
I'm looking at deploying DirectAccess in our network but have some concerns over the requirement to have the DirectAccess server be domain joined, particularly because it's going to be in the DMZ. The firewall rules on the external firewall are quite straightforward to me (pretty much just TCP 443, as it's going to be NATted so the 6to4 and Teredo ports are not required), but the internal firewall is less clear.

Has anyone else deployed DA here? Short of opening up all IPv4 and IPv6 traffic from the DA server to the internal network as per Microsoft's recommendation (which we aren't going to get approved), what exactly needs to be opened up? All ports required for AD DS operation, plus whichever services/resources our clients need to access?

I thought about using an RODC in the DMZ, but apparently a read/write DC is required (despite threads suggesting it works in some cases).

peblos

1 Answer

I've deployed DirectAccess a few times. ;) You are correct, all protocols/ports required for domain communication as well as those required for connected DirectAccess clients to use internal resources are required. As you can see, this is a pretty wide path that will have to be opened from the DMZ to the LAN. Definitely not a good idea. RODC isn't supported with DirectAccess, so that solution is out too.

One option is to configure the DirectAccess server with two NICs and place the external NIC in the DMZ and the internal NIC on the LAN. Effectively you are bridging your LAN, and some administrators object to that.

Another option is to place the DirectAccess server on the LAN with a single NIC. That would require opening only a single port from the DMZ to the LAN: TCP port 443.

Hope that helps!

  • Yeah, we can't have traffic passing through the DMZ to an internal DA server nor can we have the domain joined DA server placed in the DMZ. So now, I'm looking at placing _something_ in the DMZ to authenticate requests before allowing traffic to the LAN and/or to terminate connections in and I've got the idea of using Web Application Proxy in the DMZ. If we want pre-authentication we need an internal AD FS server. If we're relying on the WAP for preauth, I've read that the WAP needs to be domain joined as well, so we're back to the start – peblos Jan 26 '16 at 22:00