DirectAccess, overall impressions of people using it?

  • I'm just wanting to share my overall experience and get some others' takes on the general DA experience.

    I've been working to deploy DA at a university and my experience has been pretty mixed so far.  When it works, it's great:

    • Experience is seamless to the user
    • Some delay issues we had on offsite machines related to network-redirected MyDocs are resolved
    • Startup policy/scripts are applied

    But I do also have a few problems (irrespective of whether I'm connecting with Teredo or IP-HTTPS).

    • Logins are often slow (and even much slower when someone has a network-located home folder set on their account; this adds 30 sec to 5 min of "Waiting for User Profile Service").
    • Outlook seems flaky.  Sometimes it takes a while to get in a connected state.  Even after connection, some things, like accessing "out-of-office" status, don't work (gives a server unavailable message).
    • Things in general seem slower than when connected over a PPTP/L2TP VPN.  Maybe this is my imagination.
    • It needs everything on my IPv4 internal network that I'm accessing to return pings.  Doable but annoying.

    Overall, the slow logons and flaky Outlook behavior are what's going to make this a hard sell as far as deploying on a large scale.  I can't help but wonder why MS didn't just use a more conventional thing like an IPv4 L2TP or SSTP connection underneath DirectAccess based on the general flakiness I'm seeing... but maybe my experience is not typical.  How has it been for everyone else?

    Wednesday, June 1, 2011 4:45 PM

All replies

  • I have not experienced any pronounced delay in login times as a result of using DirectAccess.  You might look into some GPOs that might cause a delay (like Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon).

    As for Outlook, I would recommend you exclude Exchange from your DirectAccess tunnels and instead configure clients to use "Outlook Anywhere" (RPC over HTTPS).  It's optimized for remote access and does not require any additional overhead of the IPSec or Transition tunnels which could improve the experience.

    http://exchangeserverpro.com/how-to-configure-exchange-server-2010-outlook-anywhere

    If you want to get fancy you can also publish Outlook Anywhere via UAG.  This will allow you to keep the traffic out of the DA tunnel but still secure the Exchange server behind a proxy.

    http://technet.microsoft.com/en-us/library/ee921429.aspx

    I have done some speed tests between VPN and DirectAccess and have found them to be very comparable.  The IP-HTTPS connection tends to be slower, but 6TO4 and Teredo are on par with your typical SSL VPN option.

    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Wednesday, June 1, 2011 5:10 PM
  • I will definitely begin excluding the Exchange stuff.  I've already got the "Always wait for network" setting configured not to wait.  Just out of curiosity, what is the speed/type of connection over which you're typically using DA?

    Update:  I've added just our CAS server as a DNS exclusion list and that did the trick as far as the OOO thing.  I noticed an HTTPS connection is made there for some reason when you open the OOO tab, so now that and other RPC/HTTPS traffic goes over the internet.  Thanks.
    Wednesday, June 1, 2011 5:16 PM
  • Glad to hear you're making progress!

    A large portion of my clients are actually using cellular dial-up cards like EVDO devices from Verizon or Sprint.  Others are actually tethering their iPhone, BlackBerries or other smart phone to get a 3G connection.  Those users are getting connected over the 6TO4 tunnel which has the least overhead, thankfully, because it's on a link which tends to have a thin bandwidth availability.  Those same users then also jump on WiFi hotspots at coffee shops and hotels, and those are usually behind a more restricted gateway which lands them on IP-HTTPS, but there is more bandwidth available so the effect is negligible.  Also, the same users get connected over Teredo when they are on their home network, so they don't really fit nicely into one "typical" connection model.

    Speaking of dial-up connections and DirectAccess, if you are using any cellular devices, this might be of interest to you.

    http://blog.concurrency.com/infrastructure/unified-access-gateway/register-dns-for-directaccess-on-dial-up-connections/

    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Wednesday, June 1, 2011 7:18 PM
  • Thanks, I'm actually doing a non-managed-out config with just NAT64/DNS64 though.

    I'm doing a lot of my testing on a WiFi tether from a smartphone with a 3G connection.  I'm also working during the day with that connection at the office so I can have the full experience; "eating my own dog food" as much as possible.

    I've traced my biggest issue on the slow logons to group policy processing and/or file redirection.  I wonder, do most people enable slow link detection for that?  I'm thinking about enabling that and setting the threshold to like 5 mbit.  I'll let you know how that goes...

    • Edited by RossJG Thursday, June 2, 2011 1:45 AM clarification
    Wednesday, June 1, 2011 8:08 PM
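Two client-side settings come up repeatedly in this thread: the NRPT exemption that keeps the Exchange CAS (Outlook Anywhere) and OCS traffic out of the DirectAccess tunnel, and the Group Policy slow-link threshold that decides whether folder redirection and other policy processing run over a thin 3G link. The script below is an added audit example written for this page; it is not code from any of the posters, from UAG or from Microsoft. It assumes a DirectAccess client running Windows 8 / Server 2012 or later (where the DnsClient module provides Get-DnsClientNrptPolicy; the Windows 7 clients discussed here expose the same table through "netsh namespace show effectivepolicy"), and the hostnames cas.corp.example and ocs.corp.example are constructed placeholders.

```powershell
# Added audit example for a DirectAccess client (hypothetical, not from the thread).
# Assumes Windows 8 / Server 2012 or later so that Get-DnsClientNrptPolicy is available.

# Constructed sample: hosts the thread recommends resolving outside the DA tunnel
# (Exchange CAS used for Outlook Anywhere, and the OCS/Lync front end). Placeholder names.
$ExpectedExemptions = @('cas.corp.example', 'ocs.corp.example')

function Get-NrptExemptionReport {
    <#
    .SYNOPSIS
      For each host, finds the NRPT rule that will govern its resolution and reports
      whether that rule is a DirectAccess exemption (no DA DNS servers listed).
    #>
    param([Parameter(Mandatory)][string[]]$Hosts)

    # Effective NRPT as merged from Group Policy and local configuration.
    $policy = Get-DnsClientNrptPolicy -ErrorAction Stop

    foreach ($h in $Hosts) {
        # Host rules carry the bare FQDN; suffix rules start with a dot (".corp.example").
        # An exact host rule takes precedence over any suffix rule that also matches.
        $rule = $policy | Where-Object { $_.Namespace -eq $h } | Select-Object -First 1
        if ($null -eq $rule) {
            $rule = $policy |
                Where-Object { $_.Namespace.StartsWith('.') -and $h.EndsWith($_.Namespace) } |
                Sort-Object { $_.Namespace.Length } -Descending |
                Select-Object -First 1
        }

        # An exemption names the host but lists no DirectAccess DNS servers, so the query
        # falls through to the interface's ordinary Internet resolver and the resulting
        # traffic (e.g. RPC over HTTPS to the CAS) never enters the IPsec tunnel.
        $exempt = ($null -ne $rule) -and (-not $rule.DirectAccessDnsServers) -and (-not $rule.Namespace.StartsWith('.'))

        if ($exempt) {
            $status = 'OK: host rule with no DA DNS servers; resolved outside the tunnel'
        } elseif ($null -ne $rule) {
            $status = "WARNING: captured by NRPT rule '$($rule.Namespace)'; traffic goes through DA"
        } else {
            $status = 'INFO: no matching NRPT rule; resolved by the normal interface resolver'
        }

        [pscustomobject]@{
            Host         = $h
            MatchingRule = if ($rule) { $rule.Namespace } else { $null }
            IsExempted   = $exempt
            Status       = $status
        }
    }
}

function Get-GpSlowLinkThresholdKbps {
    <#
    .SYNOPSIS
      Returns the Group Policy slow-link threshold in kbps. "Configure Group Policy slow
      link detection" (Computer Configuration\Administrative Templates\System\Group Policy)
      writes GroupPolicyMinTransferRate; when it is not configured Windows uses 500 kbps.
      Folder Redirection is one of the extensions that, by default, is not processed over
      a link classified as slow, which is why the threshold matters for tethered DA logons.
    #>
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $path -Name 'GroupPolicyMinTransferRate' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 500 }
    return [int]$item.GroupPolicyMinTransferRate
}

# Usage: run on a DA client (no elevation needed for either check).
Get-NrptExemptionReport -Hosts $ExpectedExemptions | Format-Table -AutoSize
'Group Policy slow-link threshold: {0} kbps (default 500 when unset)' -f (Get-GpSlowLinkThresholdKbps)
```

The suffix-rule fallback is what makes the check useful: a host with no rule of its own is still pulled into the tunnel when a suffix rule such as ".corp.example" matches it, which is exactly the situation the per-host exemption for the CAS is meant to override. Setting the threshold to "5 mbit", as discussed above, corresponds to GroupPolicyMinTransferRate = 5000.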
  • Some great feedback from Shannon, and I concur with his comments...

    Couple of questions though:

    Are all your DA clients running Windows 7 SP1?

    Are you accessing Windows Server 2003 file servers and domain controllers with NAT64?

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 1, 2011 11:50 PM
  • Hi Jason:

    No, not all have SP1 for Win7.  Is that a critical thing for DA?  Maybe an occasional 2003 file server.  Most CIFS access will be to a NetApp appliance.  DCs are 2008.

    I wanted to add one other question to the discussion, too: has anyone on here ever implemented DA for a user count in the 1000s?  If so, how reasonable is the support experience for you?

    Thanks,

    Ross

    Thursday, June 2, 2011 1:28 AM
  • What are typical speeds that everyone is seeing for DA? I'm only getting around 250 KB/sec through DA compared to my firewall VPN client which gives me around 900 KB/sec.
    Wednesday, June 8, 2011 12:15 AM
  • I just did an unscientific test tethered off a 3g connection and got ~54k/sec on DA with a CIFS download from my workplace and ~70k/sec on a large HTTP file download from microsoft outside of DA.

    So if the download from MS represented my max download rate given the 3g coverage in the spot where I am sitting, and my download from my employer is roughly showing the overhead associated with using DA, that implies there's an overhead cost of about 20%.

    I'm using Teredo as my tunneling mechanism, what are you using?

    FYI, Shannon, since I've taken the Exchange CAS (RPC/HTTPS) out of DA and made it a DNS exception, and done the same with our OCS server, the DA experience just seems much, much better overall.  I really like it at this point.

    Friday, June 10, 2011 8:03 PM
  • I am very enthusiastic about DirectAccess. DirectAccess works very seamlessly and gives a much better user experience. Although there are some things to keep in mind. Not everything works (flawlessly) through DirectAccess. For example, you really need to bypass things like...

    - WPAD (Web Proxy Automatic Detection)
    - Lync 2010
    - Etc...

    User Roaming Profiles are a no-go with DirectAccess. Actually this has always been an issue with remote access solutions. It was only not noticeable since most people are used to logging on with cached credentials and afterwards establishing a VPN connection, which in turn has some disadvantages. A better solution for this is to look at UE-V (User Experience Virtualization), which is still in Beta.

    About performance. I must admit that in some situations there is a performance downside, but always that much. It really depends on the infrastructure and hardware resources.

    Another thing to look deep into is "manage-out" capabilities. Most people make assumptions that ain't possible. Of course you are able to manage-out, but you have to think closely about the solution you are going to implement if your corporate intranet only hosts IPv4.

    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, July 3, 2012 12:47 PM
  • Hi Jason:

    No, not all have SP1 for Win7.  Is that a critical thing for DA?  Maybe an occasional 2003 file server.  Most CIFS access will be to a NetApp appliance.  DCs are 2008.

    I wanted to add one other question to the discussion, too: has anyone on here ever implemented DA for a user count in the 1000s?  If so, how reasonable is the support experience for you?

    Thanks,

    Ross

    Ok, there was an issue with Windows 2003 file servers (CIFS) when using NAT64 which was fixed in Windows 7 SP1. This caused havoc when multiple DA clients tried to access the same file server at the same time.

    I have a customer with 6000 users which sometimes hits 1000 concurrent users at peak - what do you mean by support experience exactly?

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, July 3, 2012 11:00 PM