I am pleased to announce that I’ll be participating in the upcoming TechMentor conference in Orlando, FL in December. The TechMentor conference is part of the larger Live!360 event and offers a compelling agenda of training for IT professionals. I’ll be delivering the following sessions that are focused on providing secure remote access using Windows Server 2016.
TMT01 – Implementing DirectAccess in Windows Server 2016
TMT04 – DirectAccess Troubleshooting Deep Dive
TMT11 – Client-based VPN in Azure with Windows Server 2016
Don’t miss out on this outstanding conference. Register today and save $500.00!
Posted by Richard M. Hicks on October 25, 2016
I am very excited to announce that my new DirectAccess book, “Implementing DirectAccess with Windows Server 2016“ from Apress media, is now shipping! The book is available on popular online sites like Amazon.com, Barnes & Noble, Springer.com, Apress.com, and others. The book is also available in electronic formats such as Amazon Kindle and Barnes & Noble Nook, as well as a variety of subscription formats including Safari, Books24x7, and SpringerLink.
This book contains detailed and prescriptive guidance for the planning, design, implementation, and support of a DirectAccess remote access solution on Windows Server 2016. It also includes valuable insight, tips, tricks, and best practice recommendations gained from my many years of deploying DirectAccess for some of the largest organizations in the world.
Current DirectAccess administrators will also find this book helpful, as the majority of content is still applicable to DirectAccess in Windows Server 2012 and Windows Server 2012 R2. In addition, the book also includes essential information on the design and deployment of highly available and geographically redundant DirectAccess deployments.
Troubleshooting DirectAccess can be a daunting task, so I’ve dedicated an entire chapter in the book to this topic. For those responsible for the maintenance and support of DirectAccess in their organization, this chapter alone will be worth the investment.
Be sure to order your copy today!
Posted by Richard M. Hicks on September 22, 2016
I’m pleased to announce that I will be delivering a community theater session at this year’s Microsoft ignite conference in Atlanta, GA. The session, THR2136 in the session catalog, is scheduled for Thursday, September 29 at 12:40PM. This is a level 200 talk where I’ll be providing a high-level overview of all remote access technologies in Windows Server 2016, including DirectAccess, client-based VPN, and Web Application Proxy (WAP). I’ll be focusing on what’s new in each of these technologies and demonstrating how each solution applies in different use cases.
In addition to the session, I’ll be spending time with the folks from PointSharp and Pluralsight in their respective booths too, answering questions and providing demonstrations. I hope to have copies of my new DirectAccess book to sign as well. Be sure to follow me on Twitter for up-do-date details. Hope to see you at the conference!
Posted by Richard M. Hicks on August 29, 2016
For anyone testing DirectAccess in Windows Server 2016 Technical Preview 5 (TP5), be advised there is a bug in the latest release that is preventing DirectAccess from working. At this time Microsoft is aware of the issue and is working to resolve it.
I’ll post more details when they become available.
Posted by Richard M. Hicks on May 17, 2016
For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.
As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableServerUnreachability -PropertyType dword -Value 1 –Force
Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.
Posted by Richard M. Hicks on November 10, 2015
Recently I had the opportunity to once again join Richard Campbell on his popular RunAs Radio podcast to chat about all things remote access in Windows Server 2012 R2. The conversation starts out with DirectAccess, but we also touch upon important topics like client-based VPN and BYOD access. We also talk a little bit about DirectAccess in Windows Server 2016 and what the future might look like for DirectAccess in Windows.RunAs Radio
You can listen to the podcast here.
Posted by Richard M. Hicks on September 14, 2015
Today Microsoft announced a new partnership with Dell to deliver the Surface Pro and Windows 10 to enterprise customers around the world. This new initiative addressees the specific needs of large enterprises, whose increasingly mobile workforce places unique demands on IT to provide high levels of security and consistent platform management. This partnership will ensure that Dell’s enterprise customers have access to the Microsoft Surface Pro along with Dell’s enterprise-class service and support offerings.
Of course DirectAccess on Windows Server 2012 R2 complements this initiative quite nicely. Using DirectAccess with it’s always on functionality ensures that remote Windows devices like the Surface Pro are always managed and consistently updated, providing IT administrators greater control and visibility for their field-based assets than traditional VPN is capable of providing. In addition, DirectAccess connectivity is bi-directional, allowing administrators to “manage out” to their connected DirectAccess devices. This opens up compelling use cases such as initiating remote desktop sessions for the purposes of troubleshooting or conducting vulnerability scans to determine the client’s security posture.
In addition, Windows 10 now supports the full enterprise feature set of DirectAccess on Windows Server 2012 R2, including geographic redundancy and transparent site failover, along with significant performance improvements over Windows 7 for perimeter/DMZ deployments. DirectAccess with Windows 10 is also easier to manage and support.
For more information about the Microsoft/Dell partnership, watch Microsoft CEO Satya Nadella’s message here. For assistance with the planning, design, and implementation of a DirectAccess solution, click here.
Posted by Richard M. Hicks on September 8, 2015
The April 2015 monthly security update release from Microsoft includes a fix for a serious vulnerability in HTTP.sys. On an unpatched server, an attacker who sends a specially crafted HTTP request will be able to execute code remotely in the context of the local system account. DirectAccess leverages HTTP.sys for the IP-HTTPS IPv6 transition protocol and is critically exposed. Organizations who have deployed DirectAccess are urged to update their systems immediately.
More information can be found on MS15-034 here.
Posted by Richard M. Hicks on April 20, 2015
A few months ago I had the opportunity to work with the folks at KEMP Technologies to document the use of their LoadMaster load balancers for Windows Server 2012 R2 DirectAccess deployments. DirectAccess has several critical single points of failure which can benefit from the use of a load balancer. Typically Windows Network Load Balancing (NLB) is used in these scenarios, but NLB suffers from some serious limitations and lacks essential capabilities required to fully address these requirements. The use of an external third-party load balancer can provide better load distribution and more granular traffic control, while at the same time improving availability with intelligent service health checks.
Working with the LoadMaster was a great experience. Installation was quick and simple, and their web-based management console is intuitive and easy to use. The LoadMaster includes essential features that are required for load balancing DirectAccess servers, and advanced capabilities that can be leveraged to enhance geographic redundancy for multisite deployments.
KEMP offers the widest platform coverage with their solutions, including dedicated hardware appliances, virtual appliances for multiple hypervisors including Hyper-V, cloud-based including Microsoft Azure, as well as bare metal support for installation on your own hardware. You can download a fully functional free trial here.
You can view and download the Windows Server 2012 R2 DirectAccess Deployment Guide for the KEMP LoadMaster load balancing solution here.
Video: Enable Load Balancing for DirectAccess
Configure KEMP LoadMaster Load Balancer for DirectAccess Network Location Server (NLS)
DirectAccess Single NIC Load Balancing with KEMP LoadMaster Load Balancers
DirectAccess and the Free KEMP LoadMaster Load Balancer
Webinar Recording: DirectAccess Load Balancing Tips and Tricks
Webinar Recording: DirectAccess Multisite with Windows 10 and KEMP LoadMaster GEO
Webinar Recording: Maximize Your Investment in Windows 10 with DirectAccess and the KEMP LoadMaster Load Balancer
Implementing DirectAccess with Windows Server 2016 book
Posted by Richard M. Hicks on February 5, 2015