Direct Access

  • Question

  • Can you use Direct Access to force a remote PC to send all traffic through the corporate network?
    Wednesday, November 14, 2012 10:58 PM

Answers

  • On Wed, 14 Nov 2012 22:58:32 +0000, Chas SB wrote:

    Can you use Direct Access to force a remote PC to send all traffic through the corporate network?

    Yes, it is a feature known as force tunneling.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    People who deal with bits should expect to get bitten.  -- Jon Bentley

    • Marked as answer by Chas SB Friday, November 16, 2012 2:52 PM
    Wednesday, November 14, 2012 11:06 PM

All replies

  • Yes, this is quoted from Microsoft:

    By default, DirectAccess clients are able to access the Internet, the corporate intranet, and local LAN resources simultaneously. Since only connections made to the corporate intranet are sent over the DirectAccess IPsec tunnels, this is known as a split-tunnel configuration. Split tunneling provides an optimal user experience when accessing resources on the Internet, while still providing strong security for traffic intended for the intranet.

    Although split tunneling is not a security risk, some organizations have a requirement to force all traffic through a corporate proxy so that it can be inspected by their IDS. With legacy VPN connections, the potential exists for users to bridge traffic between networks, such as a home network and the corporate network, effectively making the client operate as a router. For this reason, it is common practice for administrators to disable split tunneling for VPN connections, forcing all network traffic to be routed through the VPN connection. This results in decreased performance when accessing Internet resources, since all traffic must traverse the VPN tunnel and then be proxied out to the Internet. It also consumes significant additional bandwidth on the corporate network.

    The perceived security risk of split tunneling is not valid in a DirectAccess scenario, since the IPsec rules that enable DirectAccess require authentication by the client endpoint. If another endpoint attempts to route through the DirectAccess client, it will not be an authenticated source, and IPsec will prevent the connection. However, since some organizations have a requirement to force all traffic through the corporate proxy server so that it can be inspected, the DirectAccess Force Tunneling option provides this ability.

    The Force Tunneling option was provided in Windows Server 2008 R2 DirectAccess, but required manual steps to enable it via group policy setting. Windows Server 2012 DirectAccess integrates the Force Tunneling option with the Setup Wizard and management UI to automate the required settings. Enabling the Force Tunneling option limits the DirectAccess client to using only the IP-HTTPS protocol for connectivity, and by default uses the DirectAccess server as the NAT64/DNS64 server to translate IPv6 resources to send to the IPv4 proxy server.


    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com


    • Edited by chicagotech Wednesday, December 5, 2012 6:08 PM
    • Proposed as answer by chicagotech Wednesday, December 5, 2012 6:09 PM
    Wednesday, November 14, 2012 11:08 PM
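    As an added example (not code from the thread or from Microsoft), a PowerShell check that a Windows 8 or later DirectAccess client is actually in force-tunnel mode, tying together the three things the quoted text describes: the pushed policy, IP-HTTPS as the only transport, and DNS64 on the DirectAccess server. It assumes the current property names of the built-in cmdlets and that the catch-all NRPT rule uses the "." namespace.

```powershell
# Added example (not from the thread or from Microsoft): audit whether a
# Windows 8+ DirectAccess client is really running in force-tunnel mode.
# Run elevated on the client. Uses the built-in DirectAccessClientComponents,
# NetworkTransition and DnsClient modules.

function Get-DAForceTunnelAudit {
    # Policy the DirectAccess server pushed to this client. 'Enabled' here is
    # what the Windows Server 2012 wizard (or Set-DAClient -ForceTunnel) sets.
    $exp = Get-DAClientExperienceConfiguration

    # Force tunneling limits the client to IP-HTTPS, so that interface must be up.
    $ipHttps = Get-NetIPHttpsState

    # Assumption: in force-tunnel mode the NRPT carries a catch-all rule for the
    # "." namespace so every name is resolved by the DNS64 on the DirectAccess
    # server; without it, Internet names still resolve locally (split DNS).
    $catchAll = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq '.' }

    [pscustomobject]@{
        ForceTunnelingPolicy = $exp.ForceTunneling
        IPHttpsStatus        = $ipHttps.InterfaceStatus
        IPHttpsActive        = ($ipHttps.InterfaceStatus -match 'active')
        CatchAllNrptRule     = [bool]$catchAll
        CatchAllDnsServers   = ($catchAll.DirectAccessDnsServers -join ', ')
    }
}

# Treat force tunneling as in effect only when all three agree: policy
# Enabled, IP-HTTPS interface active, and the catch-all NRPT rule present.
$audit = Get-DAForceTunnelAudit
$audit | Format-List
$enforced = ($audit.ForceTunnelingPolicy -eq 'Enabled') -and
            $audit.IPHttpsActive -and
            $audit.CatchAllNrptRule
"Force tunneling in effect: $enforced"
```

    A client whose policy says Enabled but whose IP-HTTPS interface is down is not tunneling anything, so the three fields are reported separately rather than collapsed into one answer.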
  • Hi,

    Thank you for the post.

    You may also refer to this blog: http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx

    Regards,


    Nick Gu - MSFT

    Friday, November 16, 2012 7:21 AM