Notes on Folder Redirection when using VPNs. March 2010.
This Document
This document is an attempt to explain what goes wrong with Folder Redirection when used over a VPN. It's horrible.
What is Folder redirection?
Folder redirection is a Microsoft mechanism that allows all the important folders for a user to be kept safe on a server somewhere. Combined with "Roaming Profiles", which does the same for a user's profile, it can carry many advantages. For instance, a user can log on to any computer in the domain and get his or her complete personal environment; and if a user's PC is destroyed and a replacement ordered, all the user's data, because it is kept safe on a server, can easily be copied onto the replacement machine simply by logging on to it, rather than having to use a file and settings transfer. All this is excellent and good news.
It even works for laptops that are occasionally taken away from the domain. The redirected folders have an "offline" setting which means they can be accessed while away from the domain, and any updates made while away are then synchronised when the laptop is eventually connected back into the domain. The profile has a local copy anyway, so the same applies.
And this is where the problems start for VPNs
VPNs?
Despite what Microsoft may think, the world of computers is not divided into machines connected into high-speed LANs and those floating free in the world. Increasingly people, while working away from the main office high-speed network, still want to access documents and email. Some people may never, or rarely, go back to the main office at all and instead work out of a small remote office. Increasingly, small remote offices are connected back to the main office using broadband Internet services, typically operating at around 3 Mbps compared to the average LAN speed of 100 Mbps. This is VPN technology: its primary function is to provide secure access to the main office facilities, "secure" because the data would otherwise be carried across the Internet in a readable form for anyone to snoop. The problem is that while a VPN "looks" like a part of the main office network, the bandwidth restrictions tell a different story.
The Problem
When a computer with offline redirected folders is first started it makes a critical decision: can it see the server where all its folders are? If it can, it assumes it is connected to the main office LAN and proceeds to use the server copy of any files it wants. If it can't see the server, it assumes it is not attached to the main office LAN and uses the offline (called the cached) copy of any files. If it is connected through a VPN, however, it can "see" the server files and switches to using the server copy, even though the bandwidth restrictions may make this almost impossible.
So a VPN, provided with the intention of supplying online access to email and document folders, can be made almost unusable if the machine involved has Folder Redirection turned on. The line is swamped by continuous access to the server copies of Redirected folders.
Solutions
Microsoft
This is never going to happen, but the best solution would be for Microsoft to change the behaviour of the synchronisation software, such that it makes the "server mode / cached mode" decision based on something more than just "is the server visible". There are a number of things that might be done, although I can't see any signs of it on the Internet.
Incidentally, Windows does have a "slow link detection" mechanism but apparently it is only used to decide whether to load profiles and Group Policies from the server. The sync software needs a "what to do on a slow link" section.
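As an added illustration of the decision described above (this script is not part of the original notes and is not Microsoft's synchronisation logic), the following PowerShell function makes the "server mode / cached mode" choice the way the notes suggest it should be made: it first checks the only thing Windows checks, whether the server is visible, and then also checks whether the redirected-folder share opens and what the round-trip latency is. The server name, share path and the 80 ms "slow link" threshold are assumptions, chosen for the example; on Windows PowerShell 5.1 the ping objects expose `ResponseTime`, on PowerShell 7 the property is called `Latency`.

```powershell
# Added example: a "slow link" check that looks at more than "can I see the server".
# fileserver01, the Users share and the 80 ms threshold are assumed values.
function Test-FileServerLink {
    param(
        [string]$Server     = 'fileserver01',          # assumed file server name
        [string]$Share      = '\\fileserver01\Users',  # assumed redirected-folder root
        [int]   $SlowLinkMs = 80,                      # assumed latency threshold (ms)
        [int]   $Samples    = 4                        # pings to average over
    )

    $result = [ordered]@{
        Server     = $Server
        Visible    = $false
        ShareOpen  = $false
        AvgLatency = $null
        Mode       = 'cached'   # default to the offline copy unless the link is good
    }

    # Step 1: the only test Windows makes - is the server visible at all?
    $pings = Test-Connection -ComputerName $Server -Count $Samples -ErrorAction SilentlyContinue
    if (-not $pings) { return [pscustomobject]$result }
    $result.Visible = $true

    # Step 2: can the redirected-folder share actually be opened?
    $result.ShareOpen = Test-Path -Path $Share

    # Step 3: the missing test - how slow is the link? Average round-trip time in ms.
    # (Windows PowerShell 5.1: ResponseTime; PowerShell 7: Latency)
    $latencyProp = if ($pings[0].PSObject.Properties['ResponseTime']) { 'ResponseTime' } else { 'Latency' }
    $avg = ($pings | Measure-Object -Property $latencyProp -Average).Average
    $result.AvgLatency = [math]::Round($avg, 1)

    # Only use the server copy when the share is open AND the link is fast enough.
    if ($result.ShareOpen -and $result.AvgLatency -le $SlowLinkMs) {
        $result.Mode = 'server'
    }
    [pscustomobject]$result
}

# Report the decision for the assumed server; over a 3 Mbps VPN expect Mode = cached.
Test-FileServerLink | Format-List
```

Run it from a laptop on the VPN and again on the office LAN: both runs report `Visible = True`, which is all the synchronisation software looks at, but only the LAN run should come back with `Mode = server`.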
One solution, more a work-around, is to establish the VPN after the user has gone through the login process, so that the laptop is therefore using cached folders. However, the synchronisation software soon detects the presence of the server and offers the user the option of "synchronising". While this is fine for email and document folders, my understanding gets a little hazy about the exact impact on the redirected folders. I suspect things may switch back to "server copy" mode; it's difficult to tell. There is certainly unaccounted network activity once this has happened. Also, because the user logged in via the cached copy of the profile, he or she may be asked for his or her password again when accessing email and when synchronising folders. This may not even work, as the system seems to think that presenting the same login name and password that was used to log in to the cached profile is a security violation.
Either way, while a manual VPN may be fine for the occasional trip out of the office, it is a pain to set up every day, and means that normal domain services, like system updates, cannot take place.
Permanent VPN
Establishing a permanent VPN is a good idea, as the laptop has access to all the normal domain features, but it cannot be used unless folder redirection is turned off.
Turning off Redirected Folders
This is the technical stuff.
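Before changing the redirection policy it helps to know exactly which folders on a given laptop are redirected and whether the Offline Files cache is in play. The following PowerShell script is an added example (not part of the original notes): it reads the current user's "User Shell Folders" registry key, which is where Windows records where each shell folder actually lives, and flags every entry that points at a UNC path, since those are the ones Folder Redirection has sent to a server. It also reads the `Win32_OfflineFilesCache` WMI class to report whether Offline Files is enabled; that class is assumed to be present (Windows Vista and later), and the script reports nulls rather than failing if it is not.

```powershell
# Added example: audit which shell folders are redirected to a server, and whether
# the Offline Files cache is on, before touching the Folder Redirection policy.
function Get-RedirectedFolder {
    # Standard per-user key holding the real location of each shell folder.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* bookkeeping properties that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $path = [string]$p.Value
        [pscustomobject]@{
            Folder     = $p.Name
            Path       = $path
            Redirected = $path.StartsWith('\\')   # a UNC path means it lives on a server
        }
    }
}

function Get-OfflineFilesState {
    # Win32_OfflineFilesCache (assumed present on Vista and later) reports whether the
    # Offline Files feature is enabled and whether the cache is active right now.
    try {
        $cache = Get-CimInstance -ClassName Win32_OfflineFilesCache -ErrorAction Stop
        [pscustomobject]@{ Enabled = $cache.Enabled; Active = $cache.Active }
    } catch {
        # Class not available on this Windows version: report unknown rather than fail.
        [pscustomobject]@{ Enabled = $null; Active = $null }
    }
}

# Only the redirected entries are interesting here.
Get-RedirectedFolder | Where-Object { $_.Redirected } | Format-Table -AutoSize
Get-OfflineFilesState | Format-List
```

A laptop with Folder Redirection in force will list entries such as the Documents or Desktop folders with `\\server\share\...` paths; once the policy has been turned off and the user has logged on again, the same entries should come back as local `C:\Users\...` paths, which is the quick way to confirm the change has actually taken effect on that machine.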