DirectAccess is Microsoft’s original VPN solution within its comprehensive portfolio of enterprise cybersecurity products, but is it the right choice for your organization?
DirectAccess is a popular remote access solution used by many organizations, often selected for its attractive price point and inclusion in bundled Microsoft products. But sometimes ‘low-cost’ doesn’t make it the best choice. It’s important to ask if it fits the needs of your organization’s remote working environment.
The new reality
Just as the conversation appeared to be trending away from VPNs, the events of 2020 resulted in an unprecedented shift towards remote working, causing many IT teams to scramble and attempt to scale up their existing legacy VPNs, such as Cisco AnyConnect, Palo Alto’s GlobalProtect, and of course, Microsoft’s DirectAccess.
While these traditional solutions work great for granting a few employees access to on-site resources remotely, they have seldom been battle-tested to handle a full organizational shift towards remote working. Many require additional hardware for a simple server set-up, which can create big headaches considering the ‘stay at home orders’ currently in place in many locations.
This post takes a closer look at DirectAccess specifically and highlights factors that you should consider before making continued remote access investments.
Device and OS Support
DirectAccess was designed to be seamlessly integrated into existing Microsoft-centric organizations. Windows clients running on Windows 7 Enterprise/Ultimate or Windows 8.x/10 Enterprise or Education can easily be supported. However, widely used and familiar operating systems such as Windows 7/10 Professional are not supported, nor are operating systems outside the Windows ecosystem.
If your enterprise runs exclusively on these systems, then DirectAccess might be an effective, cost-efficient remote access solution for your team. If instead you rely on a wider range of Windows operating systems – or especially if your fleet includes Android, iOS or macOS devices – then DirectAccess is unlikely to be the wisest choice.
When to choose DirectAccess
- DirectAccess is a practical solution for organizations that already rely strictly on Enterprise or Windows Ultimate clients and have minimal or no usage of mobile devices and other operating systems.
When to choose something better
- Agile organizations with a wide range of operating systems and devices including iOS, Mac, Android, and Windows Pro Tablets should not rely solely on DirectAccess. Consider a solution that supports all major platforms and is easy to deploy.
Performance
Unfortunately, thanks to cumbersome implementations of legacy options, VPNs often come with a negative reputation. Many end users view a VPN as a hindrance or an obstacle to their productivity. DirectAccess’ structural design is the undoing of end-user productivity in many cases. The solution functions through a complex and heavy communication channel, requiring multiple layers of unnecessary encapsulation, encryption and translation, resulting in packet fragmentation. High packet fragmentation means patchy data, i.e. blocky video calls, unusually long PDF loading times and interrupted virtual team happy hour games.
Of course, DirectAccess will keep remote workers secure on perfect network connections without too much performance sacrifice. The sudden requirement for mass remote working means that scaling on the foundations of unreliable home networks presents a real challenge. Expect decreases in performance as latency increases and packet loss is encountered, which is common in networks outside of those which are corporate-managed.
If your enterprise runs primarily on high performance, company-owned networks, then DirectAccess shouldn’t pose too many problems.
When to choose DirectAccess
- DirectAccess works well for enterprises with stable and high performance networks. It is ideal for organizations that have minimal reliance on multiple networks or a small number of field workers or remote employees.
When to choose something better
- DirectAccess is an impractical solution for environments with unreliable connections. Remote and on-the-go workforces that rely on a variety of uncontrolled networks should look into a solution that offers network persistence to ensure no loss in productivity.
Visibility and policy
DirectAccess covers the standard needs in terms of visibility and control. Basic information such as the client’s hostname, connection durations, the IPv6 tunnel address and the amount of data transferred is completely visible to network administrators. Unfortunately, the list of visibility features stops there.
On top of that, the limited policy options in DirectAccess must be applied en masse rather than granularly per user or by group. This means that administrators are unable to restrict or allow access based on the user of the device, time of day, network conditions, and other factors that differ across the functions in a workforce.
When to choose DirectAccess
- DirectAccess meets the standard requirements for visibility and policy that are efficiently enforced and deployed on the server. It is able to provide data and standardized restrictions in a broad way, making it well suited to small organizations or those with homogenous workforces.
When to choose something better
- DirectAccess visibility and policies are not dynamic or contextual. This could lead workforces with diverse functions to circumvent security and data gathering to be more productive in networks outside a corporate perimeter. In these circumstances, IT leaders should consider a solution that allows granular control based on individual client behaviors and usage reports.
Support and troubleshooting
DirectAccess is often paired with Active Directory servers to function at its full capacity, which can mean troubleshooting and configuration require tinkering between services to fix one simple problem. As more complicated issues arise, cases are often bounced from Microsoft’s network support team to the Active Directory team, and then back to the PKI team, due to the lack of continuity in their support model.
Despite its frantic nature, this support model managed to stay afloat during DirectAccess’ glory days. However, since Microsoft officially labeled the solution “End of life”, it’s difficult to request proper troubleshooting documentation and basic customer support.
When to choose DirectAccess
- Support for DirectAccess customers will continue to downsize as it approaches end of life. Organizations with the resources and patience to rely on limited support should be fine for now, as long as major shifts in remote working don’t cause any issues, of course.
When to use something else
- DirectAccess lacks a centralized tool for in-house diagnostics and troubleshooting. Organizations should never settle for sub-par client support and should expect responsive customer service when problems arise. Innovative solutions should be backed by 24/7/365 customer support.
Summary
It is easy to turn to widely known solutions when massive shifts and disruptions occur in our workplace. But being recognizable doesn’t always translate to being reliable. DirectAccess will continue to function for organizations that are heavily reliant on and built around a Windows ecosystem.
But as our workplaces evolve and as remote working becomes more and more normalized, organizations must look for solutions that will empower workforce productivity without circumventing security: solutions backed by dynamic policies and a responsive support team.

NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly important. Today it supports over 3000 organizations and one million workers that cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines, and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.