• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Can I send all traffic through the DirectAccess Connection?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> Can I send all traffic through the DirectAccess Connection? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Can I send all traffic through the DirectAccess Connect... - 4.May2010 11:58:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes - we call that "Force Tunneling" in DirectAccess (DA) lingo. Force Tunneling allows you to force all traffic through the DA connection. Some admins consider Force Tunneling to be the last link in the chain of true DirectAccess client security and what truely separate the threat model of a traditional "bolted-in" corpnet clent from a roaming client. When you Force Tunnel your DA clients, all traffic always goes through the DA tunnels. That means you can enforce your Internet connection policies on DA clients like you do on clients that are connected directly to the corpnet. The locks down the threat posed by downloading malware (which is the most often source of zero-day threats) from the Internet.

Force tunneling requires that you always use IP-HTTPS, so there might be a performance hit. Also, you will need to use a Web proxy device that understands IPv6, or use the UAG NAT64/DNS64 to insure seamless Internet connectivity. Finally, you need to consider the perfomance requirements on your corporate Internet link, since all your coprnet and DA clients are going to have to use it.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Can I send all traffic through the DirectAccess Con... - 27.Jan.2011 8:09:30 AM   
PatrickM

 

Posts: 111
Joined: 23.May2001
From: Skutskär, Sweden
Status: offline
Hi,

I have some questions on this setup. (Force tunneling)

Is it possible to route traffic through the tunnel originating from IPv4-addresses? ,if you have an application accessing IP-address instead of FQDNs.

Is it possible to make all DNS lookups go throuh DNS64? (maybe except da.xdom.real & crl.xdom.real??)
..like add something of a wildcard to make all DNS-querys end up at UAG (DNS64)??.
Name Suffix
*.* [DNS64]

Existing today:
Name Suffix
*.xdom.real [DNS64]
da.xdom.real [Excluded]
crl.xdom.real [Excluded]
internal-check-website.xdom.real [Excluded]

Thanks

< Message edited by PatrickM -- 27.Jan.2011 10:13:09 AM >


_____________________________

Patrick.M
MCP on Microsoft Proxy 2.0

(in reply to tshinder)
Post #: 2
RE: Can I send all traffic through the DirectAccess Con... - 27.Jan.2011 11:41:32 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Patrick,

Good question.

All domains that you list on the NRPT (except for the exemptions) go through DNS64. And DNS64 always returns an IPv6 address to the DirectAccess client, because the DirectAccess client only understands IPv6 when connecting to the intranet. If you try to use IPv4 addresses, the connection will fail. If all DNS queries go to DNS64, then all the connection requests will go through the DirectAccess server - which means you either need to bounce the connections off the UAG DirectAccess server or configure the DirectAccess clients to use a proxy through your intranet.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to PatrickM)
Post #: 3
RE: Can I send all traffic through the DirectAccess Con... - 31.Jan.2011 9:48:07 AM   
PatrickM

 

Posts: 111
Joined: 23.May2001
From: Skutskär, Sweden
Status: offline
Tom, thanks for explaining..

I tried som stuff in the NRPT registry values:
Test 1: *.net (resolve the root-domain .net)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig
Key: "UAGDA Rule 1"
"Name" .net

Test 2: * (whole Internet)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig
Key: "UAGDA Rule 1"
"Name" . <---One Dot!

In both cases ping resolvs throu DNS64 on UAG (passing it on to internal DNS servers) and everything resolves OK. (*.net in test 1. & all DNS querys in test2)

But surfing through ie (proxy enabled) fails as explained:
In test 1 DA client can access all webpages exept pages ending with .net (ex. java.net fails)
looking at ipconfig /displaydns you can see that java.net is present with a IPv6 address, but ex. hp.com is not present in DNS cache which works just fine in ie. (hp.com is not resolvet at client)
Looking at UAG (DA) java.net is denied with its IPv6

In test 2 DA client cannot access any webpages at all. And it looks lite nothing is sent to proxy, UAG denys it all with IPv6-addresses
ipconfig /displaydns you can see all lookups to the faild webpages, and there is nothing sent to proxy.

Does DNS64 lookup take presence over proxy in ie?

Any guidence regarding this behavour?

Thank You.

_____________________________

Patrick.M
MCP on Microsoft Proxy 2.0

(in reply to tshinder)
Post #: 4
RE: Can I send all traffic through the DirectAccess Con... - 1.Feb.2011 6:58:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This odd because the DNS64 service in a web proxy scenario isn't doing any name resolution - the web proxy typically does name resolution on behalf of the client.

The NAT64 component will enable you to connect to an IPv4 web proxy server, such as the TMG firewall, since it will translate the IPv4 address of the web proxy listener. But name resolution takes place in the client/server web proxy "tunnel".

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to PatrickM)
Post #: 5
RE: Can I send all traffic through the DirectAccess Con... - 2.Feb.2011 2:38:00 AM   
PatrickM

 

Posts: 111
Joined: 23.May2001
From: Skutskär, Sweden
Status: offline
quote:

ORIGINAL: tshinder
This odd because the DNS64 service in a web proxy scenario isn't doing any name resolution - the web proxy typically does name resolution on behalf of the client.

I totaly agree!
And nameresolution of sites visited should not typically get DNScached at DA client at all (ipconfig /displaydns)

quote:

ORIGINAL: tshinder
The NAT64 component will enable you to connect to an IPv4 web proxy server, such as the TMG firewall, since it will translate the IPv4 address of the web proxy listener. But name resolution takes place in the client/server web proxy "tunnel".

Yes, as in this case an internal ISA proxy (on same DMZ as the UAG-DA server)
And when in this case, NRTP table contains <"Name" *.net> the ISA proxy does not receve any "proxy traffic" regarding *.net-websites from DA client at all. Seems like DA client tryes to "surf" outside "proxy tunnel" and therefore doing the nameresolution itself. Traffic to *.com sites is confirmed as going through "proxy tunnel"
I have now confirmed FW/Proxy-Logs on ISA, TMG(DA) and Netmon traces that this behavour is occuring.

Either;
1. this is an effect of something beeing micongured or.
2. Or NRTP config with DNS64 lookup take presence over proxy in ie.

Anyone else seen this behavour?
..........
EDIT: figured that maybe "Bypass proxyserver for local addresses" might be involved in this, and somehow IE would consider all websites in *.net "zone" as internal,
Tried to uncheck, but no success still.
..........
Cheers =)

< Message edited by PatrickM -- 2.Feb.2011 7:42:53 AM >


_____________________________

Patrick.M
MCP on Microsoft Proxy 2.0

(in reply to tshinder)
Post #: 6
RE: Can I send all traffic through the DirectAccess Con... - 10.Feb.2011 6:57:52 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Patrick,

When you configured the UAG SP1 DirectAccess server, did you configure force tunneling to use a web proxy, or did you configure it to "bounce" the connection off the DirectAccess server?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to PatrickM)
Post #: 7
RE: Can I send all traffic through the DirectAccess Con... - 10.Feb.2011 7:41:33 AM   
PatrickM

 

Posts: 111
Joined: 23.May2001
From: Skutskär, Sweden
Status: offline
Hi!

First, we're not up on SP1.. yet..

I did set the IE proxy on the client (manually) if that's what you mean?
&Interenet& <----> |ISAproxy| <-ipv4-> |UAG-DA-srv| <-ipv6/IPHTTPS-> /Client\


With "bounce" you mean no proxy and that traffic would flow like this?:
&Interenet& <-------> |GW| <---ipv4---> |UAG-DA-srv| <-ipv6/IPHTTPS-> /Client\


Thanks

_____________________________

Patrick.M
MCP on Microsoft Proxy 2.0

(in reply to tshinder)
Post #: 8
RE: Can I send all traffic through the DirectAccess Con... - 25.Oct.2011 3:07:18 AM   
PatrickM

 

Posts: 111
Joined: 23.May2001
From: Skutskär, Sweden
Status: offline
Just pinging back that the step-up to UAG2010SP1 solved it, now proxy autoconfig on clients works lika a charm when DA tunnel is ut.

:)

_____________________________

Patrick.M
MCP on Microsoft Proxy 2.0

(in reply to PatrickM)
Post #: 9
RE: Can I send all traffic through the DirectAccess Con... - 9.Jan.2014 5:09:25 AM   
armia741

 

Posts: 1
Joined: 9.Jan.2014
From: java
Status: offline
The NAT64 component will enable you to connect to an IPv4 web proxy server, such as the TMG firewall, since it will translate the IPv4 address of the web proxy listener.

_____________________________

Play online

(in reply to PatrickM)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> Can I send all traffic through the DirectAccess Connection? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts