VPN, DirectAccess or Windows 10 auto-trigger VPN profile?

On a recent consulting gig, I found myself advising a customer who was keen to deploy Microsoft DirectAccess (DA) in place of their legacy virtual private network (VPN) solution. As a DirectAccess user (who used Cisco AnyConnect VPN at my last place of work), I have to say the convenience of being always connected to the company network without any interaction on my part is awesome. I’m sure the IT guys like that they can always access my PC for management purposes too…

The trouble with DirectAccess is that it doesn’t seem to have a published roadmap. So, should I really be advising my customers to use a technology that doesn’t appear to be under active development? First of all, I should add that it’s not been deprecated. DirectAccess is still a supported feature in Windows Server 2016 (it’s part of the Remote Access server role) – so it’s still got a future. Annoyingly, it’s not a supported workload on Azure (leading to on-premises deployments) but we can’t have everything…

Now for the question of whether to use DA or a traditional VPN. Well, Microsoft MVP Richard Hicks (@RichardHicks) has written a fantastic blog post that goes through this in detail. Rather than paraphrasing, I’ll suggest that you go and read Richard’s post on DirectAccess vs. VPN.

But that’s not the whole picture… you see Windows 10 has a new auto-triggered VPN profile capability that I’m sure will, in time, replace DirectAccess. So, where does that fit in?

Great response there from Richard, and then my colleague Steve Harwood (@steveeh) joined in, advising that Auto VPN still requires a VPN profile and infrastructure but is initiated when either a Universal Windows Platform (UWP) or desktop app is started or stopped. Meanwhile, DirectAccess has other benefits from being always-on, avoiding the need to expose management/compliance systems publicly.

Actually, it gets a bit better with the Windows 10 Anniversary Update (Redstone 1/1607), which has the Always On VPN profile option, but we’re still Windows-only at this point. Richard has recommended a DirectAccess alternative for Windows, macOS, iOS and Android:

So if the question is “should you deploy DirectAccess?”, the answer is “maybe”. It’s a Windows Enterprise-only solution but, if you have other clients in your enterprise, you might want to consider alternatives instead of or alongside DA.

Auto-responder for blog marketing requests…

Having a popular blog is great. Mine’s probably not as popular as it once was – mostly that’s because I don’t get the time to write all the content that I would like to – but there are still more than 2000 posts here, so I do see a reasonable volume of traffic.

Unfortunately, that also means I get a lot of emails (sometimes several a day) asking me to add a link/feature some content/something else – much of which is clearly scripted bulk email. And not replying only results in multiple chaser emails… so I’m fighting back with my own scripted response (I actually got the idea from a journalist who provided advice to PR teams to help them only pitch items he’d be interested in…):

“Hi,

You’re receiving this email because you recently emailed about the website at markwilson.it/markwilson.co.uk. Thanks for getting in touch; however, I receive several emails each day that take a lot of time to respond to (or multiple chaser emails if I don’t respond) so please don’t be offended by this automatic reply.

  • If you’re looking to place ads on my site, please don’t ask me what I would charge. Instead, please make me an offer. I don’t really know what the market rates are but you probably do. Please also include details of the page you’d like to advertise on, the landing page you would like and the period you would like to advertise for. I’ll only advertise sites that I think will be relevant to my readers so please don’t be offended if I don’t reply.
  • If you have a great resource that you’re sure would improve my content, please consider that markwilson.it is a blog. I’m not going to go back and edit posts from months or years past but you could always leave a comment on a post instead, as long as it’s genuine and not just spam.
  • If you’re offering to create content, please note that the content on the site is all written by me or by one of a very small number of trusted colleagues or family. I do not feature content written by others to promote their goods and services. If you’re starting out as a writer, I wish you well but would politely suggest you write on a public platform – or maybe start your own blog.

Thanks for your understanding.

Mark”

It’ll probably make no difference at all… but at least I can legitimately ignore repeated requests from people who haven’t acted on my reply…