Configuring an Internet connectivity method in SP1

This topic describes how to configure an Internet connectivity method using the Forefront UAG DirectAccess Configuration Wizard. DirectAccess clients can be configured to use one of the following Internet connectivity methods:

Split tunneling—Traffic destined for the intranet is sent over the IPsec intranet tunnel to the Forefront UAG DirectAccess server. Other traffic destined for the Internet is sent directly to the Internet over the local interface configured on the DirectAccess client computer.

Note:

This is the default and recommended Internet connectivity method.
Force tunneling— All traffic leaving the DirectAccess client that is not destined for the local subnet is channeled through the Forefront UAG DirectAccess server over the intranet tunnel, even if that traffic is ultimately destined for the Internet.

All communications from the DirectAccess client to the Forefront UAG DirectAccess server are over IPv6. Therefore you must deploy one of the following solutions:
- An IPv6 aware corporate Web proxy server that DirectAccess clients can use to connect to the Internet.
- Forefront UAG DirectAccess integrated NAT64 and DNS64 that enable the DirectAccess client to connect to Internet resources.

Note:
This is the default and recommended Internet connectivity method.

Note:
If force tunneling was manually configured when using a previous version of Forefront UAG DirectAccess, ensure that you remove the "." suffix entry from the Identifying DNS Server page of the Forefront UAG DirectAccess Configuration Wizard, and that you remove any other GPO applied on the clients that has the Any suffix in the NRPT. Failure to do this may result in a corrupt NRPT and can result in DNS queries not working. Using force tunneling will impact on network performance.

Note:

If force tunneling was manually configured when using a previous version of Forefront UAG DirectAccess, ensure that you remove the "." suffix entry from the Identifying DNS Server page of the Forefront UAG DirectAccess Configuration Wizard, and that you remove any other GPO applied on the clients that has the Any suffix in the NRPT. Failure to do this may result in a corrupt NRPT and can result in DNS queries not working.
Using force tunneling will impact on network performance.

When force tunneling is configured, DirectAccess clients that detect that they are on the Internet, modify their IPv4 default route so that IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the Forefront UAG DirectAccess server.

Important:
When force tunneling is enabled, settings might be applied to client’s computers that are located in internal networks and configured for DirectAccess. To avoid network and Internet problems caused by this issue do the following: Ensure that the FQDN of the Forefront UAG DirectAccess server cannot be resolved by internal DNS servers. If the client computer configured with DirectAccess accesses the internet via a proxy server, configure the proxy to disallow connections to the FQDN of the Forefront UAG DirectAccess server.

Important:

When force tunneling is enabled, settings might be applied to client’s computers that are located in internal networks and configured for DirectAccess. To avoid network and Internet problems caused by this issue do the following:

Ensure that the FQDN of the Forefront UAG DirectAccess server cannot be resolved by internal DNS servers.
If the client computer configured with DirectAccess accesses the internet via a proxy server, configure the proxy to disallow connections to the FQDN of the Forefront UAG DirectAccess server.

To configure an Internet connectivity method

Under Step 2, under Optional Settings, click Force Tunneling. The Connectivity Method page appears.
- To select split tunneling, click Use split tunneling, and then click Finish.
- To select Force tunneling, click Use force tunneling, and then click Next. The Force Tunneling page appears.

Configure force tunneling as follows:

To use a corporate Web Proxy server, click Route requests directly to a corporate Web Proxy server, type the Web Proxy Server name and Port, click Validate Connectivity and if the validation is successful, click Finish.

Note:
The Forefront UAG DirectAccess Configuration Wizard validates that: The Web Proxy server name does not contain an IP address. The Web Proxy server name is resolvable. The specified port is valid (Between 1 and 65535).

Note:
When two-factor authentication and force tunneling is configured, users will be required to enter their two-factor authentication credentials even if all they are doing is accessing the Internet. To prevent the request for two-factor credentials, add the Web Proxy server as a management server, and the user therefore will not need to access the intranet tunnel.This solution is not available if you configure force tunneling using NAT64 and DNS64.

Note:

When two-factor authentication and force tunneling is configured, users will be required to enter their two-factor authentication credentials even if all they are doing is accessing the Internet. To prevent the request for two-factor credentials, add the Web Proxy server as a management server, and the user therefore will not need to access the intranet tunnel.This solution is not available if you configure force tunneling using NAT64 and DNS64.

To use the Forefront UAG DirectAccess integrated NAT64 and DNS64, click Resolve and route requests using UAG DirectAccess DNS64 and NAT64, click Validate Connectivity to validate validates that the Forefront UAG DirectAccess server has Internet connectivity, and then click Finish.