I have a Security and Compliance need to restrict who can authenticate/access a domain user connection via a direct access tunnel.
According to policy (based entirely on lack of DirectAccess knowledge and structured around traditional VPN requirements) I am asked to allow only specific user accounts access via DirectAccess. I also have to restrict the access to one session per user (a user can't log in to two different DirectAccess-connected machines at once). I found an older article that described an approach through Group Policy that set up a custom user authentication under the Windows Advanced Firewall/IPsec Tunnel Authorization. This involved creating a list of denied users that included all users not allowed DirectAccess. This does not seem manageable if I read it correctly. I was wondering if any other solutions have been discovered.