Yes, I can. First, it depends on your setup scenario, what your routers, firewalls, DNS... can do, if they are IPv6 compliant, and so on. In my case, we cannot rely on these as they are not all configured correctly to support IPv6 from end to end (from the external client to the internal resources). That's why DirectAccess has a magic 6-to-4 component responsible for the transition (NAT6to4 and DNS6to4). It's acting somehow like a "uni-directional proxy resolver" for your clients but not for your internal resources. In this scenario anything pulled on the clients works but anything pushed internally towards connected clients is discarded. So, yes, in this scenario, there are applications that don't work. I gave you the example of the helpdesk tool initiated by an admin but there are others. We've got a VoIP client application that doesn't work when people are outside of the network but works when their laptop is back on the internal network.

On Tue, Mar 15, 2016 at 5:09 PM, Kish n Kepi <[email protected]> wrote:

> Excellent feedback.
>
> Can you please elaborate on para 8. What do you mean by ‘discarded’? Internally, most of our boxes have IPv6 enabled, but all communications use IPv4. Are you saying that the encapsulation of v6 in a v4 packet will not work with all apps and protocols?
>
> KnK
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Emin
> *Sent:* Tuesday, March 15, 2016 03:53 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] DirectAccess
>
> 1. It's a project. There was a project manager, meetings, purchase orders, a schedule, ... Technically I did it myself with the help of a consultant.
>
> 2. Technically not difficult or time-consuming if you've followed a MS course https://www.microsoft.com/en-us/learning/course.aspx?cid=22411
>
> The difficulty in this kind of project is change management as well as getting the network and security guys to do/accept what's required to implement this solution.
>
> 3. Deployment started with a pilot, ... now we've slowed it down (because we gave users a brand new sexy and expensive laptop). We've 250 computers in production.
>
> 4. Yes, it does.
>
> 5. It depends on the target operating systems. Windows 7 is encrypting network packets twice, so it could be slower than a VPN.
>
> Anyway, we've focused on a specific user scenario and coupled the DA deployment with Offline Caching and Exchange cache mode.
> The feedback from users is excellent because they don't care if the tunnel is up or down, they just continue working.
>
> 6. Are your client machines running Win7 or Win8.x? Windows 7
>
> 7. AFAIK, CA requirement doesn't exist if you've only Windows 8 or more recent clients.
>
> 8. any unintended consequences of having always connected laptops? Yes, if you don't have full IPv6 internally, anything pushed or initiated from the intranet towards connected clients is discarded.
>
> Example: the helpdesk tool to remotely help the end user.
>
> On Tue, Mar 15, 2016 at 12:30 PM, Kish n Kepi <[email protected]> wrote:
>
> I would like to hear from people who have implemented DirectAccess on Windows Server 2012 R2.
>
> 1. Did you do it yourself or hire a consultant
>
> 2. Was it difficult, or time-consuming to deploy the solution
>
> 3. To how many computers did you deploy
>
> 4. Does it work seamlessly as advertised
>
> 5. Is throughput same, faster or slower than conventional VPN?
>
> Any other questions I’m not knowledgeable enough to ask?
>
> Kish
