What source IP address will network devices see for DA Clients?

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess

tshinder -> What source IP address will network devices see for DA Clients? (26.Apr.2010 12:14:09 PM)

What IP address will network devices see related to DA client connections?

The answer is "it depends".

If you're using NAT64/DNS64, then, as with other NAT solutions, the source IP address you'll see will be the IP address of the internal interface of the UAG server.

For non-IPv4 communications, you'll see IPv6 addresses:
- 6to4 uses 2002::/16.
- Teredo uses 2001::/32, with the next 32 bits as the v4 address of the DA server.
- IP-HTTPS has a specified prefix that you can see when you run ipconfig, or you can find that information in the DA configuration console in the UAG management console.

While I consider this interesting and potentially useful information, it does seem to carry on some legacy thinking about VPN clients and trying to equate them with DA clients. This is a mistaken way of thinking and isn't consistent with how you should think of DA clients. The right way to think of DA clients is that *they are no different than any other clients - including those clients that are currently connected to the corpnet*

As discussed in a security paper on DA client security that we'll be releasing soon, the DA client should be considered no more or less secure than any other host on or off your network. Since there are relatively few client systems that never leave the corpnet these days, the DA client security model represents the new de facto standard.

HTH,
Tom
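The prefixes Tom lists are what a firewall or log reviewer would key on to tell which transition technology a DirectAccess client arrived over. The script below is an added example, not code from the thread or from UAG: it classifies a source address as NAT64-translated IPv4, 6to4, Teredo, IP-HTTPS, or other, and for 6to4 and Teredo recovers the embedded IPv4 addresses. The Teredo client address and port recovery uses the RFC 4380 layout (the last 48 bits are the client's port and IPv4 XORed with all-ones), which goes beyond what the post states. The IP-HTTPS prefix (`2001:db8:1:1000::/64`) and the `src=` log lines are constructed placeholders; substitute the prefix the DA wizard assigned on your UAG server.

```python
import ipaddress

# Assumption: the IP-HTTPS prefix is whatever the UAG DirectAccess wizard assigned.
# This documentation prefix is a constructed stand-in, not a real UAG value.
IPHTTPS_PREFIX = ipaddress.ip_network("2001:db8:1:1000::/64")
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # from the post
TEREDO = ipaddress.ip_network("2001::/32")      # from the post


def classify(addr_str, iphttps_prefix=IPHTTPS_PREFIX):
    """Return a dict describing which DA transport a source address belongs to."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        # NAT64/DNS64 case: the address is the UAG internal interface, so the
        # real client cannot be recovered from it.
        return {"technology": "IPv4", "note": "NAT64: UAG internal interface"}

    bits = int(addr)
    if addr in SIXTOFOUR:
        # 2002:WWXX:YYZZ::/48 -- bits 16..47 carry the client's public IPv4.
        client = ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF)
        return {"technology": "6to4", "client_ipv4": str(client)}

    if addr in TEREDO:
        # 2001:0000:<server v4>:<flags>:<~port>:<~client v4>  (RFC 4380 layout)
        server = ipaddress.IPv4Address((bits >> 64) & 0xFFFFFFFF)
        port = ((bits >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {
            "technology": "Teredo",
            "server_ipv4": str(server),
            "client_ipv4": str(client),
            "client_port": port,
        }

    if addr in iphttps_prefix:
        return {"technology": "IP-HTTPS"}

    return {"technology": "other IPv6"}


def summarize(log_lines, iphttps_prefix=IPHTTPS_PREFIX):
    """Count DA transports seen in 'src=<addr>' fields of firewall-style log lines."""
    counts = {}
    for line in log_lines:
        for field in line.split():
            if field.startswith("src="):
                tech = classify(field[len("src="):], iphttps_prefix)["technology"]
                counts[tech] = counts.get(tech, 0) + 1
    return counts


# Constructed sample log lines (not real UAG or firewall output).
SAMPLE_LOG = [
    "allow src=2002:c000:204::1 dst=2001:db8:1::5 proto=tcp dport=445",
    "allow src=2001:0:c000:201:0:63bf:3fff:fdde dst=2001:db8:1::5 proto=tcp dport=443",
    "allow src=2001:db8:1:1000::10 dst=2001:db8:1::5 proto=tcp dport=135",
    "allow src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src = [f for f in line.split() if f.startswith("src=")][0][4:]
        print(src, "->", classify(src))
    print(summarize(SAMPLE_LOG))
```

The bit arithmetic is deliberately explicit so the prefix layouts are visible; for a quick cross-check, the standard library exposes the same decoding through `IPv6Address.sixtofour` and `IPv6Address.teredo`. Because the IPv4 branch can only ever name the UAG internal interface, any per-client policy or forensic correlation has to be done on the UAG side or on the IPv6 address before translation.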