Does this meet the goal?

Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.
You plan to deploy DirectAccess.
The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.
You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.
Solution: You enable split tunneling.
Does this meet the goal?

A. Yes

B. No

Explanation:
By default, DirectAccess enables split tunneling. All traffic destined for the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.
Is DA split tunneling really a problem? The answer is no.
Why? Because the risk that exists with VPNs, where the machine can act as a router between the Internet and the corporate network, does not apply to DirectAccess.
IPsec rules on the UAG server require that traffic come from an authenticated source, and all traffic between the DA client and server is protected with IPsec.
Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn't going to be the DA client, and authentication will fail, preventing the type of routing that VPN admins are concerned about.
Why Split Tunneling is Not a Security Issue with DirectAccess



Jay

B. Split tunneling does NOT force all the traffic over the corporate network but does the opposite.

“all of the traffic destined for the Internet must be routed through the corporate network.” Force tunneling should be the choice.

Corey

Agreed with Jay, the answer is B

Harby

Correct answer is B. Force tunneling is what you should enable. I agree with Jay and Corey.