Vol. 20, #45 - November 9, 2015 - Issue #1055


Why DirectAccess

  1. Editor's Corner
    • Why DirectAccess
    • Send us your feedback
    • Recommended for Learning
    • Microsoft Virtual Academy
    • Registration is Open for Cloud Admin CON 2015
    • Quote of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. This Week's Tips
    • Exchange Online - Working with Remote Mailboxes
    • Storage - How fast is your disk?
    • Windows 10 - Preventing Windows 10 upgrade files from being downloaded
  4. Events Calendar
    • North America
    • Europe
  5. Tech Briefing
    • DirectAccess
  6. Recommended TechGenix Articles
    • Recommended articles from websites in TechGenix Network
  7. Other Articles of Interest
    • Dealing with hybrid cloud networking troubles?
    • VMware Horizon View 6: A new way for IT to publish individual apps
    • Systemd Linux: Is this the logical choice for deploying Linux containers?
    • Containerized Apps: Beneficial or troublesome?
  8. WServerNews FAVE Links
    • Microsoft MS-DOS 5 Upgrade (1991)
    • Compaq Portable Computer Compared To A Fish
    • MS-DOS on an i7 4790k
    • Can MS-DOS 6.22 (1994) Replace Windows 7? (long video)
    • MS-DOS Games in 1994
  9. WServerNews - Product of the Week
    • Server Monitoring at Cloud Scale


Editor's Corner

This week's newsletter is all about DirectAccess, a remote access technology in Windows Server 2012 R2 that your business can probably benefit from. To help us understand the capabilities and value of DirectAccess we have a guest editorial by Richard Hicks, a six-time Microsoft Enterprise Security MVP. Richard has also graciously provided us with a comprehensive summary of DirectAccess resources which we've included in the Tech Briefing section of this issue of WServerNews.

One thing I really like about DirectAccess is that it's direct. In our increasingly indirect world, where we avoid eye contact with others and even text friends and family when they are sitting right beside us in a cafe or restaurant, it's refreshing to find a feature of Windows that's direct, right? Wally the Engineer would disagree, however; in the following Dilbert comic he creates a suite of Internet collaboration tools that are clearly not very direct:

http://www.wservernews.com/go/1g65dy7w/

Maybe we're all going to end up as engineers like Wally?

Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at [email protected]

And now on to our guest editorial by Richard Hicks...

Why DirectAccess

DirectAccess is a remote access technology included in the Unified Remote Access role in Windows Server 2012 R2. It provides secure, seamless and transparent, always on remote corporate network connectivity for managed (domain-joined) Windows clients. Originally introduced with Windows Server 2008 R2, DirectAccess is designed to streamline and simplify the end user's remote access experience. DirectAccess communication is also bidirectional, which allows IT administrators to better manage and support their field-based assets.

DirectAccess in Action

When a Windows machine provisioned for DirectAccess is outside of the office, a secure connection to the corporate network is automatically established any time an active Internet connection is detected. This connection takes place in the background, before the user logs on, and does not require any user interaction. When a user logs on to their computer away from the office, they can remotely access on-premises applications and data with the same, familiar user experience they have inside the office. Where traditional VPN is used to connect a user to the network, DirectAccess differs fundamentally by extending the network to the user, wherever they happen to be.

Supporting Technologies

DirectAccess is built on Windows platform technologies including Active Directory, IPsec, and IPv6. Everything required to establish a DirectAccess session is included natively in the Windows operating system; there is no additional client software to install. The DirectAccess wizard configures and deploys Active Directory Group Policy Objects (GPOs) that distribute the settings DirectAccess clients and servers need for secure remote connectivity. Connection Security Rules in Windows Firewall with Advanced Security are configured to authenticate and encrypt all traffic between the DirectAccess client and server, and all communication is authenticated using a combination of digital certificates, NTLM, and Kerberos. IPv6 transition technologies such as 6to4, Teredo, and IP-HTTPS provide IPv6 connectivity between client and server over the IPv4 Internet. IPv6 translation technologies, DNS64 and NAT64, work hand in hand to translate IPv6 client communication to IPv4, so IPv6 does not have to be deployed on the corporate LAN to support DirectAccess.
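Because every one of these building blocks ships with Windows, all of them can be inspected from the client itself. The script below is an added example written for this issue, not code from Richard Hicks or Microsoft: run from an elevated PowerShell prompt on a Windows 8.1 or Windows 10 DirectAccess client, it reports which transition technology is carrying the tunnel, how many IPsec main-mode security associations are up and which identities authenticated them, and how many Name Resolution Policy Table (NRPT) rules the DirectAccess GPO delivered. All cmdlets used are the in-box NetworkTransition, NetSecurity, DnsClient and DirectAccessClientComponents modules; the output object's property names are this script's own.

```powershell
# Added example: summarise the state of the DirectAccess supporting
# technologies on a Windows 8.1/10 client. Run elevated.

function Get-DATransportSummary {
    [CmdletBinding()]
    param()

    # Only one IPv6 transition technology carries the tunnel at a time.
    # IP-HTTPS (TLS on TCP 443) is the fallback that works behind
    # port-restricted firewalls; 6to4 and Teredo need protocol 41 or
    # UDP 3544 respectively.
    $ipHttps = Get-NetIPHttpsState
    $teredo  = Get-NetTeredoState
    $sixTo4  = Get-Net6to4Configuration

    # Main-mode SAs show which identities authenticated each tunnel.
    # A healthy client normally has two: the infrastructure tunnel
    # (computer certificate, then computer NTLM) and the intranet tunnel
    # (computer certificate, then user Kerberos).
    $mainMode = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    # NRPT rules are what send corporate DNS suffixes to the DNS64 server
    # inside the tunnel instead of to the local ISP resolver.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ConnectionStatus = (Get-DAConnectionStatus).Status
        IPHttpsState     = $ipHttps.State
        IPHttpsLastError = $ipHttps.LastErrorCode
        TeredoState      = $teredo.State
        SixToFourState   = $sixTo4.State
        MainModeSACount  = $mainMode.Count
        # "<first auth id> / <second auth id>" per SA, de-duplicated
        AuthIdentities   = ($mainMode | ForEach-Object {
                               "$($_.LocalFirstId) / $($_.LocalSecondId)"
                           } | Sort-Object -Unique) -join '; '
        NrptRuleCount    = $nrpt.Count
        NrptNamespaces   = ($nrpt.Namespace | Sort-Object -Unique) -join ', '
    }
}

# Usage (on a DirectAccess client):
# Get-DATransportSummary | Format-List
```

Two things are worth checking in the output. If MainModeSACount is 1 the infrastructure tunnel is up but the user tunnel is not, which usually points at a Kerberos or certificate problem for the logged-on user rather than at the network. And if IPHttpsState is active while Teredo and 6to4 are not, the client is paying the IP-HTTPS overhead even on a network that might allow the lighter transports, which is expected behind most corporate and hotel firewalls but worth knowing when diagnosing performance.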

Common DirectAccess Use Cases

Although the DirectAccess user experience is far superior to that of traditional client-based VPN, in my experience the most common motivating factor for deploying DirectAccess is to improve management of corporate-owned Windows laptops and tablets. Since the DirectAccess client automatically connects to the corporate network whenever it has a connection to the Internet, it updates Group Policy and reports in to systems management servers on a regular basis. With bidirectional connectivity, administrators can proactively establish outbound connections to DirectAccess clients for the purposes of remote administration. For example, a help desk administrator can initiate a Remote Desktop session for troubleshooting, or a security administrator can conduct a vulnerability scan or run a configuration script remotely to mitigate an issue.

Cost Savings

In many cases DirectAccess is deployed primarily to reduce the high costs associated with many proprietary third-party remote access solutions. DirectAccess is part of the Windows operating system and thus requires no additional client access licenses. This allows organizations to significantly reduce or even eliminate licensing costs for remote users. DirectAccess can be easily deployed on existing virtual platforms, eliminating costly investments in proprietary hardware devices. Further cost savings can be realized by reducing or eliminating existing public-facing infrastructure such as reverse web proxies or SSL VPN platforms. Also, DirectAccess can be managed without proprietary knowledge using existing Windows server management and networking skills. The improved end user experience DirectAccess provides will also reduce help desk calls and lost productivity due to common VPN-related issues such as name resolution problems or password synchronization issues.

DirectAccess Requirements

To deploy DirectAccess you must meet the following minimum requirements:

Enterprise Features

DirectAccess in Windows Server 2012 R2 now includes many important enterprise features that enhance availability, performance, and scalability. DirectAccess supports both integrated Windows Network Load Balancing (NLB) and external load balancers for local high availability. In addition, DirectAccess servers can be deployed in multiple physical locations to provide geographic redundancy, and all of them can be managed centrally through a single management console. The DirectAccess server can now also be deployed in a perimeter/DMZ network protected by an existing edge security device.

Support and Provisioning

Once you've installed and configured DirectAccess, I can tell you from experience that it really doesn't require a lot of ongoing maintenance. Using implementation best practices I've learned from many years of deploying DirectAccess for some of the largest organizations in the world, it really can be a "set-it-and-forget-it" solution. Provisioning and de-provisioning DirectAccess clients is as simple as adding or removing a computer account from an AD security group. That's it!
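Since provisioning is group membership, it can be scripted and audited like any other group change. The function below is an added example for this issue, not code from the editorial's author: it adds or removes computer accounts from the security group that the DirectAccess client GPO is filtered to, refuses to touch anything whose operating system string looks like a server (a sanity check of this script's own, since only managed Windows client editions are supported), honours -WhatIf, and prints the resulting membership. The group name "DirectAccess Clients" is a placeholder; substitute the group your deployment actually uses. Requires the ActiveDirectory module (RSAT).

```powershell
# Added example: provision/de-provision DirectAccess clients by AD group
# membership. "DirectAccess Clients" is a hypothetical group name.

function Set-DAClientProvisioning {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [ValidateSet('Enable', 'Disable')] [string] $Action = 'Enable',
        [string] $GroupName = 'DirectAccess Clients'
    )

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    foreach ($name in $ComputerName) {
        $computer = Get-ADComputer -Identity $name -Properties OperatingSystem -ErrorAction Stop

        # DirectAccess clients are Windows client editions; keep servers out
        # of the client group even if someone passes the wrong name.
        if ($computer.OperatingSystem -match 'Server') {
            Write-Warning "$name runs '$($computer.OperatingSystem)'; skipping."
            continue
        }

        if ($Action -eq 'Enable') {
            if ($PSCmdlet.ShouldProcess($name, "Add to $GroupName")) {
                Add-ADGroupMember -Identity $group -Members $computer
            }
        }
        else {
            if ($PSCmdlet.ShouldProcess($name, "Remove from $GroupName")) {
                Remove-ADGroupMember -Identity $group -Members $computer -Confirm:$false
            }
        }
    }

    # Emit the current computer members so the change can be verified and
    # logged alongside the change ticket.
    Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'computer' |
        Select-Object Name, distinguishedName
}

# Usage:
# Set-DAClientProvisioning -ComputerName LAPTOP01, LAPTOP02
# Set-DAClientProvisioning -ComputerName LAPTOP02 -Action Disable -WhatIf
```

One caveat a practitioner should keep in mind: the group change only reaches the client when it next refreshes Group Policy with a Kerberos ticket that carries the updated group SIDs, which in practice means a reboot or a policy refresh while connected internally or over DirectAccess. Removing a computer from the group is therefore a clean de-provisioning step, not an emergency kill switch. For a lost or stolen device, disable the computer account in Active Directory (and revoke its certificate if you issue machine certificates), which causes the next tunnel authentication to fail regardless of what the client still has cached.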

Windows 10 and DirectAccess

Although Windows 7 Enterprise and Ultimate edition clients are supported as DirectAccess clients, the best experience from both a user and administrator's perspective comes when using a modern client such as Windows 10. As the screenshot below shows, Windows 10 includes an integrated DirectAccess connection status indicator and diagnostic logging facility:


Figure 1: Windows 10 integrated DirectAccess connection status indicator and diagnostic logging facility.

Windows 10 clients also include full support for all of the enterprise features of DirectAccess, including automatic entry point selection and transparent site failover. Windows 10 also includes support for IP-HTTPS null encryption, which avoids encrypting the already IPsec-protected tunnel traffic a second time at the TLS layer and greatly improves performance for DirectAccess clients located behind port-restricted firewalls.

Windows 10 DirectAccess also includes support for PowerShell. For example, the Get-DAClientExperienceConfiguration cmdlet provides detailed information for critical Windows 10 DirectAccess client settings such as IPsec tunnel endpoint addresses, local name resolution preference, multisite entry point selection options, the Global Server Load Balancer (GSLB) Fully Qualified Domain Name (FQDN), and the current configuration for force tunneling operation. Below is an example of some typical output from running this cmdlet:

PS C:\> Get-DAClientExperienceConfiguration

Description                      : DA Client Settings
CorporateResources               : {HTTP:http://directaccess-WebProbeHost.lab.richardhicks.net}
IPsecTunnelEndpoints             : {PING:fd5b:ce19:e73:2222::1, PING:fd5b:ce19:e73:2222::2,
                                   PING:fd5b:ce19:e73:2223::1, PING:fd5b:ce19:e73:2223::2}
CustomCommands                   :
PreferLocalNamesAllowed          : True
UserInterface                    : True
PassiveMode                      : False
SupportEmail                     : [email protected]
FriendlyName                     : Workplace Connection
ManualEntryPointSelectionAllowed : True
GslbFqdn                         : da.richardhicks.net
ForceTunneling                   : Default
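The two list-valued settings in that output are what the Windows 10 status indicator actually tests: each PING: entry is an IPsec tunnel endpoint the client expects to reach inside the tunnel, and each HTTP: entry is a corporate web probe host. The script below is an added example written for this issue, not part of the editorial; it reads those entries back from Get-DAClientExperienceConfiguration and re-runs the probes by hand so that a "connectivity problem" in the status indicator can be broken down into which endpoint failed and why. The pass/fail rule at the end (every tunnel endpoint must answer and at least one web probe must return HTTP 200) is this script's own simplification, not a statement of the exact algorithm Windows uses.

```powershell
# Added example: re-run the DirectAccess client's connectivity probes using
# the endpoints that Get-DAClientExperienceConfiguration returns.

function Test-DAClientProbes {
    [CmdletBinding()]
    param([int] $TimeoutSec = 5)

    $cfg = Get-DAClientExperienceConfiguration

    $probes = foreach ($entry in (@($cfg.IPsecTunnelEndpoints) + @($cfg.CorporateResources))) {
        # Entries look like "PING:fd5b:ce19:e73:2222::1" or
        # "HTTP:http://directaccess-WebProbeHost.lab.richardhicks.net".
        # Split on the first colon only; IPv6 literals contain colons.
        $type, $target = $entry -split ':', 2
        $ok = $false
        $detail = ''
        try {
            switch ($type) {
                'PING' {
                    # ICMPv6 is exempt from the IPsec rules, so a reply proves
                    # the tunnel interface and routing are up even when the
                    # IPsec SAs have not been negotiated yet.
                    $ok = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction Stop
                    $detail = if ($ok) { 'ICMPv6 echo reply' } else { 'no reply' }
                }
                'HTTP' {
                    # The web probe only succeeds through the IPsec tunnels, so
                    # it is the stronger test of end-to-end corporate access.
                    $resp = Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
                    $ok = ($resp.StatusCode -eq 200)
                    $detail = "HTTP $($resp.StatusCode)"
                }
                default { $detail = "unknown probe type '$type'" }
            }
        }
        catch {
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Type = $type; Target = $target; Reachable = $ok; Detail = $detail }
    }

    # Simplified verdict (this script's rule): all tunnel endpoints answer and
    # at least one corporate web probe returns 200.
    $pingOk = -not ($probes | Where-Object { $_.Type -eq 'PING' -and -not $_.Reachable })
    $httpOk = [bool]($probes | Where-Object { $_.Type -eq 'HTTP' -and $_.Reachable })

    [pscustomobject]@{
        TunnelEndpointsOk = $pingOk
        WebProbeOk        = $httpOk
        Probes            = $probes
    }
}

# Usage (on a DirectAccess client):
# $r = Test-DAClientProbes
# $r.Probes | Format-Table -AutoSize
# $r | Select-Object TunnelEndpointsOk, WebProbeOk
```

The pattern that matters when reading the results is the split between the two probe types. Tunnel endpoints reachable but the web probe failing means the client can reach the DirectAccess server but the IPsec tunnels (or DNS64/NRPT name resolution for the probe host) are not working; nothing reachable at all means the transition technology itself never came up, which is where Get-NetIPHttpsState and the firewall in front of the client are the next things to look at.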

Windows Server 2016 and DirectAccess

As of TP3 there are no new features or functionality (yet) with DirectAccess in Windows Server 2016.

Summary

DirectAccess is an amazing remote access technology. Its seamless and transparent nature provides a simple and easy to use remote access experience for remote workers. It leverages existing Windows platform technologies, often requiring minimal investment to implement. For organizations with a large population of remote Windows machines that are managed by central IT, this solution provides unparalleled capabilities when compared to traditional VPN. DirectAccess is always on, enabling machines to remain in contact with domain controllers and systems management servers consistently.

With bi-directional connectivity, administrators on the LAN can manage remote DirectAccess clients just as they would internally. This results in improved security posture and better visibility for their current configuration status. Enterprise features such as local and geographic redundancy ensure that DirectAccess clients can always connect. In addition, once the solution is in place it requires little ongoing maintenance and provisioning DirectAccess clients is a breeze.

IT professionals and systems administrators everywhere should take a serious look at DirectAccess. It will definitely make your lives easier! And with the recent release of Windows 10, there's no better time to do it. If you're planning a migration to Windows 10 now or in the future, consider deploying DirectAccess at the same time to maximize your investment.

For more information about DirectAccess and Windows 10, be sure to visit my web site:

http://www.wservernews.com/go/f5tycak4/

You can also follow me on Twitter (@richardhicks)

http://www.wservernews.com/go/nc3nxtui/

About Richard Hicks

Richard Hicks (MCP, MCSE, MCTS, MCITP:EA, MCSA, MVP) is a network and information security expert specializing in Microsoft technologies. As a six-time Microsoft Enterprise Security MVP, he has traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft networking and security. Richard has nearly 20 years of experience working in large scale corporate computing environments and has designed and deployed perimeter defense and secure remote access solutions for some of the largest companies in the world. Richard is an independent consultant focused on helping organizations large and small implement DirectAccess, VPN, and cloud networking solutions on Microsoft platforms.

Send us your feedback

Got feedback about anything in this issue of WServerNews? Email us at [email protected]

Recommended for Learning

This week we have a bunch of resources on Windows 10 for both administrators and end-users:

Preparing your Enterprise for Windows 10 as a Service

What do you need to begin testing Windows 10 for your organization? Find out, in the fifth episode of the Enterprise Mobility Core Skills series:

http://www.wservernews.com/go/twnqo858/

A New Era of Windows 10 Devices from Microsoft

A blog post by Terry Myerson on new devices for Windows 10:

http://www.wservernews.com/go/jj7ivwqs/

Windows 10 development for absolute beginners

The absolute beginners' series is back for Windows 10.  It doesn't matter if you're a pro dev or just starting out, there's valuable content for everyone:

http://www.wservernews.com/go/b1o2vula/

Microsoft Virtual Academy

Windows Server 2012 DirectAccess Training

Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management. This course will cover different deployment options and implementation details to illustrate the capabilities of DirectAccess with Windows Server 2012 and Windows 8 Clients:

http://www.wservernews.com/go/5har54zn

Registration is Open for Cloud Admin CON 2015

Cloud Admin CON is a cost-effective, convenient opportunity for busy System Administrators and IT Managers to stay up to date on the most recent industry trends and vendor solutions and build their network of IT experts and vendors. Individual focus sessions are scheduled to run consecutively, allowing you to attend all sessions, or selectively choose only those you wish to attend. A sample of what you can expect to learn includes:

Date and Time: Thursday, November 19, 2015 11am EST | 8am PST | 4pm BST

Participation is limited to the first 500 registrants, so sign up here today!

Quote of the Week

"Endless Loop: n., see Loop, Endless."

"Loop, Endless: n., see Endless Loop."

-- Random Shack Data Processing Dictionary

Until next week,
Mitch Tulloch

Note to subscribers: If for some reason you don't receive your weekly issue of this newsletter, please notify us at [email protected] and we'll try to troubleshoot things from our end.

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

Your infrastructure is dynamic. Your monitoring system should be, too. Datadog scales effortlessly with your infrastructure to capture metrics from new servers or containers as they come online.
http://www.wservernews.com/go/fpztwfq1/

Browse, search and export items directly from Veeam backups of your Exchange 2010 and 2013 VMs with Veeam Explorer for Exchange. FREE download!
http://www.wservernews.com/go/xtlypdu8/

Get Free Backup for Hyper-V & VMware. Don’t lose any VMs anymore with Altaro VM Backup. You can schedule backups and automated backup integrity checks for peace of mind. Free for 2 VMs, forever.
http://www.wservernews.com/go/6pmsjbp7/

Exchange reporting on Office 365, hybrid or on premises environments: try our latest V10 release of Promodag Reports with a new report engine, great looking graphs and professional layouts.
http://www.wservernews.com/go/i876tf33/

AOMEI Backupper Standard Edition is freeware and supports Windows 10.
http://www.wservernews.com/go/yh7j1z59/


GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected] 

This Week's Tips

GOT TIPS you'd like to share with other readers? Email us at [email protected]

Exchange Online - Working with Remote Mailboxes

Remote mailboxes let you create a mailbox in Exchange Online directly from your on-premises Exchange hybrid environment, without first creating it on-premises and migrating it. This blog post by Vinayak Latthe titled "Playing with Remote Mailboxes" shows you how you can use Windows PowerShell to create and manage remote mailboxes:

http://www.wservernews.com/go/37p33y5x/

Storage - How fast is your disk?

Ben Armstrong shares a story on his blog on the results he got bench-marking the performance of various storage hardware in his Hyper-V test environment:

http://www.wservernews.com/go/be3cjx9f/

If you're interested in profiling the performance of your own storage hardware, check out the link to Jose Barreto's blog at the end of Ben's post.

Windows 10 - Preventing Windows 10 upgrade files from being downloaded

If you don't want to upgrade your Windows 7/8 system to Windows 10 then you probably don't want to download the gigabytes of files needed for the upgrade. Rod Trent shows you how to block the automatic download of Windows 10 upgrade files in the following article on Windows IT Pro:

http://www.wservernews.com/go/kgy3vefr/


Events Calendar

North America

Convergence on April 4-7, 2016 in New Orleans USA
http://www.wservernews.com/go/u5ft3fzl/

2016 Microsoft Worldwide Partner Conference on July 10-14, 2016 in Toronto Canada
http://www.wservernews.com/go/qoeu32kn/

Ignite on September 26-30, 2016 in Atlanta USA
http://www.wservernews.com/go/i9voeuq4/

Europe

Convergence 2015 EMEA on Nov 30 - Dec 2, 2015 in Barcelona Spain
http://www.wservernews.com/go/m92uld4n/


Add Your Event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]

Tech Briefing

DirectAccess

For this issue instead of our usual techbriefs on various technologies we're instead presenting you with a comprehensive list of DirectAccess resources provided by Richard Hicks who contributed the guest editorial for this issue.

Richard Hicks' DirectAccess Blog
http://www.wservernews.com/go/4vo1m1ip/

Tom Daniels' DirectAccess Blog
http://www.wservernews.com/go/f69b4n8y/

DirectAccess Prerequisites
http://www.wservernews.com/go/ej6gud7v/

DirectAccess Test Lab Guides
http://www.wservernews.com/go/d87smkq7/

DirectAccess Capacity Planning
http://www.wservernews.com/go/ft53v5zg/

DirectAccess and Offline Domain Join
http://www.wservernews.com/go/1wdlda6r/

Recommended Hotfixes and Updates for DirectAccess
http://www.wservernews.com/go/xr2f658o/

DirectAccess Unsupported Configurations
http://www.wservernews.com/go/04eub9vs/

Troubleshooting DirectAccess
http://www.wservernews.com/go/1jyxpoa2/

Remote Access PowerShell Cmdlets in Windows Server 2012 R2
http://www.wservernews.com/go/b1axreuo/

The Future is Now! Next Generation Remote Access Today with Windows Server 2012 R2 DirectAccess
http://www.wservernews.com/go/65tvmadb/

Implementing Windows Server 2012 R2 DirectAccess Video Training Course
http://www.wservernews.com/go/aez25d52/

Recommended TechGenix Articles

Managing Azure VMs with System Center Virtual Machine Manager 2012 R2 (Part 1)
http://www.wservernews.com/go/z5hml3qs/

Secure services and resources with AWS Identity and Access Management (Part 3)
http://www.wservernews.com/go/1hfq564e/

Taking Control of VM Sprawl (Part 9)
http://www.wservernews.com/go/na0k94gl/

Video: Random Passwords for New Users
http://www.wservernews.com/go/xxsvdlv6/

Wi-Fi Site Survey Tips
http://www.wservernews.com/go/cpeb6k8u/

Other Articles of Interest

Dealing with hybrid cloud networking troubles?

Delivering IT services through a hybrid cloud creates a number of challenges, including networking and security domain compatibility. However, with VMware's recently previewed NSX integration with Amazon Web Services, there are huge implications for future vCloud Air users. Learn how you can take advantage and overcome the many hybrid cloud networking hurdles.
http://www.wservernews.com/go/vfces4ge/

VMware Horizon View 6: A new way for IT to publish individual apps

VMware Horizon View 6 allows IT admins to publish individual apps through a Remote Desktop Session Host farm (RDSH farm)—a program that also benefits workers on mobile devices.  Learn more about how you can eliminate the need to create and deliver full desktops.
http://www.wservernews.com/go/i2zhym5k/

Systemd Linux: Is this the logical choice for deploying Linux containers?

Major Linux distributions have switched their default service manager to systemd, which provides a convenient standard for controlling programs and services, as well as managing resource allocations. But is this "do-everything" style application too much? Learn more about whether or not you should take the leap.
http://www.wservernews.com/go/znbv52mt/

Containerized Apps: Beneficial or troublesome?

Containers have created a standard way to write code, thus improving developer productivity. However, it is critical to have the tools necessary to adequately support containerized applications in production.  Learn how VMware is addressing these needs.
http://www.wservernews.com/go/x2l979z0/


WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]


This week we reach back into the Flixxy archives for a couple of fun videos about good old MS-DOS:

Microsoft MS-DOS 5 Upgrade (1991)

Hilarious Microsoft MS-DOS 5 Upgrade sales training video from 1991. "No PC Should Be Without It!" "Freeing up 45k of memory at least!"
http://www.wservernews.com/go/e76d5b68/

Compaq Portable Computer Compared To A Fish

One of many wonderful commercials John Cleese did for Compaq Computer Corporation in the mid '80s. (A very rare find - this was shown only in England.)
http://www.wservernews.com/go/6vxv7xdg/

We also found these videos on YouTube that you might enjoy watching:

MS-DOS on an i7 4790k

It was bound to happen eventually...
http://www.wservernews.com/go/1pdge4s2/

Can MS-DOS 6.22 (1994) Replace Windows 7? (long video)

DOS may have been revolutionary for its time, but can you use it to do the things we do today on Windows 7 (or Windows 8)?
http://www.wservernews.com/go/7ifj5j7c/

MS-DOS Games in 1994

A compilation of games released 20 years ago:
http://www.wservernews.com/go/uzevuw7u/

WServerNews - Product of the Week


WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.