I was involved in some DirectAccess pre-sales and projects with the One-Time Password feature. For a while we have had a dedicated TechNet web page for special cases, requests or scenarios: DirectAccess Unsupported Configurations. I used to look at it from time to time to check whether I had missed something. Today, I was surprised to discover a new section related to OTP scenarios:
I understand the second one. We must establish an SSL session excluded from the IPsec tunnel, which is not possible with force tunneling. IMO, the force tunneling feature needs to be reviewed (a wish for Windows vNext). From a technical point of view, we can replace it with the Web Filtering for DirectAccess users approach.
The first one is a surprise. I was about to consider the SSL Offload for IP-HTTPS DirectAccess Traffic from Windows 7 Clients using F5 BIG-IP proposed by Richard Hicks for a project of mine including OTP. I will have to forget SSL offload. In some way it's logical: we cannot have different ways to manage SSL authentication for the same endpoint (the ISAPI filter used by OTP and the IP-HTTPS endpoint).
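Both constraints above translate into a quick configuration check an administrator can run on the DirectAccess server before enabling OTP. The script below is an added example, not code from the original post: it uses the Get-DAOtpAuthentication, Get-DAClient and Get-RemoteAccess cmdlets of the RemoteAccess module (Windows Server 2012 or later) and assumes the OtpStatus, ForceTunnelingStatus and ConnectToAddress property names of their output.

```powershell
# Added example (not from the original post): report the DirectAccess OTP
# configurations the post describes as unsupported. Run in an elevated session
# on the DirectAccess server with the RemoteAccess module installed.
Import-Module RemoteAccess

$otp    = Get-DAOtpAuthentication   # assumed property: OtpStatus (Enabled/Disabled)
$client = Get-DAClient              # assumed property: ForceTunnelingStatus (Enabled/Disabled)
$ra     = Get-RemoteAccess          # assumed property: ConnectToAddress (IP-HTTPS public name)

$findings = @()

if ($otp.OtpStatus -eq 'Enabled') {
    # Unsupported combination 1: OTP needs an SSL session outside the IPsec tunnel,
    # which force tunneling does not allow.
    if ($client.ForceTunnelingStatus -eq 'Enabled') {
        $findings += 'OTP and force tunneling are both enabled: unsupported combination.'
    }

    # Unsupported combination 2 cannot be read from the server itself: the IP-HTTPS
    # endpoint must terminate SSL on the DirectAccess server, not on an offload device.
    # Emit the public name so the administrator can verify what answers on TCP/443.
    $findings += "Verify that $($ra.ConnectToAddress):443 is served directly by the DirectAccess server (no SSL offload in front of the OTP ISAPI filter)."
}

if ($findings.Count -eq 0) {
    Write-Output 'No OTP-related unsupported configuration detected.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The force tunneling check is definitive from the server side; the SSL offload check is only a reminder, because the server cannot see whether a load balancer terminates SSL before forwarding the IP-HTTPS traffic to it.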
BenoîtS – Simple and Secure by Design but Business compliant.