TechNet Wiki Pick for the Week: Why Split Tunneling is Not a Security Issue with DirectAccess

Tom Shinder is a highly respected subject matter expert on networking, security and a variety of products that fall into those categories. Tom joined Microsoft not long ago and I spotted one of his articles on the new TechNet Wiki. Here’s an excerpt:

DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DirectAccess IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DirectAccess clients from bringing the corporate Internet connection to its knees.

However, it has left the issue of potential risks of split tunneling in the minds of administrators who are considering DirectAccess. One option is to use “force tunneling”.
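The excerpt describes the two modes as a routing decision on the client: corpnet traffic enters the IPsec tunnels, everything else leaves the local interface unless force tunneling is on. The following PowerShell is an added example, not code from the Wiki article or from Tom Shinder; it reports which mode a DirectAccess client is actually in. It assumes Windows 8 / Windows Server 2012 or later (the `DnsClient` and `NetTCPIP` modules, which are newer than the UAG-era setup the article describes), and it assumes the usual way force tunneling is expressed on the client, namely an NRPT rule whose namespace is `.`, sending every name through the DirectAccess DNS server.

```powershell
# Added example (not from the TechNet Wiki article or Tom Shinder's code).
# Reports, from the defender's side, whether this DirectAccess client is
# split tunneling (the default the article describes) or force tunneling.
#
# Assumptions (labelled): Windows 8 / Server 2012 or later, where the
# DnsClient module exposes Get-DnsClientNrptPolicy and NetTCPIP exposes
# Get-NetRoute. Force tunneling shows up as an NRPT rule for namespace ".",
# so its absence, together with a default route on a local interface, is the
# split-tunneling signature from the excerpt.

function Get-DirectAccessTunnelMode {
    [CmdletBinding()]
    param()

    # Effective Name Resolution Policy Table rules delivered by Group Policy.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)

    # Corporate namespaces that resolve through the DirectAccess DNS server;
    # traffic to these names is what goes over the IPsec tunnels.
    $corpNamespaces = @($nrpt |
        Where-Object { $_.Namespace -ne '.' -and $_.DirectAccessDnsServers } |
        Select-Object -ExpandProperty Namespace)

    # A catch-all "." rule is what force tunneling installs on the client.
    $forceRule = $nrpt | Where-Object { $_.Namespace -eq '.' }

    # IPv4 default route(s): under split tunneling these point at the local
    # (home / hotspot) interface, i.e. Internet traffic never touches corpnet.
    $defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric)

    [pscustomobject]@{
        Mode           = if ($forceRule) { 'ForceTunneling' } else { 'SplitTunneling' }
        CatchAllRule   = [bool]$forceRule
        CorpNamespaces = $corpNamespaces
        InternetRoutes = $defaultRoutes
    }
}

# Usage: shows the mode, the namespaces carried by the tunnels, and which
# interface carries Internet-bound traffic.
Get-DirectAccessTunnelMode | Format-List
```

Run it on a DirectAccess client as an administrator. `Mode` is the answer to the question the excerpt raises; `CorpNamespaces` lists what actually rides the tunnels, and `InternetRoutes` shows where everything else goes. The switch itself is made on the server: on Windows Server 2012 and later the RemoteAccess module's `Set-DAClient -ForceTunnel Enabled` turns force tunneling on (the article's UAG-era setup used the equivalent Group Policy setting instead).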

See the full article at  This is a great read.  Feel free to add your experiences to the Wiki article. It’s the TechNet Wiki way!

Comments (2)

  1. Rob S says:

    I read the article and while I agree that split tunneling is less insecure than previous, it still presents some serious risks. For instance, if an application layer SOCKS or NAT daemon was running (let’s say dropped by some type of 0-day vulnerability), the traffic would be routable to your corporate network. Just because old-fashioned IP routing wouldn’t work, doesn’t mean there aren’t some very easy ways in. Either a system should be part of your corporate network or not. I think the always connected VPN that remains accessible to the Internet as well is bad news.

  2. thomas w shinder - msft says:

    Hi Rob S,

    You’re right about that – and I’m doing a follow up blog entry that discusses this issue in more detail, taking into account the scenario that you mention. If everything goes right, it’ll be up on the UAG Team Blog next week. If you would like to review the article before it’s published, send me a note at
