Does this meet the goal?

Your network contains an Active Directory domain named contoso.com. The domain contains multiple
sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from
the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security
policy requirement.
Solution: You enable split tunneling.
Does this meet the goal?

A. Yes

B. No

Explanation:
DirectAccess enables split tunneling by default. All traffic destined for the corpnet is sent over the DA
IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local
interface. This prevents DA clients from bringing the corporate Internet connection to its knees.
Is DA split tunneling really a problem? The answer is no.
Why? Because the risk that exists with VPNs, where the machine can act as a router between the
Internet and the corporate network, is not valid with DirectAccess. IPsec rules on the UAG server require
that traffic come from an authenticated source, and all traffic between the DA client and server is protected
with IPsec.
Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn't
going to be the DA client, and authentication will fail, which prevents the type of routing that VPN
admins are concerned about.
Why Split Tunneling is Not a Security Issue with DirectAccess




sdquirra

I think correct answer is B
(split tunnel needed)

sdquirra - typo

Sorry:
Answer B (FORCE tunneling needed)

Reginaldo

I agree. “all of the traffic destined for the Internet must be routed through the corporate network”.

Rogue

Right, I agree with you guys. Split-tunneling will route corporate data over the DA connection and Internet Traffic will go out through your ISP. In order to meet the requirement of routing all Internet traffic through the corporate network, you need forced tunneling enabled.

Correct answer is ‘B.’