Force tunnel

  • Question

  • Our security team is insisting we use force-tunnel i.e. all traffic is passed through UAG DirectAccess server. Apparently this is a best practice for VPNs. What are the implications of this requirement on a UAG DirectAccess implementation?
    Wednesday, February 3, 2010 1:18 AM

Answers

  • Hi mrains,

    you can check this document regarding force tunneling in DirectAccess: http://technet.microsoft.com/en-us/library/ee809072.aspx

    basically, you need to set the ForceTunneling setting in the clients' GPO to enabled - which will cause only IPv6 traffic to work on the client, and only using IP-HTTPS.
    You also need to add the DNS suffix "." to the NRPT, which represents all of the internet.
    You'll have to use an existing web proxy in your organization in combination with NAT64.

    Anyway, in UAG DirectAccess SP1 we'll have built-in support for force tunneling mode, which will require no manual changes at all.
    • Marked as answer by mrains Wednesday, February 3, 2010 11:19 AM
    Wednesday, February 3, 2010 10:28 AM
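    The three prerequisites in the answer above (force tunneling enabled in the client GPO, a catch-all "." rule in the NRPT, and a web proxy for IPv4 Internet access) can be audited from the client side. The script below is an added example and is not code from the thread, from UAG or from Microsoft; it assumes a Windows 8 / Server 2012 or later DirectAccess client, where the `Get-DAClientExperienceConfiguration`, `Get-DnsClientNrptPolicy` and `Get-NetIPHttpsState` cmdlets exist (the Windows 7 / UAG clients the thread discusses predate these cmdlets and would need `netsh` or registry checks instead). The function name `Test-DAForceTunnelConfig` and the exact property names checked on each object are assumptions.

```powershell
# Added example (not from the thread): audit a DirectAccess client for the
# force-tunneling prerequisites. Assumes Windows 8 / Server 2012+ client
# cmdlets; property names are assumed from the cmdlet output schema.
# Run in an elevated PowerShell session on the DA client.
function Test-DAForceTunnelConfig {
    $findings = @()

    # 1. Force tunneling must be 'Enabled' in the effective (ActiveStore) DA policy.
    $da = Get-DAClientExperienceConfiguration -PolicyStore ActiveStore
    if ($da.ForceTunneling -ne 'Enabled') {
        $findings += "Force tunneling is '$($da.ForceTunneling)', expected 'Enabled'."
    }

    # 2. The effective NRPT must carry the catch-all '.' suffix so every name,
    #    Internet names included, resolves through the DA DNS servers and
    #    therefore over the tunnel instead of the local resolver.
    $nrpt     = Get-DnsClientNrptPolicy -Effective
    $catchAll = $nrpt | Where-Object { $_.Namespace -eq '.' }
    if (-not $catchAll) {
        $findings += "No '.' namespace rule in the effective NRPT; Internet name lookups will bypass the tunnel."
    }
    elseif (-not $catchAll.DirectAccessEnabled) {
        $findings += "'.' NRPT rule exists but DirectAccessEnabled is false."
    }

    # 3. The '.' rule needs a web proxy name, otherwise IPv4-only Internet
    #    sites are unreachable from an IPv6-only, force-tunneled client
    #    (the proxy is reached through NAT64, as the thread describes).
    if ($catchAll -and [string]::IsNullOrEmpty($catchAll.DirectAccessProxyName)) {
        $findings += "'.' NRPT rule has no DirectAccessProxyName; IPv4-only Internet sites will be unreachable."
    }

    # 4. Force tunneling only works over IP-HTTPS, so the IP-HTTPS interface
    #    should be up with no last error.
    $iphttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    if (-not $iphttps) {
        $findings += "IP-HTTPS state could not be read; the interface may be absent."
    }
    elseif ($iphttps.LastErrorCode -ne 0) {
        $findings += "IP-HTTPS interface reports error code $($iphttps.LastErrorCode)."
    }

    if ($findings.Count -eq 0) {
        return 'OK: force tunneling, catch-all NRPT rule, proxy and IP-HTTPS all present.'
    }
    return $findings
}

Test-DAForceTunnelConfig
```

    Each finding maps to one of the manual steps in the answer, so a clean result means the client is actually sending all traffic, DNS included, through the DirectAccess tunnel rather than split-tunneling to the local network.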

All replies

  • Thanks Yaniv
    Wednesday, February 3, 2010 11:20 AM
  • sure :)
    Wednesday, February 3, 2010 4:06 PM
  • Hey guys,

    RE: force tunneling, I think it's important to point out the requirements for IPv4 Internet access for the DA client that is configured to use force tunneling. From how I understand it, you'll need an IPv4/IPv6 aware proxy to handle the connections.

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Thursday, February 11, 2010 12:35 PM
  • From my tests it should work even if the proxy is IPv4 only.
    Connection from the client to the proxy server is done via NAT64.

    Thursday, February 11, 2010 3:27 PM
  • I tested force tunnel via one of our internal IPv4 ISA2k6 servers (obviously using NAT64) and this seemed to work well...a nice option for DA client malware protection and URL filtering if you have TMG internally ;)
    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, February 11, 2010 3:44 PM
  • From my tests it should work even if the proxy is IPv4 only.
    Connection from the client to the proxy server is done via NAT64.

    Hi Yaniv,

    Yes, you are correct! I worked out the scenario myself yesterday. As long as the DA client is configured to use the FQDN of the outbound Web proxy listener in its Web proxy configuration, the DA client can connect to IPv4 Internet resources.

    Next test is to see if the DA client will be able to use other protocols using the TMG client :)

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Friday, February 12, 2010 1:40 PM
  • Hi Jason,

    You bet! If the performance hit on the Internet link isn't too much, I'd think that this might be the preferred method.

    As I mentioned earlier, it would be nice to test the TMG (Firewall) client and see if it works too.

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Friday, February 12, 2010 1:41 PM