Most of our customers want to force their users to use the internal proxy when they are connected to the corporate network through DirectAccess.
There are different ways to provide this service. The first one is the “force tunneling” option. With this option activated, all traffic is routed inside the corporate network (except traffic to local IP addresses). With UAG SP1, configuring Force Tunneling is very easy, as you can see in the following screenshots.
Activate the force tunneling option :
Specify the proxy server :
And that’s it. There are benefits and disadvantages to activating force tunneling. Have a look at this article by the Edge Man (Tom Shinder): More on DirectAccess Split Tunneling and Force Tunneling
What we can retain is:
- When Force Tunneling is enabled, all traffic is sent over the DA client tunnel using the IP-HTTPS protocol, but IP-HTTPS is the slowest transition technology protocol for DA (Teredo and 6to4 are not used).
- When Force Tunneling is enabled, users cannot use the “local name resolution” option.
So I found that this is not the right thing to do if you only want to route web traffic through the corporate proxy.
Automatic Proxy Configuration Script
Let’s say that your company has a Forefront TMG proxy. You can use the automatic proxy configuration script provided by TMG to configure your clients when they are inside the company. This script is automatically created during TMG configuration. The default URL is: http://proxy.vnext.lab:8080/array.dll?Get.Routing.Script.
In order to configure your clients, you use a Group Policy to force the proxy configuration. But when the users go back home, they say that the internet isn’t working. The reason is that this script returns the static IPv4 address of the proxy to the browser when there is a request. You can see that in the following capture. The IPv4 address of my proxy is 192.168.1.10, and the local IPv4 address of my DA client is 192.168.100.101. Of course, the remote IPv4 address is unreachable: DirectAccess only carries IPv6 over the tunnel, so an IPv4 proxy address is never routed to the corporate network.
Have a look inside the script. The proxy list is built with the IPv4 address:
A workaround is to create your own proxy.pac. In this script, put the proxy DNS name instead of the IPv4 address. Forefront TMG doesn’t support IPv6 for the moment, but if the internal network card has an IPv6 address, you can also return this IPv6 address. You can add some conditions (for example the source IP) to return different addresses. But my advice is: when you are using DirectAccess, always use fully qualified domain names. UAG (through its DNS64) will translate this DNS name into an IPv6 address that the DA client can reach.
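Here is what such a proxy.pac can look like. This is an example added here, not the script generated by TMG and not the author’s own file. The proxy name proxy.vnext.lab and port 8080 come from the URL above; the internal DNS suffix vnext.lab and the rule “go direct for internal names” are assumptions about the lab, not something the post states. The script uses only plain string operations so that it runs unchanged in IE/WinHTTP, Firefox and Node.js.

```javascript
// proxy.pac (added example, not the TMG-generated array.dll?Get.Routing.Script)
//
// Broken form returned by TMG for DirectAccess clients (do not use):
//   return "PROXY 192.168.1.10:8080";
// The IPv4 address is not routed through the DA tunnel, so the browser
// cannot reach the proxy from outside the corporate network.
//
// Fixed form: return the proxy by FQDN. On a DA client, the NRPT sends
// proxy.vnext.lab to the UAG DNS64, which returns an IPv6 address that
// is reachable through the tunnel. Inside the network, normal DNS applies.

var PROXY_FQDN = "proxy.vnext.lab";   // assumed: name from the post's URL
var PROXY_PORT = 8080;                // assumed: port from the post's URL
var INTERNAL_SUFFIX = ".vnext.lab";   // assumed: lab's internal DNS suffix

// Suffix match without String.prototype.endsWith, which old PAC
// engines (IE JScript) do not provide.
function endsWithSuffix(host, suffix) {
  var idx = host.length - suffix.length;
  return idx >= 0 && host.indexOf(suffix, idx) === idx;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback never goes through the proxy.
  if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
    return "DIRECT";
  }

  // Single-label names (http://intranet/) and names inside the corporate
  // suffix are reached directly; the DA client resolves them via the NRPT.
  if (host.indexOf(".") === -1 ||
      host === INTERNAL_SUFFIX.substring(1) ||
      endsWithSuffix(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }

  // Everything else goes through the proxy, addressed by FQDN only.
  // "; DIRECT" lets the browser fall back to a direct connection when the
  // proxy is unreachable, e.g. DA server down and local name resolution
  // in use at home.
  return "PROXY " + PROXY_FQDN + ":" + PROXY_PORT + "; DIRECT";
}
```

Publish the file on an internal web server (or the TMG itself) and point the Group Policy proxy setting at its URL by FQDN as well; the same file then works whether the client is on the LAN or connected through DirectAccess.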
With the automatic configuration script you can:
- Force the configuration of the proxy with a proxy.pac for DirectAccess users. Whether they are inside or outside the network, it will work.
- DA clients still use Teredo or 6to4 when possible (no IP-HTTPS penalty as with force tunneling).
- Users can still use “local name resolution” if the DA server is down. In that case the proxy is unreachable, and the browser falls back to a direct connection (no proxy).
The WPAD entry and wpad.dat file
You can also use your DNS to store the address of the proxy as a WPAD entry. Don’t forget to unblock this kind of entry in DNS (the default global query block list contains wpad and isatap; dnscmd /config /globalqueryblocklist isatap leaves only isatap blocked), and remember that the client only requests wpad.dat from the WPAD server on TCP port 80. You cannot specify port 8080, for example, with the DNS entry.
Be careful, and have a look inside the wpad.dat file too. You can also find IPv4 entries in it:
And if you don’t want to force the proxy ?
Let’s assume that you want to force the use of the proxy for users when they are inside the network, but not when they are outside, connected with DirectAccess. I think the best way is to use the WPAD entry within DHCP (option 252): a DA client at home gets its lease from the home router, which hands out no WPAD option, so no proxy is applied.
Another way is to use the WPAD entry in DNS and add an exception in the NRPT for wpad.vnext.lab. With the exemption, the DA client resolves that name through its local (home) DNS, where it does not exist, so the browser goes direct; inside the network, the corporate DNS answers and the proxy is applied. Thanks to Tom Shinder for this nice idea.
Published by Olivier DETILLEUX