Disclaimer: I should clarify though that I have not personally implemented DA. I am looking into it to consider implementing it and I have only been reading about it so far. So please feel free to correct any of my information if it is inaccurate.
While DA does offer an option to force all traffic through the tunnel (source <http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx>), it appears that we should be able to add this IP sensitive service's DNS name to the NRPT <http://technet.microsoft.com/en-us/magazine/ff394369.aspx> so that the traffic flows through corpnet.

And related, here is another site that also has some more information that may also offer some help: http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/03/16/how-to-use-your-corporate-proxy-when-you-are-connected-with-directaccess.aspx

-Aakash Shah

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, September 10, 2013 6:22 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Problem - access based on your IP

This is if you force Internet access through the DA link, yes?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Aakash Shah
Sent: Tuesday, September 10, 2013 9:07 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Problem - access based on your IP

I haven't tested this, but I think that using DirectAccess and adding the service's DNS name to your Name Resolution Policy Table (NRPT) <http://technet.microsoft.com/en-us/magazine/ff394369.aspx> may do the trick. Since DirectAccess is automatic and transparent, this may provide you with a seamless "one-click" solution for your clients.

-Aakash Shah

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of David Lum
Sent: Monday, September 9, 2013 7:32 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Problem - access based on your IP

We have signed up to a service that gives access not via user accounts, but by "allowed inbound IP's". Easy enough for on-premise staff, but we have 100+ remote users, and for them we've been told to set up a proxy server to achieve this.

I've been told by my boss that the ideal solution for our remote staff would be for them to just click a bookmark in their browser so it is just another site. Is there any other way to achieve this other than by proxy?

Non one-click methods would be for our remote users to VPN to NWEA first, then hit their site, or to connect via RDS Gateway. Is there a slick little client-side piece that we might be able to stick on our remote users' machines or anything? I'm drawing a blank on how to achieve my boss' request other than a proxy (which I have no experience with but have asked my network team their opinion on it).

David Lum
Sr. Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764