DirectAccess Force Tunneling and Proxy Server Configuration

By default, DirectAccess is configured to use split tunneling. In this scenario, a remote DirectAccess client is connected to the internal corporate network and the public Internet at the same time. Some security administrators perceive split tunneling as a security risk, and the use of split tunneling may be prohibited by corporate security policy. In addition, enforcing web browsing policies on remote DirectAccess clients might be desired to reduce the risk of exposure from browsing unapproved web sites. In either case, force tunneling can be configured to meet these requirements.

When force tunneling is enabled, DirectAccess administrators can also define an on-premises proxy server for DirectAccess clients to use. The following is guidance for enabling force tunneling and configuring DirectAccess clients to use a proxy server to access the Internet.

Enabling Force Tunneling

To enable force tunneling, open the Remote Access Management console and perform the following steps.

  1. Expand Configuration and select DirectAccess and VPN.
  2. Click Edit on Step 1 Remote Clients.
  3. Click Select Groups in the navigation tree.
  4. Select the option to Use force tunneling.

Figure 1. Enable DirectAccess force tunneling in the Remote Access Management console.

Alternatively, force tunneling can quickly be enabled by opening an elevated PowerShell command window and running the following command.

Set-DAClient -ForceTunnel Enabled -PassThru

Figure 2. Enable DirectAccess force tunneling using PowerShell.

Configure a Proxy Server

Once force tunneling has been enabled, run the following PowerShell script to configure an on-premises proxy server for DirectAccess clients to use. Be sure to substitute the fully-qualified domain name (FQDN) and port for your proxy server in the $proxy variable below.

# Get-RemoteAccess returns the client GPO as 'DOMAIN\GPO name'; keep only the GPO name.
$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

# Substitute the FQDN and port of your own proxy server here.
$proxy = "proxy.corp.example.net:8080"

# Force tunneling is implemented by the default ('.') NRPT rule in the client GPO.
$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $rule -GpoName $gpo

If multisite is enabled and Windows 7 clients are supported, run the following PowerShell script on one DirectAccess server in each entry point.

# The down-level (Windows 7) client GPO is configured the same way.
$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

$proxy = "proxy.corp.example.net:8080"

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $downlevelrule -GpoName $downlevelgpo
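After running the scripts above it is worth confirming what actually landed in the DirectAccess GPOs before clients refresh policy. The following verification script is an added example, not part of the original post or of the DirectAccess product; it assumes an elevated PowerShell session on a DirectAccess server, assumes that Get-DAClient exposes a ForceTunnel property with the values Enabled/Disabled, and assumes that Get-DnsClientNrptRule reports the proxy settings as the DirectAccessProxyType and DirectAccessProxyName output properties (the cmdlet parameters used to set them are -DAProxyType and -DAProxyServerName). The value of $expectedProxy is a constructed placeholder.

```powershell
# Added example (not from the original post): verify force tunneling and the
# proxy settings in the default NRPT rule of each DirectAccess client GPO.
# Assumptions: elevated session on a DirectAccess server; Get-DAClient exposes
# ForceTunnel = Enabled/Disabled; Get-DnsClientNrptRule exposes the output
# properties DirectAccessProxyType and DirectAccessProxyName.

$expectedProxy = 'proxy.corp.example.net:8080'   # constructed placeholder

# 1. Force tunneling must be enabled, otherwise the NRPT proxy setting has no effect.
$daClient = Get-DAClient
if ($daClient.ForceTunnel -ne 'Enabled') {
    Write-Warning "Force tunneling is '$($daClient.ForceTunnel)'; the NRPT proxy setting will not take effect."
}

# 2. Collect the client GPO and, if Windows 7 clients are supported, the down-level GPO.
$ra = Get-RemoteAccess
$gpoNames = @($ra.ClientGpoName)
if ($ra.DownlevelGpoName) { $gpoNames += $ra.DownlevelGpoName }

foreach ($fullName in $gpoNames) {
    # Get-RemoteAccess returns 'DOMAIN\GPO name'; the NRPT cmdlets want only the GPO name.
    $gpo = $fullName.Split('\')[1]

    # The default ('.') rule is the one that force tunneling and the proxy setting live in.
    $rule = Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq '.'
    if (-not $rule) {
        Write-Warning "GPO '$gpo' has no default ('.') NRPT rule; force tunneling is not configured in it."
        continue
    }

    [pscustomobject]@{
        Gpo       = $gpo
        Rule      = $rule.Name
        ProxyType = $rule.DirectAccessProxyType
        ProxyName = $rule.DirectAccessProxyName
        AsExpected = ($rule.DirectAccessProxyType -eq 'UseProxyName' -and
                      $rule.DirectAccessProxyName -eq $expectedProxy)
    }
}
```

A row with AsExpected = False (for example ProxyType still reporting UseDefault) means the Set-DnsClientNrptRule call above did not apply to that GPO. On a client that has refreshed group policy, the effective rule can be inspected with `Get-DnsClientNrptPolicy | Where-Object Namespace -eq '.'` (assumed to expose the same DirectAccessProxyType and DirectAccessProxyName properties), which is the quickest way to tell a GPO problem from a policy-refresh problem.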

Remove Proxy Server

Run the following PowerShell script to remove the proxy server, if necessary.

$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

# Look up the default ('.') rule again so the script runs on its own.
$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $rule -GpoName $gpo

# Down-level (Windows 7) client GPO; only needed where it was configured with a proxy above.
$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $downlevelrule -GpoName $downlevelgpo

Disable Force Tunneling

To disable force tunneling completely, run the following PowerShell command.

Set-DAClient -ForceTunnel Disabled -PassThru

Force Tunneling Caveats

When force tunneling is enabled, the user experience is typically poor when accessing the Internet. Web browsing performance is significantly reduced because of the added protocol overhead imposed by DirectAccess IPv6 transition technologies and IPsec encryption. This problem is further compounded when users access resources that are already encrypted, such as secure web sites. Increased packet fragmentation, along with the additional network latency caused by suboptimal network paths and increased network load on the server and Internet connection all contribute to degraded network performance for DirectAccess clients.

Force Tunneling Alternatives

Instead of enabling force tunneling, consider alternative solutions to address the security concerns associated with split tunneling. For example, implement technologies that enforce web browsing policies on the client. Many secure web gateways and next-generation firewalls (NGFW) have remote filtering capabilities that allow administrators to enforce web browsing policies on remote client machines. In addition, there are some excellent cloud-based solutions such as Zscaler and OpenDNS that can protect DirectAccess clients without the drawbacks associated with force tunneling.

Additional Information

Planning and Implementing DirectAccess with Windows Server 2016 video training course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 video training course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book

22 Comments

  1. carlos

     /  November 8, 2017

    Hi
    We have a problem with force tunneling: when I activated force tunneling, the connection is ok but I can resolve any hostname, internal or internet; without force tunneling it works correctly.

    Regards

    • That’s unusual, and it could be caused by any number of things. I can only suggest that you make sure you are testing with a client that has updated group policy while on the LAN after enabling force tunneling. I can tell you from experience though that force tunneling can be temperamental, and it quite often doesn’t work like you expect it to. :/

  2. Jay

     /  January 22, 2018

    when force tunneling is enabled, does all the internet-bound client traffic simply go out through the DA server(s), or is the separate outbound proxy required?

    • With force tunneling enabled, all client traffic is routed over the DirectAccess connection. For traffic bound for the Internet it will be routed through the DirectAccess server, but because of the limitations of the IPv6 translation technologies it typically doesn’t work. In most cases you’ll need to define a proxy server for Internet traffic to work correctly.

  3. Wojciech

     /  April 4, 2018

    Hi Richard.
    This is one of the challenges we are facing. We use a proxy server, but we also use WPAD to specify what traffic should go through the proxy and what should go directly to the Internet. This is mostly for traffic like Office 365. I understand that split tunneling would be better in this scenario? Do you know if adding WPAD to the NRPT table will be enough to allow a DA client detect it?
    Kind regards,
    Wojciech

    • There are a couple of ways to approach this. First, you could add the specific domains you want to route over the VPN connection using the DomainNameInformation node and then specify the WebProxyServer information there. You could also define a proxy using the Proxy node and then specify either Manual or AutoConfigUrl. You’ll have to do some testing to see which works best in your case.

  4. Tina

     /  April 20, 2018

    Hi Richard,
    Apologies if I missed it, but is there a way to have the scripts run automatically once a connection to DA is established? Our issue is we manually set proxies but are running into issues when users are connecting to wifi systems that require authentication through splash/landing pages, so they can't authenticate. So looking for alternatives. Also looking into WPAD.

    • You could probably do something on the client using event triggers, but that’s not something I’ve ever done. Not sure if WPAD is going to work like you expect, unfortunately. DirectAccess force tunneling is terribly inelegant and quite difficult to make work correctly. :/

  5. Kerr Avon

     /  June 3, 2018

    Hi Richard,
    Should the line to disable force tunneling be
    Set-DAClient -ForceTunnel Disabled ?

  6. Benoit Machiavello

     /  November 6, 2018

    I’m just testing this to use force tunneling. It works great BUT it seems to work only with IE. All other browsers (tested with Chrome, Firefox and Vivaldi) don’t seem to get the proxy server that I set in the DA connection.
    Can’t go on the Internet with them.
    Is there a solution for third-party browsers to work (without having to define the proxy in these browsers; we want this proxy to be used only when connecting through DirectAccess)?

    • Correct. The limitation with this configuration is that third-party browsers don’t work with it. I’m not aware of any alternatives either, unfortunately.

  7. Benny Doerksen

     /  December 19, 2018

    Hi Richard,

    First of all, thanks for all of your instructions! You’ve been so helpful!

    Second, I have questions about the proxy needed for forced tunneling. You say to add the proxy server to the client configuration, but we never set up a proxy server. Where does that get set up? What type of proxy server is this? Is the DA server already a proxy server, so we just need to point the clients to the DA server, or is there another server we need to be configuring with some other proxy service that will do this translation for us?

    Thank you!

    • The assumption here is that you have some sort of on-premises proxy server to use. If you don’t have one, you’ll need to implement one. Quickest/easiest way to do this is to stand up a Squid proxy. Squid is open source and free. They even have a Windows port if you aren’t comfortable with Linux. 🙂

      • Benny Doerksen

         /  January 30, 2019

        Thank you very much, that helped and I was able to stand up a Squid server and got it going…! well… partly. It seems as though any physical clients, Windows 10 Enterprise, will not connect via DA.

        In my test lab, I’m setting up my domain controllers, DA server, and proxy server inside of Microsoft Azure (I know, not supported…). When I enabled forced tunneling and got the proxy server settings configured properly, my Windows VM client (residing on my physical machine here at home, Windows 10, version 1709, LTSB) works just fine. I am able to use an internet browser on the VM and reach the internet, confirmed in Squid logs, while still accessing internal corporate resources.

        If I go through the same process on an actual physical laptop with Windows 10, 1709, enterprise, it does not allow me to connect to the internet or corporate resources. Collecting a log seems to hang and never completes, but running through basic troubleshooting doesn’t display anything obvious wrong.

        I realize this is a long-winded question, so maybe we need to do some actual consulting through you or maybe there is some other way we can get more advanced help.

        Thank you!

      • Typically if a DirectAccess server will support one connection, it will support many. If some clients can connect and others can’t, that would seem to indicate something wrong with the client configuration. I’d look closely at your client to make sure it has met all the prerequisites (firewall on, certificates provisioned, has the DirectAccess client policy, etc.).

  8. Benny

     /  February 14, 2019

    Turns out that my VM on Windows 10 Enterprise 1709 LTSB worked fine without a computer certificate issued.

    After creating an internal CA and issuing the correct certificates, my Windows 10 Enterprise 1809 laptop also began working fine with forced-tunneling enabled.

    Your book’s troubleshooting section pointed me in the correct direction. Once I found that the laptop’s IPsec connections were not being made, yet I was able to ping the remote endpoints, it all clicked.

    Thank you!

  9. Cyril

     /  April 15, 2019

    Hello.
    Thank you Richard for your blogs.
    I activated force tunneling; all traffic goes through the DirectAccess tunnel and the resource access works. However, the workstation indicates “no internet access”!
    Is a proxy mandatory with force tunneling? I have not executed the command set-dadnsclientconfiguration, for example.
    Thank you.

    • This is one of those irritating side effects of enabling force tunneling. :/ If you have enabled force tunneling it is highly recommended that you configure all of your client web traffic to use a proxy server. Sometimes this fixes the NCSI behavior, sometimes it doesn’t. Typically it’s nothing more than an annoyance, but sometimes it does negatively affect client connectivity. You might also consider making some changes to the way NCSI performs detection. For example, you could try disabling active probing to see if that helps. Details here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10).
