DirectAccess is a Microsoft remote access technology designed for managed (domain-joined) Windows client computers. Much like NetMotion Mobility, it provides seamless and transparent remote network connectivity. However, it differs dramatically in many important ways. This is part five in a continuing series of articles that will compare NetMotion Mobility and Microsoft DirectAccess in terms of their security, performance, visibility, supported clients, and solution support.
Comparing Solution Support
Solution support is an important consideration when choosing an enterprise remote access technology. The complexity of the solution and its associated dependencies must be taken into account. The vendor’s support model and product expertise are also important factors to consider.
DirectAccess is an incredibly complex technology with many crucial interdependencies. It relies heavily on Active Directory and group policy, the Network Location Server (NLS), IPv6 networking and its associated transition/translation technologies, certificates and Public Key Infrastructure (PKI), Kerberos and NTLM authentication, Windows Firewall, and more. Large-scale deployments often require dedicated load balancers too. All these moving parts make the solution hard to troubleshoot, and even more difficult to support. A seemingly benign change in one part of the infrastructure could have a negative impact on connectivity for remote workers.
Microsoft’s tiered and siloed support model presents its own unique challenges. Often a case will be referred from one support engineer to another during troubleshooting, and this lack of continuity often results in wasted time and duplicated efforts. In addition, it is not uncommon to open a support case for a DirectAccess issue and start out with the network support team, but then get referred to the Active Directory team to investigate an authentication issue. That might result in a referral to the PKI team to investigate a certificate issue. When these scenarios play out, it can result in protracted support cases with extended time to resolution.
DirectAccess is tightly coupled with Active Directory and the DirectAccess servers, which often makes the solution fragile. Changes to Active Directory, PKI, and even some DirectAccess configuration settings can be highly disruptive to clients in the field. They can be cut off with no way of reconnecting to the DirectAccess servers without coming back to the office or connecting with another VPN. Also, the NLS is notoriously problematic. When it is unavailable or unreachable for any reason, DirectAccess clients on the internal network will be unable to access internal resources until connectivity is restored.
Microsoft has stated publicly they are no longer investing in DirectAccess, and no new features and/or functionality will be added in the future. Although DirectAccess has not yet been formally deprecated, its useful life is not indefinite. As a result, many of the most experienced DirectAccess support engineers have transitioned to other more viable solutions, taking with them valuable knowledge and experience.
NetMotion Mobility is a proprietary solution that is much less complex than DirectAccess. It is a client/server solution that can be installed on Windows Server (physical or virtual, on-premises or cloud-based) and has fewer critical dependencies.
NetMotion uses a dedicated, in-house, single-tiered support model. There is no call routing or triage that takes place. The engineer you connect with initially is the same engineer who will see the issue through to resolution. Support engineers have deep expertise and extensive experience with the product and have on average more than four years of experience.
Mobility has fewer infrastructure dependencies than does DirectAccess. It does not rely on Active Directory and group policy for configuration deployment and management. Instead, once the client is deployed, all settings are managed on the Mobility server and the client agent receives these settings when it connects. It also uses a streamlined connection that does not require multiple layers of encryption, encapsulation, and translation. In addition, NetMotion Mobility does not require an NLS, eliminating this critical and often disruptive dependency, and making the solution inherently easier to support.
NetMotion Mobility is a mature enterprise mobility solution that is broadly deployed across many verticals. It is actively being developed and has a rich, robust roadmap for the future.
It’s been said that “complexity is the enemy of security”. Complexity is also the enemy of a supportable solution. DirectAccess is tightly coupled with many infrastructure components, and the complex nature of their integration often leads to difficulties. NetMotion Mobility is a streamlined solution with fewer critical dependencies, making it a much more supportable solution overall. Also, when issues arise that prevent remote workers from connecting to critical on-premises resources, resolving the problem quickly and effectively is crucial to ensuring the highest levels of productivity for field-based workers. Further, adoption of NetMotion Mobility is growing daily, and you can rest assured it will be around for many, many years to come.