DirectAccess Force Tunneling and Proxy Server Configuration

By default, DirectAccess is configured to use split tunneling. In this scenario, a remote DirectAccess client is connected to the internal corporate network and the public Internet at the same time. Some security administrators perceive split tunneling as a security risk, and the use of split tunneling may be prohibited by corporate security policy. In addition, enforcing web browsing policies on remote DirectAccess clients might be desired to reduce the risk of exposure from browsing unapproved web sites. In either case, force tunneling can be configured to meet these requirements.

When force tunneling is enabled, DirectAccess administrators can also define an on-premises proxy server for DirectAccess clients to use. The following is guidance for enabling force tunneling and configuring DirectAccess clients to use a proxy server to access the Internet.

Enabling Force Tunneling

To enable force tunneling, open the Remote Access Management console and perform the following steps.

  1. Expand Configuration and select DirectAccess and VPN.
  2. Click Edit on Step 1 Remote Clients.
  3. Click Select Groups in the navigation tree.
  4. Select the option to Use force tunneling.

Figure 1. Enable DirectAccess force tunneling in the Remote Access Management console.

Alternatively, force tunneling can quickly be enabled by opening an elevated PowerShell command window and running the following command.

Set-DAClient -ForceTunnel Enabled -PassThru

Figure 2. Enable DirectAccess force tunneling using PowerShell.

Configure a Proxy Server

Once force tunneling has been enabled, run the following PowerShell script on the DirectAccess server to configure an on-premises proxy server for DirectAccess clients to use. Be sure to substitute the fully qualified domain name (FQDN) and port of your proxy server in the $proxy variable below.

$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

$proxy = "proxy.corp.example.net:8080"

$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $rule -GpoName $gpo

If multisite is enabled and Windows 7 clients are supported, run the following PowerShell script on one DirectAccess server in each entry point.

$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

$proxy = "proxy.corp.example.net:8080"

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $downlevelrule -GpoName $downlevelgpo
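The two scripts above set the proxy on the client GPO and the down-level GPO separately and do not verify the result. The following is an added example, not part of the original post, that does the same change for both GPOs in one pass while validating the proxy value first, saving the current NRPT proxy settings for rollback, and reading the rule back to confirm the change landed. It assumes it is run elevated on a DirectAccess server (in a multisite deployment, on one server in each entry point, as the post describes for the down-level GPO); the $Proxy value is a placeholder, and the DirectAccessProxyType and DirectAccessProxyName property names are assumed from the output of Get-DnsClientNrptRule.

```powershell
# Added example: configure the DirectAccess "." NRPT rule proxy on the client
# GPO and (if present) the down-level GPO, with validation, a before-state
# snapshot and read-back verification. Placeholder proxy value below.
param(
    [string]$Proxy = 'proxy.corp.example.net:8080'
)

# Accept only fqdn:port. A typo here would break Internet access for every
# force-tunneled client, so reject anything that is not clearly host:port.
$hostPattern = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
if ($Proxy -notmatch "^(?<host>$hostPattern(?:\.$hostPattern)+):(?<port>\d{1,5})$" -or
    [int]$Matches.port -lt 1 -or [int]$Matches.port -gt 65535) {
    throw "Proxy must be specified as fqdn:port, got '$Proxy'"
}

# Warn (but do not stop) if the proxy name does not resolve from this server.
if (-not (Resolve-DnsName -Name $Matches.host -ErrorAction SilentlyContinue)) {
    Write-Warning "Could not resolve $($Matches.host) from this server"
}

$ra = Get-RemoteAccess
$gpoNames = @($ra.ClientGpoName)
if ($ra.DownlevelGpoName) { $gpoNames += $ra.DownlevelGpoName }

foreach ($fullName in $gpoNames) {
    # Get-RemoteAccess returns DOMAIN\GPO name; the NRPT cmdlets want the GPO name only.
    $gpo = $fullName.Split('\')[1]

    $rule = Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq '.'
    if (-not $rule) {
        Write-Warning "No '.' NRPT rule in GPO '$gpo'; enable force tunneling first"
        continue
    }

    # Record the current proxy settings so the change can be reversed exactly.
    [pscustomobject]@{
        Gpo       = $gpo
        Rule      = $rule.Name
        ProxyType = $rule.DirectAccessProxyType
        ProxyName = $rule.DirectAccessProxyName
    } | Export-Csv -Path "$env:TEMP\nrpt-proxy-before-$gpo.csv" -NoTypeInformation

    Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $Proxy -DAProxyType 'UseProxyName' `
        -Name $rule.Name -GpoName $gpo

    # Read the rule back: the change is only done when the GPO actually says so.
    $after = Get-DnsClientNrptRule -GpoName $gpo -Name $rule.Name
    if ($after.DirectAccessProxyType -ne 'UseProxyName' -or $after.DirectAccessProxyName -ne $Proxy) {
        throw "Verification failed for GPO '$gpo': type=$($after.DirectAccessProxyType) name=$($after.DirectAccessProxyName)"
    }
    Write-Output "GPO '$gpo': '.' rule now uses proxy $Proxy (previous settings saved to $env:TEMP\nrpt-proxy-before-$gpo.csv)"
}
```

Run it as `.\Set-DAProxy.ps1 -Proxy proxy.corp.example.net:8080` (the file name is the reader's choice). Clients pick up the new NRPT rule only after a group policy refresh while connected to the LAN, so verify on a client afterwards rather than assuming the GPO change is live.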

Remove Proxy Server

If necessary, run the following PowerShell script on the DirectAccess server to remove the proxy server. The script looks up the "." NRPT rule names again so that it can be run on its own, without the variables from the configuration script above.

$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $rule -GpoName $gpo

$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $downlevelrule -GpoName $downlevelgpo

Disable Force Tunneling

To disable force tunneling completely, run the following PowerShell command.

Set-DAClient -ForceTunnel Disabled -PassThru
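All of the steps above change group policy on the server side; whether a given client has actually received them is a separate question (as the comments below illustrate). The following is an added example, not part of the original post, of a check run on a DirectAccess client, elevated, after a group policy refresh on the LAN. It reports whether force tunneling is in effect, whether the effective "." NRPT rule carries the expected proxy, and whether the DirectAccess tunnel is up, because a force-tunneled client with no tunnel has no path to the Internet at all. The $ExpectedProxy value is a placeholder, and the ForceTunneling, DirectAccessProxyType, DirectAccessProxyName and Status property names are assumed from the output of Get-DAClientExperienceConfiguration, Get-DnsClientNrptPolicy and Get-DAConnectionStatus respectively.

```powershell
# Added example: client-side verification of force tunneling and proxy delivery.
# Run elevated on a DirectAccess client after 'gpupdate /force' on the LAN.
param(
    [string]$ExpectedProxy = 'proxy.corp.example.net:8080'   # placeholder
)

$findings = @()

# 1. Force tunneling state as delivered by the DirectAccess client GPO.
$exp = Get-DAClientExperienceConfiguration
$findings += [pscustomobject]@{
    Check = 'Force tunneling'
    Value = "$($exp.ForceTunneling)"
    Pass  = "$($exp.ForceTunneling)" -eq 'Enabled'
}

# 2. The effective NRPT rule for "." (the catch-all rule force tunneling adds).
#    -Effective shows what the DNS client is actually using, not just the GPO text.
$catchAll = Get-DnsClientNrptPolicy -Effective | Where-Object Namespace -eq '.'
if (-not $catchAll) {
    $findings += [pscustomobject]@{ Check = 'NRPT "." rule'; Value = 'missing'; Pass = $false }
} else {
    $findings += [pscustomobject]@{
        Check = 'NRPT "." proxy type'
        Value = "$($catchAll.DirectAccessProxyType)"
        Pass  = "$($catchAll.DirectAccessProxyType)" -eq 'UseProxyName'
    }
    $findings += [pscustomobject]@{
        Check = 'NRPT "." proxy name'
        Value = "$($catchAll.DirectAccessProxyName)"
        Pass  = "$($catchAll.DirectAccessProxyName)" -eq $ExpectedProxy
    }
}

# 3. Tunnel state. With force tunneling on, "ConnectedLocally" or an error
#    means the client currently has no route to anything.
$da = Get-DAConnectionStatus
$findings += [pscustomobject]@{
    Check = 'DA connection'
    Value = "$($da.Status)"
    Pass  = "$($da.Status)" -eq 'ConnectedRemotely'
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) {
    Write-Warning 'One or more checks failed; refresh group policy on the LAN and re-run before troubleshooting further'
}
```

A client that reports force tunneling Enabled but a "." proxy type other than UseProxyName is the situation the post warns about: all traffic is forced through the DirectAccess server, but no proxy has been delivered, so Internet access will not work.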

Force Tunneling Caveats

When force tunneling is enabled, the user experience is typically poor when accessing the Internet. Web browsing performance is significantly reduced because of the added protocol overhead imposed by DirectAccess IPv6 transition technologies and IPsec encryption. This problem is further compounded when users access resources that are already encrypted, such as secure web sites. Increased packet fragmentation, along with the additional network latency caused by suboptimal network paths and increased network load on the server and Internet connection all contribute to degraded network performance for DirectAccess clients.

Force Tunneling Alternatives

Instead of enabling force tunneling, consider alternative solutions to address the security concerns associated with split tunneling. For example, implement technologies that enforce web browsing policies on the client. Many secure web gateways and next-generation firewalls (NGFW) have remote filtering capabilities that allow administrators to enforce web browsing policies on remote client machines. In addition, there are some excellent cloud-based solutions such as Zscaler and OpenDNS that can protect DirectAccess clients without the drawbacks associated with force tunneling.

Additional Information

Planning and Implementing DirectAccess with Windows Server 2016 video training course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 video training course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book


9 Comments

  1. carlos

     /  November 8, 2017

    Hi
    We have a problem with force tunneling. When I activated force tunneling, the connection is OK but I can resolve any hostname, internal or Internet; without force tunneling it works correctly.

    Regards

    Reply
    • That’s unusual, and it could be caused by any number of things. I can only suggest that you make sure you are testing with a client that has updated group policy while on the LAN after enabling force tunneling. I can tell you from experience though that force tunneling can be temperamental, and it quite often doesn’t work like you expect it to. :/

      Reply
  2. Jay

     /  January 22, 2018

    When force tunneling is enabled, does all the Internet-bound client traffic simply go out through the DA server(s), or is the separate outbound proxy required?

    Reply
    • With force tunneling enabled, all client traffic is routed over the DirectAccess connection. For traffic bound for the Internet it will be routed through the DirectAccess server, but because of the limitations of the IPv6 translation technologies it typically doesn’t work. In most cases you’ll need to define a proxy server for Internet traffic to work correctly.

      Reply
  3. Wojciech

     /  April 4, 2018

    Hi Richard.
    This is one of the challenges we are facing. We use a proxy server, but we also use WPAD to specify what traffic should go through the proxy and what should go directly to the Internet. This is mostly for traffic like Office 365. I understand that split tunneling would be better in this scenario? Do you know if adding WPAD to the NRPT table will be enough to allow a DA client detect it?
    Kind regards,
    Wojciech

    Reply
    • There are a couple of ways to approach this. First, you could add the specific domains you want to route over the VPN connection using the DomainNameInformation node and then specify the WebProxyServer information there. You could also define a proxy using the Proxy node and then specify either Manual or AutoConfigUrl. You’ll have to do some testing to see which works best in your case.

      Reply
  4. Tina

     /  April 20, 2018

    Hi Richard,
    Apologies if I missed it, but is there a way to have the scripts run automatically once a connection to DA is established? Our issue is that we manually set proxies but are running into issues when users connect to Wi-Fi systems that require authentication through splash/landing pages, so they can't authenticate. So we are looking for alternatives. Also looking into WPAD.

    Reply
    • You could probably do something on the client using event triggers, but that’s not something I’ve ever done. Not sure if WPAD is going to work like you expect, unfortunately. DirectAccess force tunneling is terribly inelegant and quite difficult to make work correctly. :/

      Reply
  1. NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling | Richard M. Hicks Consulting, Inc.
