Your network contains an Active Directory domain named contoso.com. The domain
contains multiple sites. You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate
network from the Internet, all of the traffic destined for the Internet must be routed through
the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the
security policy requirement.
What should you include in the recommendation?
A. Set the ISATAP State to state enabled.
B. Enable split tunneling.
C. Set the ISATAP State to state disabled.
D. Enable force tunneling.
Explanation:
http://blogs.technet.com/b/csstwplatform/archive/2009/12/15/directaccess-how-to-configureforcetunneling-forda-so-that-client-are-forced-to-use-ip-https.aspx
You can configure DirectAccess clients to send all of their traffic through the tunnels to the
DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess
clients that detect that they are on the Internet modify their IPv4 default route so that default
route IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the
DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Correct answer: D
This is so badly worded it’s actually insulting. I sat here for like 30 minutes trying to figure out just what exactly it is they were asking.
Let poor, young, unqualified me do their job for them and reword it:
“The network security policy states that when client computers connect to the corporate network from the Internet, all of THEIR (The client’s) traffic destined for the Internet must be routed through the corporate network.”
Now it makes sense… enable force tunneling.
Basically, if I’m chilling at home and I use DA to connect to my corpnet, I can still browse the internet locally using my own personal internet connection. The policy states that if I connect from home and I want to browse the internet while connected via DA to the corpnet, I need to utilize my corpnet’s internet connection (basically using the DA tunnel as if it were a traditional VPN proxy).
So yeah, enabling force tunneling will force the clients to use their corporate network’s internet connection, by proxy.
Think I need a break 🙁 These tests are evil.