topic Re: Microsoft Direct Access - is user Identification possible? in General Topics

Microsoft Direct Access - is user Identification possible?

LCMember3410 — Thu, 31 Jan 2013 09:36:52 GMT

Hi,

We have user identification working nicely using user ID agents on a few of our active directory domain members.

I've been looking at MS Direct Access (and formerly UAG) and it seems that a DA implementation would show all connected users as having the same source IP address and therefore user ID. (The private IP address of the DA server.)

Do PA firewalls have a way of identifying which user the traffic inside the DA 'tunnel' is from?

I guess what I'm probably asking for is a 'DA Server User Agent' in the same way that there is a MS Terminal Server Agent which does a similar job.

Thanks

Matt

Re: Microsoft Direct Access - is user Identification possible?

gwhyte — Thu, 31 Oct 2013 18:54:52 GMT

Bump on this. Thanks for asking this, Matt. We are looking for the same answer.

Re: Microsoft Direct Access - is user Identification possible?

james.pyatt — Mon, 19 May 2014 11:36:27 GMT

Just testing Direct Access and having the exact same issue - any updates?

Re: Microsoft Direct Access - is user Identification possible?

LCMember4540 — Mon, 16 Nov 2015 20:21:16 GMT

We have the same issue.

Re: Microsoft Direct Access - is user Identification possible?

TSchworer — Thu, 16 Jul 2020 14:23:54 GMT

same problem - any news on this?

Re: Microsoft Direct Access - is user Identification possible?

nbutter — Fri, 17 Jul 2020 14:52:44 GMT

I'm thinking that you might try to monitor it before it gets to the DA server. There should be a way to map the user public IP address to their user-id, e.g. if there are logs somewhere in either: DA server, AD, some other security tool, or similar, you could push that into user-id. Not simple or elegant though. I wouldn't try to monitor the traffic within the tunnel directly, but anything traversing your firewall going to the IP address of the DA server.