DirectAccess - How to configure force tunneling for DA so that clients are forced to use IP-HTTPS

Q. How to configure force tunneling for DA so that clients are forced to use IP-HTTPS

A. To configure force tunneling, you must enable force tunneling on DirectAccess clients through Group Policy and add a special entry in the NRPT.

To enable force tunneling with Group Policy, enable the Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Route all traffic through the internal network setting in the Group Policy object for DirectAccess clients.

For More Info: Choose an Internet Traffic Separation Design https://technet.microsoft.com/en-us/library/ee382262(WS.10).aspx

You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients that detect that they are on the Internet modify their IPv4 default route so that default route IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.

Enabling force tunneling has the following consequences:

- DirectAccess clients use only Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) to obtain IPv6 connectivity to the DirectAccess server over the IPv4 Internet. IP-HTTPS-based connections have lower performance and higher overhead on the DirectAccess server than 6to4 and Teredo-based connections.

- The only locations that a DirectAccess client can reach by default with IPv4 traffic are those on its local subnet. All other traffic sent by the applications and services running on the DirectAccess client is IPv6 traffic sent over the DirectAccess connection. Therefore, IPv4-only applications on the DirectAccess client cannot be used to reach Internet resources, except those on the local subnet.

- Connectivity to the IPv4 Internet must be done through servers and devices on the intranet that translate the IPv6 traffic from DirectAccess clients to IPv4 traffic for the IPv4 Internet. If you do not have the appropriate servers or translators, your DirectAccess clients will not have access to IPv4 Internet resources, even though they are directly connected to the IPv4 Internet.
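As an added example (not part of the original answer or of Microsoft's documentation), the following PowerShell script checks on a DirectAccess client whether the behaviour described above is actually in effect after the Group Policy and NRPT changes: the IP-HTTPS interface is active, Teredo and 6to4 are not carrying the connection, and the IPv4 default route situation and the effective NRPT namespaces are reported for review. It assumes a Windows 8 / Windows Server 2012 or later client with the NetTCPIP, NetworkTransition and DnsClient modules, run from an elevated session while the client is on the Internet; the function name Test-DAForceTunnel is a hypothetical one chosen for this example.

```powershell
# Added example: verify that DirectAccess force tunneling is in effect on a client.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP, NetworkTransition, DnsClient modules).
# Run in an elevated PowerShell session on the DirectAccess client while it is on the Internet.

function Test-DAForceTunnel {
    [CmdletBinding()]
    param()

    $findings = [ordered]@{}

    # 1. With force tunneling the client modifies its IPv4 default route so that
    #    default-route IPv4 traffic is not sent. Report whatever 0.0.0.0/0 routes
    #    remain (interface and metric) so they can be reviewed.
    $v4Default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $findings['IPv4DefaultRoutes'] = ($v4Default |
        ForEach-Object { "$($_.InterfaceAlias) via $($_.NextHop) metric $($_.RouteMetric)" }) -join '; '
    $findings['IPv4DefaultRouteAbsent'] = ($null -eq $v4Default)

    # 2. IP-HTTPS must be the transition technology carrying the tunnel.
    $ipHttps = Get-NetIPHttpsState
    $findings['IPHttpsActive']    = ($ipHttps.InterfaceStatus -like '*active*')
    $findings['IPHttpsLastError'] = $ipHttps.LastErrorCode

    # 3. Teredo and 6to4 should not be providing IPv6 connectivity.
    $teredo = Get-NetTeredoState
    $findings['TeredoOffline'] = ($teredo.State -eq 'offline')
    $sixToFour = Get-Net6to4Configuration
    $findings['6to4State'] = $sixToFour.State

    # 4. Effective NRPT rules delivered by Group Policy, including the DirectAccess
    #    entry, listed by namespace for manual review.
    $findings['NrptNamespaces'] = (Get-DnsClientNrptPolicy |
        Select-Object -ExpandProperty Namespace) -join ', '

    # Overall verdict: IP-HTTPS is up and Teredo is not in use.
    $findings['ForceTunnelLikelyActive'] = $findings['IPHttpsActive'] -and $findings['TeredoOffline']

    [pscustomobject]$findings
}

Test-DAForceTunnel | Format-List
```

If IPHttpsActive is false, the LastErrorCode value is the first thing to check against the IP-HTTPS server's certificate and reachability, since with force tunneling there is no Teredo or 6to4 fallback.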