UAG -- Direct Access -- Networking/routing question

  • Question

  • Using UAG and Direct Access, would a user at home connected to CorpNet have the ability to split tunnel? Or if they make an internet request, would they be routed to the internet via the CorpNet FW/gateway or their home ISP connection?

    TIA,

    GmFlanagan

    Thursday, April 29, 2010 3:42 PM

Answers

  • The default configuration ensures that only corpnet traffic will pass via the DA tunnel. All other traffic will access the internet directly.

    Obviously, if you use some form of proxy definition on the clients, this may change the outcome.

    If needed you can define a "forced tunnel" to route all traffic via corpnet, but you lose performance for native Internet access.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:13 AM
    Thursday, April 29, 2010 11:01 PM
  • That's right. However, the issue of split tunneling as understood in the world of VPN, in the context of users "bridging" connections, won't happen with DA, because the user will not be able to establish the IPsec tunnel required. In an overall analysis, whether split tunneling is enabled or not makes very little difference in the overall security posture of the DA client. When you compare the nominal security advantage (if any) of disabling split tunneling with the potentially profound negative impact of forcing your entire population of users to use IP-HTTPS and the significant hit on your corporate Internet bandwidth, you'll soon find that there was a good reason why we decided to leave split tunneling as the default.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:13 AM
    Friday, April 30, 2010 12:34 PM
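An added check, not part of this thread and not Microsoft's own tooling, that reports which of the two modes Jason and Tom describe a DirectAccess client is in (default split tunnel, or forced tunnel via IP-HTTPS) and lists the namespaces the effective NRPT sends to the corpnet DNS servers. It assumes the `Force_Tunneling` value under the `v6Transition` policy key written by the "Route all traffic through the internal network" policy, and the "Settings for <namespace>" / "Key : Value" layout of `netsh namespace show effectivepolicy`; both are assumptions taken from DA documentation, not from this page.

```powershell
# Added example (not from the thread). Run on a DA client, elevated.
# Assumption: the force-tunneling GPO writes this value; absent = split tunnel (default).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'

function Get-DaTunnelMode {
    $v = Get-ItemProperty -Path $policyKey -Name 'Force_Tunneling' -ErrorAction SilentlyContinue
    if ($v -and $v.Force_Tunneling -eq 'Enabled') { return 'ForceTunnel' }
    return 'SplitTunnel'   # default: only corpnet names/prefixes traverse the DA tunnel
}

function Get-DaNrptRules {
    # Parse the effective NRPT printed by netsh (assumed layout: a "Settings for X"
    # header per rule followed by "Key : Value" lines).
    $rules = @()
    $current = $null
    foreach ($line in (netsh namespace show effectivepolicy)) {
        if ($line -match '^Settings for\s+(.+?)\s*$') {
            $current = [pscustomobject]@{ Namespace = $matches[1]; DnsServers = ''; Proxy = '' }
            $rules += $current
        } elseif ($current -and $line -match '^DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $current.DnsServers = $matches[1].Trim()
        } elseif ($current -and $line -match '^DirectAccess \(Proxy Settings\)\s*:\s*(.*)$') {
            $current.Proxy = $matches[1].Trim()
        }
    }
    return $rules
}

$mode = Get-DaTunnelMode
Write-Host "DirectAccess tunnel mode: $mode"
Write-Host "Namespaces resolved through the DA tunnel (effective NRPT rules with DA DNS servers):"
Get-DaNrptRules | Where-Object { $_.DnsServers } |
    Format-Table Namespace, DnsServers, Proxy -AutoSize
if ($mode -eq 'ForceTunnel') {
    Write-Host "All traffic, including ordinary Internet access, is routed via corpnet (IP-HTTPS)."
} else {
    Write-Host "Only the namespaces above use the tunnel; other Internet traffic leaves via the local ISP."
}
```

A client-side proxy definition (as Jason notes) can still redirect browser traffic regardless of what this reports, so check the Proxy column and any WinHTTP/IE proxy settings alongside it.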

All replies

  • Perfect, clearly explained and understood.
    Thank you, Tom and Jason.

    Friday, April 30, 2010 6:34 PM
  • Hi GM,

    You bet!

    I have some information on the "Edge Man" blog on split tunneling.

    I'll have an even more detailed analysis of this situation on the UAG Team Blog sometime this week - so keep your eyes out for that. It'll cover some other security considerations for DA as well.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 3, 2010 2:31 PM