DirectAccess in the Cloud with Teredo


It has been a long quest to get here, but we have made it. DirectAccess in the cloud or onsite with Teredo is now available to everyone.

We are the only consultants in the world that can provide DirectAccess to any sized organization, more importantly to any scenario you currently have, and even more importantly with Teredo connections.

Why is Teredo Important in the cloud?

For a start, the reason other people can’t get DA to work in the cloud is that cloud VMs only have one NIC and one public IP. Therefore DA will only deploy its slowest transport, IP-HTTPS tunnels.

However, we now know how to overcome this issue so that your clients can get much faster connection speeds over the same line. We are seeing up to 8x faster speeds when clients are using Teredo tunnels. We were so shocked that we ran the test twice. On the left are two speed tests through a Teredo tunnel and on the right are two speed tests through an IP-HTTPS tunnel. Take note of the time to complete. That’s the time you would have been sat there in front of your computer waiting for something to happen.

So are you ready to have DirectAccess installed? We can do it on Server 2008R2, UAG 2010, Server 2012, Server 2012R2 and Server 2016 in the cloud or onsite.

Contact us today

DirectAccess WhitePaper With Teredo Tunnels Behind NAT’s

It’s finally here!

The long awaited WhitePaper to show you how to get Teredo tunnels working with DirectAccess when you are behind a NAT device.

It works with all versions of DirectAccess.

It will show you step by step on how to get Teredo tunnels to work for you when you are behind a NAT device.

So preview the WhitePaper and get it here


Icacls Backup and Restore – How to only restore parts of the backup

One of our customers rang us up the other day requesting help with an icacls backup that they ran.

What has this got to do with our DirectAccess service, I hear you ask? Well, they have a maintenance agreement with us, and even though this has nothing to do with DirectAccess we are always happy to help out. After all, we love thinking outside of the box; it’s what got us to make DirectAccess work behind NATs in the first place.

So, the background:

Our customer wrote a script to change ACLs on a drive where users would save work to share with everyone else. There was over 400Mg of data, and the folder structure had got out of hand over time, meaning the security on the folders had gone a bit screwy.

So the script they wrote was going to fix it. Very exciting times.

The first thing they did, thank god, was to run this command:

Icacls d:\* /save AclFile /T /C

As a note, it is very important to use /C. Without it, if icacls finds an error halfway through it will stop, and you may think your drive is backed up when it isn’t.

This creates a file called AclFile on the drive. Their file was nearly 30Mg. Each entry contains the path to a file or folder and its security descriptor.

So they then ran their script and all was going to plan. 4hrs later they brought the cmd window back up to check the progress and realised something was not right. They paused the script and, sure enough, it had hit a blip and was changing stuff on folders they didn’t want it to. Oops.

But don’t panic, we’ve got a backup, all is well. So let’s restore it, fix the problem and try again.

So they ran

Icacls d:\ /restore AclFile /T /C

As a note, it is very important to use /C here too. Without it, if icacls finds an error halfway through it will stop, and you may think your drive is restored when it isn’t.

This took another 4hrs to restore and they thought all was well until a user said they could not access a folder they were working on.

What had happened was that, in the middle of all this, a user had cut and pasted a folder somewhere else.

The problem with the backup is that it contains the path to each file and folder. If one has been moved or deleted, the restore will simply fail to reset it, even if the folder has only been moved down one level.

So the obvious answer is that you just move the folder back and re-run the restore. Well that would have worked but IT had already done a lot of work on the security manually and didn’t want to lose their progress.

So they went about researching how to restore just part of the backup. I.e. just the security on one folder tree.

That’s when the phone rang.

So we took the challenge and eventually sorted it.

I’m not going to go into everything we tried, but eventually we did this:

Open your AclFile in Notepad, untick Word Wrap, then do a find for the folder that you want to change.

So if the folder is called “ops”, do a find and it will find you the part of the file that contains the folder tree, with all the other files and folders in the tree below it.

So if it starts with hot\sharing\ops, below it will be everything else contained in that folder.

Copy and paste everything you need, starting from hot\sharing\ops and ending with the last folder / file and its security descriptor (the bit that looks like D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2841303841)), into a new Notepad window.

Save it as newrestore with no extension; if you can’t, save it as txt and then rename it.

You will now think that if you ran icacls d:\hot\sharing\ops /restore newrestore /T /C it will work.

But no we need to do a little more work.

You will now need to make a new AclFile backup. This time, to make life easier, map a drive z: to d:\hot\sharing so that the z: drive shows z:\ops. (It’s easier this way because the restore command does not like folders with spaces in them.)

In cmd go to z: drive and run icacls * /save AclFile /T /C

You will have a new AclFile at the root of z: drive.

Go back to your newrestore file; you will need to do a find and replace for the new folder structure. So if it was hot\sharing\ops, you will need to replace hot\sharing\ops with ops.

Now you’re thinking of running the command again but wait we are still not finished.

Open the z:\AclFile in notepad with word wrap off. Copy everything in the newrestore file and paste it at the very bottom of the z:\AclFile. Don’t replace what’s in there. Save it.

Now you can run the restore

In cmd go to z: drive and run icacls z:\ /restore AclFile /T /C

What happens is that icacls first restores the current (wrong) security from the fresh backup, then carries on to the entries you appended and applies the right security over the top.

And bingo, hours saved.
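The cut-and-paste steps above, done in code: this is an added Python example, not the customer’s script or anything from the original post. It assumes the backup is the UTF-16 text file icacls writes, laid out as pairs of lines (a relative path line followed by that path’s SDDL line); the sample entries are constructed for the demonstration.

```python
"""Extract one folder tree from an icacls /save backup, re-base its paths
to the folder you will map as z:, and append it to a fresh backup of that
drive, as described for the ops folder above."""
import ntpath

# Constructed sample of what "icacls d:\* /save AclFile /T /C" produces
# (assumed layout: relative path line, then that path's SDDL line).
OLD_BACKUP = """hot
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)
hot\\sharing
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)
hot\\sharing\\ops
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
hot\\sharing\\ops\\rota.xlsx
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
hot\\sharing\\opsold\\notes.txt
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)
"""


def parse_entries(text):
    """Return a list of (relative_path, sddl) pairs from the backup text."""
    lines = [ln for ln in text.splitlines() if ln != ""]
    if len(lines) % 2:
        raise ValueError("odd number of lines: is the backup truncated?")
    return list(zip(lines[0::2], lines[1::2]))


def extract_subtree(entries, subtree, new_base):
    """Keep entries at or below `subtree` and rewrite them relative to
    `new_base` (the folder later mapped as z:). Matching is case-insensitive
    like NTFS and on whole path components, so hot\\sharing\\opsold is not
    swept up when asking for hot\\sharing\\ops."""
    sub = ntpath.normcase(subtree.rstrip("\\"))
    base = ntpath.normcase(new_base.rstrip("\\")) + "\\"
    kept = []
    for path, sddl in entries:
        p = ntpath.normcase(path)
        if p == sub or p.startswith(sub + "\\"):
            if not p.startswith(base):
                raise ValueError(f"{path} is not under {new_base}")
            kept.append((path[len(base):], sddl))
    return kept


def format_entries(entries):
    """Serialise back into the two-lines-per-entry layout."""
    return "".join(f"{path}\n{sddl}\n" for path, sddl in entries)


def append_to_backup(fresh_backup_text, extra_entries):
    """Append the old entries after the fresh ones rather than replacing
    them: icacls works through the file in order, so the appended (wanted)
    descriptors are applied after the fresh (wrong) ones for the same path."""
    return fresh_backup_text + format_entries(extra_entries)


def read_acl_file(path):
    """icacls writes its backup as UTF-16 with a BOM; read it the same way."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def write_acl_file(path, text):
    """Write a backup icacls can read: UTF-16 with BOM and CRLF line ends."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(text)
```

With a real backup, read z:\AclFile with read_acl_file, pass the old file’s entries through extract_subtree("hot\\sharing\\ops", "hot\\sharing"), write the merged text back with write_acl_file, then run icacls z:\ /restore AclFile /T /C as above.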

Remember to read our other blogs to see how DirectAccess could change your business.

More Ammo For Teredo – IP-HTTPS Component Could Allow Security Feature Bypass

A new update by Microsoft has confirmed a vulnerability in the IP-HTTPS tunnel. This just brings more ammo to why people should be switching to Teredo for their real-world DirectAccess configs, even when you’re behind a NAT. Visit us here to see how to do it.

I even posted a blog here that already mentions that Teredo is more secure.

The security update details are here –

DirectAccess And Pandora’s Box – What no one has told you yet

Thinking of getting DirectAccess? Well find out why it changes the game –

We live in a world where time is money. There is no simpler way to show you than to remind you of what life was like when we had dial-up, and how much productivity has gone up since broadband.

For years we have all longed for a simple way to connect to the workplace and work from home over the fastest possible speeds out there. I am now going to show you how this is changing companies’ perspective on everything.

Let’s talk security – Teredo connections are the most secure connections you can get to your workplace when you are behind a NAT. There is no other VPN solution to date that can offer this. I only know of one other that can get the same security level; however, if you read their manual it tells you to turn this off as it causes too much lag and does not work. This means when your boss asks you “how secure is it?” you can say with confidence “It is the most secure connection in the world to date”.

Let’s talk speed – Teredo is up to 3 times faster than HTTPS and therefore 3 times faster than your VPN. The only thing close to it to date is Server 2012, but as we have shown in a previous blog it is still off by a mile. This means productivity goes up 300%. Referring back, remember how long it took to do anything on dial-up. Now think how much you can get done in the same time with broadband. It saves you not only time but stress.

Let’s talk productivity – I hate germs. I live in a house with 2 children under 2 and with my wife. It bugs me (pun intended) when people come to work ill just because they do not want to look like they are not trying, or do not want to lose a day’s pay, only to spread their germs to everyone else. This means sleepless nights because my kids are ill, and stress for me because I am ill while trying to keep my kids happy. Imagine now that they can just as easily get the exact same work done at home, infecting no one. Therefore productivity goes up and you have a healthier, happier workforce. With Teredo tunnels users will see no lag or difference when browsing the network when they are at home.

Let’s talk happy workforce – Where we have installed this software we have had companies run some statistics. Six months after the install date, when users were asked if they would change jobs, there was a 65% increase in those who said no. Further research revealed the following. The company decided not to replace women or men on maternity / paternity leave because they gave them the option to work as much as they wanted to at home. This meant people who wanted to come back only part time did not have to take pay cuts, because they could work, for example, 50% of the time at home. To the company this meant valuable staff kept up the same level of work and it did not have to employ extras and train them up. Happy staff, massive cost saving to the company. Staff turnover could then be down 65%, again saving money, time, training and the loss of valuable staff. Have you seen the programme Take Your Babies to Work? It’s like that, but without the other headaches it brings for bosses. This shows staff that bosses are willing to invest money in their workforce, and this goes a long way.

Let’s talk time – I am going to relate this to IT mostly because I am IT. You have set up a VPN connection and some amazing scripts which keep your work rate down a little. However, how much time did it take to set that up? How much time is it taking to maintain it all? Why is it not maintenance free? Think £250 is now too much? Think how much time it takes you to keep all those mobile laptops up to date when there is a new piece of software to be released, from antivirus programs to GPOs to Microsoft Office. With the integration of RemoteApp you will never have to ask for a laptop back again. Think of when there is a critical update and you only have to run it on 1 server and everyone in the world instantly has access to the updated product. Think of how annoyed your users are when you ask for their laptop back and tell them it will take you a day to update. That’s a whole day they cannot do their job properly. Think about how much you stress out because all of a sudden you have 50 laptops to update in 1 day because it’s a holiday period and your users don’t need the laptops during it. You have holidays too! Now all that is just the IT department. With DA and RemoteApp you will never have to worry again.

So do you think we are joking when one of our customers is boasting £230,000 above their expectations in profit in just 6 months after installing DA?

When you get DirectAccess, whether it’s through us or not, it will open up opportunities that most IT managers do not think of, and that most bosses do not think of because they have no idea what their IT managers are telling them. We could dribble on about this for much longer, but for now we will leave it there, just to whet your appetite.

Want to change the game? It’s now time to send an email to


DirectAccess Server 2012 Behind a NAT with Teredo Tested

So here it is, finally: our REAL world test of Server 2012 DirectAccess.

We said REAL because (going off on a little rant here, but stick with it as it’s quite important) we have read so many posts about people using DirectAccess 2012 and how great it is and how the IP-HTTPS tunnel is on par with Teredo now. Well, no. Simply put, Teredo is still better and we have the proof to show you (but in fairness we are the only people in the world who can test this behind a NAT). The difference is that we live in the real world and not in test labs. We have over 5 year old servers we are installing this on. We have laptops that are not meant for even Windows Vista, but we have worked endless hours getting Windows 7 working on them so that they just about work, so we do not have to go begging for money that our bosses do not have just so we can use this technology. We do not have 10Gb/1Gb backbones from one test lab behind a NAT to another. We have 5-40mg broadband at the workplace and, if we are lucky, 24mg at home (I’m not lucky, only 13mg here 🙁). We live in the real world and this is why we have had a sharp increase in customers wanting the bolt-on fix to help speed up their lives.

So, little rant over, let’s get down to the tests.

Some notes: this is done on different equipment and broadband speed, so don’t compare it to the last blog on speed we did under UAG.

Did you know Teredo is more secure? There is a link here on the benefits of Teredo.

The first test we did was through a 3G phone, to see how long the initial connection took. We disabled Teredo (netsh int teredo set state disable) and connected the laptop to the phone. This quite often seemed to take nearly 60secs to connect over IP-HTTPS and browse the network. That means this could add 60secs to your boot time, as it connects to the workplace before anything else happens so that the machine can get its GPOs. When we enabled Teredo (netsh int teredo set state client) it instantly connected.

The rest of the tests were at home via a 20mg fibre workplace connection and a 13mg broadband connection, on a Latitude D600 with an 11Mbs wireless card.

Second test: the first set of pictures shows browsing with Teredo, where the second is with IP-HTTPS enabled.

That’s 1.25Mbs/s extra that we have to play with. We can already see IP-HTTPS is slightly better than before, but still way off par with Teredo.

The third test was downloading a 40768KB file from the workplace straight to the laptop. The first set of pictures shows IP-HTTPS downloading and the second is Teredo.

We noticed IP-HTTPS was all over the place, whereas Teredo was solid. Teredo was also 50KB/s faster. That sounds like very little in performance. Again, in the real world where you’re downloading real files, for instance a 1gb file (1/3 of a movie for example), you will see a dramatic time saving. Here is a small calculation on downloading 1gb at 50KB/s:
1 gb = 1024 mb and 1 mb = 1024 kb, so 1024*1024 = 1048576 kb to download
1048576/50 = 20971.52 seconds
20971.52/60 = 349.52 minutes
349.52/60 = 5.82 hours
So you need about 6 hours to download it.

Our next blog is on DirectAccess Pandora’s box – What you don’t know about DirectAccess and how it could help your company save £££,£££’s

Conclusion – As we have said before, we were very excited about Server 2012 when we heard about what it could do, but given the fact you can now get Teredo tunnels, well, save everyone the hassle and time and buy the bolt-on from just £250.

Just email to say you’re interested.

RDC for MAC cannot connect to TS server with error message “You were disconnected from the Windows-based computer because of problems during the licensing protocol”

As posted here

We have been having issues with getting Macs to run on RemoteApp. We are the only people in the world that know how to get Teredo tunnels to run behind NAT devices. So why are we involved? A customer uses DirectAccess to access RemoteApp services like Sims .Net on a Mac; well, they did until the message popped up.

So as our motto is lets not wait around for Microsoft to fix this, we fixed it in 2 days after a lot of research on the Internet.


“You were disconnected from the Windows-based computer because of problems during the licensing protocol”


There is currently a bug in RDC 2.1.1 that does not allow the client to download the correct licensing info from a 2008 R2 license server. This means that after the standard 90 days the clients will get the error message above, even though Windows-based connections will still work correctly. This is because when a user first runs the RDC client it sets up a folder structure that only contains read & write access rights for the currently logged on user. All other users are read only. This means no other users can download the correct file when it is available.


This is a simple fix but also a little headache, as at this moment to rush this fix out onto the Internet we have not found a way to automate the process. Please leave useful comments to help automate this fix.

Go to Macintosh HD > Users > Shared > Microsoft.

Go into RDC Crucial Server Information and you should see a folder and no files

Go Back to Microsoft folder

Click on “RDC Crucial Server Information” and then click file > Get Info

Under Sharing & Permissions select “everyone” and change it to “Read & Write”

Run your RDC connection again and it will start working fine.

You will now notice a file in RDC Crucial Server Information folder that was not there before

Notes: If there was a file in there back it up and try trashing it then run through the fix again.

You may also need to set Read and Write for the everyone group on each folder inside the Microsoft folder.

If there is not a Microsoft folder in the Shared folder, then run the RDC client and connect to the server. This will be successful, but you will still need to set up the security structure.

So, a Microsoft or Apple issue?

Don’t forget to check out the DirectAccess going Dubstep video

Notes on security:

Some people may feel it is a security problem to give everyone read & write, but we are happy with this setting. If you are concerned, create a new user group for the people you would like to use RDC and grant Read & Write to that group rather than changing the everyone group.

Also see comments below for extra help

When you draw DirectAccess does it look like a smiley face?

The answer is yes. When you are drawing your design it will only lead to a smiley face, because you will soon see its potential, like my example below that was set up for their latest customer.

Speed difference between force tunnels and Teredo

Here I highlight another reason why, in some cases, you want Teredo to work behind NATs. Obviously this is not for every environment, as you may want force tunneling on.

I am going to show you the difference in speeds between IP-HTTPS and Teredo but also the pros and cons of both.

Let’s first take a look at IP-HTTPS and force tunneling. I have got a connection on my laptop through Forefront UAG DirectAccess, and my server is sat behind a NAT with the fix to get it to work. So here is a speed test of the laptop using force tunneling.

So as you can see I have a ping of 95ms, download speed of 0.75Mbps and upload speed of 0.67Mbps. Also notice the time and date is 23.15 03/01/2012.

This makes my browsing speed slow and basic. I would hate to download programs and things.

Now what I did then was turn on split tunneling so I could fall over to Teredo and below are the results.

Ping =65ms, Download speed = 2.74Mbps and Upload speed = 0.78. Time is 23.16 03/01/2012.

Now that is a massive speed increase. All of a sudden I have an extra 2Mbps to play with!

Conclusion: always try to convince your site to move to at least Teredo.

I understand people want to filter their Internet at home and yes this is a plus. You can also argue that the computers are property of your site and you don’t want users downloading programs by themselves etc.

But also note this is hammering the line for what you actually want DirectAccess to do by making people sit on IP-HTTPS tunnels.

My own opinion is that we will use Teredo and only when the need comes up, like to monitor Internet usage or do spot checks, will we then turn on force tunneling.

Don’t forget you can turn it on and off anytime you want without the users ever knowing which one is being used.

So draw up contracts and get your staff to sign them, agreeing that everything they do on the computer is monitored. You will find that this in itself is good enough in most cases to stop that dodgy Internet stuff going on at the workplace and at home.

Now for one last picture to show you the same laptop being filtered for something I should not have typed into Google at home, just to prove it works.

Remember you can only get Teredo tunnels to work when your server is behind a NAT with the help of


I found this speedtest site showing pretty much the same thing.

The first picture is a speedtest over Teredo and the second is HTTPS.


Microsoft makes new DirectAccess server 8 work behind NAT’s finally

Well sort of….

Bits and pieces are popping up all over the Internet stating that the new DirectAccess in Server 8 supports putting the server behind a NAT. Yes, this is true, but with many limitations.

First, let’s start at the setup page that is causing all this debate.

So as you can see we have 3 options to install our DA server.

The Edge option is the standard we are all used to.

The other two will allow you to set up your DA behind a NAT. That’s great, I have been waiting for that for years. So I took a deeper look into it and found this page, and I am quoting this section –

Support for DirectAccess Server behind a NAT Device

A Windows Server 2008 R2 DirectAccess server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. This is required so that it can act as a Teredo server. In order for clients behind a NAT to determine the Teredo server and the type of NAT device, the Teredo server requires two consecutive IPv4 addresses.

This requirement presents difficulty for small and medium organizations that do not have access to consecutive, public IPv4 addresses. In the future this has the potential to become a deployment blocker as the available IPv4 address space is exhausted. Windows Server “8” Beta DirectAccess provides the ability to deploy the DirectAccess server behind a NAT device, with support for a single network interface or multiple interfaces, and removes the public IPv4 address prerequisite.

When the Remote Access Services setup Getting Started Wizard or Remote Access Setup Wizard is run, it will check the status of network interfaces on the server to determine if the DirectAccess server is located behind a NAT device. In this configuration, only IP over HTTPS (IP-HTTPS) will be deployed. The IP-HTTPS protocol is an IPv6 transition technology that allows for a secure IP tunnel to be established using a secure HTTP connection.

Damn. Like I said, there are limitations, and the big one is that you can only have HTTPS tunnels.

But that is basically equalling the speeds of traditional VPNs, with the added security gain and transparency. One thumb down and two thumbs up.

Well, it was a good job I worked out how to get Teredo to work behind NATs then, isn’t it. By simply selecting the Edge option and talking to the guys at you too can have Teredo speeds when you are behind NATs.

Don’t settle for HTTPS when, in a quick phone call, you too can smile all the way home, working faster than your fellow man.



