The disappointment of lack of Direct Access development

<rant mode: on>

Direct Access (or DA) is awesome. Much like TMG before it, it fits into a segment of the market that nothing else covers in quite the same way.

DA is fully supported in 2016, but has had no new features added. I read somewhere that while it is still supported, it is no longer under active development (but I have no credible references to back that up).

DA could go from awesome (where it is now) to super-awesome (yes, that is my technical term for it) by:

  • Allowing network control based on group at the server side (i.e. if member of this group, users are only allowed to 10.10.10.x subnet etc.)
  • Allowing more control on the client side (i.e. a group policy to optionally allow the user to enable/disable multiple optional DA entries <or just the one>)
  • Allowing creation of a DA “package” that could be sent to non-domain machines to still allow DA connections (in conjunction with the above)

Outside of that, we also had a client recently pass on that their Microsoft TAM was ragging on DA, claiming that its out-dated technology… I can only assume because “everything should be in the cloud”. Organisations aren’t going (and technically cannot in many cases) to move everything to the cloud overnight….. even if they did, clients still need to be able to get onto the corporate network – and some things companies may not wish to make some apps/data available publically – even with MFA/certs etc.

 

Anyway, this is my plea…. MS, don’t fuck up with DA like you did with TMG. Its a good product, develop it.

<rant mode: off>

DA, force tunnelling and www.msftncsi.com

At a client – 2012 R2 IPHTTPS DA and win 10 1511…..

Client wants force tunnelling so all traffic is routed back through the internal network and the web filter etc….

Issue is, www.msftncsi.com cannot be contacted as soon as force tunnelling is enabled.

Tried a couple of basic things, such as adding msftncsi.com into the excluded DNS suffixes, no dice.

Found this article from a poor guy with the same issue – http://wmug.co.uk/wmug/b/mattwhite/archive/2014/12/18/directaccess-force-tunneling-and-a-corporate-proxy

Tried the suggestions in the article – and while the situation got better – it was still too unpredicatble for production use.

Force tunnelling isn’t something that we have asked to switch on at many clients – in fact, i think this is the first time…. its disappointing to see, what comes across a quite simple issue. Unless im missing something, MS could simply hard code clients to ignore force tunnelling only for www.msftncsi.com and make the issue go away…. which does open potential for users with local admin to use the hosts file to obtain “direct” internet access – but hey – maybe im looking at it too simplistically myself.

I think the take away here is “don’t use force tunnelling”