Can DirectAccess take over the world?

Microsoft believes that DirectAccess is such a critical feature of Windows that we will soon wonder how we lived without this fundamental part of network infrastructure. Having played with it I think Microsoft is very close to being right, but there are some bugs to work out and misconceptions to dispel. Internet Protocol …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Refreshing

    Both the article as well as the development. Although I'm very sceptical about the continuous "we're running out of IPv4, the Internet blows up tomorrow" (and nothing happens the day after) I still think it's a good thing that some companies (and projects) started paying serious attention to IPv6.

    I'm somewhat proud to say that very soon all of my customer websites (and my own of course!) will be accessible using both protocols.

    Either way, I think it's quite refreshing to read a story which shares both the strong and weak points of a new development. I was especially interested in your (the author's) display of interest in the possible potential. Because in my opinion a lot of Microsoft developments show high potential; in a lot of cases it's poor marketing (and "after-sales") which turns it into a disaster.

    1. Anonymous Coward
      Boffin

      Re: Refreshing

      I think companies need to start considering it … throughout the software stack.

      Last time I developed a SCADA driver, one of the early things to get baked into it was support for IPv6 … tested and verified using a NAT64 gateway. The extra effort involved was about 5 minutes, if that. Not significant, and not difficult.

      That said, sometimes you need to cry out "The sky is falling!" before people will take notice. Trying to connect to an endpoint that's behind NAT is a royal pain in the arse. Great if the end user is capable of opening a port and forwarding it to their device — but not everyone can do that. Suppose the NAT device is owned and operated by your ISP?

      The only sure fire way to get around that is for the client to make an outbound connection to a proxy which both endpoints can access. A common way to do this, is to have the device VPN back to a publicly-accessible hub — thus giving you an interface you can reach at the other end.

      This is extra infrastructure that must be configured and maintained however. This costs real time and effort to co-ordinate. Skype gets around this by using publicly accessible clients to step into this proxy role, but as ISPs start all jumping on the CGN bandwagon, how long will this remain viable?

      Dear grandma who just wants to have a Skype/FaceTime session with the grandkids isn't likely going to understand the need or procedure in setting such infrastructure up — and nor should they. That is why we need IPv6.

      DirectAccess looks like a handy tool for network admins, however something more consumer oriented is what we really need to get the ball rolling.

  2. Anonymous Coward

    MS, Fix your IPV6 first

    If you can, although, as you've not fixed windows after more than a decade, you probably won't be able to.

  3. Mark 65

    Does not compute

    I know in the whole lovely rose-petal-covered IPv6 world everything is supposed to be exposed, but I cannot see even one sane network admin letting devices not sit behind a single protective device shielding them all in one fell swoop from invasion.

    1. Trevor_Pott Gold badge
      Happy

      Re: Does not compute

      Why do you think I like DirectAccess? It gives me that single point of defence instead of my having to be constantly paranoid that I need to update the firmware on my lightbulb to prevent some clown from using it as an attack vector behind my perimeter.

    2. Nick Ryan Silver badge

      Re: Does not compute

      I'm not entirely sure how DirectAccess could protect a light bulb... unless this light bulb is also running Windows, in which case that's a scary prospect - both the additional requirements and the sheer inefficiency of running 2GB of bloat on a light bulb (because we can bet these technologies won't be available in the embedded form).

      But back to the other problem... I have a single Internet connection for my home; this is shared between multiple devices and systems as they don't have their own connection, and I'm definitely not stupid enough to run an open routing gateway. Where does it make sense to put the protection? On each device, or on the gateway? Not that DirectAccess couldn't prove useful for Windows-only environments where you don't mind (or care) about the inevitable lock-in; it could be a very useful additional tool, but for protecting arbitrary devices it just doesn't read like it's the right tool.

      1. Trevor_Pott Gold badge

        Re: Does not compute

        I think you might have missed the point of the article. DirectAccess protects the lightbulb in the same way your home router today defends your network: it is the single attack surface of the network.

        Nobody has produced a remotely comparable consumer-level IPv6 firewall. Microsoft have the closest thing to something usable by small businesses. DirectAccess is that "gateway" device on your network; and at the moment it's the best there is.

        In the internet of things you cannot guarantee that every individual device will be defensible. You need solid gateway tech. DirectAccess is far from perfect, but I see nothing else on the market that is usable for the non-linux, non-cisco nerd. DirectAccess running on a home NAS (like perhaps a newer generation version of that WD Sentinel) would be a wonderful edge device for a home network.

        1. Nick Ryan Silver badge

          Re: Does not compute

          I read it that DirectAccess functionality is required on every device on your network. :)

          1. Trevor_Pott Gold badge

            Re: Does not compute

            Nyet. It's required on all client devices, but it talky just fine to the Linuxen on the server side.

            1. Mark 65

              Re: Does not compute

              I still don't get what difference there'll be between now with IPv4 and the future with IPv6. I don't think any company in their right mind will allow direct connection to the Internet, and everything will go through a proxy server and boundary appliance. I also don't think many will trust a Windows box for the protection. As for home networks, I'll still be sat behind one appliance as I don't need to expose ports left, right, and centre. YMMV.

  4. hungee
    WTF?

    you would be joking, yes?

    I work for a corporate with over 80,000 employees and a complete Windows infrastructure. The reality is, Eadon, that this is par for the course. Yes, Google use *nix for their web servers... Whoop-di-doo. The reality is, however, that any time you are talking about large user environments, you are likely talking about a large Windows install base and therefore Windows servers to manage their server-side operations such as mail / directory support / group policies / etc.

    Why large windows environments? Because a user asked me today why he couldn't access Google (which is blocked) when he actually just meant "the internet".

    Users are not tech savvy, and thanks to corporate training courses in "how to use Office products" that is the most we can assume they will know.

    At least Microsoft are busy attacking this issue, even if a bit pre-emptively...

  5. Annakan
    IT Angle

    Like exchange right ?

    "Most of the confusion surrounding DirectAccess stems from the fact that it is no more a single technology than Microsoft Exchange is. What we think of as Exchange is a large collection of highly interdependent applications. These in turn are dependent upon applications that we usually think of as entirely separate, such as Internet Information Services (IIS) and certificate management."

    We think about them as separate because they ARE separate, and DirectAccess is just another lock-in path and nothing more: not a new technology, not a new concept, just a bundling of tied-in and tying-in proprietary tech with a nice "graphic interface" and no way to understand what happened when it fails...

    But yes, it will be, as usual, easier to sell, probably a bit easier to manage at first in a 90% Windows environment, and in the end cost 5 times the cost of well-designed separate solutions; but hey, they do lock you in for a reason, right?

  6. Kubla Cant
    Joke

    So it's kind of like Microsoft Exchange, and it's named after Microsoft Access?

    Sounds good.

  7. Matt_payne666

    I like DirectAccess, but it can be a fickle beast... been running it on my home network for a few months now and it's nice to have my VPN always on...

    My main complaint is the need for a Software Assurance or Ultimate licence... what's wrong with rolling the functionality out to Pro OSes?

    1. Trevor_Pott Gold badge

      Since when has Microsoft licensing been sane, humane or designed to do anything other than infuriate and antagonize?

      1. Anonymous Coward

        Microsoft may as well be upfront and direct: call us all pirates, then apologise when we supply the documentation.

        It's one of the reasons I avoid them where I can: they have little respect for the end user.

  8. Anonymous Coward

    DirectAccess - does what it says on the tin, but...

    ...there are some caveats. Don't bother with it on Server 2008. It's too much of a kludge, requiring things like consecutively numbered public IP addresses, and you can't run the VPN server on the DA server.

    Server 2012 does a lot to counter these issues and the dashboard makes it nice and simple to see what, if anything, has gone wrong.

    The NLS (Network Location Server) is an absolutely key (read: critical) component, as it's how clients determine whether they're on the LAN or WAN. This should be highly available/resilient.

    There can be some real quirks with certificates and I've personally found that even if the site in question has a solid PKI infrastructure it's just easier to go with a publicly signed cert.

    This is one of the best features that is surprisingly well hidden from the world in general. The sites where I've suggested it and popped in a proof-of-concept have all gone on to implement it and seen immediate management benefits.

    1. Trevor_Pott Gold badge

      Re: DirectAccess - does what it says on the tin, but...

      I'm pretty sure the article made clear the fact that Server 2008 R2's implementation of DirectAccess was less appealing than rotting goat cheese.

      Your point about public certs is well taken, however; my experience with it bears out your warning there.

      1. Anonymous Coward

        Re: DirectAccess - does what it says on the tin, but...

        Yeah that's my bad - I scan-read it and didn't really take that bit in.

        I do like it though. It removes the requirement for things like third-party VPN appliances, makes endpoint security as trivial as being on the LAN and, best of all of course, just works.

        FDs like the idea of something they don't have to pay extra for.

        Mind you, I was taken aback by the lack of support in Windows 7 Professional when I first tried it... felt like a misnomer that... a 'pro' product that we're traditionally used to associating with 'in the workplace', but with such a fundamental lack of support for something so useful.

        1. Trevor_Pott Gold badge

          Re: DirectAccess - does what it says on the tin, but...

          Microsoft and licensing. What are you going to do except weep?

          1. Anonymous Coward

            Re: DirectAccess - does what it says on the tin, but...

            You're not wrong there. One area Eadon could be justifiably foaming at the mouth.

  9. Anonymous Coward

    DA on 2008 R2 is a steaming pile, but there can also be issues with the NLS on the client not recognising it is on the corporate LAN and leaving the device trying to connect as if it wasn't on the LAN.

    Also, not everything works. OCS doesn't work, as I believe it doesn't support IPv6.

    1. Anonymous Coward

      Not sure about that - I believe IPv6 is a wrapper for the tunneling protocol. From my own experience, when you ping anything, it defaults to v4. Same for DNS etc.

      And like I said earlier - the NLS server(s) need to be very highly resilient/available.

  10. simmondp
    FAIL

    Same old same old

    So if I read this correctly: connect anything to anything - as long as it uses Microsoft Active Directory and other Microsoft components - so ubiquitous computing (not), Microsoft style...

  11. Hud Dunlap
    Headmaster

    Who is the Eadon Fellow and why does anyone care what he says?

    It seems that way too many threads like this one are hijacked by this Eadon fellow. Everyone seems to spend more time bashing what he says rather than discussing the article.

    The comments section used to be the best part of this site, now it is all "@ Eadon".

    1. John P

      Re: Who is the Eadon Fellow and why does anyone care what he says?

      Just sit back and enjoy it, sometimes I only come in to the comments section to see what rubbish Eadon is spouting today, he does make me laugh. Sometimes he even pops up in unexpected places, spouting anti-MS rubbish in the comments for articles that have nothing to do with MS at all.

      I half suspect that he doesn't hate MS at all, but just enjoys spouting controversy and getting people all worked up who feel the need to correct his blatantly false and exaggerated ramblings.

      @Trevor_Pott, bravo on the Eadon rebuttal, very eloquently put.

    2. Jason Terando
      Go

      Re: Who is the Eadon Fellow and why does anyone care what he says?

      I think it may be time for a "nuclear" option... All of Eadon's posts should be re-routed to a "meta-discussion" at http://theregister.co.uk/eadon. There, any of us who need a fix for anti-M$ screed can quickly go there and get our fill. Anybody who wants to waste keyboard clicks at trying to point out logical fallacies can humor themselves at their leisure.

      There will likely be some ongoing maintenance since Eadon may assume pen-names, but given the correct motivation, perhaps TheRegister users can band together to create Eadon-detecting heuristics. Ordinarily, I would propose writing something like that in PERL, but because it's Eadon, perhaps we figure out a way to make it work in C#/.NET.

      1. Kristian Walsh Silver badge

        Re: Who is the Eadon Fellow and why does anyone care what he says?

        Well, it looks like all his posts have been modded away. Thank fuck.

        EADON MINDLESS TROLLING FAIL!

  12. Anonymous Coward

    DirectAccess?

    Sounds like a good reason to avoid Windows Server 2012 at all costs.
