Some new DirectAccess unsupported scenarios

I was involved in some DirectAccess pre-sale & projects with One-Time Password feature. For a while we have a dedicated Technet web page for special cases / requests or scenarios DirectAccess Unsupported Configurations. I used to have a look at it some time to time to check if I missed something. Today, I was surprised to  discover new section related to OTP scenarios :


I understand for the second one. We must establish a SSL session excluded from the IPSEC tunnel, that is not possible with force tunneling. IMO, force tunneling feature need to be reviewed (a wish for Windows V.Next). From a technical point of view we can replace it with the Web Filtering for DirectAccess users approach.

For the first one, it’s a surprise. I was about to consider the SSL Offload for IP-HTTPS DirectAccess Traffic from Windows 7 Clients using F5 BIG-IP proposed by Richard Hicks for a project of mine including OTP. I will have to forget SSL Offload. In some way it’s logic, we cannot have different way to manage SSL authentication for the same endpoint (ISAPI filter used by OTP and IPHTTPS endpoint).


BenoîtS – Simple and Secure by Design but Business compliant.


Simple, yes, Secure Maybe, by design for sure, Business compliant always!

Les derniers articles par Benoit (tout voir)

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.