1. Userless VPN
I almost titled this one “Users will consider you a hero” but it looked silly on paper. Apparently not too silly as I just typed it anyway. Think of DirectAccess as a completely automatic VPN connection. Around the office here, we like to call it “userless”. A DirectAccess laptop is connected to the corporate network automatically, without user input, the moment that it receives internet connectivity. One of the reasons that I love working with DA so much is the feedback I receive from, well, everyone. Users love it because their workflow processes are exactly the same whether they are sitting in the office or sitting in a coffee shop, IT loves it because those laptops are always available and managed (more on that later), and executives love it not only for their own use, but also because of the reduced helpdesk costs that it brings to the table (also more on this later).
2. Reduced support costs – ROI
In the majority of my implementations, a reduction in support and helpdesk costs is a bonus side-effect that is often not realized until months after the rollout of DirectAccess. In most companies, a high percentage of helpdesk calls are from remote users struggling with a VPN connection. Here are some of the things you will no longer need to worry about:
Forgotten passwords – There aren’t many good options for an employee who has forgotten their password and isn’t going to be back in the office in the near future. Nor for a user who reset an expired password on their desktop at the office, only to find out that this password change was not reflected on their laptop that they are now trying to use from home. IF you can get logged into the laptop with an old cached password you stand a decent chance at getting this situation straightened out, though it’s still going to be a headache and time consuming for the helpdesk. On the other hand, I have seen far too many cases where the password was forgotten and the only recourse is for the helpdesk to reset the password in Active Directory. In this situation, until that laptop is plugged back into the corporate network the only purpose it’s going to serve is to emit a friendly glow while it sits on the login screen. As you may have guessed by now, these problems are non-existent on a DirectAccess laptop. When the helpdesk resets a password in Active Directory, that new password is available for the user to type into their login screen in real-time. The user can literally call the helpdesk – “I forgot my password”, helpdesk resets password, user logs in with new password, and be off the phone in less than a minute.
Port restricted firewalls – We have all been in a hotel room or connected to a public WiFi only to discover that we have internet access, but our VPN will not connect. I won’t get into the technical nitty-gritty here, but will simply state that DirectAccess is able to work around these kinds of firewalls that prohibit traditional VPNs from connecting.
VPN software not working – Having VPN means you have a VPN software that is installed on the client computer. Sometimes software breaks, it’s inevitable. DirectAccess has no client software. The componentry for DA is baked right into the Windows 7 operating system. There’s nothing to install, nothing to break, and therefore nothing to worry about.
3. “Always-on” access for management and patching of your remote devices
Many of you probably realized this benefit after reading above about the always-on user experience. A seamless, self-connecting tunnel to the corporate network not only enables users to have a continuous connection to the network, but also allows the network to have a continuous connection to the laptops. Even before the user authenticates to the machine, as soon as that machine gets internet access an IPsec tunnel is established that we like to call the “Management Tunnel” or “Infrastructure Tunnel”. This means that if the device is turned on and has an internet connection, even if still sitting at the login screen, the IT department and management servers have the ability to push patches, push SCCM, push Group Policy objects, and even remotely control that remote computer from the corporate network. There’s no more waiting around for users to connect their VPN before patches and antivirus definition files can be updated, with the implementation of DirectAccess organizations see patch application rates immediately skyrocket. This always-on management capability is actually the sole reason that many of the customers I work with decide to use DirectAccess. While they all have plans to move to the “two way street” with DirectAccess enabling the users to access applications in the future, for the present time they may be happy with whatever remote access solution they currently have and instead of scrambling to train all of the users on something new, DirectAccess is being implemented as a “one way street” only allowing this management access and using it only for the continuous updating of their remote devices. Even in this limited one-way street/manage-only kind of installation, you still get the password reset benefits that I mentioned earlier.
Myke Schwartz, PEI