Windows Surface Pro and Direct Access Hit a Home Run


Our company has a very mobile Sales team who travel most of the United States and part of Mexico. Their success, like much of our company's, is tied to an agile response to Sales opportunities and customer relations. While laptops and Cisco AnyConnect did meet their needs, both were clunky, and Cisco AnyConnect accounted for over 600 service desk incidents in 2012. Our traders and IT staff also detested Cisco AnyConnect and the required token key, although using their smartphones to obtain a key did alleviate having to carry around that annoying RSA dongle.

Simply, we needed to mobilize their “at the office” desktop experience and make traveling transparent to their technology. Direct Access delivers this!

We took two routes: 1) iPad using Citrix Receiver, and 2) Windows 8 Surface Pro or Windows 7 laptop using Direct Access.

After internal IT testing, we selected Windows Server 2012 Direct Access and Windows 8 Surface Pros for some of our Sales staff and senior Portfolio Managers. We started with our “early adopters” and then let technology envy do the rest (we have a very competitive group of users and when someone sees that they are falling behind because their peer has better technology, they want it). Our users immediately told us how much more they liked Direct Access but, as expected, were struggling with Windows 8 (really missed the Start button). We overcame this challenge with some one-on-one training and a one-page reference sheet (search and you’ll find plenty of examples). They quickly became comfortable with the OS and overlooked the nuances after experiencing the mobility of the new VPN and tablet. For those users who wanted to stay with their Windows 7 laptops, we added DA to their system. That alone improved the mobile user experience. Eventually, all our mobile users were very pleased with this experience and this positive response continues.

It’s important to note that we are a Windows environment (SharePoint workflows, server, Win7 desktop, and MS SQL databases) using third-party applications and proprietary .NET solutions. Everything that worked in Windows 7 worked in Windows 8. We don’t experience many of the non-Microsoft pain points.

While the Citrix iPad solution worked well and delivered a reliable product, the user experience was so different they eventually stopped using iPads for business processes (other than email). Our users also disliked the additional “clicks” to obtain the final business information from the Citrix-published applications. We continue to support this option, but it’s not nearly as enterprise effective as DA and the Windows-based devices.

Security is always an issue for us, and removing the RSA key requirement for VPN didn’t increase our exposure. You can’t log in to our network with Direct Access without an active AD account. Your device also has to be in a special AD OU, and you have to log in at least once at the office to receive a certificate. Only devices we issued and control can access our network after the company’s approval. By contrast, any device with a Citrix Receiver app, valid RSA key, and valid AD account can remote in. This increases network exposure. Simply put, non-AD objects can access your network.

Here are other reasons why the Surface Pro and Direct Access work better than the iPad Citrix solution:

  • Identical user experience anywhere when connected. Wi-Fi, network cable, whatever.
  • Drive mapping works immediately when connected. We were pleasantly surprised by how much this was desired by our user base.
  • Single sign-on process to access their work environment when traveling.
  • Excellent n-tier application performance.
  • Full Microsoft Office experience.
  • Internet Explorer 10 is faster.
  • DA allows for two-way connectivity. We can now ensure our remote users receive SCCM 2012 patching and software deployments remotely.
  • Remote desktop support with Dameware or TeamViewer is much easier.
  • You can still use Cisco AnyConnect as a backup VPN solution.
  • DA client is part of the Windows 8 CAL and cheaper than the Citrix solution.
  • While a Surface Pro and ancillary equipment cost more than an iPad (+$300-ish), the setup is cheaper than our standard laptop with docking station (-$600).

What we don’t like about the Surface Pro but liked about the iPad:

  • Battery life (4 hours for the Pro but over 10 for the iPad).
  • Lack of internal network connectivity (Verizon, for example).
  • We had to reimage each of our Surface Pros with Windows 8 Enterprise. We do this for all our systems anyway, using SCCM 2012, but still wanted to raise this as an issue for other teams.

Things you need to remember:

  • This is IPv6 and while we haven’t experienced any communication issues with IPv6, it is different. Research it and understand the differences.
  • Server 2012 Direct Access is ready for prime time while Server 2008 isn’t.
  • Windows 8 DA is much easier to install than Windows 7.
  • High-availability or Business Continuity for DA is painful, but achievable.
  • Learn to use IE 10 compatibility mode. We overcame all of our issues using this or F12.
  • Direct Access only works on certain versions of Windows 7 Ultimate or Enterprise and Windows 8 Enterprise (you’ll have to reimage your Surface Pros).
  • There are plenty of Direct Access and IPv6 troubleshooting sites, but here is a good one. Also, here’s one specifically for Windows 7. Our issues almost always point to a time problem, with the Surface Pro or laptop time being more than 5 minutes off.
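
The access conditions described above (device in the designated AD OU, a machine certificate issued on-site, and a clock within 5 minutes) can be checked on a client in one pass. This is an added example, not code from the original post; the domain controller name and OU are placeholders, and it assumes the DA certificate is a machine certificate with the Client Authentication EKU in the local computer store.

```powershell
# Added example: DirectAccess client pre-flight check (not from the original post).
# Requires PowerShell 3.0+; run while a domain controller is reachable.
param(
    [string]$DomainController = 'dc01.corp.example',        # placeholder
    [string]$ExpectedOu       = 'OU=DirectAccess Clients',  # placeholder
    [int]$MaxSkewSeconds      = 300                         # the 5-minute limit noted above
)

function Get-ClockSkewSeconds([string]$Server) {
    # w32tm prints one sample line such as "10:00:00, +00.0123456s"
    $out = & w32tm /stripchart "/computer:$Server" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') {
            return [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    return $null   # server unreachable or no sample returned
}

function Get-ValidMachineCert {
    # Assumption: the DA certificate carries the Client Authentication EKU.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
}

function Get-ComputerDn {
    try {
        $r = ([adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))").FindOne()
        if ($r) { return [string]$r.Properties['distinguishedname'][0] }
    } catch { }
    return $null   # directory not reachable
}

$skew = Get-ClockSkewSeconds $DomainController
$dn   = Get-ComputerDn
$cert = @(Get-ValidMachineCert)
$hasDaCmd = [bool](Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue)
$da = if ($hasDaCmd) { (Get-DAConnectionStatus -ErrorAction SilentlyContinue).Status } else { 'n/a' }
[pscustomobject]@{
    ClockSkewSeconds  = $skew
    ClockOk           = ($null -ne $skew) -and ([math]::Abs($skew) -le $MaxSkewSeconds)
    ComputerDn        = $dn
    InExpectedOu      = ($null -ne $dn) -and ($dn -like "*,$ExpectedOu,*")
    ValidMachineCerts = $cert.Count
    DaStatus          = $da
}
```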

Our mobile staff are more nimble and capable, and spend much less time on the phone with my help desk staff, which means they’re devoting more time to the job and not to the technology.


Home run!



About Doug Sigmon

IT Helpdesk manager in southern California. Love technology, gadgets, and golf.

3 Responses to Windows Surface Pro and Direct Access Hit a Home Run

  1. Shaun says:

    How was the reimage of your surface pro with Windows 8 enterprise? Did you guys document it? Does MS have any official documentation on it? Drivers, etc… any issues? roadblocks?

    Great article!

    • dougsigmon says:


      Thanks for the feedback.

      We image our Surface Pros using SCCM 2012 but it must be run via a USB stick (instead of using a network connection to access the server) due to driver issues. Sorry, no special documentation.

      Direct Access (DA) installation usually installs really well for 9 of 10 devices (add the computer object to the right OU and run GPUPDATE /FORCE to install the DA certificate). A quick IPCONFIG /FLUSHDNS or a reboot and DA is running. When the install fails, it’s usually something to do with the AD Computer Object, which we rebuild.

      Hope this helps,


  2. Thanks for publishing this awesome article. I searched for a long time for an answer to this subject and I have finally found it on your site. I saved your blog in my RSS feed and shared it on my Facebook. Thanks again for this great post!
