This does make some sense. The issue with VOIP might well be a problem
at some point - we have a Shoretel system, and it's desired at some
point to have remote folks use a soft phone remotely. I don't know if
it uses IPv4 only, or if it can use v6, or even if it uses SIP for its
native implementation. IIRC, it needs a SIP gateway to work with COTS
SIP phones, so it might not be affected by that.

I'm not terribly worried about apps that don't use name resolution, as
we don't have any. I'm actually a fan of disabling split tunneling,
but I do recognize the drawbacks - especially when remote bandwidth is
limited.

However, I have to wonder if this starts to highlight problems with
split DNS. That could prove, erm, interesting for us.

Kurt
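The routing behaviour Malcolm describes in his quoted reply below (name-based tunneling versus IP literals, and the effect of disabling split tunneling), modelled as an added Python example; it is not part of either poster's mail and is not DirectAccess's actual implementation. The `NrptRule` and `DirectAccessClient` names, the suffix-matching logic and the audit helper are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NrptRule:
    # Name Resolution Policy Table entry (hypothetical model): names under
    # this DNS suffix resolve over the tunnel and are therefore routed through it.
    suffix: str  # e.g. ".internal.mycorp.com"


@dataclass
class DirectAccessClient:
    rules: list
    force_tunnel: bool = False  # True means split tunneling is disabled

    def route(self, destination: str) -> str:
        """Return 'tunnel' or 'direct' for a destination as an application names it."""
        if self.force_tunnel:
            return "tunnel"  # everything, Internet-bound traffic included, goes the long way
        try:
            ipaddress.ip_address(destination)
            # An IP literal never consults the NRPT, so even 10.x.x.x goes out the local interface
            return "direct"
        except ValueError:
            pass  # not an IP literal, fall through to name matching
        name = destination.rstrip(".").lower()
        for rule in self.rules:
            suffix = rule.suffix.lower()
            # Match the zone apex and anything below it, but not "notinternal.mycorp.com"
            if name == suffix.lstrip(".") or name.endswith(suffix):
                return "tunnel"
        return "direct"

    def bypassed_internal_ips(self, destinations, internal_nets=("10.0.0.0/8",)):
        """Constructed audit helper: destinations that are internal IP literals
        yet would not be tunneled, i.e. apps that will break over DirectAccess."""
        nets = [ipaddress.ip_network(n) for n in internal_nets]
        flagged = []
        for dest in destinations:
            try:
                ip = ipaddress.ip_address(dest)
            except ValueError:
                continue  # hostnames are handled by the NRPT, skip them here
            if any(ip in net for net in nets) and self.route(dest) == "direct":
                flagged.append(dest)
        return flagged
```

Feeding the helper an inventory of application endpoints (constructed input) lists the IP-only internal apps that only work once split tunneling is disabled.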

On Mon, Jul 26, 2010 at 07:12, Malcolm Reitz <malcolm.re...@live.com> wrote:
> Smart cards are optional for DirectAccess, not required. What I was trying 
> (poorly) to say was that Microsoft's internal implementation of DirectAccess 
> is set up to require smart card authentication (e.g. MSFT employees must use 
> smart cards). Our DirectAccess implementation currently does not require the 
> users to have a smart card. Smart cards (we use .NET cards - Gemalto is the 
> major vendor in the market) are a quite useful security tool, but they 
> require a distribution/maintenance infrastructure that complicates their use.
>
> Applications that don't work across a DirectAccess link are those which won't 
> work over IPv6. The first one I came across was the Communicator IM client. I 
> think VoIP apps that rely on the SIP protocol fall into this category as 
> well.
>
> Also, internal applications that you access by IP address only will be a 
> problem. This is because DirectAccess makes its routing decisions based on 
> name resolution, not IP destination. Say your corporate network is using the 
> 10.x.x.x IPv4 address space and a domain name of "internal.mycorp.com". You 
> can tell DirectAccess to send all traffic to *.internal.mycorp.com over the 
> tunnel to your corporate network, but you can't tell it to route all traffic 
> to any 10.x.x.x address across the tunnel. The only way around this is to 
> force all communications across the tunnel (that is, disable 
> split-tunneling). Unfortunately, this has performance implications, as it 
> makes DirectAccess use a less-efficient protocol and increases the load on 
> the DirectAccess servers, not to mention it sends all Internet-bound traffic 
> from the client "the long way" through the corporate network and out the 
> corporate Internet connection.
>
> Hope that makes sense...
>
> -Malcolm
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, July 23, 2010 17:43
> To: NT System Admin Issues
> Subject: Re: Anyone using Forefront UAG and Direct Access
>
> Ooooo...
>
> Actual field experience!
>
> Did not know about the smart card requirement. That's good to know.
> What smart card technology are you using, if you can say?
>
> What kind of apps have you run into that don't play nice with it?
>
> Kurt
>
> On Fri, Jul 23, 2010 at 13:29, Malcolm Reitz <malcolm.re...@live.com> wrote:
>> I won’t say DirectAccess is just another VPN, because it isn’t, but it
>> is a VPN technology with pretty robust security. It isn’t an easy
>> setup, as it requires working with IPv6 and certificates, however,
>> once it is running, it is really slick in operation. Just connecting
>> your laptop to the Internet and being instantly able to map corporate
>> file shares and open intranet web apps or RDP sessions is great.
>> Downsides to it are that not everything works with it, as not
>> everything plays nice with IPv6, and the hardware requirements are
>> more significant than for a traditional IPsec VPN. It also only works with 
>> Windows 7 clients.
>>
>> Microsoft has enhanced security on their DirectAccess implementation
>> by requiring their people to use smart cards for DirectAccess authentication.
>> We may do that as well.
>>
>> I can say that everyone using my DirectAccess POC setup is liking it so far.
>> Because of its “always on” nature, I think it will be a great boon to
>> our management of remote computers (they'll always be connected for
>> patching, AV updates, inventory, etc.).
>>
>> -Malcolm
>>
>> From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com]
>> Sent: Friday, July 23, 2010 14:51
>> To: NT System Admin Issues
>> Subject: Anyone using Forefront UAG and Direct Access
>>
>> Thoughts?
>>
>> Is it a big security hole?
>>
>> Luke L. Brumbaugh
>> Network Engineer
>> Butler Animal Health Supply
>> Ph:(614) 659-1736
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
