DirectAccess Force Tunneling and Proxy Server Configuration

By default, DirectAccess is configured to use split tunneling. In this scenario, a remote DirectAccess client is connected to the internal corporate network and the public Internet at the same time. Some security administrators perceive split tunneling as a security risk, and the use of split tunneling may be prohibited by corporate security policy. In addition, enforcing web browsing policies on remote DirectAccess clients might be desired to reduce the risk of exposure from browsing unapproved web sites. In either case, force tunneling can be configured to meet these requirements.

When force tunneling is enabled, DirectAccess administrators can also define an on-premises proxy server for DirectAccess clients to use. The following is guidance for enabling force tunneling and configuring DirectAccess clients to use a proxy server to access the Internet.

Enabling Force Tunneling

To enable force tunneling, open the Remote Access Management console and perform the following steps.

  1. Expand Configuration and select DirectAccess and VPN.
  2. Click Edit on Step 1 Remote Clients.
  3. Click Select Groups in the navigation tree.
  4. Select the option to Use force tunneling.

Figure 1. Enable DirectAccess force tunneling in the Remote Access Management console.

Alternatively, force tunneling can quickly be enabled by opening an elevated PowerShell command window and running the following command.

Set-DAClient -ForceTunnel Enabled -PassThru

Figure 2. Enable DirectAccess force tunneling using PowerShell.

Configure a Proxy Server

Once force tunneling has been enabled, run the following PowerShell script to configure an on-premises proxy server for DirectAccess clients to use. Be sure to substitute the fully-qualified domain name (FQDN) and port for your proxy server in the $proxy variable below.

# Locate the DirectAccess client GPO; ClientGpoName is returned as "DOMAIN\GPO name", so keep only the GPO name
$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

# Proxy server FQDN and port that DirectAccess clients will use for Internet-bound traffic
$proxy = "proxy.corp.example.net:8080"

# Find the default ("." namespace) NRPT rule in the client GPO; this rule governs all names not covered by a more specific rule
$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $rule -GpoName $gpo

If multisite is enabled and Windows 7 clients are supported, run the following PowerShell script on one DirectAccess server in each entry point.

# Locate the down-level (Windows 7) client GPO for this entry point and keep only the GPO name
$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

# Proxy server FQDN and port that down-level DirectAccess clients will use for Internet-bound traffic
$proxy = "proxy.corp.example.net:8080"

# Find the default ("." namespace) NRPT rule in the down-level GPO
$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType "UseProxyName" -Name $downlevelrule -GpoName $downlevelgpo
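
A read-back check, added here as an example and not part of the original post: after running either script above, this lists the default ("." namespace) NRPT rule in each DirectAccess GPO together with the proxy settings it carries, and reports the server-side force tunneling state. It assumes the output property names DirectAccessEnabled, DirectAccessProxyType and DirectAccessProxyName on Get-DnsClientNrptRule and ForceTunnel on Get-DAClient; the GPO and rule lookups are the same as in the scripts above.

```powershell
# Added example: verify the proxy settings written to the DirectAccess GPOs.
# Assumes the DnsClient property names DirectAccessEnabled / DirectAccessProxyType /
# DirectAccessProxyName and the RemoteAccess property ForceTunnel.

$ra = Get-RemoteAccess

# ClientGpoName is always present; DownlevelGpoName is empty unless Windows 7
# client support is enabled, so filter empty names out before splitting.
$gpoNames = @($ra.ClientGpoName, $ra.DownlevelGpoName) |
    Where-Object { -not [string]::IsNullOrEmpty($_) } |
    ForEach-Object { $_.Split('\')[1] }

foreach ($gpo in $gpoNames) {
    # The "." rule is the one the configuration scripts modify
    $rule = Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq '.'

    if (-not $rule) {
        Write-Warning "No default ('.') NRPT rule found in GPO '$gpo'; proxy settings were not applied there."
        continue
    }

    [pscustomobject]@{
        Gpo       = $gpo
        RuleName  = $rule.Name
        DAEnabled = $rule.DirectAccessEnabled
        ProxyType = $rule.DirectAccessProxyType   # expect "UseProxyName" after configuration, "UseDefault" after removal
        ProxyName = $rule.DirectAccessProxyName   # expect the FQDN:port set in $proxy
    }
}

# Force tunneling state in the server configuration ("Enabled" or "Disabled")
"ForceTunnel: $((Get-DAClient).ForceTunnel)"
```

Run this on the DirectAccess server in the same elevated PowerShell session used for the configuration scripts. A ProxyType of UseProxyName with an empty ProxyName, or a rule found in the client GPO but not in the down-level GPO of a multisite entry point, is the usual sign that one of the scripts above was not run where it was needed.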

Remove Proxy Server

Run the following PowerShell script to remove the proxy server, if necessary.

# Locate the DirectAccess client GPO and keep only the GPO name
$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split('\')[1]

# Look up the default NRPT rule again so this script does not depend on variables from an earlier session
$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

# Revert the rule to the default proxy behavior (no DirectAccess-specific proxy)
Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $rule -GpoName $gpo

# Down-level (Windows 7) GPO; only applicable when Windows 7 clients are supported
$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split('\')[1]

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq "." | Select-Object -ExpandProperty "Name")

Set-DnsClientNrptRule -DAEnable $true -DAProxyType "UseDefault" -Name $downlevelrule -GpoName $downlevelgpo

Disable Force Tunneling

To disable force tunneling completely, run the following PowerShell command.

Set-DAClient -ForceTunnel Disabled -PassThru

Force Tunneling Caveats

When force tunneling is enabled, the user experience is typically poor when accessing the Internet. Web browsing performance is significantly reduced because of the added protocol overhead imposed by DirectAccess IPv6 transition technologies and IPsec encryption. This problem is further compounded when users access resources that are already encrypted, such as secure web sites. Increased packet fragmentation, along with the additional network latency caused by suboptimal network paths and increased network load on the server and Internet connection all contribute to degraded network performance for DirectAccess clients.

Force Tunneling Alternatives

Instead of enabling force tunneling, consider alternative solutions to address the security concerns associated with split tunneling. For example, implement technologies that enforce web browsing policies on the client. Many secure web gateways and next-generation firewalls (NGFW) have remote filtering capabilities that allow administrators to enforce web browsing policies on remote client machines. In addition, there are some excellent cloud-based solutions such as Zscaler and OpenDNS that can protect DirectAccess clients without the drawbacks associated with force tunneling.

Additional Information

Planning and Implementing DirectAccess with Windows Server 2016 video training course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 video training course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book


30 Comments

  1. carlos (November 8, 2017)

    Hi
    We have a problem with force tunneling. When I activated force tunneling, the connection is OK but I can resolve any hostname, internal or Internet; without force tunneling it works correctly.

    Regards

    • That’s unusual, and it could be caused by any number of things. I can only suggest that you make sure you are testing with a client that has updated group policy while on the LAN after enabling force tunneling. I can tell you from experience though that force tunneling can be temperamental, and it quite often doesn’t work like you expect it to. :/

  2. Jay (January 22, 2018)

    When force tunneling is enabled, does all the Internet-bound client traffic simply go out through the DA server(s), or is a separate outbound proxy required?

    • With force tunneling enabled, all client traffic is routed over the DirectAccess connection. For traffic bound for the Internet it will be routed through the DirectAccess server, but because of the limitations of the IPv6 translation technologies it typically doesn’t work. In most cases you’ll need to define a proxy server for Internet traffic to work correctly.

  3. Wojciech (April 4, 2018)

    Hi Richard.
    This is one of the challenges we are facing. We use a proxy server, but we also use WPAD to specify what traffic should go through the proxy and what should go directly to the Internet. This is mostly for traffic like Office 365. I understand that split tunneling would be better in this scenario? Do you know if adding WPAD to the NRPT table will be enough to allow a DA client detect it?
    Kind regards,
    Wojciech

    • There are a couple of ways to approach this. First, you could add the specific domains you want to route over the VPN connection using the DomainNameInformation node and then specify the WebProxyServer information there. You could also define a proxy using the Proxy node and then specify either Manual or AutoConfigUrl. You’ll have to do some testing to see which works best in your case.

  4. Tina (April 20, 2018)

    Hi Richard,
    Apologies if I missed it, but is there a way to have the scripts run automatically once a connection to DA is established? Our issue is we manually set proxies but run into issues when users are connecting to Wi-Fi systems that require authentication through splash/landing pages, so they can’t authenticate. So we are looking for alternatives. Also looking into WPAD.

    • You could probably do something on the client using event triggers, but that’s not something I’ve ever done. Not sure if WPAD is going to work like you expect, unfortunately. DirectAccess force tunneling is terribly inelegant and quite difficult to make work correctly. :/

  5. Kerr Avon (June 3, 2018)

    Hi Richard,
    Should the line to disable force tunneling be
    Set-DAClient -ForceTunnel Disabled ?

  6. Benoit Machiavello (November 6, 2018)

    I’m just testing this to use force tunneling. It works great BUT it seems to work only with IE. All other browsers (tested with Chrome, Firefox and Vivaldi) don’t seem to get the proxy server that I set in the DA connection.
    Can’t go on the Internet with them.
    Is there a solution for third-party browsers to work (without having to define the proxy in these browsers; we want this proxy to be used only when connecting through DirectAccess)?

    • Correct. The limitation with this configuration is that third-party browsers don’t work with it. I’m not aware of any alternatives either, unfortunately.

  7. Benny Doerksen (December 19, 2018)

    Hi Richard,

    First of all, thanks for all of your instructions! You’ve been so helpful!

    Second, I have questions about the proxy needed for forced tunneling. You say to add the proxy server to the client configuration, but we never set up a proxy server. Where does that get set up? What type of proxy server is this? Is the DA server already a proxy server, so we just need to point the clients to the DA server, or is there another server we need to be configuring with some other proxy service that will do this translation for us?

    Thank you!

    • The assumption here is that you have some sort of on-premises proxy server to use. If you don’t have one, you’ll need to implement one. Quickest/easiest way to do this is to stand up a Squid proxy. Squid is open source and free. They even have a Windows port if you aren’t comfortable with Linux. 🙂

      • Benny Doerksen (January 30, 2019)

        Thank you very much, that helped and I was able to stand up a Squid server and got it going…! Well… partly. It seems as though any physical clients, Windows 10 Enterprise, will not connect via DA.

        In my test lab, I’m setting up my domain controllers, DA server, and proxy server inside of Microsoft Azure (I know, not supported…). When I enabled forced tunneling and got the proxy server settings configured properly, my Windows VM client (residing on my physical machine here at home, Windows 10, version 1709, LTSB) works just fine. I am able to use an Internet browser on the VM and reach the Internet, confirmed in Squid logs, while still accessing internal corporate resources.

        If I go through the same process on an actual physical laptop with Windows 10, 1709, enterprise, it does not allow me to connect to the internet or corporate resources. Collecting a log seems to hang and never completes, but running through basic troubleshooting doesn’t display anything obvious wrong.

        I realize this is a long-winded question, so maybe we need to do some actual consulting through you, or maybe there is some other way we can get more advanced help.

        Thank you!

      • Typically if a DirectAccess server will support one connection, it will support many. If some clients can connect and others can’t, that would seem to indicate something wrong with the client configuration. I’d look closely at your client to make sure it has met all the prerequisites (firewall on, certificates provisioned, has the DirectAccess client policy, etc.).

  8. Benny (February 14, 2019)

    Turns out that my VM on Windows 10 Enterprise 1709 LTSB worked fine without a computer certificate issued.

    After creating an internal CA and issuing the correct certificates, my Windows 10 Enterprise 1809 laptop also began working fine with forced tunneling enabled.

    Your book’s troubleshooting section pointed me in the correct direction. Once I found that the laptop’s IPsec connections were not being made, yet I was able to ping the remote endpoints, it all clicked.

    Thank you!

  9. Cyril (April 15, 2019)

    Hello.
    Thank you Richard for your blogs.
    I activated force tunneling; all traffic goes through the DirectAccess tunnel and resource access works. However, the workstation indicates “no Internet access”!
    Is a proxy mandatory with force tunneling? I have not executed the command Set-DADnsClientConfiguration, for example.
    Thank you.

    • This is one of those irritating side effects of enabling force tunneling. :/ If you have enabled force tunneling it is highly recommended that you configure all of your client web traffic to use a proxy server. Sometimes this fixes the NCSI behavior, sometimes it doesn’t. Typically it’s nothing more than an annoyance, but sometimes it does negatively affect client connectivity. You might also consider making some changes to the way NCSI performs detection. For example, you could try disabling active probing to see if that helps. Details here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10).

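A client-side check, added here as an example and not part of the original post or its replies: run on a DirectAccess client, it reports whether force tunneling and the proxy assignment have actually reached the machine through group policy, and shows the current NCSI active probing setting that the reply above refers to. This also answers the later question in comment 12 about finding the current proxy settings. It assumes that Get-DAClientExperienceConfiguration (DirectAccessClientComponents module) exposes a ForceTunneling property and that Get-DnsClientNrptPolicy exposes DirectAccessEnabled, DirectAccessProxyType and DirectAccessProxyName; the NCSI registry value is the documented EnableActiveProbing setting.

```powershell
# Added example: check force tunneling, NRPT proxy assignment and NCSI probing on a client.
# Assumes the property names ForceTunneling (Get-DAClientExperienceConfiguration) and
# DirectAccessEnabled / DirectAccessProxyType / DirectAccessProxyName (Get-DnsClientNrptPolicy).

function Get-DAForceTunnelStatus {
    # 1. Force tunneling state as delivered to the client by group policy ("Enabled" / "Disabled")
    $exp = Get-DAClientExperienceConfiguration

    # 2. Effective NRPT policy: the "." namespace rule carries the proxy used for all Internet names
    $defaultRule = Get-DnsClientNrptPolicy | Where-Object Namespace -eq '.'

    # 3. NCSI active probing; the "no Internet access" indicator is driven by this probe
    $ncsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
    $probe = (Get-ItemProperty -Path $ncsiKey -Name EnableActiveProbing -ErrorAction SilentlyContinue).EnableActiveProbing

    [pscustomobject]@{
        ForceTunneling      = $exp.ForceTunneling
        DefaultRulePresent  = [bool]$defaultRule
        DAEnabled           = $defaultRule.DirectAccessEnabled
        ProxyType           = $defaultRule.DirectAccessProxyType   # "UseProxyName" when a proxy is assigned
        ProxyName           = $defaultRule.DirectAccessProxyName   # FQDN:port from the server-side script
        NcsiActiveProbing   = if ($null -eq $probe) { 'not set (default: enabled)' } else { $probe }
    }
}

Get-DAForceTunnelStatus | Format-List

# If ForceTunneling or the proxy settings are missing, the client has not yet picked up the
# updated policy; refresh it while the machine can reach a domain controller (for example on the LAN):
#   gpupdate /target:computer /force

# To disable NCSI active probing (the change mentioned in the reply above), run from an
# elevated prompt and restart the client afterwards; export the key first so it can be restored:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet' -Name EnableActiveProbing -Type DWord -Value 0
```

A result with ForceTunneling set to Enabled but ProxyType not equal to UseProxyName means the server-side NRPT change never reached this client, which is the state that produces working tunnels with no Internet access; the policy refresh, not the NCSI change, is the fix in that case.
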
  10. louis (May 30, 2019)

    Hi Richard,
    Firstly, many thanks for the very resourceful site for DirectAccess.
    If force tunneling is implemented and the DA server has 2 NICs with the external NIC behind a NATed firewall/proxy, does the Internet-bound traffic route via the external NIC on the DA server, or go via the internal NIC on the DA server to the proxy server?
    Would I be correct in assuming that it should route via the internal NIC and the external NIC is purely used for clients to connect to the DA server only?

    • It will use whichever interface is configured with a default gateway, which is commonly the external interface. 🙂

  11. Hello Richard
    We have set up our DirectAccess with force tunneling and also configured a proxy server to be used for Internet access as per the NRPT. We want to add a URL to the NRPT for which we do not want it to go to the proxy server. What is the correct syntax to add a URL so it bypasses the proxy on the DirectAccess server? We have not had much luck getting it to work, so we are thinking we are not using the correct syntax. Any help would be much appreciated.

    • I don’t believe you can bypass proxy selectively using NRPT. You’ll have to do that with a proxy autoconfiguration file.

      • Nagu Sittampalam (April 21, 2020)

        Hello Richard
        Do you mean a proxy autoconfiguration file on the client browser or on the DirectAccess server? So NRPT does not decide what goes to the proxy and what does not? One of the options when adding an entry to NRPT is to specify a proxy, so I thought if we enter a URL and do not specify a proxy it will try to send it directly, but it does not work that way? Maybe that is why the entries we added without a proxy are not working as we thought. There is nothing on the DirectAccess server which automatically sends things to the proxy.

      • It would be configured on the client…

  12. Nagu Sittampalam (April 30, 2020)

    Hello Richard
    When configuring a proxy with force tunneling, is it possible to specify a PAC file, or to put exceptions on the proxy? Is there a command to find what the current settings are for the proxy?

  1. NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling | Richard M. Hicks Consulting, Inc.
  2. DirectAccess Selective Tunneling | Richard M. Hicks Consulting, Inc.
