Hello!
Apparently my DirectAccess server uses the default GPO for connection security rules.
The GPO linked to infrastructure tunnel is the following:
DirectAccessPolicyClientToDNS64NAT64: Endpoint 1 = any, Endpoint 2 = IPv6 ::/96, no authentication
As far as I know, this rule allows the computer to build an infrastructure tunnel. Could we harden it to restrict the IP to the ones corresponding to the DNS server and the DCs?
Because this way, once the infrastructure tunnel is built, you have full access to the intranet (within the ACL limitation), don't you?
Thanks
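Before changing a DirectAccess connection security rule, it helps to see exactly what each rule in the GPO permits. The following PowerShell audit is an added example, not code from the original post or from Microsoft; it lists every IPsec rule in a policy store, resolves its endpoint address filters, and flags rules whose remote endpoint is not restricted to specific hosts or whose inbound and outbound security are both set to None (an authentication exemption). The GPO name in `$PolicyStore` is a placeholder; on a DirectAccess client you can use `-PolicyStore ActiveStore` instead to inspect the rules that are actually in effect.

```powershell
# Added example (not from the original post): audit IPsec connection security rules
# for broad endpoints and missing authentication.
# Assumptions: NetSecurity module available (Windows 8 / Server 2012 or later),
# rights to read the GPO, and a placeholder GPO name that you replace with your own.
$PolicyStore = 'contoso.local\DirectAccess Client Settings'   # placeholder GPO name

function Test-HostRestricted {
    # Returns $true only if every address entry names a single host (or a host prefix).
    param([string[]]$Addresses)
    foreach ($a in $Addresses) {
        if ($a -eq 'Any' -or $a -eq 'LocalSubnet') { return $false }   # keyword covering everything
        if ($a -match '-')                         { return $false }   # explicit address range
        if ($a -match '^(.+)/(\d+)$') {
            $isV6 = $Matches[1].Contains(':')
            $hostBits = if ($isV6) { 128 } else { 32 }
            if ([int]$Matches[2] -lt $hostBits)   { return $false }   # network prefix, not a host
        }
    }
    return $true
}

$report = Get-NetIPsecRule -PolicyStore $PolicyStore | ForEach-Object {
    $rule = $_
    # Address filters hold the Endpoint 1 (Local) / Endpoint 2 (Remote) definitions.
    $addr = $rule | Get-NetFirewallAddressFilter
    $remote = @($addr.RemoteAddress)

    # A rule with InboundSecurity and OutboundSecurity both 'None' is an
    # authentication exemption: traffic matching it is not protected by IPsec.
    $authenticated = -not ($rule.InboundSecurity -eq 'None' -and $rule.OutboundSecurity -eq 'None')

    [pscustomobject]@{
        Rule             = $rule.DisplayName
        Mode             = $rule.Mode
        Local            = (@($addr.LocalAddress) -join ',')
        Remote           = ($remote -join ',')
        InboundSecurity  = $rule.InboundSecurity
        OutboundSecurity = $rule.OutboundSecurity
        Authenticated    = $authenticated
        HostRestricted   = Test-HostRestricted -Addresses $remote
    }
}

# Full picture first, then only the rules worth a second look.
$report | Format-Table -AutoSize
Write-Host "`nRules with a broad remote endpoint or no IPsec protection:" -ForegroundColor Yellow
$report | Where-Object { -not $_.HostRestricted -or -not $_.Authenticated } |
    Format-Table Rule, Remote, Authenticated, HostRestricted -AutoSize
```

Reading the output against the rule from the post: a remote endpoint of `::/96` is flagged as not host-restricted, and a rule with both security settings at None is flagged as unauthenticated. Whether such a rule is safe to tighten depends on what the DirectAccess setup relies on it for, so compare the flagged rules with the DNS and DC addresses your clients must reach through the infrastructure tunnel before editing the GPO, and test the change on a single client before rolling it out.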