NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

DirectAccess employs a split tunneling network model by default. In this configuration, only network traffic destined for the internal network (as defined by the administrator) is tunneled over the DirectAccess connection. All other network traffic is routed directly over the Internet.

Force Tunneling Use Cases

For a variety of reasons, administrators may want to configure DirectAccess to use force tunneling, requiring all client traffic be routed over the DirectAccess connection, including public Internet traffic. Commonly this is done to ensure that all traffic is logged and, importantly, screened and filtered to enforce acceptable use policy and to prevent malware infection and potential loss of data.

DirectAccess and Force Tunneling

Enabling force tunneling for DirectAccess is not trivial, as it requires an on-premises proxy server to ensure proper functionality when accessing resources on the public Internet. You can find detailed guidance for configuring DirectAccess to use force tunneling here.

NetMotion Mobility and Force Tunneling

With NetMotion Mobility, force tunneling is enabled by default. So, if split tunneling is desired, it must be explicitly configured. Follow the steps below to create a split tunneling policy.

Create a Rule Set

1. Open the NetMotion Mobility management console and click Policy > Policy Management.
2. Click New.
3. Enter a descriptive name for the new rule set.
4. Click Ok.

Create a Rule

1. Click New.
2. Enter a descriptive name for the new rule.
3. Click Ok.

Define an Action

1. Click on the Actions tab.
2. In the Addresses section check the box next to Allow network traffic for address(es)/port(s).
3. In the Base section select Pass through all network traffic.

Define the Internal Network

1. In the Policy rule definition section click the address(es)/port(s) link.
2. Click Add.
3. In the Remote Address column select Network Address.
4. Enter the network prefix and prefix length that corresponds to the internal network.
5. Click Ok.
6. Repeat the steps above to add any additional internal subnets, as required.
7. Click Ok.
8. Click Save.
9. Click Save.

Assign the Policy

1. Click on the Subscribers tab.
2. Choose a group to assign the policy to. This can be users, groups, devices, etc.
3. Click Subscribe.
4. Select the Split Tunneling policy.
5. Click Ok.

Validation Testing

With split tunneling enabled the NetMotion Mobility client will be able to securely access internal network resources over the Mobility connection, but all other traffic will be routed over the public Internet. To confirm this, first very that internal resources are reachable. Next, open your favor Internet search engine and enter “IP”. The IP address you see should be the IP address of the client, not the on-premises gateway.

Summary

I’ve never been a big fan of force tunneling with DirectAccess. Not only is it difficult to implement (and requires additional infrastructure!) the user experience is generally poor. There are usability issues especially with captive portals for Wi-Fi, and performance often suffers. In addition, enabling force tunneling precludes the use of strong user authentication with one-time passwords.

With NetMotion Mobility, force tunneling is on by default, so no configuration changes are required. The user experience is improved as NetMotion Mobility intelligently recognizes captive portals. Performance is much better too. In addition, NetMotion Mobility is more flexible, allowing for the use of OTP authentication with force tunneling. Also, with NetMotion Mobility force tunneling is not a global setting. You can selectively apply force tunneling to users and/or groups as necessary.

Additional Information

NetMotion Mobility as an Alternative for Microsoft DirectAccess

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration