Direct access OTP and internet browse disable

  • Question

  • Dear All,

    As you all know, DirectAccess doesn't support OTP with force tunneling. As per my environment's security standards, we need to disable internet browsing while DirectAccess is connected. I know that if I enable a group policy to disable proxy settings this can be achieved; however, if the user doesn't connect to DirectAccess, the user should be able to browse the internet. I would like to know whether I can use a script to disable internet browsing while the DirectAccess client connects and enable internet browsing as soon as DirectAccess disconnects.


    Sanka Perera

    Monday, March 16, 2015 4:16 PM

All replies

  • Hi,

    Complex problem. If it's not possible to enable force tunneling with DirectAccess or force a proxy, the only solution I found is to restrict outgoing protocols at the DirectAccess client firewall level. HTTP/HTTPS would be allowed at subnet level only (to allow connecting to the Wi-Fi portal). Internet destinations would be blocked. But watch out to allow an exception for IP-HTTPS.

    This needs to be fully tested on some clients before you put that in production at larger scale.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Monday, March 16, 2015 7:38 PM
    Monday, March 16, 2015 7:38 PM
  • Hi Benoit,

    Thanks for the reply,

    How can I achieve this: "HTTP/HTTPS would be allowed at subnet level only"?

    Internet destinations would be blocked (but the DirectAccess site is on the internet).

    Kindly help me with the firewall rules.


    Sanka Perera

    Tuesday, March 17, 2015 5:32 PM
  • In the Windows Firewall console, go to the outbound rules and create a new rule for the TCP 80 protocol that allows the connection for the Public and Private Windows Firewall profiles. If you customize this rule on the scope, just add RFC 1918 addresses in the remote IP addresses. Do the same for HTTPS.

    Next move is to configure a block rule for HTTP and HTTPS whatever the destination, and a final rule that allows access to the IP-HTTPS interface of the DirectAccess gateway.

    I do not have time to test, but it could work. One other solution would be to use a connection security rule that allows HTTP/HTTPS on the local subnet (AKA Local subnet) and another that blocks HTTP/HTTPS on another predefined set of computers called Internet.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 17, 2015 6:28 PM
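The three outbound rules described in the reply above, as an added PowerShell example that is not code from the thread or from any participant, using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. It assumes a placeholder gateway address ($DaGatewayIp) and adds one caveat the thread does not mention: Windows Firewall evaluates Block rules before Allow rules, so a block rule scoped to any destination would also defeat the local-subnet and gateway allow rules; the block rule is therefore scoped to the complement of the addresses that must stay reachable.

```powershell
# Added example, not from the thread. Run elevated on a test client first, then
# deploy the same rules via GPO. IPv4 only: traffic inside the DirectAccess
# tunnel is IPv6 and is not matched by these rules.
$DaGatewayIp = '203.0.113.10'   # placeholder (RFC 5737 range): public IP-HTTPS address of the DA gateway
$Rfc1918     = '10.0.0.0-10.255.255.255', '172.16.0.0-172.31.255.255', '192.168.0.0-192.168.255.255'

function ConvertTo-Int64 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                      # network order -> little-endian for BitConverter
    [long][BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-Int64 ([long]$N) {
    $b = [BitConverter]::GetBytes([uint32]$N); [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}
# Every IPv4 address NOT covered by $Ranges ("a-b" or single addresses), as "a-b" strings the firewall accepts.
function Get-ComplementRanges ([string[]]$Ranges) {
    $sorted = foreach ($r in $Ranges) {
        $p = $r -split '-'
        [pscustomobject]@{ Start = ConvertTo-Int64 $p[0]; End = ConvertTo-Int64 $p[-1] }
    }
    $cursor = [long]0; $out = @()
    foreach ($r in ($sorted | Sort-Object Start)) {
        if ($r.Start -gt $cursor) { $out += ('{0}-{1}' -f (ConvertFrom-Int64 $cursor), (ConvertFrom-Int64 ($r.Start - 1))) }
        $cursor = [Math]::Max($cursor, $r.End + 1)   # Max copes with overlapping ranges
    }
    if ($cursor -le 0xFFFFFFFF) { $out += ('{0}-255.255.255.255' -f (ConvertFrom-Int64 $cursor)) }
    $out
}

$Keep = $Rfc1918 + $DaGatewayIp    # destinations that remain reachable on 80/443
# 1) HTTP/HTTPS to RFC 1918 only (Wi-Fi portals); explicit so it still holds if the profile default becomes Block
New-NetFirewallRule -DisplayName 'DA - allow web to local networks' -Direction Outbound -Profile Public,Private `
    -Protocol TCP -RemotePort 80,443 -RemoteAddress $Rfc1918 -Action Allow
# 2) IP-HTTPS (TCP 443) to the DirectAccess gateway
New-NetFirewallRule -DisplayName 'DA - allow IP-HTTPS to gateway' -Direction Outbound -Profile Public,Private `
    -Protocol TCP -RemotePort 443 -RemoteAddress $DaGatewayIp -Action Allow
# 3) Block HTTP/HTTPS to everything else; the scope excludes 1) and 2) because Block rules beat Allow rules
New-NetFirewallRule -DisplayName 'DA - block web to Internet' -Direction Outbound -Profile Public,Private `
    -Protocol TCP -RemotePort 80,443 -RemoteAddress (Get-ComplementRanges $Keep) -Action Block
```

Verify the result with `Get-NetFirewallRule -DisplayName 'DA - *' | Get-NetFirewallAddressFilter` before deploying, and remember that the gateway is usually reached by hostname, so the rule must be updated if its public address changes.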