DirectAccess – routing non-internal domains through the corporate network

I implemented DirectAccess for a client of mine recently – and all went well, up until they tried to use force tunnelling.

This client has a couple of websites that their employees use – and traffic coming from the company's IP addresses gets additional access to these web tools, so it was preferable for them to present the company IP rather than use split tunnelling.

The unfortunate thing is that force tunnelling has some issues, as we found out and as this post describes – http://wmug.co.uk/wmug/b/mattwhite/archive/2014/12/18/directaccess-force-tunneling-and-a-corporate-proxy

So, I tested another way.

Contrary to the wording of the dialogue box (the DNS page of the DirectAccess setup wizard), which to me reads as though only the specified DNS server will be used for that suffix – it implies, but never states, that all traffic for the domain will be routed over the DA connection – adding the external domain name with the DA server's DNS64 address as its DNS server results in traffic for that domain being routed over DA. The reason is that the entry lands in the client's Name Resolution Policy Table (NRPT): names under that suffix are sent to the DNS64 service on the DA server, which answers for an IPv4-only host with a synthesised IPv6 address inside the NAT64 prefix; that prefix is routed through the DA tunnel, and NAT64 on the DA server translates the connection onto the corporate network, so the website sees the company IP.

This solution does have a couple of drawbacks:

1) If your internal network does not use an inline proxy or filter, then you will have to either open your default gateway's firewall so that the DA server (where the NAT64-translated traffic emerges onto the internal network with an IPv4 source address) can reach these sites, or get force tunnelling working with a proxy.

2) If the site you're visiting gets data and images from multiple locations (such as shacknews.com), then some traffic will be routed over DA and some won't, because only names under the suffixes listed in the NRPT are resolved through DNS64; everything else resolves via the client's local DNS and goes out directly. This is likely to be less of an issue if it's for specific corporate web services as opposed to consumer gaming sites!
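The following PowerShell is an added example, not code from the original post, covering both the NRPT change described above and a client-side check that makes drawback 2 visible. It assumes Windows Server 2012 or later DirectAccess, the RemoteAccess module's Add-DAClientDnsConfiguration / Get-DAClientDnsConfiguration cmdlets on the DA server, and the DnsClient module's Get-DnsClientNrptPolicy and Resolve-DnsName on the client. The DNS64 address, NAT64 prefix, suffix and host names are placeholders you replace with your own.

```powershell
# Added example, not code from the original post. Assumes Windows Server 2012 or later
# DirectAccess with the RemoteAccess module on the server, and that you know the DA
# server's DNS64 address and NAT64 /96 prefix. All addresses and host names below are
# placeholders.

# ---- Server side (run on the DirectAccess server) ----------------------------------
$Dns64       = 'fd3e:4f5a:5b81:3333::1'   # placeholder: DNS64 address of the DA server
$Nat64Prefix = 'fd3e:4f5a:5b81:3333::'    # placeholder: matching NAT64 /96 prefix

# Put the external suffix in the NRPT that the DirectAccess Client Settings GPO pushes
# out, pointing it at DNS64 rather than the client's local resolver.
Add-DAClientDnsConfiguration -DnsSuffix '.webtool.example.com' -DnsIPAddress $Dns64

# Confirm the entry alongside the internal suffixes the wizard created.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# ---- Client side (run on a DA client outside the corporate network, after gpupdate) --
function Test-DARouting {
    <#
      For each host name, show which NRPT rule (if any) captured it, which DNS server
      answers for it, and whether the IPv6 answer sits in the NAT64 prefix. An answer
      inside that prefix means the client sends the traffic over the DA tunnel and
      NAT64 on the DA server forwards it from the corporate network.
    #>
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [Parameter(Mandatory)][string]$Nat64Prefix
    )
    # First 96 bits of the NAT64 prefix, joined for a positional byte comparison
    $prefixBytes = [System.Net.IPAddress]::Parse($Nat64Prefix).GetAddressBytes()[0..11] -join ','
    # Effective NRPT on this client, as delivered by Group Policy
    $nrpt = Get-DnsClientNrptPolicy

    foreach ($h in $HostName) {
        $rule = $nrpt | Where-Object { $h -like "*$($_.Namespace)" } | Select-Object -First 1
        # Resolve through the normal client path so the NRPT is honoured
        $aaaa = Resolve-DnsName -Name $h -Type AAAA -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
        $overDA = $false
        if ($aaaa) {
            $addrBytes = [System.Net.IPAddress]::Parse($aaaa.IPAddress).GetAddressBytes()[0..11] -join ','
            $overDA = ($addrBytes -eq $prefixBytes)
        }
        [pscustomobject]@{
            Host       = $h
            NrptRule   = if ($rule) { $rule.Namespace } else { '(none: local DNS)' }
            DnsServer  = if ($rule) { $rule.DirectAccessDnsServers -join ',' } else { '' }
            IPv6Answer = if ($aaaa) { $aaaa.IPAddress } else { '(none)' }
            OverDA     = $overDA
        }
    }
}

# Drawback 2 made visible: the tool's own host is captured by the NRPT and goes over DA,
# while a third-party host it pulls images from resolves locally and goes out directly.
Test-DARouting -HostName 'www.webtool.example.com', 'cdn.thirdparty.example.net' -Nat64Prefix $Nat64Prefix |
    Format-Table -AutoSize
```

One caveat the check surfaces: DNS64 only synthesises an address when the name has no native AAAA record. If the external site publishes its own IPv6 address, the client receives that address instead of one in the NAT64 prefix, OverDA comes back False, and the connection will not present the company IP; for such a site the proxy or force-tunnelling route is the only option.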
