
Always-on VPN extends remote management for IT admins

Always-on VPN technologies like Microsoft DirectAccess are changing the way organizations communicate inside and outside the office.

At an airport in Orlando, Florida: You realize the trip’s documentation is still on the office computer’s desktop, so you make a copy with nothing more than \\server\share.

During a conference in Las Vegas, Nevada: You learn about a server problem, so RDP connects to that server with nothing more than

In a hotel in Fairbanks, Alaska: You need to fill out an expense report using the company’s client/server application, so you launch the application with nothing more than a double-click.

These situations are common to many organizations: remote employees who forgot a document or who need access to a business application with no IT manager readily available. But these problems may not be as easily solved as described here. For instance, they might require extra steps such as launching a VPN application or connecting to an SSL VPN, or perhaps they require multiple usernames and passwords.

But there are technologies designed to simplify this out-of-office experience, such as Microsoft DirectAccess and LogMeIn Hamachi. Also known as the “always-on VPN”, these technologies ensure that every laptop in an organization is connected to the nearest LAN at all times. This ensures that connecting to resources from outside the office is no different than connecting from inside.

Although Microsoft’s DirectAccess tool is meant for always-on nirvana, its complex installation and integration of bleeding-edge technologies like IPv6 and Teredo make it a challenging tool to work with. For instance, Microsoft’s twenty-step learning roadmap gives a rundown of the technologies required just to get DirectAccess up and running.

That’s why I was fundamentally impressed when someone recommended a DirectAccess alternative called LogMeIn Hamachi. Within 15 minutes of downloading the application, my laptop was authenticating against the domain controller. Suddenly, documents on my office desktop were only a \\server\share away. Even though client/server applications ran slower over that long-distance connection, there was no change to my usual launch process. I even connected to my iTunes library and streamed music when my hotel’s Internet connection was fast enough.

But always-on VPNs aren’t just for remote employees; they’re for the IT group in the office as well. For instance, if an IT team’s machines rarely return to the internal LAN and the team has trouble servicing help desk tickets, an always-on VPN can solve these problems by operating in both directions.

That bi-directional capability means WSUS updates can deploy even as road warriors connect from Starbucks. In addition, software like Configuration Manager, LANDesk and Kaseya can install software and lockdowns as if those machines never left the LAN. It also means that reaching back into a remote user’s computer for remote support requires no extra steps.

Always-on VPN vs. the real world
The naysayers will suggest that an always-on VPN connection is a threat to an internal network. For instance, bridging a VPN connection with a remote laptop’s airport connection has long been frowned upon by well-meaning IT security admins. But how different is a bridged connection from one that passes through an IPSec VPN concentrator? If a laptop has been hacked, it will pass on its nefarious payload at the next VPN logon whether the connection is bridged or not.

What about security? Part of DirectAccess’ complexity stems from Microsoft’s need for a secure and foolproof product. That complexity might suggest that Hamachi’s simplicity comes at the cost of weaker security, but that doesn’t seem to be the case. A cursory look at Hamachi shows that connections and data transfers are secured via authentication, encryption and traffic filtering. Even man-in-the-middle attacks are inhibited through a central website for approving client connections.

While Hamachi’s target audience isn’t necessarily the enterprise organization, smaller companies will find value in the technology. Enterprises that require the expanded capabilities that come with DirectAccess can accelerate adoption through any of the DirectAccess Concentrator appliances now sold by various vendors.

So, does this networking approach work in real life?

One organization reported that a significant portion of its employee base never returns to the LAN, except once a year during the annual sales meeting. After implementing a DirectAccess Concentrator, remote device management dramatically improved IT support. Since IT now controls when updates and security configurations are installed, the company also boosted its security posture. Now, remote employees can no longer delay patching until their once-a-year visit to the home office since new applications can be delivered in days.

The walls between what’s outside the LAN and what’s inside are quickly crumbling as the always-on VPN becomes a competitive advantage for businesses. But this disappearing distinction between what’s in and what’s out will obviously require an evolution in security mindsets -- shoring up data protection while opening access to applications. Embracing these changes early on might help your business remain competitive in the years to come.

You can follow on Twitter @WindowsTT.

Greg Shields is a Partner and Principal Technologist with Concentrated Technology, an IT analysis and strategic consulting firm. Contact him at
