Azure DP and DirectAccess

We are rolling out Direct Access for our company and since more than half of our users work off site, we felt an Azure DP for CM12 R2 would make sense for those field employees to use as a DP.

My question is, since they will be connecting with DA which in turn makes them appear as "intranet" clients from a CM standpoint, does that change the implementation of Azure as a DP? Obviously a management cert is needed for communication between CM and Azure, but is a client cert still required?

I guess in my head, the field laptops would report to the MP, but we would have a boundary defined for the DA clients that points to the Azure DP... does that make sense? Thanks for any thoughts!

February 7th, 2014 8:31pm

The client only needs to trust the cloud-based DP. A client cert is not required.

Yes, you need to define a boundary for these clients and make them use the cloud-based DP, because of the following:

1. A client that is configured to use cloud-based distribution points always attempts to obtain content from a preferred distribution point first.

2. When a preferred distribution point is not available, the client uses a remote distribution point, if the deployment supports this option, and if a remote distribution point is available.

3. When a preferred distribution point or remote distribution point is not available, the client can then fall back to obtain the content from a cloud-based distribution point.

So, if you want the clients to download content from the cloud DP, the content cannot be available on a preferred DP or a remote DP; then the clients will fall back to the cloud DP.

February 10th, 2014 6:09pm

Thanks for the info, I guess I'm still confused a little. If the client is a Direct Access client, it's going to get the content from the DP site it was assigned to (let's say the primary site as an example), because a DA client doesn't know it is not in that particular site. So in that event, it would have no reason to go to a fallback DP (Azure)... correct? Our goal would be that a client connecting through DA and not on-site would access the cloud DP... and then of course the site DP should they be on site. Since a DA client resides on a different AD site, couldn't I define that boundary and then set the cloud DP as the default?

The cloud as a fallback would make sense if they were natively internet-managed clients, but not DA. Hope I am not missing the obvious.

February 11th, 2014 12:18am

I've been looking into this exact same issue.

At the moment I am experimenting with a site in AD Sites and Services that covers the HTTPS IPv6 address space allocated to the connected clients. Using that site name you should theoretically be able to configure your cloud DP to be the first port of call for clients in that inferred boundary.

I'll feed back some more once we have tested and ascertained where the DA client is connecting to.

regards

Rob

February 9th, 2015 5:56am
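An added illustration, not code from the thread, from ConfigMgr, or from any poster: a small model of the three-step content-source order given in the second reply (preferred DP, then remote DP if the deployment allows it, then cloud DP if the client may use one), combined with Rob's idea of a boundary keyed on the IPv6 prefix that DirectAccess hands to connected clients. Every DP name, subnet and package ID is constructed for the example, and the 2001:db8 prefix only stands in for a real DA client range. It shows why, in this model, the cloud DP is reached only when the DA boundary's group offers no on-premises DP with the content and the deployment does not allow remote DPs.

```python
"""Model of ConfigMgr 2012 R2 content-source selection as described in the thread:
preferred DP -> remote DP (if the deployment allows it) -> cloud DP (if the client
may use cloud DPs). Boundary membership is decided by IP prefix, including an IPv6
prefix standing in for the DirectAccess client range. All names, prefixes and
package IDs are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DistributionPoint:
    name: str
    cloud: bool = False                       # True for an Azure (cloud-based) DP
    online: bool = True
    content: set = field(default_factory=set)  # package IDs staged on this DP


@dataclass
class Boundary:
    name: str
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    preferred_dps: list   # DPs of the boundary group this boundary belongs to


def find_boundary(client_ip, boundaries):
    """Return the most specific boundary whose prefix contains client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    matches = [b for b in boundaries
               if b.network.version == ip.version and ip in b.network]
    return max(matches, key=lambda b: b.network.prefixlen, default=None)


def _first_usable(dps, package_id):
    """First DP that is online and actually has the package staged."""
    for dp in dps:
        if dp.online and package_id in dp.content:
            return dp
    return None


def select_content_source(client_ip, package_id, boundaries, all_dps,
                          allow_remote_dp, allow_cloud_dp):
    """Apply the thread's order. Returns (tier, dp_name) or (None, None)."""
    boundary = find_boundary(client_ip, boundaries)
    preferred = boundary.preferred_dps if boundary else []
    dp = _first_usable(preferred, package_id)
    if dp:
        return ("preferred", dp.name)
    if allow_remote_dp:  # deployment option: any other on-premises DP
        remote = [d for d in all_dps if not d.cloud and d not in preferred]
        dp = _first_usable(remote, package_id)
        if dp:
            return ("remote", dp.name)
    if allow_cloud_dp:   # client setting: cloud DP is the last fallback
        dp = _first_usable([d for d in all_dps if d.cloud], package_id)
        if dp:
            return ("cloud", dp.name)
    return (None, None)


def build_lab():
    """Constructed environment: one on-site DP, one cloud DP, two boundaries."""
    hq_dp = DistributionPoint("HQ-DP01", content={"PKG00001"})
    azure_dp = DistributionPoint("AzureCloudDP", cloud=True, content={"PKG00001"})
    boundaries = [
        # on-site subnet; its boundary group contains the HQ DP
        Boundary("HQ-LAN", ipaddress.ip_network("10.10.0.0/16"), [hq_dp]),
        # DirectAccess client prefix (documentation range, stands in for the real one);
        # its boundary group deliberately contains no on-premises DP
        Boundary("DA-Clients", ipaddress.ip_network("2001:db8:da::/64"), []),
    ]
    return boundaries, [hq_dp, azure_dp]


def demo_scenarios():
    """On-site client, DA client, and DA client with remote DPs allowed."""
    boundaries, all_dps = build_lab()
    onsite = select_content_source("10.10.5.23", "PKG00001", boundaries, all_dps,
                                   allow_remote_dp=False, allow_cloud_dp=True)
    field_da = select_content_source("2001:db8:da::1a2b", "PKG00001", boundaries,
                                     all_dps, allow_remote_dp=False, allow_cloud_dp=True)
    # Same DA client, but the deployment allows remote DPs: the on-site DP is
    # chosen over the tunnel and the cloud DP is never reached.
    field_da_remote = select_content_source("2001:db8:da::1a2b", "PKG00001", boundaries,
                                            all_dps, allow_remote_dp=True,
                                            allow_cloud_dp=True)
    return onsite, field_da, field_da_remote


if __name__ == "__main__":
    for tier, name in demo_scenarios():
        print(tier, name)
```

The third scenario is the point the second and third posts are circling: a DA client matched to its own boundary still prefers any on-premises DP the deployment lets it use, so steering field clients to Azure depends on what the DA boundary group and the deployment's fallback settings leave available, not on the client being "internet" or "intranet".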
