DirectAccess is a Microsoft remote access technology designed for managed (domain-joined) Windows client computers. Much like NetMotion Mobility, it provides seamless and transparent remote network connectivity. However, the two products differ in important ways.
This is the second post in a series by remote access expert Richard Hicks comparing NetMotion Mobility and Microsoft DirectAccess in terms of their security, performance, visibility, supported clients, and solution support.
Both Microsoft DirectAccess and NetMotion Mobility provide a VPN connection between client and server, but do so in different ways. How each solution establishes and maintains its connection has a tremendous impact on device performance.
Unlike DirectAccess, Mobility offers advanced features that are built to perform in wireless environments. This focus on mobile environments uniquely positions NetMotion to deliver its users the same high-speed performance they experience in wired environments.
DirectAccess: Connection Complexity
DirectAccess uses authenticated and encrypted IPsec to establish secure tunnels for remote client communication. IPsec VPNs are not uncommon, and typically they provide reasonable performance. However, the DirectAccess connection is much more complicated than simple IPsec, and often leads to poor performance for remote connections.
DirectAccess relies exclusively on IPv6 for transport, which means an IPv6 transition technology must be leveraged to allow communication over the more common IPv4 Internet. The most commonly deployed IPv6 transition technology is IP-HTTPS, which encapsulates IPv6 traffic in IPv4 using HTTP. SSL/TLS is used for authentication. Depending on DirectAccess configuration settings and the client’s operating system, IP-HTTPS will also use encryption.
Double Encryption for IP-HTTPS:
In many cases IP-HTTPS will encrypt the encapsulated IPsec traffic, which itself is already encrypted. This double encryption is gratuitous, and dramatically increases protocol overhead, which leads to fragmentation, increased network latency, and reduced throughput. In addition, server scalability and performance are reduced significantly as the number of concurrent users increases.
IPv6 is not widely deployed on corporate networks today, so the DirectAccess server must also translate IPv6 traffic from DirectAccess clients to IPv4 for internal hosts. A DNS proxy running on the DirectAccess server is used to translate DNS queries on behalf of the client, and an IPv6 to IPv4 NAT service translates IPv6 packets to IPv4. Here again, the server must perform additional work to facilitate remote communication for DirectAccess clients. This results in increased resource utilization on the DirectAccess server, and degraded performance for all connected DirectAccess clients.
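The encapsulation stack described above (IPsec inside IPv6 inside TLS inside TCP/IPv4), as an added example that is not part of the original post: it totals the per-packet header bytes of the DirectAccess IP-HTTPS path against the "simple IPsec" baseline the text mentions and a generic UDP tunnel, then shows how much of a 1500-byte link MTU is left for payload and how many outer packets a larger segment is split into. Header sizes are protocol constants; the cipher suites, the worst-case CBC padding and the 24-byte generic tunnel header are assumptions.

```python
from dataclasses import dataclass
from math import ceil

# Fixed header sizes from the protocol specifications (bytes).
IPV4_HDR, IPV6_HDR, TCP_HDR, UDP_HDR = 20, 40, 20, 8
TLS_RECORD_HDR = 5
ESP_SPI_SEQ, ESP_TRAILER = 8, 2       # SPI + sequence; pad length + next header
# Assumed cipher parameters (the page does not state them).
TLS_AES_GCM = 8 + 16                  # explicit nonce + authentication tag
ESP_AES_CBC_SHA1 = 16 + 15 + 12       # IV + worst-case CBC padding + HMAC-SHA1-96 ICV
GENERIC_UDP_TUNNEL_HDR = 24           # placeholder header + tag of a generic UDP tunnel

@dataclass(frozen=True)
class Layer:
    name: str
    overhead: int  # bytes this layer adds to every packet

ESP = Layer("ESP (AES-CBC/SHA1)", ESP_SPI_SEQ + ESP_AES_CBC_SHA1 + ESP_TRAILER)

def directaccess_stack() -> list[Layer]:
    """IPsec tunnel mode over IPv6, carried by IP-HTTPS (TLS over TCP over IPv4)."""
    return [Layer("IPv4", IPV4_HDR), Layer("TCP", TCP_HDR),
            Layer("TLS record (AES-GCM)", TLS_RECORD_HDR + TLS_AES_GCM),
            Layer("IPv6 (IP-HTTPS)", IPV6_HDR), ESP,
            Layer("IPv6 (IPsec tunnel mode)", IPV6_HDR)]

def simple_ipsec_stack() -> list[Layer]:
    """The 'simple IPsec' baseline: ESP tunnel mode directly over IPv4."""
    return [Layer("IPv4", IPV4_HDR), ESP, Layer("IPv4 (tunnelled)", IPV4_HDR)]

def udp_tunnel_stack() -> list[Layer]:
    """A generic single-layer UDP tunnel carrying IPv4, for comparison."""
    return [Layer("IPv4", IPV4_HDR), Layer("UDP", UDP_HDR),
            Layer("tunnel header + tag", GENERIC_UDP_TUNNEL_HDR),
            Layer("IPv4 (tunnelled)", IPV4_HDR)]

def total_overhead(stack: list[Layer]) -> int:
    return sum(layer.overhead for layer in stack)

def max_payload(stack: list[Layer], link_mtu: int = 1500) -> int:
    """Largest transport segment one outer packet carries without fragmentation."""
    return link_mtu - total_overhead(stack)

def packets_needed(stack: list[Layer], payload: int, link_mtu: int = 1500) -> int:
    return ceil(payload / max_payload(stack, link_mtu))

def efficiency(stack: list[Layer], payload: int, link_mtu: int = 1500) -> float:
    """Share of wire bytes that are payload once the segment is split to fit."""
    n = packets_needed(stack, payload, link_mtu)
    return payload / (payload + n * total_overhead(stack))
```

With these assumptions the DirectAccess path spends 202 bytes of every 1500-byte frame on headers, more than double the 93 bytes of plain IPsec, so a 4096-byte segment needs four outer packets instead of three.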
Mobility: Connection Enhancements
Mobility uses IPv4 natively, eliminating the need for IP version encapsulation and translation. Mobility also relies on the User Datagram Protocol (UDP) for transport, which is arguably better suited to communication over unreliable networks than the Transmission Control Protocol (TCP) used by DirectAccess.
Mobility’s proprietary transport protocol improves mobile communication and data streaming. Mobility boasts native support for data compression and acceleration, traffic prioritization, error correction, automatic packet loss recovery, and session persistence to ensure optimal and reliable wireless connections even over high latency or high loss links such as cellular and satellite networks.
To further improve performance, Mobility can enact policies to ensure mission critical applications receive the highest priority. Policies can also be implemented to prevent superfluous traffic from travelling over a remote connection with reduced bandwidth. In addition, the Mobility client can be configured to automatically roam between networks (for example between cellular and Wi-Fi) based on available bandwidth to ensure optimal performance.
Providing optimal performance is crucial to maintaining the highest levels of productivity for mobile workers. The mechanics of DirectAccess, with its burdensome connectivity requirements and complex protocols, compromise mobile performance even under the best circumstances. In contrast, Mobility is designed to support remote access, so its features don't depend on reliable connectivity. Mobility provides an efficient, high performance, and streamlined remote access connection with advanced capabilities to further optimize connectivity during times of limited bandwidth. The result is that NetMotion Mobility provides the fastest and most stable remote access experience and ensures the best possible wireless performance for mission critical data and applications.
About Richard Hicks:
Richard M. Hicks is a network and information security expert and a Microsoft Most Valuable Professional (MVP). He is the founder and principal consultant of Richard M. Hicks Consulting, Inc. and has deployed edge security and remote access solutions for some of the largest companies in the world. A widely recognized subject matter expert on DirectAccess, he is the author of Implementing DirectAccess with Windows Server 2016 (Apress Media, ISBN 978-1-4842-2058-0). For more information, visit https://directaccess.richardhicks.com/