How does DirectAccess compare to Pertino

Lost_Signal773

@RoguePacket You can do Windows Enterprise now WITHOUT SA (its not cheap, but its doable).

RoguePacket

@Lost_Signal773 Don't bring that up to M- Olan. Someone would be liable to get hurt.

Carnival Boy

I tried to get a guy to setup DirectAccess here about 3 years ago. He completely failed, I don't know why. It did seem very complicated to setup. We've been using Hamachi for a couple of years, without any major issues. The only issue is that very occasionally the Hamachi service sometimes needs restarting on the client for whatever reason. The one thing I really want is iOS access. Hamachi released a beta app a year or so ago, but it's still in beta for some reason and I've never managed to get it working.

I've just started trialling Pertino. Erm, how does Hamachi compare to Pertino?

A Former User

@Carnival-Boy said:

I've just started trialling Pertino. Erm, how does Hamachi compare to Pertino?

I am on my phone so I am going to have to keep in short, but Pertino will give you everything Hamachi does, plus more. The community loves Pertino, LogMeIn, not so much

Carnival Boy

Not quite everything, I guess. We mainly use Hamachi for remote workers to access the corporate intranet, which is running on Windows 2003 Server. I believe Pertino won't support this

I've fallen at the first hurdle.

scottalanmiller

@Carnival-Boy you are correct. Hamachi is older and not maintained but has modes like full mesh, hub and spoke and gateway.

JaredBusch

@Carnival-Boy said:

Not quite everything, I guess. We mainly use Hamachi for remote workers to access the corporate intranet, which is running on Windows 2003 Server. I believe Pertino won't support this

I've fallen at the first hurdle.

Read the above posts discussing the subject. I would never have deployed hamachi as you did for security purposes. Yes, it works, but I do not like the method.
Then again, I do not like a VPN gateway for users either since it does the same thing. For IT staff yes, but not users.

scottalanmiller

Full mesh / SDN definitely brings some amazing new capabilities.

Carnival Boy

@JaredBusch said:

Read the above posts discussing the subject. I would never have deployed hamachi as you did for security purposes. Yes, it works, but I do not like the method.
Then again, I do not like a VPN gateway for users either since it does the same thing. For IT staff yes, but not users.

I did, but I don't understand them

Josh

@Dashrender said:

I just read @bill-kindle post about a new 2012 R2 book that appears to focus on DirectAccess.

We've touched on it here in these boards recently - but what do you think?

I've been meaning to get around to setting up a DA lab with @tomta1 to see the differences personally. We've had customers choose to PAY for Pertino networks despite haveing both hardware VPNs and Server 2012 w/ DA due to two reasons: complexity to deploy (both) and end user experience (hardware/OS support for DA).

To be honest, when I first came to Pertino and saw DA, I was a little nervous. Competition isn't always a bad thing, especially when you're trying to create a new market, but it is a challenge when it is a "free" product packaged with a software our target customers are going to deploy anyway. Then I started to read about the limitations - Enterprise editions, Win 7/8 only, Win 7 is a completely different setup process, server has to compute all the network connections = single point of failure, no support, etc.

This is something we need to investigate first hand, but we aren't expecting it to impact our target user base all that much given the reliability, OS requirements, and configuration differences.

Thanks for bringing this top of mind!

Bill Kindle

@Josh TBH, I haven't seen very many people post about it in the forums either.

scottalanmiller

@Bill-Kindle said:

@Josh TBH, I haven't seen very many people post about it in the forums either.

No, DA has gotten nearly a complete snub in the SMB world because of the cost, complexity and limitations.

Carnival Boy

@Carnival-Boy said:

@JaredBusch said:

Read the above posts discussing the subject. I would never have deployed hamachi as you did for security purposes. Yes, it works, but I do not like the method.
Then again, I do not like a VPN gateway for users either since it does the same thing. For IT staff yes, but not users.

I did, but I don't understand them

Seriously, if anyone could explain, in simple terms, the security risks in Hamachi (or similar VPN) I would be really, really grateful.

scottalanmiller

It's not the security risk of the VPN but of a gateway component. When you have a VPN that simply exposes a tunnel then anything that gets onto the network at one end has access to everything at the other end.

What Pertino is trying to do is bring a higher level of control and security assurance often to people lacking network engineers. If you have a gateway, this blinds Pertino's software to what is going onto the network and it lacks the ability to identify and cut off a foreign attacker that without a gateway it does naturally.

It is not that a gateway is insecure, it is that it lacks the lock down, visibility and control features that only a full mesh can provide.

Nara

@scottalanmiller said:

Pertino has automatic load balancing across the country (or globe.) DA does not include that ability although with some effort you could build your own.

DirectAccess can be set up to select servers by geolocation.

scottalanmiller

@Nara said:

@scottalanmiller said:

Pertino has automatic load balancing across the country (or globe.) DA does not include that ability although with some effort you could build your own.

DirectAccess can be set up to select servers by geolocation.

That's cool, is that a new feature added in later versions?

Nara

I set up DirectAccess over the weekend, and it only took me about 40 minutes. Server 2012's implementation is absurdly quick and easy for a basic single-server deployment. It even creates the necessary GPOs for you. All you need to do is select the group of computers it applies to and tweak any related DNS resolution table entries. If you want to go into a more advanced deployment, it could potentially get a bit more involved.

It's location-aware and doesn't enable itself when it can see the corporate network. The moment I switched over to an external network, DA engaged. If you have software assurance on your computers, you really should be considering this. While I haven't tested any quirky legacy applications with it, typical file services and use cases seem to work fine. If you test it and don't like it, you can use the same wizard to pull out the entire configuration, GPOs and all.

Having used both, they're really for different environments. Pertino's good for accessing other computers directly. DirectAccess is good for accessing infrastructure. If you're in a workgroup setup, Pertino would be great. You get the unstructured cross-communication that you'd expect. If you're on a domain, DirectAccess shines. You get timely connectivity to your environment when you need it, and don't need to modify any of your other servers or devices. I'm sure that as both technologies evolve and mature, things may change, but for now, that's how I've experienced it.

scottalanmiller

I assume that there is no means of using DA with Macs, for example?

RoguePacket

@scottalanmiller said:

What Pertino is trying to do ....

Still don't have a firm "knowing" of what Pertino is, but that has been more helpful than anything thus far.

Carnival Boy

@scottalanmiller said:

It is not that a gateway is insecure, it is that it lacks the lock down, visibility and control features that only a full mesh can provide.

So what's the difference between Pertino's mesh and Hamachi in mesh mode?

The biggest problem I had trying to implement DA in Server 2008 was that I wasn't running Forefront UAG, and Microsoft made it very complicated to implement without it. Is that still the case with 2012?