Direct Access 2012 R2 - route by IP address ?

  • Question

  • Hi all,

    DirectAccess on 2012 R2 is implemented and working.

    We have one application which, after initially querying the server via DNS name (which works), does all further communication via IP address... which fails. I assume this is because DA simply doesn't know that the IP traffic should be sent across the tunnel.

    Is there any way of adding an IP (or set of IPs) that should always be sent across the DA tunnel?

    Wednesday, November 12, 2014 5:44 AM

Answers

  • If the application forces IPv4 and uses UDP, PortProxy does not fit. Maybe your application vendor could help you.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by Ben_22 Thursday, November 13, 2014 8:30 AM
    Thursday, November 13, 2014 7:59 AM

All replies

  • Hi,

    First, does the DNS answer contain an IPv6 address? If yes, it goes through the IPsec tunnels. Otherwise, it does not.

    If the application requests DNS resolution but does not use the IPv6 address provided, it's because the application wants to use IPv4. I had such a case. I had a sort of solution for TCP IPv4-based communications: http://danstoncloud.com/blogs/simplebydesign/archive/2012/02/11/tcpv4-based-applications-with-directaccess.aspx. It may help, but it needs some automation to detect whether the DirectAccess client is connected on the LAN or on the Internet, to enable/disable the PortProxy trick I used.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, November 12, 2014 11:36 AM
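The automation BenoitS mentions (enable the PortProxy mapping only while the client is actually remote) can be done with the client-side DirectAccess cmdlets. The script below is an added example, not code from the thread or from the linked blog post: it reads the DA connection status, resolves the intranet host's AAAA record, and adds or removes a `netsh interface portproxy v4tov6` mapping accordingly. The host name, ports and the assumption that the host has an AAAA record are placeholders; as the thread goes on to note, this only helps TCP applications, because portproxy relays TCP streams and nothing else.

```powershell
# Added example, not code from the thread or from BenoitS's blog post.
# Keeps a v4tov6 portproxy in place only while the DirectAccess client is
# connected remotely, so a TCP application that insists on IPv4 can reach an
# IPv6-only intranet host through the tunnel. Host name and ports are
# assumptions. Run elevated on Windows 8 / 2012 or later (needs the
# DirectAccessClientComponents and DnsClient modules).
param(
    [string]$AppHost     = 'app.corp.example',  # assumed name inside an NRPT suffix
    [int]   $ListenPort  = 8443,                # assumed port the app dials on 127.0.0.1
    [int]   $ConnectPort = 8443                 # assumed real service port on the host
)

function Get-DAState {
    # Status is 'ConnectedRemotely' when the IPsec tunnels are up from outside
    # the corporate LAN; anything else means leave the IPv4 path alone.
    try   { (Get-DAConnectionStatus -ErrorAction Stop).Status }
    catch { 'Unknown' }
}

function Get-AppIPv6 {
    # Only the AAAA answer can be carried by DA; an A answer would be dialled
    # directly and never enter the tunnel.
    $aaaa = Resolve-DnsName -Name $AppHost -Type AAAA -ErrorAction Stop |
            Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
    if (-not $aaaa) { throw "No AAAA record for $AppHost; DirectAccess cannot carry it." }
    $aaaa.IPAddress
}

function Test-ProxyPresent {
    # netsh prints one line per mapping: "127.0.0.1  8443  <v6addr>  8443".
    [bool]((& netsh interface portproxy show v4tov6) -match "127\.0\.0\.1\s+$ListenPort\s")
}

function Enable-Proxy {
    $v6 = Get-AppIPv6
    # The app connects to 127.0.0.1:$ListenPort over IPv4; portproxy relays the
    # TCP stream to the IPv6 address, which route selection sends via the tunnel.
    & netsh interface portproxy add v4tov6 "listenaddress=127.0.0.1" "listenport=$ListenPort" `
        "connectaddress=$v6" "connectport=$ConnectPort" | Out-Null
}

function Disable-Proxy {
    & netsh interface portproxy delete v4tov6 "listenaddress=127.0.0.1" "listenport=$ListenPort" | Out-Null
}

$state   = Get-DAState
$present = Test-ProxyPresent

if ($state -eq 'ConnectedRemotely' -and -not $present) {
    Enable-Proxy
    "portproxy enabled (DA status: $state)"
} elseif ($state -ne 'ConnectedRemotely' -and $present) {
    Disable-Proxy
    "portproxy removed (DA status: $state)"
} else {
    "no change (DA status: $state)"
}
```

Run it from a scheduled task triggered on network-change events (or on a short interval) so the mapping follows the client between LAN and Internet; on the LAN the mapping is removed and the application talks IPv4 natively. The AAAA check is the important guard: if the name only returns an A record, no amount of proxying will put that traffic into the tunnel.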
  • Hey,

    Thanks for the reply.

    That is indeed an interesting article; however, it doesn't quite fit my scenario... the application in question, after initial communication via name (which resolves to an IPv6 address and works fine), is returned an IP address as the "connect to this" address. This appears to be internal to the application and not configurable.

    DirectAccess routes based on DNS suffix, hence my question of whether there is any way to specify that certain IP addresses should also be sent through the DA tunnel.

    In addition, the app uses UDP for all comms, so the netsh portproxy, even if a name was in use, wouldn't help.

    Wednesday, November 12, 2014 10:01 PM
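The "routes by DNS suffix" point is worth verifying on a client, because it is the whole reason a hard-coded IPv4 address bypasses the tunnel: the NRPT only matches the queried name, and only the IPv6 answer is routed over the IP-HTTPS/Teredo/6to4 interface. The function below is an added example (not from the thread) that walks those two steps for a name or a literal address and reports which interface Windows would actually use. The sample targets at the bottom are constructed placeholders, and treating a transition-interface alias as "the DA tunnel" is an assumption that holds on an IPv4-only LAN or from the Internet.

```powershell
# Added example, not code from the thread. Shows why a literal IPv4 destination
# never enters the DirectAccess tunnel: NRPT matches the queried NAME against
# suffixes, and only the IPv6 answer follows the transition interface's routes.
# Sample targets below are assumptions.
function Test-DATunnelPath {
    param([Parameter(Mandatory)][string]$Target)   # host name or literal address

    $ip   = $null
    $rule = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        $reason = 'literal address: NRPT is never consulted'
    } else {
        # Longest-suffix match against the effective NRPT that DA pushed by GPO.
        $rule = Get-DnsClientNrptPolicy |
                Where-Object { $_.Namespace -and $Target.ToLower().EndsWith($_.Namespace.ToLower()) } |
                Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
        $rec  = Resolve-DnsName -Name $Target -Type AAAA -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
        if ($rec) { $ip = [System.Net.IPAddress]$rec.IPAddress; $reason = 'AAAA answer' }
        else      { $reason = 'no AAAA answer' }
    }

    $via = $null
    if ($ip -and $ip.AddressFamily -eq 'InterNetworkV6') {
        # Find-NetRoute returns the source address object and the chosen route;
        # pick the route (it carries DestinationPrefix) and read its interface.
        $route = Find-NetRoute -RemoteIPAddress $ip.IPAddressToString -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1
        if ($route) { $via = $route.InterfaceAlias }
    }

    $addr = if ($ip) { $ip.IPAddressToString } else { $null }
    [pscustomobject]@{
        Target    = $Target
        NrptRule  = $rule.Namespace
        Address   = $addr
        Interface = $via
        # Assumption: the client reaches DA over IP-HTTPS/Teredo/6to4 (the usual
        # case on an IPv4-only LAN or from the Internet); native IPv6 would differ.
        ViaTunnel = [bool]($via -and $via -match 'iphttps|teredo|6to4')
        Reason    = $reason
    }
}

# Constructed sample targets (assumptions): one name under an intranet suffix,
# one bare IPv4 address of the kind the application hands back after connecting.
'app.corp.example', '10.20.30.40' | ForEach-Object { Test-DATunnelPath $_ } | Format-Table -AutoSize
```

For the name, expect an NRPT rule, an IPv6 address and the IP-HTTPS (or Teredo/6to4) interface; for the bare IPv4 address, expect no rule and no tunnel interface, which is exactly the failure described in the question. There is no NRPT or routing knob on the client that changes the second result, because the IPv4 address is neither a name the NRPT can match nor a prefix the transition interface routes.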
  • Yep, I'm following that path... but I don't hold out much hope.

    The crux of it is that at this point in time there is nothing I can configure in DA to make the application work. (Which was my impression, but I wanted to see if someone else had a funky idea.)

    Thursday, November 13, 2014 8:30 AM