All of what Michael said (and the non-techies really do *LOVE* not
having to launch a VPN client), plus:

- GPOs get applied no matter what, as long as they have an Internet
connection. This can fumble a bit if they have to log into a wireless
network, but if they stay logged into that connection long enough,
they *will* get their GPOs.

- Same goes for any other pull stuff (like the machine polling WSUS,
or the AV server, or etc.).

- Biggest thing for IT, IMHO, which is the major design goal for us
while moving to 2012R2, is that we'll be setting up "manage out" -
then we can actively manage their machines, as in ping it, RDP to it,
reboot it remotely, use PDQ Deploy to push software etc. Not that this
couldn't be done with Forefront UAG SP1, but it's easier with 2012R2,
and it wasn't one of our goals during our earlier implementation.

Kurt

On Wed, Mar 16, 2016 at 4:26 PM, Deb Gilbert <[email protected]> wrote:
> Good points. I have run into issues with users who go to hotels and
> Starbucks and they block VPN traffic. I’ll for sure now look into this
> option for my campaign users who are always out in the field – I’m sure they
> would love to not have to log in to the VPN then log into the terminal server
> :)
>
> Deb Gilbert
> Vice President of Information Technology
>
> From: <[email protected]> on behalf of "Michael B. Smith"
> <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Wednesday, March 16, 2016 at 17:13
> To: "[email protected]" <[email protected]>
> Subject: RE: [NTSysADM] DirectAccess
>
> Generally speaking, in my opinion there are two really significant
> advantages to DA:
>
>
>
> [1] Auto-on. (And while this doesn’t tend to be a big deal for tech. people
> – it’s a HUGE deal for sales people and upper management. At one of my
> clients, resolving VPN issues was 20% of their helpdesk calls. Installing DA
> took that to less than 1%.)
>
>
>
> [2] Easy to specify resources to share. Commonly, if you connect to a VPN,
> you have access to everything on the network you’ve connected to. DA works
> via a gateway concept and you can easily specify exactly which resources are
> available (or all of them, if you don’t care).
>
>
>
> P.S.  in re: [1] – there are a surprising number of hotels/motels that only
> allow ports 80/443. Go to Starbucks or McDonalds.
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Deb Gilbert
> Sent: Wednesday, March 16, 2016 6:58 PM
> To: [email protected]
> Subject: Re: [NTSysADM] DirectAccess
>
>
>
> Out of curiosity what is making you look at this versus a traditional VPN?
> I’m interested in hearing your thoughts around it.
>
>
>
> Deb Gilbert
>
> Vice President of Information Technology
>
>
>
> From: <[email protected]> on behalf of Kish n Kepi
> <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Tuesday, March 15, 2016 at 05:30
> To: "[email protected]" <[email protected]>
> Subject: [NTSysADM] DirectAccess
>
>
>
> I would like to hear from people who have implemented DirectAccess on
> Windows Server 2012 R2.
>
>
>
> 1. Did you do it yourself or hire a consultant?
>
> 2. Was it difficult, or time-consuming to deploy the solution?
>
> 3. To how many computers did you deploy?
>
> 4. Does it work seamlessly as advertised?
>
> 5. Is throughput same, faster or slower than conventional VPN?
>
>
>
> Any other questions I’m not knowledgeable enough to ask?
>
>
>
> Kish

