DirectAccess with different profiles for access

  • Question

  • Hello,

    Is it possible (and if yes - how?) to differentiate between the clients which access DirectAccess?

    For example, some users may only access certain items (intranet websites for example) and no internet access.

    While other users may access more internal websites, as well as surf the internet directly.

    I know that force tunneling is helping me on the first part. But how can both profiles co-exist on the same DirectAccess server array?

    Other solutions can work with different profiles - mostly user based.



    Monday, October 1, 2012 8:34 AM

All replies

  • Sadly that is not available. You would need to build two different DirectAccess Servers or Clusters. User Groups to determine which one they use. That solution doesn't scale well at all. 
    Monday, October 1, 2012 2:30 PM
  • This is indeed sad news. While with remote-Access you can play with different roles.

    Is the usage of DirectAccess not allowing this.

    This can indeed question the utilisation of UAG in an array, since the groups are too small to validate such an installation.



    Monday, October 1, 2012 6:17 PM
  • Hi

    That's maybe the most challenging DirectAccess deployment scenario. By default, DirectAccess provides access to all users; there is no way to configure multiple profiles on the same Windows Server 2012 or UAG box. But have a look at the Selected Server Access deployment mode described here: http://technet.microsoft.com/en-us/library/ee382325(v=ws.10).aspx. If this is what you wish, have a look at this: http://danstoncloud.com/blogs/simplebydesign/archive/2012/08/01/directaccess-challenge-series.aspx. It was designed for a customer of mine who wanted to limit access to internal resources. In his situation, my design was helpful, but watch out because there is a lot of firewall rules customization on the server side. Basically, I establish an IPSEC transport from the client to the selected resources using the DirectAccess tunnels as a foundation.

    Hope this helps.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, October 1, 2012 7:19 PM
  • Thx for this info. Will have a look to it.

    It must be understandable for the support people to work and maintain this afterwards ;-)


    Tuesday, October 2, 2012 5:33 AM
  • Hi

    Unfortunately it's not simple. Technically there is no change on your DirectAccess configuration. My solution is based on IPSEC transport tunnels between DirectAccess clients and secured servers. This means you will have to configure a connection security rule per server and configure incoming ports to allow the connection only if secured. Filtering can be performed on a user and/or computer basis but at incoming rule only.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, October 2, 2012 7:40 AM
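
The per-server pattern described in the last reply (a connection security rule plus an inbound rule that allows traffic only if secured, filtered by user) could look like the following on one resource server. This is an added illustration, not code from the thread or from the linked blog design. It assumes the server runs Windows Server 2012 or later (NetSecurity cmdlets) and is reachable over IPv6 from DirectAccess clients; the prefix, group name, port and rule names are placeholders.

```powershell
# Run on the internal resource server that restricted users may reach.
# All values below are placeholders for this example.
$daClientPrefix = '2001:db8:da::/48'           # placeholder: IPv6 prefix of DirectAccess clients
$allowedGroup   = 'EXAMPLE\DA-Intranet-Users'  # placeholder: AD group allowed to reach this server
$port           = 443                          # placeholder: service port to protect

# Resolve the group to a SID and wrap it in the SDDL form the firewall expects.
$account = New-Object System.Security.Principal.NTAccount($allowedGroup)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "D:(A;;CC;;;$sid)"

# Phase 1 authenticates the computer, phase 2 the user (both Kerberos),
# so the inbound rule has a user identity to filter on.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'DA-Restricted P1' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'DA-Restricted P2' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# Connection security rule: require IPsec transport mode for traffic
# arriving from DirectAccess clients on the protected port.
New-NetIPsecRule -DisplayName 'DA clients - require IPsec transport' `
    -Mode Transport `
    -RemoteAddress $daClientPrefix `
    -Protocol TCP -LocalPort $port `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name

# Inbound firewall rule: allow the port only if the connection is secured
# and the authenticated user is a member of the allowed group.
New-NetFirewallRule -DisplayName 'DA clients - allow if secured (group filtered)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $port `
    -RemoteAddress $daClientPrefix `
    -Authentication Required `
    -RemoteUser $sddl
```

Any broader existing allow rule for the same port would let DirectAccess clients in without the user filter, so such a rule must not cover the client prefix. The clients also need a matching connection security rule for this server so that they negotiate IPsec with it.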