UAG DirectAccess and corporate resources

  • Question

  • Hi,

    Is it possible to restrict access to corporate resources on the UAG DirectAccess server from DirectAccess clients based on, let's say, group membership or others, e.g. Finance users cannot access HR servers? The concern here is about limiting potential malicious activities from one client host to a subset of the overall corporate environment.

    Thank you.

    Wednesday, June 8, 2011 3:26 PM

All replies

  • Not sure if you ever got a reply, but the answer is some kind of yes and no. UAG does not integrate a firewall rule set or something similar to restrict who can access an internal system (therefore a no). But think about how you would achieve this internally without DA, so the answer usually is domain/server isolation (therefore the answer is yes).

    Hope it helps.

    Tuesday, September 27, 2011 7:53 PM
  • Exactly right. My typical short answer to this question is "Think of DA computers as being plugged into the corporate network all the time; if they don't have access to it from inside the network, they don't have access to it from DA".

    Dominik, thanks for bringing attention to these questions that seem to have been overlooked!

    Tuesday, September 27, 2011 8:46 PM
  • I think you can achieve some control with DA end-to-end mode and modifying policies on the backend servers...placing a firewall between UAG and the internal resources is a more brutal, and less granular approach, but may provide some value...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, September 27, 2011 9:22 PM
  • I agree with the previous posts. Access rights of DA users should be plotted as you would any other internal user's.

    One sort of "hack" way to block DirectAccess clients from accessing a specific corporate resource would be to add that server to the DNS Exclusion list. This would configure the NRPT rules on the DirectAccess client to never ask an internal DNS server for the IP address of that resource and instead look at external DNS, thereby never finding the resource in the first place. This is an all-or-nothing way of blocking access to all DirectAccess clients and could not be made more granular by user groups.

    If you really wanted to isolate a set of servers from your DirectAccess clients, you could place those servers in a subnet that the UAG server does not have a route into. That way, even if they got a DNS answer, the UAG server would be unable to route the traffic there. This too would be an all-or-nothing way of blocking access.

    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Sunday, October 2, 2011 2:36 AM
  • I had a customer ask me this again today & I said pretty much the same thing as you guys have here (you can use a firewall, but it's not fine-grained, or NRPT, but the resource is still accessible via IP) and they pointed me back to Microsoft's website for DirectAccess, which states:

    Access Control
    IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.

    Is there something we're all missing here or is that statement incorrect & very misleading?!
    Monday, October 17, 2011 3:48 PM
  • Sounds like a nice bit of marketing speak ;)

    As I said, I believe you can extend the functionality using DA end-to-end mode, as opposed to end-to-edge mode, but you need to be running IPv6 capable systems on the intranet for that...



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, October 17, 2011 3:55 PM
  • Ahh yes, that would make sense. Use IPsec policies to restrict access to only certain servers on the internal network... seems quite a convoluted way to do it. I wonder if there's any way of using the TMG firewall client to talk to the UAG server and doing some user-based access rules in the TMG part, although I suspect the IPv6 traffic would lose the attached "User" as it gets pushed through the 6to4 process. One for the lab, I think. Thanks, Ben
    Monday, October 17, 2011 6:15 PM
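    The server-isolation approach that Dominik, Jason and Ben describe (IPsec policies on the backend server, end-to-end mode, user-based rules) looks roughly like this on the protected server. This is an added illustration, not configuration from the thread or from any of the posters: it assumes a domain-joined Windows Server 2008 R2 or later host whose DA clients can reach it with user Kerberos (end-to-end mode), and the group SID is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on the server being fenced off
# (e.g. an HR file server). Assumptions: Windows Server 2008 R2+, domain-joined,
# DirectAccess end-to-end mode so client traffic arrives with Kerberos identities.

# 1. Connection security rule: require IPsec on inbound traffic with computer
#    Kerberos (phase 1) and user Kerberos (phase 2). Hosts that cannot
#    authenticate never get past this step, which is the "domain isolation" part.
netsh advfirewall consec add rule name="Server isolation - require auth" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# 2. Firewall rule: allow the protected service (SMB, TCP 445 here) only for
#    connections that were authenticated AND whose user is in the HR group.
#    The SDDL ACE (A;;CC;;;<SID>) grants the single "allow" right to that SID.
#    A Finance user authenticates successfully but does not match this rule, so
#    the default inbound block applies. This is the "server isolation" part.
$hrGroupSid  = "S-1-5-21-000000000-000000000-000000000-1234"   # placeholder SID
$hrUsersSddl = "O:LSD:(A;;CC;;;$hrGroupSid)"
netsh advfirewall firewall add rule name="HR share - HR users only" `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenticate rmtusrgrp="$hrUsersSddl"

# 3. Check what was actually written before relying on it. Any pre-existing
#    inbound allow rule for TCP 445 without security=authenticate (the built-in
#    File and Printer Sharing rules, for instance) would bypass step 2 and must
#    be disabled, so list every rule on that port, not just the new one.
netsh advfirewall consec show rule name="Server isolation - require auth"
netsh advfirewall firewall show rule name=all verbose |
    Select-String -Pattern "Rule Name|LocalPort|Security|RemoteUser"
```

    The group-based decision is made per server, not on UAG, which is why the thread's "UAG has no rule set for this" and "it is still doable" answers are both right; management hosts that cannot do IPsec to the server are cut off as well, so test from one before rolling the rules out by GPO.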
  • Yeah, and I am not 100% sure end-to-end can fully satisfy what the marketing speak says though... it is something I really should lab and blog too, as a lot of people would find it interesting, I think...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, October 18, 2011 7:57 AM
  • Has anyone found a good solution to this yet? Thank you in advance.
    Wednesday, June 27, 2012 3:03 PM