a link to the WeBreakTech About Us page which itself contains a detailed explanation of how the sausage of technology blogging gets made.

Shills do not typically devote a third of a review to talking about an elephant in the room that they have been explicitly told the subject of the review would rather not be talked about.

If I was a shill for Microsoft I wouldn't write an article about how I'll never trust them, or called their "all in bet" on the cloud by discussing the real cost of cloud storage, the general lack of trustworthy design in computing (and how that has dramatic repercussions for a cloudy world), or called for a planetary boycott of US cloud providers.

I'm tired of this "shill" business; especially as pertains to Microsoft. I think I've proven more than enough times that I am 100% pure El Reg material: I bite the hand that feeds IT and I do so gleefully.

The truth is that I don't have any real-world economic or pragmatic reason to be a shill. If I piss off one company and they will never deal with me again then there are literally thousands to take that company's place. I am far more valuable to Microsoft - or anyone else - exactly as I am. Nobody trusts a butt snorkler. When Microsoft has something actually worth writing home about they'll drop it in my lap and there is credibility to me saying "this doesn't suck!"

So once and for all, to Eadon - or anyone else - who thinks I am a shill: [citation needed], internet trolls.

DirectAccess was a topic that I chose to write about. I chose it because the version that came with Server 2008 R2 was a steaming pile of elephant dung and I wanted a reason to carve out time on the eGeek lab to test the new version and see if it had improved. It has.

Just wait until I get to start writing about Server 2012 R2. Some of the stuff they've built into that looks awesome. If even half of those features live up to the hype...


Re: Windows on servers, how noughties! @Eadon 05:11

@Tevor

and breathe :)

Nobody with even an iota of sense believes Eadon to be other than an ignorant self regarding dork. He needed to post to help him off to sleep. No chance of a gf and even less a bf to cuddle


Re: Windows on servers, how noughties! @Eadon 05:11

I AM TEVOR! I CONSUME THE LETTER R! :destruction of Tokyo:

Beer because FRIDAY!


Re: Windows on servers, how noughties! @Eadon 05:11

Never mind the beer - - How did you like core config

DS :p


Re: Windows on servers, how noughties!

I stopped thinking of Windows as a toy operating system when I found out that the Eve-Online cluster uses Microsoft SQL Server for its back-end. It's one of the few (maybe the only) MMORPG that operates as a single universe for all players.

It's big, Jim!

Being critical is one thing but dismissing Windows as not fit for a server OS is silly. Maybe an alternative platform would be better but that platform is still going strong and most of the time doing a damn good job. Or so I hear. I admit I left the game a couple of years ago.


Re: Windows on servers, how noughties! @Eadon 05:11

Seriously haven't even had a chance to touch it yet. Your e-mail is on my "todo" list.

About three weeks ago every single one of my non-Edmonton clients started losing their shit as The Great Pre-VMworld Planning has begun. I get >100 actionable e-mails a day and end up in an average of 4hrs of phone calls. The rest of the day is scrambling to put out fires on client sites, move research and implementation projects for "must be done August 1" datacenter upgrades for clients, cranking out documents for the tech sites I write for, critiquing marketing slides/sites/videos/blogs/etc from my clients or writing said slides/sites/videos/blogs/etc.

I've never in my life been as busy as I am now. Unlike when shit hitteth fan as a generalist sysadmin who had to do everything from tech support to CIO-level planning I am not on the verge of a nervous breakdown. This tech marketing consulting thing is an absolute blast and a half! I love writing, too; so I'm doubly blessed that this is how my crazy time works out.

Sadly, the one thing that gets chopped during crunch time is personal research projects like Core Config. I don't have a commissioned article covering it and my blogs are basically planned until September. Worse; the lab itself is booked solid for at least the next two weeks! Even if I wanted to, I couldn't get time on my own test lab at this point; I have a three-man company and we're going to have to implement chargeback software so we can track lab use for given projects and clients.

All of that isn't to say that I'll not be getting 'round to core config. I absolutely will. It will, however, have to wait for a quieter time. Or until I get around to buying another 4 nodes to flesh out that FatTwin of mine. Who'd have ever thought I'd flatten four of those nodes 24/7 for two solid months?


This post has been deleted by a moderator


Re: Windows on servers, how noughties! @Eadon 09:38

And you show (once again) that you are incapable of reading anything written in plain English without attaching your own preconceived notions about How the Universe Should Work.

Although I must admit you put on an impressive display of foot-in-mouth disease here.


Re: Windows on servers, how noughties! @Eadon 05:11

"And that shows your (probably unconscious) pro-microsoft bias right there. You seem emotionally offended that Microsoft are accused of employing shills."

I'm not going to even pretend to believe that you aren't fully aware that he's offended at being accused of being a shill you ridiculous little man.


Re: Windows on servers, how noughties! @Eadon 05:11

"Since we're talking about new stuff, it would be best to evaluate it and offer specific arguments based on that rather than talk about track records. FUD, my good man - akin to saying that you need compile anything you want to run on Linux, no?"

New stuff which retains a lot of the old cruft...

Windows 8/2012 is still vulnerable to hash passing attacks, and it's still possible to extract plain text passwords from memory.

Also, the idea of verifying any settings on an endpoint device before letting it connect is stupid; it's client-side security and you're relying on the client to reply truthfully. It will always be possible to lie, and the server has no way to tell, thus giving users a false sense of security.


Re: Windows on servers, how noughties!

"So Eadon, what is the open source alternative to ensure and manage that only fully patched desktop clients are connecting to the corporate structure and the right bits of it in a IP6 environment."

There is no way to do this, with Windows or with any other system, in IPv6, IPv4 or any other networking protocol. All this does is rely on the client running a program which verifies such settings and then reports back to the server that the client is fully patched etc. What's to stop you:

1, running the client in a fully patched sandbox/vm - so it reports back that the host is fully compliant when only the vm is and the actual host isn't.

2, modifying the software to lie to the server

3, writing your own implementation of the software which doesn't do any checks whatsoever and reports what you tell it to

There will not be any open source version of this, because open source developers see no benefit in writing fundamentally flawed software.

So instead of pretending like you can prevent arbitrary devices from connecting, open source users would concentrate on doing something useful instead - namely ensuring that any access is minimised and thoroughly logged.

The only way to be sure what's connected to your network is to have physical access to the device and install all the software on it yourself.

Anonymous Coward

Re: Windows on servers, how noughties!

Windows Server has a much lower average TCO in the enterprise than any other commercial server option.

I have not seen figures, but I would suspect the same is true of Windows Phone, zero security vulnerabilities, zero malware - and fully manageable via SCCM that 95% of enterprises will already have...

Anonymous Coward

Re: Windows on servers, how noughties!

I'll give you that it can't be the sole line of defence against a determined and well resourced attack.

But what about that mobile rep who was abroad with his laptop connecting to lax local wifi networks and reading his personal mail with all its spammy content? The corporate network wants to take precautions in case he picked up more than a nice tan and a few orders.


Re: Windows on servers, how noughties!

What? Some idiot Lemming is conflating bugs with malware causing trouble in the wild. Imagine that.

The problem with fixating on Fortune 100 security requirements as they relate to Windows desktops is the fact that they relate to Windows desktops. Those are machines that are a menace on any network. This leads to a painful user experience for the megacorp employee as all of the crap that Fortune 100 companies subject a Windows box to are a cure worse than the disease.

When you see Windows app installers punching holes into the Windows firewall, you really have to wonder.

Anonymous Coward

MS, fix your IPv6 first

If you can, although, as you've not fixed Windows after more than a decade, you probably won't be able to.


Does not compute

I know in the whole lovely rose-petal covered IPv6 world everything is supposed to be exposed, but I cannot see even one sane network admin letting devices not sit behind a single protective device shielding them all in one fell swoop from invasion.


Re: Does not compute

Why do you think I like DirectAccess? It gives me that single point of defence instead of my having to be constantly paranoid that I need to update the firmware on my lightbulb to prevent some clown from using it as an attack vector behind my perimeter.


Re: Does not compute

I'm not entirely sure how DirectAccess could protect a light bulb... unless this light bulb is also running Windows, in which case that's a scary prospect - both the additional requirements and the sheer inefficiency of running 2gb of bloat on a light bulb (because we can bet these technologies won't be available on the embedded form).

But back to the other problem... I have a single Internet connection for my home; this is shared between multiple devices and systems as they don't have their own connection, and I'm definitely not stupid enough to run an open routing gateway. Where does it make sense to put the protection? On each device, or on the gateway? Not that DirectAccess couldn't prove useful for Windows-only environments where you don't mind (or care) about the inevitable lock-in; it could be a very useful additional tool, but for protecting arbitrary devices it just doesn't read like it's the right tool.


Re: Does not compute

I think you might have missed the point of the article. DirectAccess protects the lightbulb in the same way your home router today defends your network: it is the single attack surface of the network.

Nobody has produced a remotely comparable consumer-level IPv6 firewall. Microsoft have the closest thing to something usable by small businesses. DirectAccess is that "gateway" device on your network; and at the moment it's the best there is.

In the internet of things you cannot guarantee that every individual device will be defensible. You need solid gateway tech. DirectAccess is far from perfect, but I see nothing else on the market that is usable for the non-Linux, non-Cisco nerd. DirectAccess running on a home NAS (like perhaps a newer generation version of that WD Sentinel) would be a wonderful edge device for a home network.


Re: Does not compute

I read it that DirectAccess functionality is required on every device on your network. :)


Re: Does not compute

Nyet. It's required on all client devices, but it talky just fine to the Linuxen on the server side.


Re: Does not compute

I still don't get what difference there'll be between now with IPv4 and the future with IPv6. I don't think any company in their right mind will allow direct connection to the Internet, and everything will go through a proxy server and boundary appliance. I also don't think many will trust a Windows box for the protection. As for home networks, I'll still be sat behind one appliance as I don't need to expose ports left, right, and centre. YMMV.


you would be joking, yes?

I work for a corporate with over 80,000 employees and a complete Windows infrastructure. The reality is, Eadon, that this is par for the course. Yes, Google use *nix for their web servers.. Whoop-di-doo. The reality is however that any time you are talking about large user environments, you are likely talking about a large Windows install base and therefore Windows servers to manage their server side operations such as mail / directory support / group policies / etc.

Why large windows environments? Because a user asked me today why he couldn't access Google (which is blocked) when he actually just meant "the internet".

Users are not tech savvy and thanks to corporate training courses in "how to use Office products" that is the most we can assume they will know.

At least Microsoft are busy attacking this issue, even if a bit pre-emptively...


Like exchange right ?

"Most of the confusion surrounding DirectAccess stems from the fact that it is no more a single technology than Microsoft Exchange is. What we think of as Exchange is a large collection of highly interdependent applications. These in turn are dependent upon applications that we usually think of as entirely separate, such as Internet Information Services (IIS) and certificate management."

We think about them separate because they ARE separate, and Direct Access is just another locking in path and nothing more, not a new technology, not a new concept, just a bundling of tied in and tying in proprietary tech with a nice "graphic interface" and no way to understand what happened when it fails ...

But yes it will be, as usual, easier to sell, probably a bit easier to manage at first in a 90% Windows environment, and in the end cost 5 times the cost of well designed separate solutions; but hey, they do lock you in for a reason, right?


So it's kind of like Microsoft Exchange, and it's named after Microsoft Access?

Sounds good.


I like DirectAccess, but it can be a fickle beast... been running it on my home network for a few months now and it's nice to have my VPN always on...

My main complaint is the need for a Software Assurance or Ultimate licence... what's wrong with rolling the functionality out to Pro OSes?


Since when has Microsoft licensing been sane, humane or designed to do anything other than infuriate and antagonize?


Microsoft may as well be upfront and direct: call us all pirates, then apologise when we supply the documentation.

It's one of the reasons I avoid them where I can: they have little respect for the end user.

Anonymous Coward

DirectAccess - does what it says on the tin, but...

...there are some caveats. Don't bother with it on Server 2008. It's too much of a kludge, requiring things like consecutively numbered public IP addresses, and you can't run the VPN server on the DA server.

Server 2012 does a lot to counter these issues and the dashboard makes it nice and simple to see what, if anything, has gone wrong.

The NLS (Network Location Server) is an absolutely key (read: critical) component as it's how clients determine whether or not they're on the LAN or WAN. This should be highly available/resilient.

There can be some real quirks with certificates and I've personally found that even if the site in question has a solid PKI infrastructure it's just easier to go with a publicly signed cert.

This is one of the best features that is surprisingly well hidden to the world in general. The sites I've suggested it to and popped in a proof-of-concept have all gone on to implement it and seen immediate management benefits.


Re: DirectAccess - does what it says on the tin, but...

I'm pretty sure the article made clear the fact that Server 2008 R2's implementation of DirectAccess was less appealing than rotting goat cheese.

Your point about public certs is well taken, however; my experience with it bears out your warning there.

Anonymous Coward

Re: DirectAccess - does what it says on the tin, but...

Yeah that's my bad - I scan-read it and didn't really take that bit in.

I do like it though. It removes the requirement for things like third party VPN appliances, makes end point security as trivial as being on the LAN and best of all of course, just works.

FDs like the idea of something they don't have to pay extra for.

Mind you I was taken aback by the lack of support in Windows 7 Professional when I first tried it...felt like a misnomer that...a 'pro' product that we're traditionally used to associating to mean 'in the workplace' but with such a fundamental lack of support for something so useful.


Re: DirectAccess - does what it says on the tin, but...

Microsoft and licensing. What are you going to do except weep?

Anonymous Coward

Re: DirectAccess - does what it says on the tin, but...

You're not wrong there. One area Eadon could be justifiably foaming at the mouth.

Anonymous Coward

DA on 2008R2 is a steaming pile, but there can also be issues with the NLS on the client not recognising it is on the corporate LAN, leaving the device trying to connect as if it wasn't on the LAN.

Also not everything works. OCS doesn't work, as I believe it doesn't support IPv6.

Anonymous Coward

Not sure about that - I believe IPv6 is a wrapper for the tunneling protocol. From my own experience, when you ping anything, it defaults to v4. Same for DNS etc.

And like I said earlier - the NLS server(s) need to be very highly resilient/available.


Same old same old

So if I read this correctly, connect anything to anything - as long as it uses Microsoft Active Directory and other Microsoft components - so ubiquitous computing (not) Microsoft style.....


Who is the Eadon Fellow and why does anyone care what he says?

It seems that way too many threads like this one are hijacked by this Eadon fellow. Everyone seems to spend more time bashing what he says rather than discussing the article.

The comments section used to be the best part of this site, now it is all "@ Eadon".


Re: Who is the Eadon Fellow and why does anyone care what he says?

Just sit back and enjoy it, sometimes I only come in to the comments section to see what rubbish Eadon is spouting today, he does make me laugh. Sometimes he even pops up in unexpected places, spouting anti-MS rubbish in the comments for articles that have nothing to do with MS at all.

I half suspect that he doesn't hate MS at all, but just enjoys spouting controversy and getting people all worked up who feel the need to correct his blatantly false and exaggerated ramblings.

@Trevor_Pott, bravo on the Eadon rebuttal, very eloquently put.


Re: Who is the Eadon Fellow and why does anyone care what he says?

I think it may be time for a "nuclear" option... All of Eadon's posts should be re-routed to a "meta-discussion" at http://theregister.co.uk/eadon. There, any of us who need a fix for anti-M$ screed can quickly go there and get our fill. Anybody who wants to waste keyboard clicks at trying to point out logical fallacies can humor themselves at their leisure.

There will likely be some ongoing maintenance since Eadon may assume pen-names, but given the correct motivation, perhaps TheRegister users can band together to create Eadon-detecting heuristics. Ordinarily, I would propose writing something like that in PERL, but because it's Eadon, perhaps we figure out a way to make it work in C#/.NET.
