I can't speak to your environment, but many of my customers are pushing for Office 365/Azure Constrained Access.
Especially because of mobile/BYOD. I suggest you should consider the likelihood or whether you'll NEED that capability within 5 years. -----Original Message----- From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff Sent: Tuesday, November 14, 2017 4:31 PM To: ntsysadm Subject: Re: [NTSysADM] Looking for a global VPN solution - looking for input Ran through your posts in this thread, and i have to say that it looks like the days of DA are numbered. However, if I implement it under 2016, it should be supported for at least 5 more years (assuming that Win10 still supports it, too). So, I'm not worried too much about that as such, but AVPN support for non-domain-joined devices looks very interesting, and the fact that DA only supported IPv6 was sometimes limiting. I think I'll explore AVPN a bit more, and probably include it as an option. On Mon, Nov 13, 2017 at 6:08 PM, Michael B. Smith <mich...@smithcons.com> wrote: > So.... just a data point to consider. > > Microsoft is kinda moving away from DirectAccess. > > Many of the security functionalities added in Server 2016 won't work with DA. > > Instead you need to be using their Automatic VPN. The endpoint isn't very > relevant, although they push RRAS. > > For example, WIP doesn't work properly with DA. Only with AVPN. > > -----Original Message----- > From: listsad...@lists.myitforum.com > [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff > Sent: Monday, November 13, 2017 8:19 PM > To: ntsysadm > Subject: Re: [NTSysADM] Looking for a global VPN solution - looking > for input > > Arg - that should be "seeking commercial services".. > > And, once I bring recommendations, it might well be that we just fall back to > a DirectAccess server in each office, with our without a multi-site > configuration, potentially with an SSP VPN appliance also at each office for > backup and contractors, and call it good. > > Kurt > > On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote: >> I'm not sure either, but that's the task I've been given - not >> necessarily to implement at this stage, but to scope out the >> alternatives and come up with some possibilities. >> >> It's also why I'm seeing recommendations on commercial services, so >> that our implementation requirements are minimized. >> >> Kurt >> >> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale >> <jcas...@activenetwerx.com> wrote: >>> I've done a lot of openvpn setups in a myriad of formats, site to site, hub >>> and spoke, client etc. >>> It works well and there are even some lesser documented features that do >>> some neat stuff but you are now rolling your solution and marinating it >>> manually. >>> Not sure how well that will scale unless you have a skilled team. >>> >>>> -----Original Message----- >>>> From: listsad...@lists.myitforum.com >>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff >>>> Sent: Monday, November 13, 2017 5:22 PM >>>> To: ntsysadm <NTSysADM@lists.myitforum.com> >>>> Subject: [NTSysADM] Looking for a global VPN solution - looking for >>>> input >>>> >>>> All, >>>> >>>> 1) For staff, currently we're using DirectAccess on 2012R2 as our >>>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto >>>> Global Protect) as primary for our overseas offices and secondary >>>> for the US (Sonicwall). >>>> >>>> 2) In the US office, we also have contractors/consultants needing >>>> to use our SSL VPN for access to various resources, and that will >>>> likely expand to our overseas offices soon. Differentiation and >>>> securing resources is even more important here than in 1). >>>> >>>> 3) We also stand up IPSec tunnels for vendors/partners as needed >>>> (lab to lab), for interoperability/compatibility testing. >>>> >>>> We're looking to get into a solution that will take care of at >>>> least the first two (and ideally the third as well), so that we >>>> don't have so many platforms to support, and so that we can make >>>> sure that staff in the field get the fasted connection available. >>>> >>>> I've taken a quick gander at the websites for vyprvpn (Golden >>>> Frog), and OpenVPN (commercial client offering), but don't have >>>> much of an opinion on them, as info about them is a bit thin. >>>> >>>> Anyone have experience with solutions like this, and care to comment? >>>> >>>> Thanks, >>>> >>>> Kurt >>>> >>> > >
