Few UAG DirectAccess questions

  • Question

  • Hi all,

    I cannot find the answer to these questions, I hope someone can help me here :)

     

    - Is there any way to limit the time when users are able to use DA?  E.g. only during business hours, etc.

    - Is it possible to initiate communication from internal network to the DA client (e.g.  active management such as RPC, share access, etc.)

    - Is it possible to connect using DA from Windows XP (some kind of addon by MS or 3rd party...)

     

    Thanks!


    R.*
    Monday, December 6, 2010 2:22 PM

Answers

  • - Is there any way to limit the time when users are able to use DA?  E.g. only during business hours, etc.

    As far as I know: no.

    - Is it possible to initiate communication from internal network to the DA client (e.g.  active management such as RPC, share access, etc.)


    Yes if your resources/servers could talk natively in IPv6.

    - Is it possible to connect using DA from Windows XP (some kind of addon by MS or 3rd party...)


    Absolutely not:

    • No native IPv6
    • No NRPT support
    • ...

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    • Marked as answer by R.Vojtek Thursday, December 23, 2010 7:09 AM
    Monday, December 6, 2010 2:50 PM
  • Hi

     

    Directly, I would also say no. But if we include NAP in the problem, maybe. By default NAP relies on an NPS which responds to queries 24 hours a day. If you limit it to business hours, client computers would not be able to get a health certificate. If you deploy DirectAccess with NAP in enforcement mode, users won't be able to initiate user/application IPsec tunnels. This should work.

     

    Have a nice day.

     

    Benoît


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by R.Vojtek Thursday, December 23, 2010 6:51 PM
    Thursday, December 23, 2010 4:39 PM

All replies

  • Thanks for reply, Lionel!


    R.*
    Thursday, December 23, 2010 7:10 AM
  • Hi

     

    Directly, I would also say no. But if we include NAP in the problem, maybe. By default NAP relies on an NPS which responds to queries 24 hours a day. If you limit it to business hours, client computers would not be able to get a health certificate. If you deploy DirectAccess with NAP in enforcement mode, users won't be able to initiate user/application IPsec tunnels. This should work.

     

    Have a nice day.

     

    Benoît


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Nice idea! ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, December 23, 2010 6:19 PM
    Moderator
  • Thank you, Benoît, that's really smart! :)

    R.*
    Thursday, December 23, 2010 6:51 PM
  • Yes, maybe a good idea for a blog post on multiple compliance levels with DirectAccess and UAG. Merry Christmas to all.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, December 25, 2010 9:32 AM