DA, force tunnelling and www.msftncsi.com

At a client – 2012 R2 IPHTTPS DA and win 10 1511…..

Client wants force tunnelling so all traffic is routed back through the internal network and the web filter etc….

Issue is, www.msftncsi.com cannot be contacted as soon as force tunnelling is enabled.

Tried a couple of basic things, such as adding msftncsi.com into the excluded DNS suffixes, no dice.

Found this article from a poor guy with the same issue – http://wmug.co.uk/wmug/b/mattwhite/archive/2014/12/18/directaccess-force-tunneling-and-a-corporate-proxy

Tried the suggestions in the article – and while the situation got better – it was still too unpredicatble for production use.

Force tunnelling isn’t something that we have asked to switch on at many clients – in fact, i think this is the first time…. its disappointing to see, what comes across a quite simple issue. Unless im missing something, MS could simply hard code clients to ignore force tunnelling only for www.msftncsi.com and make the issue go away…. which does open potential for users with local admin to use the hosts file to obtain “direct” internet access – but hey – maybe im looking at it too simplistically myself.

I think the take away here is “don’t use force tunnelling”


Leave a Reply