DirectAccess for 1 single FQDN

Hello,

I don't know if it's possible within the utilisation of DirectAccess, but here is my question:

Is it possible to configure DirectAccess in such a way that for one particular FQDN it uses the tunnel, while all others are connected directly?

In fact the opposite of what's done with NLS.

Any ideas?

Daniel

September 29th, 2014 9:23am

Hello Daniel, 

If I understand you correctly, JUST for Site1.contoso.com you need the traffic to flow through DA Tunnel?

It can be done: you can add the FQDN to the NRPT in UAG or the 2012 DA server and point it to the DA server's DNS64 address.

Also make sure you have a proper route to Site1.contoso.com from your internal adapter of DA Server.

HTH,

Vasu Deva

  • Proposed as answer by Vasu Deva Monday, September 29, 2014 12:57 PM
September 29th, 2014 3:49pm


Also make sure your internal DNS can resolve the FQDN mentioned above.
September 29th, 2014 3:56pm

That's the problem. When you fill in the FQDN (for example test.domain.com), then in the namespace policy it is stated as .test.domain.com.

In other words, it considers the DNS name .test.domain.com instead of the host test.domain.com.

Daniel

September 29th, 2014 5:14pm

Well, it all depends on the option you chose when you add the entry in the NRPT.

In this case, you can use the option below; try it and let me know how it goes.

[Screenshot: NRPT screen]
  • Edited by Vasu Deva Tuesday, September 30, 2014 7:15 AM
September 30th, 2014 10:12am


I know this option in UAG, but in Windows 2012 R2 you do not have this option.

Daniel

September 30th, 2014 10:18am

AFAIK, there is NO option in 2012 DA to tell it that you are explicitly adding an FQDN and NOT a DNS suffix.

Instead, you can add the entry (in my case site1.contoso.com) in the URA console, apply the configuration and edit the GPOs created by 2012 DA. (The good thing is that, unlike UAG, 2012 DA URA doesn't overwrite the GPO during the next activation and adds ONLY the new changes, so your patch will be persistent.)

You can follow the steps below, if you choose to do so.

  1. Open up the corresponding GPO for DA clients; the default name should be "DirectAccess Client Settings" unless you changed it when setting up DA.
  2. Right-click, choose Edit and navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy\
  3. Look for the table titled "Name Resolution Policy Table" and pick the entry (site1.contoso.com).
  4. Choose the option "FQDN".
  5. To verify this, update the GPO on any client machine and run the command "Netsh name show policy".

[Screenshot: Site1]

Let me know how it goes!

  • Edited by Vasu Deva Wednesday, October 01, 2014 2:55 PM
  • Proposed as answer by Vasu Deva Thursday, October 02, 2014 10:04 AM
  • Marked as answer by Daniel Paessens Monday, October 20, 2014 12:45 PM
October 1st, 2014 5:53pm
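The verification in step 5 above can also be scripted on a client, which makes it easy to confirm that the GPO edit produced an FQDN rule rather than a suffix rule. The following is an added example; it is not code from the thread, from Vasu Deva, or from Microsoft. It assumes a Windows 8.1 / Server 2012 R2 or later DirectAccess client where the DnsClient module is available, uses the thread's placeholder name site1.contoso.com, and the sibling name other.contoso.com is a hypothetical name chosen here to show that the rest of the zone stays outside the tunnel. It reads the effective NRPT (GPO plus local rules as the client sees them), classifies each rule as FQDN or suffix by the leading dot, and reports which rule wins for each name.

```powershell
# Added example; not code from the thread, Vasu Deva, or Microsoft.
# Assumes a DirectAccess client (Windows 8.1 / Server 2012 R2 or later) with
# the DnsClient module. 'site1.contoso.com' is the thread's placeholder name;
# 'other.contoso.com' is a hypothetical sibling host used only for contrast.

function Get-NrptRuleKind {
    # NRPT treats a namespace with a leading dot as a DNS suffix rule and one
    # without as an exact FQDN rule. That leading dot is what the thread is
    # fighting with.
    param([Parameter(Mandatory)][string]$Namespace)
    if ($Namespace.StartsWith('.')) { 'Suffix' } else { 'FQDN' }
}

function Test-NrptRuleMatch {
    # True if $Name would be selected by a rule for $Namespace. FQDN rules
    # need an exact (case-insensitive) match; suffix rules need a dot-bounded
    # suffix match, so '.contoso.com' matches 'site1.contoso.com' but not
    # 'site1.notcontoso.com'. The bare zone name is treated here as no match.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Namespace
    )
    $n  = $Name.TrimEnd('.').ToLowerInvariant()
    $ns = $Namespace.TrimEnd('.').ToLowerInvariant()
    if ((Get-NrptRuleKind $ns) -eq 'FQDN') { return $n -eq $ns }
    return ($n.Length -gt $ns.Length) -and $n.EndsWith($ns)
}

function Get-NrptWinner {
    # Walks the effective NRPT and returns the rule that applies to $Fqdn,
    # or $null if none does. NRPT precedence: an exact FQDN rule beats any
    # suffix rule, and among suffix rules the longest namespace wins.
    param([string]$Fqdn = 'site1.contoso.com')
    $rules = Get-DnsClientNrptPolicy -Effective
    $hits = foreach ($r in $rules) {
        if (Test-NrptRuleMatch -Name $Fqdn -Namespace $r.Namespace) {
            [pscustomobject]@{
                Namespace  = $r.Namespace
                Kind       = Get-NrptRuleKind $r.Namespace
                DnsServers = (@($r.DirectAccessDnsServers) -join ', ')
                Proxy      = $r.DirectAccessProxyName
            }
        }
    }
    $hits |
        Sort-Object @{ Expression = { if ($_.Kind -eq 'FQDN') { 0 } else { 1 } } },
                    @{ Expression = { $_.Namespace.Length }; Descending = $true } |
        Select-Object -First 1
}

function Test-SingleHostInTunnel {
    # The check Daniel wanted: the one host must hit an FQDN rule that points
    # at the DA server's DNS64 address, while a sibling host in the same zone
    # must hit no rule at all (and therefore resolve directly, off-tunnel).
    param(
        [string]$Fqdn    = 'site1.contoso.com',
        [string]$Sibling = 'other.contoso.com'
    )
    $inTunnel = Get-NrptWinner -Fqdn $Fqdn
    $direct   = Get-NrptWinner -Fqdn $Sibling

    $winning = '(none, resolves directly)'
    if ($inTunnel) { $winning = "$($inTunnel.Kind) $($inTunnel.Namespace) -> $($inTunnel.DnsServers)" }
    $siblingRule = '(none, resolves directly)'
    if ($direct) { $siblingRule = "$($direct.Kind) $($direct.Namespace)" }

    # As intended only when the host gets an FQDN rule with DA DNS servers
    # and the sibling gets nothing; a suffix rule here means the whole zone
    # would be pulled into the tunnel, which is the behaviour Daniel saw.
    $ok = ($null -ne $inTunnel) -and ($inTunnel.Kind -eq 'FQDN') -and
          ([string]$inTunnel.DnsServers -ne '') -and ($null -eq $direct)

    [pscustomobject]@{
        Fqdn        = $Fqdn
        WinningRule = $winning
        Sibling     = $Sibling
        SiblingRule = $siblingRule
        AsIntended  = [bool]$ok
    }
}

# Usage on a DA client after gpupdate:
Test-SingleHostInTunnel -Fqdn 'site1.contoso.com'
```

When the GPO edit from the post is in place, WinningRule shows an FQDN rule for site1.contoso.com pointing at the DA DNS64 address and SiblingRule shows none; if the entry was stored with the leading dot, the sibling will also match and AsIntended will be false, which is exactly the "whole suffix instead of one host" behaviour the thread describes.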


Hi there. Actually, using PowerShell on the DA server you can add an FQDN and force it through the DA tunnel and also specify a proxy server if required. This has been done on quite a few sites where, for example, misco.co.uk had to go through the tunnel and out of the corporate firewall so the request came from a specific IP address. This is not the case for you but the same principle applies.

Running Get-DAClientDNSConfiguration shows the DA server config.

Running this command would allow test.misco.co.uk through the DA tunnel and not direct:

Set-DAClientDnsConfiguration -DnsSuffix test.misco.co.uk

If you wanted to use a proxy server, add -ProxyServer 'Proxy:8080' to the end.

Reference link that may help you - http://technet.microsoft.com/en-us/library/hh918389.aspx

Although, as mentioned before, make sure the DA server can resolve the FQDN you need.

Kr

October 2nd, 2014 6:07pm

Hi, why not consider the remote management only option of DirectAccess? You add your URL to the infrastructure tunnel allowed list (step 3 if I remember well). In this mode there is a single tunnel, the infrastructure tunnel. If you add your URL to the list, users will be allowed to access your resource, and only this resource.
October 5th, 2014 5:36pm

Hello,

As you can see, the PowerShell command doesn't work. It has only the option DnsSuffix, while it should be something like FQDN.

Daniel

February 24th, 2015 1:38am

Hi Daniel, agreed, it states DnsSuffix, which means that if you wanted to send test.misco.co.uk through the tunnel and out of your corporate firewall, you would have to specify *.misco.co.uk, meaning any traffic bound for that website would come through the tunnel. Sorry if that doesn't meet your requirements; it is a limitation, but a valid workaround.

February 24th, 2015 4:31am

Therefore working through the GPO works fine. As mentioned, I must only allow one host to go into the tunnel, while the rest should stay outside.

This works fine for me.

Daniel

February 24th, 2015 4:51am
