DirectAccess clients use the Network Location Server (NLS) for trusted network detection. If the NLS can be reached, the client will assume it is on the internal network and the DirectAccess connection will not be made. If the NLS cannot be reached, the client will assume it is outside the network and it will then attempt to establish a connection to the DirectAccess server.

Critical Infrastructure

DirectAccess NLS availability and reachability is crucial to ensuring uninterrupted operation for DirectAccess clients on the internal network. If the NLS is offline or unreachable for any reason, DirectAccess clients on the internal network will be unable to access internal resources by name until the NLS is once again available. To ensure reliable NLS operation and to avoid potential disruption, the NLS should be highly available and geographically redundant. Close attention must be paid to NLS SSL certificate expiration dates too.

NetMotion Mobility

NetMotion Mobility does not require additional infrastructure for inside/outside detection as DirectAccess does. Instead, Mobility clients determine their network location by the IP address of the Mobility server they are connected to.

Unlike DirectAccess, NetMotion Mobility clients will connect to the Mobility server whenever it is reachable, even if they are on the internal network. There are some advantages to this, but if this behavior isn’t desired, a policy can be created that effectively replicates DirectAccess client behavior by bypassing the Mobility client when the client is on the internal network.

Configuring Trusted Network Detection

Follow the steps below to create a policy to enable trusted network detection for NetMotion Mobility clients.

Create a Rule Set

1. From the drop-down menu in the NetMotion Mobility management console click Policy and then Policy Management.
2. Click New.
3. Enter a descriptive name for the new rule set.
4. Click Ok.

Create a Rule

1. Click New.
2. Enter a descriptive name for the new rule.
3. Click Ok.

Define a Condition

1. Click on the Conditions tab.
2. In the Addresses section check the box next to When the Mobility server address is address.
   
3. In the Policy rule definition section click the equal to address(es) (v9.0) link.
   
4. Click Add.
5. Select Mobility server address.
6. Select the IP address assigned to the Mobility server’s internal network interface.
7. Click Ok.
8. Click Ok.

Define an Action

1. Click on the Actions tab.
2. In the Passthrough Mode section check the box next to Enable/disable passthrough mode.
   
3. Click Save.
4. Click Save.

Assign the Policy

1. Click on the Subscribers tab.
2. Choose a group to assign the policy to. This can be users, groups, devices, etc.
   
3. Click Subscribe.
4. Select the Trusted Network Detection policy.
5. Click Ok.

Validation Testing

The NetMotion Mobility client will connect normally when the client is outside of the network. However, if the Mobility client detects that it is connected to the internal interface of the Mobility server, all network traffic will bypass the Mobility client.

Summary

Trusted network detection can be used to control client behavior based on their network location. Many administrators prefer that connections only be made when clients are outside the network. DirectAccess clients use the NLS to determine network location and will not establish a DirectAccess connection if the NLS is reachable.

NetMotion Mobility trusted network detection relies on detecting the IP address of the Mobility server to which the connection was made. This is more elegant and effective than the DirectAccess NLS, and more reliable too.

Additional Information

Enabling Secure Remote Administrator for the NetMotion Mobility Management Console

NetMotion Mobility Device Tunnel Configuration

Deploying NetMotion Mobility in Azure