DirectAccess Multitenant deployment

    Question

  • Hello,

    I have a question about DirectAccess with Server 2012. Is it possible to use DirectAccess in a multitenant cloud environment and use some kind of access control? The requirement is that users can only access their own resources when connecting through DirectAccess, so that each customer is separated from the others based on subnet.

    Kind regards,

    John

    Wednesday, November 13, 2013 9:34 AM

All replies

  • Hi,

    DirectAccess extends the local network to remote clients to allow users to work as if they were connected on the LAN. We configure computers as DirectAccess clients; any user belonging to any approved Active Directory domain can log on to these computers.

    If I understand what you are looking for, you want to limit user access based on selected resources. In some way, it is possible (an additional IPSEC application tunnel established from the DirectAccess client to internal resources over IPv6; resource access control would be performed at the tunnel endpoint). But be careful: this scenario requires advanced skills in DirectAccess. And watch out, customizing the DirectAccess IPSEC tunnel is not supported by Microsoft.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 14, 2013 8:40 AM
  • +1 from me (I agree with Benoit)

    There is no administrative setting in DirectAccess to be able to control this. Some creative work could be done with editing the IPsec rules, but it certainly won't be supported.

    DirectAccess's motto is "Extending the network to the users" - it really is more about thinking of your DA clients as being part of the internal network, rather than thinking of them as different/remote machines. So at a routing level, everyone coming in through a DirectAccess server has access to the same places on the network, and the permissions to keep everyone only accessing what they should are regular things like file and share permissions, etc. Because DirectAccess computers are all domain joined, and therefore DirectAccess users are all domain users, if "Susie" has access to server File1 but not File2 inside the office, then when she is connected over DirectAccess, the exact same permissions will automatically be applied.

    Wednesday, November 20, 2013 8:59 PM
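Since the reply above places tenant separation on ordinary file and share permissions rather than on the DirectAccess tunnel, the following PowerShell script (added here as an example; it is not from the thread or from Microsoft) audits a file server's per-tenant folders to confirm that only the expected tenant group, plus a small baseline of system accounts, holds an Allow entry. It assumes a folder layout of one directory per tenant under `D:\Tenants` and a group naming convention of `CONTOSO\Tenant-<Name>-Users`; both are assumptions and should be adjusted to the real environment.

```powershell
# Added example, not part of the original thread.
# Audit per-tenant folders so that only the intended tenant group (plus a
# baseline of system accounts) is granted NTFS access. Folder layout
# D:\Tenants\<TenantName> and the group name pattern are assumptions.
param(
    [string]$TenantRoot = 'D:\Tenants',   # assumed root of tenant folders
    [string]$Domain     = 'CONTOSO'       # assumed NetBIOS domain name
)

# Accounts expected on every tenant folder regardless of tenant (assumed baseline).
$BaselineIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

$findings = foreach ($dir in Get-ChildItem -Path $TenantRoot -Directory) {
    $tenant        = $dir.Name
    $expectedGroup = "$Domain\Tenant-$tenant-Users"   # assumed naming convention
    $acl           = Get-Acl -Path $dir.FullName

    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value

        # Baseline accounts and the tenant's own group are the only expected grantees.
        if ($BaselineIdentities -contains $identity) { continue }
        if ($identity -eq $expectedGroup)            { continue }

        # Any other Allow entry means a principal outside this tenant can reach the data.
        if ($ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Tenant    = $tenant
                Path      = $dir.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning "Unexpected Allow entries found on tenant folders:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unexpected Allow entries found under $TenantRoot"
}
```

Run it on the file server that hosts the tenant shares; because DirectAccess clients are treated as on-LAN machines, any cross-tenant Allow entry it reports is reachable from a remote client exactly as it would be from inside the office. Share-level permissions (Get-SmbShareAccess) should be reviewed the same way, since the effective access is the intersection of the two.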
  • Hi, customising IPSEC tunnels of DirectAccess is listed as an unsupported scenario: http://technet.microsoft.com/en-us/library/dn464274.aspx

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, November 20, 2013 10:09 PM