NRPT and the . (dot)

  • Question

  • We would like to use forced tunneling in DirectAccess but due to Lync 2010 and 2013 clients not working with IPv6 we cannot. What we would like to do is have split tunneling and use the "." in the NRPT and then add exclusions for Lync to use the split tunnel.

    The problem is that when I do this, I can apply the policy with no error but when I click activate I get an error that states "An error occurred while loading the configuration. Please configure DirectAccess again." and it completely wipes my configuration and I need to start from the beginning again.

    Any advice or hints on how to achieve this? I got the idea for the "." (just the dot) from another thread on here.

    Thursday, December 6, 2012 5:54 PM

Answers

  • This is where the .(dot) theory came from.  .dot theory

    We need to do forced tunneling due to security requirements, but because of Lync not working we would need to do split tunneling, but we need a way to have all traffic by default go via the UAG server and only selected traffic like Lync not do that.

    At the moment I don't think DirectAccess will be the platform we will be going forward with due to this.


    May not be an ideal approach, but you could perhaps achieve what you wanted by using DA split tunnelling combined with manual firewall rules to only allow permitted outbound connections.

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    • Marked as answer by Pegoto Tuesday, December 18, 2012 4:34 PM
    Tuesday, December 18, 2012 9:22 AM

All replies

  • Never seen you can add only "." and I don't think that is possible. For split-tunneling to work you have to add your *.yourdomain.com (or *.yourdomain.local) and configure it to be resolved by the DNS64 service. Only corporate-related traffic that can be resolved within that domain namespace will be routed through / hosted by DirectAccess. On top of that you also add things like sip.yourdomain.com, av.yourdomain.com and other hostnames to be [Excluded] from name resolution and allow the client to use local name resolution instead. Especially for things like Lync and some other services you want.

    For example:

    *.yourdomain.com [DNS64]
    sip.yourdomain.com [Exclude]
    av.yourdomain.com [Exclude]
    webconf.yourdomain.com [Exclude]
    webext.yourdomain.com [Exclude]
    lyncdiscover.yourdomain.com [Exclude]
    ...


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, December 12, 2012 4:07 PM
  • Is there a particular reason you want to go with force tunneling? In my opinion it has many more disadvantages than advantages. Also, "split tunneling" does not mean the same thing that it used to long ago with VPN; the old mentality that it's a bad thing just doesn't fit the bill for DirectAccess: http://www.ivonetworks.com/news/2011/05/why-split-tunneling-with-directaccess-is-not-only-for-thrillseekers/

    Friday, December 14, 2012 2:39 AM
  • Where did this .(dot) theory actually come from?

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, December 14, 2012 4:25 PM
  • This is where the .(dot) theory came from.  .dot theory

    We need to do forced tunneling due to security requirements, but because of Lync not working we would need to do split tunneling, but we need a way to have all traffic by default go via the UAG server and only selected traffic like Lync not do that.

    At the moment I don't think DirectAccess will be the platform we will be going forward with due to this.

    Saturday, December 15, 2012 12:40 AM
  • Did you get this working?

    Would using this setup not actually break captive portal hotspots, as the client wouldn't be able to connect to it in the first place, as . (which the hotspot would be) is trying to go down a tunnel that does not yet exist!

    Res

    Wednesday, April 10, 2013 4:33 PM
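The exclusion table in Boudewijn's reply and the captive-portal concern in the last post both come down to how the client picks one NRPT rule per name. The following is an added example, not code from this thread or from Windows: a Python model of that selection, assuming standard NRPT semantics (longest matching namespace wins; an [Exclude] rule and "no rule matched" both mean local resolution); the DNS64 address and the hostnames are constructed samples.

```python
# Added example (not code from this thread): a small model of how a DirectAccess
# client selects an NRPT rule for a name. Assumed semantics, matching Windows
# NRPT behaviour: the longest matching namespace wins; a rule carrying DNS64
# servers sends the query over the IPsec tunnel; an [Exclude] rule (no servers)
# and "no rule matched" both fall back to local, interface-based resolution.
# The server address and hostnames below are constructed samples.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str                  # ".yourdomain.com" (suffix), "sip.yourdomain.com" (FQDN), or "."
    dns64_servers: Tuple[str, ...]  # empty tuple => exclusion, resolve locally

    def matches(self, fqdn: str) -> bool:
        name, ns = fqdn.rstrip(".").lower(), self.namespace.lower()
        if ns == ".":                       # catch-all: every name is beneath the root
            return True
        if ns.startswith("."):              # suffix rule: any name beneath the domain
            return name.endswith(ns)
        return name == ns                   # FQDN rule: exact match only


def select_rule(fqdn: str, rules: Sequence[NrptRule]) -> Optional[NrptRule]:
    """Most specific (longest namespace) matching rule, or None."""
    hits = [r for r in rules if r.matches(fqdn)]
    return max(hits, key=lambda r: len(r.namespace)) if hits else None


def resolve_via(fqdn: str, rules: Sequence[NrptRule]) -> str:
    """'dns64' if the query is sent through the DirectAccess tunnel, else 'local'."""
    rule = select_rule(fqdn, rules)
    return "dns64" if rule and rule.dns64_servers else "local"


DNS64 = ("2001:db8::1",)  # constructed placeholder for the DA server's DNS64 address
LYNC_EXCLUDES = [NrptRule(h + ".yourdomain.com", ()) for h in
                 ("sip", "av", "webconf", "webext", "lyncdiscover")]

# Split-tunnel table from the thread: corporate suffix to DNS64, Lync names excluded.
SPLIT_RULES = [NrptRule(".yourdomain.com", DNS64)] + LYNC_EXCLUDES
# The "." variant asked about: a catch-all replaces the corporate suffix rule.
DOT_RULES = [NrptRule(".", DNS64)] + LYNC_EXCLUDES

if __name__ == "__main__":
    for name in ("mail.yourdomain.com", "sip.yourdomain.com",
                 "www.example.net", "portal.hotspot.example"):
        print(f"{name:24} split={resolve_via(name, SPLIT_RULES):5} dot={resolve_via(name, DOT_RULES)}")
```

Under the "." table the constructed hotspot name portal.hotspot.example is sent to the tunnel's DNS64 servers, which is the captive-portal chicken-and-egg problem raised above; under the suffix table it resolves locally.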