Separating Internet and intranet traffic

Updated: February 1, 2010

Applies To: Unified Access Gateway

To reduce unnecessary traffic on the corporate network, Forefront UAG DirectAccess can send only intranet-destined traffic to the intranet while Internet traffic goes directly to the Internet, as shown in Figure 4. Most VPNs send all traffic, even traffic that is destined for the Internet, through the VPN, which can slow both intranet and Internet access. Because communications to the Internet do not need to travel to the corporate network and back out to the Internet, Forefront UAG DirectAccess does not slow down Internet access.

[Figure 4 image: DirectAccess client on the Internet]

Figure 4: The default traffic flow for DirectAccess does not send Internet traffic through the Forefront UAG DirectAccess server

IT administrators can also choose to route all traffic, except traffic for the local subnet, through the Forefront UAG DirectAccess server and the intranet. When this option is enabled, all communications use the IP-HTTPS protocol, which creates an IP tunnel within the HTTPS protocol, allowing it to pass through firewalls and proxy servers. By combining this option with Windows Firewall with Advanced Security, IT administrators gain complete control over which applications can send traffic and which subnets client computers can reach.

For example, IT administrators can use outbound Windows Firewall rules to:

  • Allow client computers to connect to the entire Internet, but only one specific subnet on the intranet.

  • Allow client computers to connect directly to the Internet using Internet Explorer®, but send traffic for all other applications through the intranet.

  • Prevent intranet applications from sending communications to the Internet by restricting them to specific servers on your intranet.
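The first and third rule types above, written out as an added example that is not part of the original page, using the Windows Firewall PowerShell cmdlets (Windows 8 / Windows Server 2012 and later; Windows 7-era clients would use the equivalent netsh advfirewall commands). The 10.0.0.0/8 intranet space, the 10.0.5.0/24 subnet, the application path and the server addresses are constructed placeholders.

```powershell
# Added example, not from the original page. Rule names, addresses and the
# application path are constructed placeholders; adjust them to your network.
# Requires the NetSecurity module (Windows 8 / Windows Server 2012 or later).

$AllowedSubnet = '10.0.5.0/24'                              # the one intranet subnet clients may reach
$LobClient     = 'C:\Program Files\Contoso\LobClient.exe'   # constructed intranet-only application
                                                            # constructed: it may talk only to 10.0.5.10-11

# Rule type 1: whole Internet reachable, but only $AllowedSubnet inside the 10.0.0.0/8 intranet.
# Windows Firewall applies Block rules before Allow rules, so an Allow for 10.0.5.0/24 would
# lose to a Block for 10.0.0.0/8. Block the address ranges on either side of the allowed
# subnet instead, and leave the profile's default outbound action at Allow.
New-NetFirewallRule -DisplayName "DA - Block intranet except $AllowedSubnet" `
    -Direction Outbound -Action Block `
    -RemoteAddress '10.0.0.0-10.0.4.255', '10.0.6.0-10.255.255.255'

# Rule type 3: an intranet application may reach only its own servers, so it can never
# send data to the Internet. Same pattern: block every range that is not a permitted server.
New-NetFirewallRule -DisplayName 'DA - LobClient only to its servers' `
    -Direction Outbound -Action Block -Program $LobClient `
    -RemoteAddress '1.0.0.0-10.0.5.9', '10.0.5.12-223.255.255.255'

# Verify what was created: each rule, its action, and the program/address filters attached to it.
Get-NetFirewallRule -DisplayName 'DA - *' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Action        = $_.Action
        Program       = $app.Program
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Run from an elevated PowerShell session; because the block-wins ordering is the point here, audit the resulting rules with the query at the end rather than assuming an Allow rule carved out the exception.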

While the default DirectAccess traffic configuration is optimized for performance, IT administrators have the flexibility required to meet their organization’s security requirements.