I was involved in some DirectAccess pre-sales work and projects using the One-Time Password feature. For a while we have had a dedicated TechNet web page for special cases, requests or scenarios: DirectAccess Unsupported Configurations. I used to have a look at it from time to time to check whether I had missed something. Today, I was surprised to discover a new section related to OTP scenarios:
I understand the second one. We must establish an SSL session excluded from the IPsec tunnel, which is not possible with force tunneling. IMO, the force tunneling feature needs to be reviewed (a wish for Windows V.Next). From a technical point of view we can replace it with the Web Filtering for DirectAccess users approach.
For the first one, it’s a surprise. I was about to consider the SSL Offload for IP-HTTPS DirectAccess Traffic from Windows 7 Clients using F5 BIG-IP proposed by Richard Hicks for a project of mine including OTP. I will have to forget SSL offload. In some way it’s logical: we cannot have different ways of managing SSL authentication for the same endpoint (the ISAPI filter used by OTP and the IP-HTTPS endpoint).
BenoîtS – Simple and Secure by Design but Business compliant.