Channel: Network Infrastructure Servers forum

DirectAccess - Selective Tunnelling for White-listed Public Services


We have a requirement for access to certain public web sites to be tunnelled internally over DirectAccess. This is because those services are white-listed for our own organisation's public IP or are directed through a VPN.

DirectAccess is currently configured on Server 2012 R2 using split tunnelling and IP-HTTPS. We have tested this with a client-side proxy and a pure cloud Internet proxy. The browsers reference a PAC file in order to determine whether they are connected to the corporate network.

Richard Hicks' article has been a good basis for "selective tunnelling". Steps so far:

  1. The domain is white-listed in our PAC file, and a firewall policy allows this traffic out.
  2. The public domain has been added to the NRPT using the detected IPv6 DNS address.
  3. We've checked that the DA-connected client can resolve the public domain address using NSLOOKUP with the IPv6 DNS server as the server.
  4. We've experimented with the "DAProxyType" setting. We've tried all three options, starting with our client-side proxy. We then tried the NoProxy and UseDefault options and have had no success. Note: the browser (IE) reports a DNS server time-out, so traffic is being tunnelled. We'd previously see a forbidden message as it tried to access the site through the client's Internet connection.

What is confusing, apart from us not having a clear understanding of the DA workflow, is how this request is then routed out through the internal-facing NIC on the DA server and not the DMZ-facing NIC.

Any advice or guidance will be very much appreciated.
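The steps listed in the post (NRPT entry pointing at the DNS64 address, DAProxyType variants, client-side resolution check) can be driven and verified from PowerShell. The following is an added example, not code from the original post or from Richard Hicks' article. The suffix `.example.com`, the test host `www.example.com`, the DNS64 address `2001:db8:1:1::1` and the proxy name `proxy.corp.example.com:8080` are placeholders (assumptions) to be replaced with the real values; the cmdlets are the standard RemoteAccess module (server side) and DnsClient / DirectAccessClientComponents module (client side) cmdlets.

```powershell
# Added example, not from the original post or Richard Hicks' article.
# All values below are placeholders (assumptions); replace with your own.
$Suffix    = '.example.com'                   # public suffix to tunnel (leading dot = whole suffix)
$Dns64     = '2001:db8:1:1::1'                # DA server's DNS64 address, as shown for the internal suffix
$TestHost  = 'www.example.com'                # a host under $Suffix to test with
$ProxyName = 'proxy.corp.example.com:8080'    # only needed for -DAProxyType Custom

# ---- Run on the DirectAccess server (RemoteAccess module) ----------------------

# Existing NRPT entries DA pushes to clients. The internal suffix row shows the
# DNS64 address that the public suffix must reuse so its queries go down the tunnel.
Get-DAClientDnsConfiguration | Format-Table -AutoSize

# Add the public suffix so DA clients resolve it via DNS64 and tunnel it (step 2 of the post).
# DAProxyType accepts NoProxy, UseDefault or Custom; these are the three options the post tried.
Add-DAClientDnsConfiguration -DnsSuffix $Suffix -DnsIPAddress $Dns64 -DAProxyType UseDefault -PassThru

# Switching the proxy behaviour for the same entry without recreating it:
# Set-DAClientDnsConfiguration -DnsSuffix $Suffix -DAProxyType NoProxy
# Set-DAClientDnsConfiguration -DnsSuffix $Suffix -DAProxyType Custom -ProxyName $ProxyName

# ---- Run on a connected DA client --------------------------------------------

# Pick up the new NRPT rule, then show the effective policy for the suffix.
gpupdate /force | Out-Null
Get-DnsClientNrptPolicy | Where-Object Namespace -eq $Suffix | Format-List *

# Tunnel state: Status should be ConnectedRemotely for this test to mean anything.
Get-DAConnectionStatus

# Step 3 of the post, done with Resolve-DnsName instead of NSLOOKUP: the answer should be
# an AAAA record synthesized by DNS64 (the DA server's NAT64 prefix), not the public A record.
Resolve-DnsName -Name $TestHost -Type AAAA -Server $Dns64

# Resolution through the normal resolver should now give the same synthesized AAAA,
# which is what makes the browser send the traffic over DirectAccess.
Resolve-DnsName -Name $TestHost -Type AAAA

# Finally, confirm that the synthesized address is actually reachable over the tunnel.
Test-NetConnection -ComputerName $TestHost -Port 443 -InformationLevel Detailed
```

If `Resolve-DnsName -Server $Dns64` returns a synthesized AAAA but the plain lookup does not, the NRPT rule has not reached the client (check `Get-DnsClientNrptPolicy` output and Group Policy). If both lookups succeed but `Test-NetConnection` fails, name resolution is fine and the problem is on the path from the DA server's NAT64 out to the Internet, which is the routing question raised in the post.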

