When I talk with IT managers about Windows 8, one of the consistent complaints I hear is that you can't do a VPN with Windows 8. Several have even said that they are delaying Windows 8 rollouts because of security concerns. I certainly understand that position, but here's the thing: They're wrong.
Comments about the lack of VPN capability are everywhere. The more nuanced view is harder to find, but I'm fortunate enough to have friends like Brian Chee, director of the Advanced Network Computing Lab at the University of Hawai'i and an occasional Enterprise Efficiency blogger. He's been looking closely at Windows 8 (especially Windows 8 RT) and has come up with ways IT departments can securely connect Windows 8 RT devices back to their networks -- and has pinned down the simple reason many folks think that can't happen.
First, the bad news: If you're absolutely, positively locked into one of the third-party VPN clients (like those from Juniper or Cisco) and you refuse to deal with anything else, then you're in a holding pattern. Those companies haven't released VPN clients for Windows 8 RT, because Microsoft hasn't released the Ring 0 APIs for them to hook their code into. Microsoft has delayed the release because it is trying to make the APIs PowerShell-compliant (a good thing), but that choice has thrown a significant delay loop into the development of some crucial third-party software.
Even when Microsoft does release the beta code (something that should happen very soon), it's going to take a while for final software to make it to Windows 8 RT devices. Remember that all applications for Win 8 RT must come through Microsoft's App Store, and that particular venue doesn't allow beta code to be distributed. Bummer.
Here's the good news: Windows 8 RT comes with a VPN client, just like pretty much every version of Windows. If your IT department can handle the customization for the individual cases, then you can be up and running secure Win 8 RT connections very quickly. This covers SSL, L2TP, and IPsec VPNs with encryption strength up to Blowfish or AES-256. That's good enough for just about everyone, and even Triple DES (easier to configure) should keep most script kiddies at bay.
If that's not enough to convince you it's worth a shot, there's even more good news. The VPN client in Windows 8 RT is compatible with Microsoft DirectAccess. That means, among other things, that you can create role-based configuration files and have them automatically distributed to Win 8 RT devices through Active Directory login. Suddenly, things look up, but only as you get deeper and deeper into the Microsoft ecosystem.
And that's really the key: Though the industry has tended to treat the Microsoft Windows operating ecosystem as a variation on an open environment, it's still owned and controlled by a single company. This company lets a lot of other companies play in its sandbox, but the state of Windows 8 RT remote access is a reminder that it is, in fact, a Microsoft sandbox. It just lets us play in it.
If you have users banging on your door demanding that Windows 8 RT devices be given access to the enterprise network, you can make that happen. The client is there, and the tools are there. If all you want to do is move forward with your third-party VPN clients, though, you've still got a wait coming. Consider it a lesson in patience -- or a good reminder of the value of a fully integrated ecosystem from client to server.