To reduce unnecessary traffic on the corporate network, Forefront UAG DirectAccess can send intranet traffic to the intranet and Internet traffic directly to the Internet, as shown in Figure 4. Most VPNs send all traffic, even traffic that is destined for the Internet, through the VPN, which can slow both intranet and Internet access. Because communications to the Internet do not need to travel to the corporate network and back out to the Internet, Forefront UAG DirectAccess does not slow down Internet access.

[Figure 4: diagram of a DirectAccess client on the Internet]

Figure 4: The default traffic flow for DirectAccess does not send Internet traffic through the Forefront UAG DirectAccess server

IT administrators can also choose to route all traffic, except traffic for the local subnet, through the Forefront UAG DirectAccess server and the intranet. When this option is enabled, all communications use the IP-HTTPS protocol, which creates an IP tunnel inside HTTPS, allowing it to pass through firewalls and proxy servers. By combining this option with Windows Firewall with Advanced Security, IT administrators gain complete control over which applications can send traffic and which subnets client computers can reach.

For example, IT administrators can use outbound Windows Firewall rules to:

While the default DirectAccess traffic configuration is optimized for performance, IT administrators have the flexibility required to meet their organization’s security requirements.
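The following is an added example, not part of the original article, of how the outbound rules described above could be expressed on a client with Windows PowerShell; the application path, rule names and subnets are constructed assumptions, and the NetSecurity cmdlets assume Windows 8 / Windows Server 2012 or later (older clients would use the equivalent netsh advfirewall commands).

```powershell
# Added example: restrict outbound traffic on a DirectAccess client that routes
# everything through the Forefront UAG DirectAccess server, using Windows
# Firewall with Advanced Security. All names, paths and subnets below are
# constructed assumptions, not values from the article.

# Constructed values
$IntranetSubnets = @('10.0.0.0/8', '172.16.0.0/12')   # assumed corporate address space
$AllowedApp      = 'C:\Program Files\Contoso\LineOfBusiness.exe'  # assumed approved application
$DaServerPublic  = '203.0.113.10'                      # assumed public address of the DirectAccess server
$RuleGroup       = 'DirectAccess Outbound Policy'

# 1. Deny outbound traffic on every profile unless a rule explicitly allows it.
#    Without a default-block, outbound allow rules do not restrict anything.
#    The built-in "Core Networking" allow rules stay enabled, so DHCP, ICMPv6
#    and IPsec negotiation keep working.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Keep the IP-HTTPS tunnel itself reachable (TCP 443 to the server's public
#    address), otherwise the client can no longer connect at all.
New-NetFirewallRule -DisplayName 'Allow IP-HTTPS tunnel to DirectAccess server' `
    -Group $RuleGroup -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 443 -RemoteAddress $DaServerPublic

# 3. Allow the approved application to reach intranet subnets only.
New-NetFirewallRule -DisplayName 'Allow approved app to intranet' `
    -Group $RuleGroup -Direction Outbound -Action Allow `
    -Program $AllowedApp -RemoteAddress $IntranetSubnets

# 4. Allow name resolution against intranet DNS servers.
New-NetFirewallRule -DisplayName 'Allow DNS to intranet resolvers' `
    -Group $RuleGroup -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $IntranetSubnets

# 5. Review the resulting policy before deploying it more widely.
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

In production these rules would be delivered by Group Policy rather than run by hand, and the allow list should be tested on a pilot client before the default outbound action is switched to Block.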