DirectAccess WhitePaper With Teredo Tunnels Behind NATs

It's finally here!

The long awaited WhitePaper to show you how to get Teredo tunnels working with DirectAccess when you are behind a NAT device.

This 60-page article will give you everything you need to know on how to set up DirectAccess when you are behind a NAT device.

It works with all versions of DirectAccess.

It will show you, step by step, how to get Teredo tunnels to work for you when you are behind a NAT device.

You can even ring / email us 24/7 to help you on your conquest.

So preview the WhitePaper and get it here http://mydanat.co.uk/id2.html


Icacls Backup and Restore – How to only restore parts of the backup

One of our customers rang us up the other day requesting help with an icacls backup that they ran.

What has this got to do with our DirectAccess service, I hear you ask? Well, they have a maintenance agreement with us and even though this has nothing to do with DirectAccess we are always happy to help out. After all, we love thinking outside of the box; it's what got us to make DirectAccess work behind NATs in the first place.

So, the background:

Our customer wrote a script to change ACLs on a drive where users would save work to share with everyone else. There was over 400Mg of data and the folder structure had got out of hand over time, meaning the security on them had gone a bit screwy.

So the script they wrote was going to fix it. Very exciting times.

The first thing they did, thank god, was to run this command:

Icacls d:\* /save AclFile /T /C

As a note, it is very important to use /C. Without it, if icacls finds an error halfway through it will stop, and you may think your drive is backed up when it won't be.

So this creates a file called AclFile on the drive. Their file was nearly 30Mg. Each entry contains the path to the file or folder and its security information.

So they then ran their script and all was going to plan. 4hrs later they brought the cmd window back up to check the progress and realised something was not right. They paused the script and sure enough it had hit a blip and was changing stuff on folders they didn't want it to. Oops.

But don't panic, we've got a backup, all is well. So let's restore it, fix the problem and try again.

So they ran:

Icacls d:\ /restore AclFile /T /C

As a note, it is very important to use /C here too. Without it, if icacls finds an error halfway through it will stop, and you may think your drive is restored when it won't be.

This took another 4hrs to restore and they thought all was well until a user said they could not access a folder they were working on.

What the user had done, in the middle of all this, was cut and paste a folder somewhere else.

The problem with the backup is that it contains the path to each file and folder; if any have been moved or deleted, the restore just fails to reset them, even if the folder has only been moved down one level.

So the obvious answer is that you just move the folder back and re-run the restore. Well that would have worked but IT had already done a lot of work on the security manually and didn’t want to lose their progress.

So they went about researching how to restore just part of the backup, i.e. just the security on one folder tree.

That’s when the phone rang.

So we took the challenge and eventually sorted it.

I'm not going to go into everything we tried, but eventually we did this:

Open your AclFile in Notepad, untick Word Wrap, then do a Find for the folder that you want to change.

So if the folder is called "ops", do a Find and it will take you to the part of the file that contains the folder tree; below it are all the other files and folders in the tree.

So it starts with hot\sharing\ops, and below it will be everything else contained in that folder.

Copy and paste everything you need, starting from hot\sharing\ops and ending with the last folder/file and its security bit (something like D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2841303841)), into a new Notepad window.

Save it as newrestore with no extension; if you can't, save it as .txt then rename it.

You will now think that if you run icacls d:\hot\sharing\ops /restore newrestore /T /C it will work.

But no, we need to do a little more work.

You will now need to make a new AclFile backup. This time, to make life easier, map a drive z: to d:\hot\sharing so that the z: drive shows z:\ops. (It's easier this way because the restore command does not like folders with spaces in them.)

In cmd, go to the z: drive and run icacls * /save AclFile /T /C

You will now have a new AclFile at the root of the z: drive.

Go back to your newrestore file; you will need to do a Find and Replace for the new folder structure. So if it was hot\sharing\ops, replace hot\sharing\ops with ops.

Now you're thinking of running the command again, but wait, we are still not finished.

Open the z:\AclFile in Notepad with Word Wrap off. Copy everything in the newrestore file and paste it at the very bottom of the z:\AclFile. Don't replace what's in there. Save it.

Now you can run the restore.

In cmd, go to the z: drive and run icacls z:\ /restore AclFile /T /C

What will happen is that it will first restore the security with the current (wrong) info from the fresh backup, but then carry on and apply the right stuff you appended at the bottom.

And bingo, hours saved.
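As an added example (not code from the original post), here is the same partial restore done in Python rather than by hand in Notepad: it parses the AclFile, keeps only the hot\sharing\ops tree, re-bases the paths to ops for a z: drive mapped to d:\hot\sharing, and writes a UTF-16 file that icacls /restore can read. It assumes the save file is path/SDDL line pairs relative to the directory /save was run against, and it matches whole folder names, so a sibling such as hot\sharing\opsold is not swept in the way a Notepad find-and-replace on hot\sharing\ops would; the sample paths and SIDs are constructed.

```python
"""Pull one folder tree out of an icacls /save file and re-base its paths.

Added example, not code from the original post. Assumptions: the save file is
pairs of lines (path, then its SDDL string), paths are relative to the
directory /save was run against and match case-insensitively, and the file is
UTF-16 as icacls writes it. Sample paths and SIDs below are constructed.
"""
import tempfile
from pathlib import Path

Entries = list[tuple[str, str]]

def parse_acl_file(text: str) -> Entries:
    """Split save-file text into (path, sddl) pairs, rejecting malformed input."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():  # tolerate a trailing blank line
        lines.pop()
    if len(lines) % 2:
        raise ValueError("odd line count: file is not path/SDDL pairs")
    entries: Entries = []
    for i in range(0, len(lines), 2):
        path, sddl = lines[i], lines[i + 1]
        if not sddl.startswith("D:"):  # /save records the DACL, e.g. D:AI(A;ID;FA;;;SY)
            raise ValueError(f"line {i + 2}: expected an SDDL string, got {sddl[:30]!r}")
        entries.append((path, sddl))
    return entries

def extract_subtree(entries: Entries, old_prefix: str, new_prefix: str) -> Entries:
    """Keep old_prefix and everything below it, rewriting the prefix to new_prefix."""
    # Whole-component match: "hot\sharing\ops" must not also catch "hot\sharing\opsold".
    old = old_prefix.strip("\\").lower()
    kept: Entries = []
    for path, sddl in entries:
        low = path.lower()
        if low == old or low.startswith(old + "\\"):
            kept.append((new_prefix + path[len(old):], sddl))
    return kept

def format_acl_file(entries: Entries) -> str:
    """Serialise pairs back into save-file layout with Windows line endings."""
    return "".join(f"{path}\r\n{sddl}\r\n" for path, sddl in entries)

def rewrite_acl_file(src: Path, dst: Path, old_prefix: str, new_prefix: str) -> int:
    """Read src, write the re-based subtree to dst as UTF-16; return entries kept."""
    with open(src, encoding="utf-16") as fh:  # decodes the BOM icacls writes
        kept = extract_subtree(parse_acl_file(fh.read()), old_prefix, new_prefix)
    with open(dst, "w", encoding="utf-16", newline="") as fh:  # keep \r\n verbatim
        fh.write(format_acl_file(kept))
    return len(kept)

# Constructed stand-in for the file that "icacls d:\* /save AclFile /T /C" produces.
SAMPLE = (
    "hot\r\nD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)\r\n"
    "hot\\sharing\r\nD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)\r\n"
    "hot\\sharing\\ops\r\nD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)\r\n"
    "hot\\sharing\\ops\\plan.docx\r\n"
    "D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2841303841)\r\n"
    "hot\\sharing\\opsold\r\nD:AI(A;ID;FA;;;SY)\r\n"  # sibling: must not be kept
    "hot\\finance\r\nD:AI(A;ID;FA;;;SY)\r\n"
)

def demo() -> list[str]:
    """Round-trip SAMPLE through a temp dir as if z: were mapped to d:\\hot\\sharing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "AclFile"), Path(tmp, "newrestore")
        with open(src, "w", encoding="utf-16", newline="") as fh:
            fh.write(SAMPLE)
        rewrite_acl_file(src, dst, "hot\\sharing\\ops", "ops")
        with open(dst, encoding="utf-16") as fh:
            return [path for path, _ in parse_acl_file(fh.read())]
```

Run it against a copy of the real AclFile, then run the restore from the mapped z: drive against the new file; because it only contains the entries you chose, nothing else on the drive is touched and the append-to-a-fresh-backup step is not needed.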

Remember to read our other blogs to see how DirectAccess could change your business.

More Ammo For Teredo – IP-HTTPS Component Could Allow Security Feature Bypass

A new update by Microsoft has confirmed a vulnerability in the IP-HTTPS tunnel. This just brings more ammo to why people should be switching to Teredo for their real-world DirectAccess configs, even when you're behind a NAT. Visit us here to see how to do it.

I even posted a blog here that mentions already that Teredo is more secure.

The security update details are here:

http://technet.microsoft.com/en-us/security/bulletin/ms12-083

DirectAccess And Pandora's Box – What no one has told you yet

Thinking of getting DirectAccess? Well, find out why it changes the game:

We live in a world where time is money. There is no other simple way to show you but to remind you of what life was like when we had dial-up, and how much productivity has gone up since broadband.

For years we have all longed for a simple way to connect to the workplace and work from home over the fastest possible speeds out there. I am now going to show you how this is changing companies' perspective on everything.

Let's talk security – Teredo connections are the most secure connections you can get to your workplace when you are behind a NAT. There is no other VPN solution to date that can offer this. I only know of one other that can get the same security level; however, if you read their manual it tells you to turn this off as it causes too much lag and does not work. This means when your boss asks you how secure it is, you can say with confidence "It is the most secure connection in the world to date".

Let's talk speed – Teredo is up to 3 times faster than HTTPS and therefore 3 times faster than your VPN. The only thing close to it to date is Server 2012, but as we have shown in a previous blog it is still off by a mile. This means productivity goes up 300%. Referring back, remember how long it took to do anything on dial-up. Now think how much you can get done in the same time with broadband. It saves you not only time but stress.

Let's talk productivity – I hate germs. I live in a house with 2 children under 2 and with my wife. It bugs me (pun intended) when people come to work ill just because they do not want to look like they are not trying, or do not want to lose a day's pay, only to spread their germs to everyone else. This means sleepless nights because my kids are ill and stress for me because I am ill trying to keep my kids happy. Imagine now that they can just as easily get the exact same work done at home, infecting no one. Therefore productivity goes up and you have a healthier, happier workforce. With Teredo tunnels users will see no lag or difference when browsing the network when they are at home.

Let's talk happy workforce – Where we have installed this software we have had companies run some statistics. At a 6 month period after the install date, when users were asked if they would change jobs there was a 65% increase who said no. Further research revealed the following. The company decided not to replace women or men on maternity/paternity leave because they gave them the option to work as much as they wanted to at home. This meant people who wanted to come back only part time did not have to take pay cuts, because they could work, for example, 50% of the time at home. To the company this meant valuable staff kept up the same level of work and they did not have to employ extras and train them up. Happy staff, massive cost saving to the company. Staff turnover could then be down 65%, again saving money, time, training and losing valuable staff. Have you seen the programme "Take Your Babies to Work"? It's like that, but without the other headaches it brings for bosses. This shows staff that bosses are willing to invest money into their workforce, and this goes a long way.

Let's talk time – I am going to relate this to IT mostly because I am IT. You have set up a VPN connection and some amazing scripts which keep your work rate down a little. However, how much time did it take to set that up? How much time is it taking to maintain it all? Why is it not maintenance free? Think £250 is now too much? Think how much time it takes you to keep all those mobile laptops up to date when there is a new piece of software to be released, from antivirus programs to GPOs to Microsoft Office. With the integration of RemoteApp you will never have to ask for a laptop back again. Think of when there is a critical update and you only have to run it on 1 server and everyone in the world instantly has access to the updated product. Think of how annoyed your users are when you ask for their laptop back and tell them it will take you a day to update. That's a whole day they cannot do their job properly. Think about how much you stress out because all of a sudden you have 50 laptops to update in 1 day because it's a holiday period and your users don't need the laptops during it. You have holidays too! Now all that is just the IT department. With DA and RemoteApp you will never have to worry again.

So do you think we are joking when one of our customers is boasting £230,000 above their expected profit in just 6 months after installing DA?

When you get DirectAccess, whether it's through us or not, it will open up opportunities that most IT managers do not think of, and that most bosses do not think of because they have no idea what their IT managers are telling them. We could dribble on about this for much longer, but for now we will leave it there to just whet your appetite.

Want to change the game? It's now time to send an email to sales@mydanat.co.uk


DirectAccess Server 2012 Behind a NAT with Teredo Tested

So here it is, finally: our REAL-world test of Server 2012 DirectAccess.
We said REAL because, going off on a little rant here but stick with it as it's quite important, we have read so many posts about people using DirectAccess 2012 and how great it is and how the IP-HTTPS tunnel is on par with Teredo now. Well, no. Simply, Teredo is still better and we have the proof to show you (but in fairness we are the only people in the world who can test this behind a NAT). The difference is that we live in the real world and not test labs. We have over-5-year-old servers we are installing this on. We have laptops that are not meant for even Windows Vista, but we have worked endless hours getting Windows 7 working on them so that they just about work, so we do not have to go begging for money that our bosses do not have just so we can use this technology. We do not have 10Gb/1Gb backbones from one test lab behind a NAT to another. We have 5-40mg broadband at the workplace and, if we are lucky, 24mg at home (I'm not lucky, only 13mg here :( ). We live in the real world and this is why we have had a sharp increase in customers wanting the bolt-on fix to help speed up their lives.
So, little rant over, let's get down to the tests.
Some notes: the ipv6-test.com test is done on different equipment and broadband speed, so don't compare it to the last blog on speed we did under UAG.
Did you know Teredo is more secure? Here is a link on the benefits of Teredo: http://technet.microsoft.com/en-us/library/bb457011.aspx

The first test we did was through a 3G phone to see how long the initial connection took. We disabled Teredo (netsh int teredo set state disabled) and connected the laptop to the phone. This quite often seemed to take nearly 60secs to connect over IP-HTTPS and browse the network. That means this could add 60secs to your boot time, as it connects to the workplace before anything else happens so that the machine can get its GPOs. When we enabled Teredo (netsh int teredo set state client) it instantly connected.

The rest of the tests were at home via a 20mg fibre workplace connection and a 13mg broadband connection, on a Latitude D600 with an 11Mbps wireless card.

The second test was with ipv6-test.com. The first set of pictures shows browsing with Teredo, where the second is with IP-HTTPS enabled.

That's 1.25Mb/s extra that we have to play with. We can already see IP-HTTPS is slightly better than before, but still way off par with Teredo.

The third test was downloading a 40768KB file from the workplace straight to the laptop. The first set of pictures shows IP-HTTPS downloading and the second is Teredo.

We noticed IP-HTTPS was all over the place, whereas Teredo was solid. Teredo was also 50KB/s faster. That sounds very little in performance. Again, in the real world where you're downloading real files, for instance a 1gb file (1/3 of a movie for example), you will see a dramatic time saving. Here is a small calculation on downloading 1gb over 50KB/s: 1 gb = 1024 mb and 1 mb = 1024 kb, so 1024*1024 = 1048576 kb, so you have to download 1048576 kb; 1048576/50 = 20971.52 seconds; 20971.52/60 = 349.52 minutes; 349.52/60 = 5.82 hours. So you need about 6 hours to download it.

Our next blog is on DirectAccess Pandora’s box - What you don’t know about DirectAccess and how it could help your company save £££,£££’s

Conclusion – As we have said before, we were very excited about Server 2012 when we heard about what it could do, but given the fact you can now get Teredo tunnels, well, save everyone the hassle and time and buy the bolt-on from just £250.

Just email sales@mydanat.co.uk to say you're interested.

RDC for MAC cannot connect to TS server with error message “You were disconnected from the Windows-based computer because of problems during the licensing protocol”

As posted here: http://social.technet.microsoft.com:80/Forums/en-US/winserverTS/thread/8e28b0af-b374-4ca0-a255-5fd854bdc7fa

We have been having issues with getting Macs to run on RemoteApp. We are the only people in the world at mydanat.co.uk that know how to get Teredo tunnels to run behind NAT devices. So why are we involved? A customer uses DirectAccess to access RemoteApp services like Sims .Net on a Mac; well, they did until the message popped up.

So, as our motto is "let's not wait around for Microsoft to fix this", we fixed it in 2 days after a lot of research on the Internet.

Error:

“You were disconnected from the Windows-based computer because of problems during the licensing protocol”

Cause:

There is currently a bug in RDC 2.1.1 that does not allow the client to download the correct licensing info from a 2008 R2 license server. This means that after the standard 90 days the clients will get the error message above, even though Windows-based connections will still work correctly. This is because when a user first runs the RDC client it sets up a folder structure that only contains read & write access rights for the currently logged on user. All other users are read only. This means no other users can download the correct file when available.

Fix:

This is a simple fix but also a little headache, as at this moment to rush this fix out onto the Internet we have not found a way to automate the process. Please leave useful comments to help automate this fix.

Go to Macintosh HD > Users > Shared > Microsoft.

Go into RDC Crucial Server Information and you should see a folder and no files.

Go back to the Microsoft folder.

Click on "RDC Crucial Server Information" and then click File > Get Info.

Under Sharing & Permissions, select "everyone" and change it to "Read & Write".

Run your RDC connection again and it will start working fine.

You will now notice a file in the RDC Crucial Server Information folder that was not there before.

Notes: If there was a file in there, back it up and try trashing it, then run through the fix again.

You may also need to set Read & Write for the everyone group on each folder inside the Microsoft folder.

If there is not a Microsoft folder in the Shared folder, then run the RDC client and connect to the server. This will be successful, but you will still need to set up the security structure.

So, a Microsoft or Apple issue?

Don’t forget to check out the DirectAccess going Dubstep video

Notes on security:

Some people may feel it is a security problem by enabling everyone to read & write but we are happy with this setting. If you are concerned then add a new user group for the group of people you would like to use RDC rather than changing the everyone group.

Also see comments below for extra help

When you draw DirectAccess does it look like a smiley face?

The answer is yes: when you are drawing your design it will only lead to a smiley face, because you will soon see its potential, like my example below that www.mydanat.co.uk set up for their latest customer.

Speed difference between force tunnels and Teredo

Another reason why, in some cases, you want Teredo to work behind NATs will be discussed here. Obviously this is not for every environment, as you may want force tunnelling on.

I am going to show you the difference in speeds between IP-HTTPS and Teredo but also the pros and cons of both.

Let's first take a look at IP-HTTPS and force tunnelling. I have got a connection on my laptop through ForeFront UAG DirectAccess and my server is sat behind a NAT with the mydanat.co.uk fix to get it to work. So here is a speed test of the laptop using force tunnelling.

So as you can see I have a ping of 95ms, download speed of 0.75Mbps and upload speed of 0.67Mbps. Also notice the time and date is 23.15 03/01/2012.

This makes my browsing speed slow and basic. I would hate to download programs and things.

Now what I did then was turn on split tunnelling so I could fall over to Teredo, and below are the results.

Ping = 65ms, download speed = 2.74Mbps and upload speed = 0.78Mbps. Time is 23.16 03/01/2012.

Now that is a massive speed increase. All of a sudden I have an extra 2Mbps to play with!

Conclusion: always try to convince your site to move to at least Teredo.

I understand people want to filter their Internet at home and yes this is a plus. You can also argue that the computers are property of your site and you don’t want users downloading programs by themselves etc.

But also note that making people sit on IP-HTTPS tunnels hammers the line for what you actually want DirectAccess to do.

My own opinion is that we will use Teredo and only when the need comes up, like to monitor Internet usage or do spot checks, will we then turn on force tunneling.

Don’t forget you can turn it on and off anytime you want without the users ever knowing which one is being used.

So draw up contracts and get your staff to sign them, agreeing that everything they do on the computer is monitored. You will find that this in itself is good enough in most cases to stop that dodgy Internet stuff going on at the workplace and at home.

Now for one last picture to show you the same laptop being filtered for something I should not have typed into Google at home, just to prove it works.

Remember you can only get Teredo tunnels to work when your server is behind a NAT with the help of mydanat.co.uk

Update:

I found this speedtest site showing pretty much the same thing.

The first picture is a speedtest over Teredo and the second is HTTPS.


Microsoft makes new DirectAccess Server 8 work behind NATs finally

Well sort of….

Bits and pieces are popping up all over the Internet stating that the new DirectAccess in Server 8 supports putting the server behind a NAT. Yes this is true but with many limitations.

First, let's start at the setup page that is causing all this debate.

So as you can see we have 3 options to install our DA server.

The Edge option is the standard we are all used to.

The other two will allow you to set up your DA behind a NAT. That's great, I have been waiting for that for years. So I took a deeper look into it and found this page http://technet.microsoft.com/en-us/library/hh831416.aspx and I am quoting this section:

Support for DirectAccess Server behind a NAT Device

A Windows Server 2008 R2 DirectAccess server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. This is required so that it can act as a Teredo server. In order for clients behind a NAT to determine the Teredo server and the type of NAT device, the Teredo server requires two consecutive IPv4 addresses.

This requirement presents difficulty for small and medium organizations that do not have access to consecutive, public IPv4 addresses. In the future this has the potential to become a deployment blocker as the available IPv4 address space is exhausted. Windows Server “8” Beta DirectAccess provides the ability to deploy the DirectAccess server behind a NAT device, with support for a single network interface or multiple interfaces, and removes the public IPv4 address prerequisite.

When the Remote Access Services setup Getting Started Wizard or Remote Access Setup Wizard is run, it will check the status of network interfaces on the server to determine if the DirectAccess server is located behind a NAT device. In this configuration, only IP over HTTPS (IP-HTTPS) will be deployed. The IP-HTTPS protocol is an IPv6 transition technology that allows for a secure IP tunnel to be established using a secure HTTP connection.

Damn, like I said, there are limitations, and they are that you can only have HTTPS tunnels.

But that is basically equalling the speeds of traditional VPNs, with the added security gain and transparency. Thumbs down and two thumbs up.

Well, it was a good job I worked out how to get Teredo to work behind NATs then, isn't it. By simply selecting the Edge option and talking to the guys at mydanat.co.uk, you too can have Teredo speeds when you are behind NATs.

Don't settle for HTTPS, when in a quick phone call you too can smile all the way home to work faster than your fellow man.


Microsoft to rename DirectAccess

Microsoft is not renaming DirectAccess, but the question still popped into our heads here at mydanat.co.uk: why not?

To understand why Microsoft could change its name you will first have to hear my little story… sorry.

DirectAccess is as it says on the tin. DirectAccess needs a direct connection to the internet for users to access it.

However I (Scott Logan) fixed a big flaw in the design. You can’t use it when your network is behind a NAT. “Well just put it on your edge” – I don’t have an edge. You see my edge is owned by another company. Our network connects to their grid which eventually connects to the internet. All other sites that connect to the grid go out on the same connection.

So when my super duper server turned up and I decided to fire up the DirectAccess role, I quickly discovered my problem. But I thought surely other people are in the same sinking boat as me. And rest assured there are lots of sinking ships in the ocean.

The next thing I got pointed to was ForeFront UAG. Apparently that works behind NATs. So I fired up ForeFront UAG setup.

Damn, my mistake, I misunderstood: it was the clients that could be behind NATs, not the server. So again I kept thinking there have to be other people in the same plane crashing to earth.

Months went by and experiment after experiment went on. Research into every element of ForeFront UAG ensued until I hit the inevitable. It will not work behind a NAT.

However I am not someone who gives up that easily. I am well renowned for coming up with solutions to problems by thinking outside of the box.

So off I went and, over 50 re-installs later, connection!

Not only HTTPS but Teredo too. Not only that, as my install is 100% VMs and with no VLANs, I could failover cluster the servers. Just imagine in the picture below that the orange thing is my offsite firewall and NAT server.

This means that I can move my ForeFront UAG server around anywhere on my network and it will continue to run very happily. The fix will also support Windows Server 8 DirectAccess and future releases of ForeFront UAG with no configuration changes.

This makes this great tool available to everyone now with no limits.

So what should Microsoft in their future releases of DirectAccess call it as now you do not need a direct access connection to the internet? SuperAccess?
