DirectAccess, Proxies, Holding Pages & Force Tunnelling

  • Question

  • Hi. I wonder if anyone has come across this and has a solution for an issue I'm encountering. Basically we have UAG/DirectAccess up and running all happily. Force Tunnelling is enabled due to security reasons and users' web traffic is filtered through a web proxy which is set in users' browsers by Group Policy. The issue we're having is when a user goes to a hotel or McDonald's, they cannot access the holding page where they need to enter their details for them to be granted internet access, as their browser cannot see the web proxy set by the Group Policy.

    I've been looking into PAC files but cannot see how I can get this to work to detect if it's on the corporate domain or not.

    Any suggestions greatly appreciated.

    Monday, July 21, 2014 2:22 PM

Answers

  • Use Web Proxy Auto Discovery Protocol (WPAD) instead of manual proxy settings or a proxy.pac file.

    To do so:

    • Remove wpad from the DNS blocklist for your domain
    • Add a wpad DNS entry to your domain (e.g. wpad.contoso.com)
    • Host a website that responds on port 80 and contains a wpad.dat file (e.g. http://wpad.contoso.com/wpad.dat)
    • You may need to configure the IIS MIME types to serve up a .dat file

    Then the browser just needs the proxy setting "Automatically Detect Settings" enabled. When off the network, it will be able to log onto captive portals. Then the DA tunnel will come up, clients obtain the wpad file and start using the corporate proxy settings.

    • Marked as answer by Steve _999 Friday, August 1, 2014 2:41 PM
    Wednesday, July 23, 2014 12:19 PM
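The following is an added example, not code from the thread or from any of its posters: a wpad.dat script of the kind the accepted answer has you host, together with a small simulation of what the browser's "Automatically Detect Settings" option does with it. The browser first tries to resolve the wpad record; when that fails (laptop behind a captive portal, DA tunnel not yet up) it falls back to a direct connection, which is exactly what lets the portal's login page load. Once the tunnel is established the record resolves, wpad.dat is fetched and the corporate proxy is applied. The hostnames, proxy address and DNS tables are assumed and constructed; the PAC helper functions (isPlainHostName, dnsDomainIs, dnsResolve, isResolvable) are normally supplied by the browser's PAC engine and are stubbed here so the script runs under Node.

```javascript
// Added example, not from the thread. Assumed values: contoso.com as the
// internal DNS suffix, wpad.contoso.com as the WPAD record, and
// proxy.contoso.com:8080 as the filtering proxy.

var WPAD_HOST = "wpad.contoso.com";               // assumed WPAD record
var CORP_SUFFIX = ".contoso.com";                  // assumed internal suffix
var CORP_PROXY = "PROXY proxy.contoso.com:8080";  // assumed filtering proxy

// ---- Stand-ins for the PAC helper functions a browser provides -----------
// Backed by a constructed DNS table that is swapped per scenario below.
var DNS = {};  // hostname -> IPv4 string

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(DNS, host) ? DNS[host] : null;
}

function isResolvable(host) {
  return dnsResolve(host) !== null;
}

// ---- The wpad.dat content ------------------------------------------------
function FindProxyForURL(url, host) {
  // Loopback and single-label names never go through the proxy.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal resources reached over the DirectAccess tunnel go direct.
  if (dnsDomainIs(host, CORP_SUFFIX)) {
    return "DIRECT";
  }
  // Everything else goes to the filtering proxy. No "; DIRECT" fallback is
  // listed, so web traffic cannot silently bypass the proxy if it is down.
  return CORP_PROXY;
}

// ---- Simulation of "Automatically Detect Settings" -----------------------
// Returns the proxy string the browser would use for a given URL under a
// given DNS view. With no wpad record visible, no PAC is applied at all.
function browserProxyFor(dnsTable, url, host) {
  DNS = dnsTable;
  if (!isResolvable(WPAD_HOST)) {
    return "DIRECT";  // portal login page is reachable without a proxy
  }
  return FindProxyForURL(url, host);
}

// Constructed scenarios: a captive-portal network with no wpad record, and
// the view once the DA tunnel is up and corporate DNS answers.
var HOTEL_WIFI = { "portal.hotel.example": "10.0.0.1" };
var TUNNEL_UP = {
  "wpad.contoso.com": "10.1.1.5",
  "intranet.contoso.com": "10.1.1.20"
};

function demo() {
  return {
    portalBeforeTunnel: browserProxyFor(HOTEL_WIFI,
      "http://portal.hotel.example/login", "portal.hotel.example"),
    internetAfterTunnel: browserProxyFor(TUNNEL_UP,
      "http://www.example.com/", "www.example.com"),
    intranetAfterTunnel: browserProxyFor(TUNNEL_UP,
      "http://intranet.contoso.com/", "intranet.contoso.com")
  };
}
```

When hosting the file on IIS as the answer suggests, the .dat extension needs a MIME mapping before IIS will serve it; the conventional content type for PAC and WPAD files is application/x-ns-proxy-autoconfig.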

All replies

  • Hi

    You might be looking for a solution like this: http://www.concurrency.com/blog/web-filtering-for-directaccess-users-55/. With this solution, you are in a split-tunneling mode until the user connects to the WiFi captive portal. Once logged in, DirectAccess is able to establish IPsec tunnels with IP-HTTPS and get the proxy.pac.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, July 21, 2014 5:21 PM
  • Hi thanks,

    That's almost along the lines I'm after, though reading it, I need to be in split tunneling and that's the route I can't go down.

    Tuesday, July 22, 2014 11:49 AM
  • Hi,

    There is no other solution, except if you accept abandoning the WiFi captive portal connection scenario.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, July 22, 2014 1:17 PM
  • Ah ok, thank you for the response. I guess it's the same situation with DirectAccess 2012 too?
    Tuesday, July 22, 2014 1:21 PM
  • Hi,

    From a technical point of view, the force tunneling mode is a combination of two GPO configurations: an NRPT entry with a wildcard that covers all DNS resolution, and a network parameter named "Route all traffic through the Internal Network". It's the same configuration with all implementations of DirectAccess.

    This needs to be tested, but if we only operate in split tunneling and use the wildcard NRPT entry, this may work in some situations. The problem is that in some captive portal deployments we have local DNS zones, and our NRPT will try to perform DNS resolution for them but will fail.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, July 23, 2014 7:53 AM
  • Thanks Matt, I'll give it a try next week when I'm back from leave
    Wednesday, July 23, 2014 5:51 PM
  • Hi Steve, Matt's answer is the best one and has worked on many deployments where the alleged forced tunneling is required. Using the WPAD allows the flexibility of both scenarios (split tunneling and security back to the corporate proxy) and means the clients log in to captive portals and get protected from the "bad things" on the internet. Quite a few Public Sector configurations have been done this way.

    john davies

    Saturday, July 26, 2014 5:57 AM
  • Thanks Matt. Just been to McDonald's (other fast food restaurants are available), and it worked a dream. Logged onto the captive portal, entered details, established internet connection, then automatically brought up the DA tunnel and I could access all the corporate resources. Fantastic. Thanks for the help.

    Friday, August 1, 2014 2:41 PM
  • Great :) good to hear there is a good use for McDonalds WiFi :)
    Friday, August 1, 2014 8:24 PM
  • Hi, we are experiencing the same issues. I have tried implementing the WPAD solution but the browser does not seem to want to use the wpad.dat file once DA is up. We have a Websense gateway in a load balanced config and the only way to force the browser to use WPAD once the connection is up is by closing the browser. Any help would be appreciated; I am literally pulling my hair out.
    Monday, October 26, 2015 6:51 PM
  • Steve,

    Would love to talk about your setup further as you seem to have the same ideas and restrictions as I have.

    Security compliance recommends not using Split Tunnelling, so Force with this WPAD option sounds ideal.

    Question for you: once you are through the Captive Portal and out on the internet, have you then pushed back to use another Proxy, or do you not have a Proxy etc.?

    We currently don't use a Proxy, so the idea of the WPAD and downloading this is confusing as to what happens once connected and out on the web, in regards to then ensuring not to use a Proxy after this point.

    Does that make sense?

    Many Thanks

    jFranko82

    Tuesday, February 9, 2016 12:09 PM
  • Matt,

    We don't use a Proxy here. What happens after the WPAD download? Can we then push the browser to use our settings after that, or will it continue to always use the WPAD?

    Many Thanks

    jFranko82 

    Tuesday, February 9, 2016 12:10 PM
  • The way I saw it working for us was, when the laptop was at a site with a captive portal, our IE settings are set to autodiscover, i.e. resolve WPAD in DNS. When this can't be resolved, the policy doesn't take effect and therefore the local captive portal can be reached and users can authenticate. Once authenticated to this, the PC can see our https://da.mydomain.com/IPHTTPS, the tunnel kicks in and WPAD.mydomain.com can now be resolved and internal proxies are used. WPAD.dat contains all the info about which proxy to connect to. The very definition of WPAD is Web Proxy Auto-Discovery, so if you're not using proxies this may not be the way for you.
    Wednesday, February 10, 2016 4:46 PM
  • Guys 

    We have a similar challenge. We have set this up as described by Matt, with one addition: we have included the WPAD internal server in the infrastructure tunnel. Is this needed in the infrastructure tunnel, or can it be left out? We also use OTP with an RSA backend and find some of our global users encounter a 0x80040001 error.

    Tuesday, April 11, 2017 11:26 AM
  • Have you installed this hotfix?

    https://support.microsoft.com/en-us/help/2939489

    Tuesday, April 11, 2017 11:51 AM
  • Thanks for the reply, we have Win 10 1607 so this patch would not be applicable.
    Wednesday, April 12, 2017 1:10 PM