Geekzone: technology news, blogs, forums


schulzbot

5 posts

Wannabe Geek


#173613 29-May-2015 12:33

I've just started using Direct Access at a company I work at - although it's limited to Windows devices, it seems to work pretty well.

It got me thinking that, if you are in a reasonably big company and you're happy to restrict yourself to Windows-based devices, then why would you bother with installing secure WiFi when you could just use Direct Access on a non-secure network to access your company's servers and files and services etc - even when working from your desk?

What would the benefits of having both secure WiFi and Direct Access available be if you only used Windows-based devices?

Does using secure WiFi lessen the load somehow for network administrators?

Or is it cheaper for an organisation to run with both for some reason?

I don't really know what the reason to have secure WiFi would be if Direct Access was available... but there must be some reasons, since when I looked into it a bit more, it seems companies that use DA also have secure WiFi...


Any thoughts?

Thanks!

andrewNZ
2487 posts

Uber Geek
+1 received by user: 1461
Inactive user


  #1314050 29-May-2015 12:36

Doesn't secure WiFi encrypt the traffic so it can't just be sniffed by anyone?



schulzbot

5 posts

Wannabe Geek


  #1314070 29-May-2015 12:39

Hi AndrewNZ - I have no idea. So DA would be more secure than "secure" WiFi?

Cheers

lxsw20
3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

  #1314072 29-May-2015 12:45

Direct Access would make my life so much easier as a SysAdmin. I really wish it was available in W7/W8 Pro, not just Enterprise. 



xontech
268 posts

Ultimate Geek
+1 received by user: 56


  #1314078 29-May-2015 13:00

No experience with DA, but it sounds like you have to have some sort of WiFi for DA to use. If you are deploying WiFi in a "reasonably big company" then "turning on" the security features of the WiFi isn't going to be a big deal in the scheme of things that need to be done to have an acceptably performing WiFi.

schulzbot

5 posts

Wannabe Geek


  #1314145 29-May-2015 14:27

Yeh, the thing I like about DA is that you can use ANY WiFi access - public WiFi included - and it lets you access your company servers and services without having to go through any process - it's like it's always on, so that's why I'm wondering what the advantage of having secure WiFi to do the same thing would be.
Maybe it's a cost thing?
Or if I had 500 people using DA, then it would slow everything down?

lxsw20
3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

  #1314156 29-May-2015 14:44

So what you're saying is why have internal WiFi when you could just come in to the firm over the internet using DirectAccess (VPN). In which case, because going over the internet is never going to be as fast or reliable as using a direct attachment to your internal network, bandwidth cost, use of bandwidth etc etc.

 
 
 

schulzbot

5 posts

Wannabe Geek


  #1314159 29-May-2015 14:51

Yeh, I think you're right. I figured a direct connection on WiFi MUST be better than using DA over WiFi then internet, but I've struggled to find any proof that it really makes much difference. Cheers


toyonut
1508 posts

Uber Geek
+1 received by user: 211


  #1314204 29-May-2015 15:50

Having secure WiFi is part and parcel of any wireless access controller and it ties to AD/RADIUS really easily. It is also fast and direct and ties directly into your core routers, switches and firewall.

Why would you egress all your internal network traffic to the internet, only to bring it back in through a Direct Access server? It makes no sense. Sure it is secured, but it is a dumb double handling of data. You also have to have the webservers set up internally for the clients to check if they are inside or outside the corpnet, which adds to the infrastructure setup.

Direct Access is an IPv6 transport/tunnel and makes some internal resources hard to get to. If it is not on your DNS, it may or may not be able to be accessed over DA. In particular, we have trouble with clients trying to RDP to non-domain test servers, where they work perfectly over an SSTP IPv4 VPN. Also related, routing is nearly impossible over DA, but it is trivial when your users are on a corporate network.

Lastly, if your DA server goes down or the NLA servers go down, suddenly all your internal clients wouldn't be able to get to corporate resources.

Don't get me wrong, I love Direct Access, but what you are suggesting is much harder than just having simple RADIUS-secured WPA-Enterprise WiFi. I am going to guess you have never had to set it up, but even the simplified and friendly DA in Server 2012+ is much harder to set up than enterprise WiFi and has a lot more places that it can go wrong. Even a bad gpupdate can break the whole thing, as it is pushed to the clients over group policy (thankfully this is rare now).

*EDIT* Sorry, not sure why I went into grumpy sysadmin mode there. I have had to install and upgrade every version since it was released as Forefront UAG. It has caused plenty of lost sleep because it is so critical for our staff to have access, so if it goes down, it is a big deal. The 2012R2 version on decent hardware has been rock solid though. Even server updates have failed to kill it, unlike our previous 2012 and 2008R2/UAG server implementations.




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B
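
The inside/outside check and the outage scenario raised in the post above can be inspected from a client with a read-only script. This is an added example, not part of the original thread; it assumes a Windows 8 / Server 2012 or later client that has received the DirectAccess client group policy, and uses the built-in `Get-NCSIPolicyConfiguration`, `Get-DAConnectionStatus` and `Get-DnsClientNrptPolicy` cmdlets.

```powershell
# Added example (not from the thread): read-only check of DirectAccess
# inside/outside detection on a client machine.

# URL the client probes over HTTPS to decide whether it is inside the corpnet.
$nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL
if (-not $nlsUrl) {
    Write-Warning 'No location-determination URL found: DirectAccess client policy is not applied.'
    return
}

# Repeat the probe: an HTTPS GET that must succeed with a trusted certificate.
$nlsReachable = $false
try {
    $resp = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
    $nlsReachable = ($resp.StatusCode -eq 200)
} catch {
    Write-Verbose "Probe failed: $($_.Exception.Message)"
}

# Needs the Network Connectivity Assistant service to be running.
$da = Get-DAConnectionStatus

# NRPT rules currently in effect. When the client believes it is inside,
# the DirectAccess rules are switched off and this list is empty.
$nrpt = @(Get-DnsClientNrptPolicy -Effective)

[pscustomobject]@{
    LocationUrl        = $nlsUrl
    ProbeSucceeded     = $nlsReachable
    DaStatus           = $da.Status       # e.g. ConnectedLocally / ConnectedRemotely
    DaSubstatus        = $da.Substatus
    EffectiveNrptRules = $nrpt.Count
}

if (-not $nlsReachable) {
    # The failure mode from the post: a client sitting on the LAN that cannot
    # reach the probe URL treats itself as outside and applies the NRPT rules.
    Write-Warning 'Probe failed. On the corporate LAN this client will behave as if it were outside.'
}
elseif ($nrpt.Count -gt 0) {
    Write-Warning 'Probe succeeds but NRPT rules are still in effect; location detection has not switched to inside.'
}
```

Running this from a monitoring host on the LAN gives early warning that the probe endpoint has become a single point of failure for internal clients.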


schulzbot

5 posts

Wannabe Geek


  #1314211 29-May-2015 15:57

OK great - this helps clarify things a LOT!
The point about if DA falls over then we're all stuffed is a great one. 
Hmm..

Thanks to all who posted :)

Cheers 
