Microsoft introduced a remote access solution named “DirectAccess” with the Windows Server 2008 R2 platform. It was very hard for IT administrators to adopt this technology, as it had a mandatory requirement of an IPv6 network infrastructure.
But with Windows Server 2012 Microsoft has eliminated the IPv6 network infrastructure requirement. Now DirectAccess can be deployed with just a few clicks! Sounds simple! But a few administrators still face issues while configuring DirectAccess 2012.
Here are some suggestions:
First of all, you will need a Windows Server 2012 server with recent patches. Network placement plays the key role here. The most secure way is to keep your server in the DMZ zone behind NAT, meaning your private DMZ IP will be bound to a public IP on the edge firewall. Windows Server 2012 DirectAccess allows you to configure it using either a single NIC behind NAT or dual NICs behind NAT.
Single NIC is pretty straightforward, but the drawback is that you need to open lots of ports for your DirectAccess clients to reach internal resources from the internet. This gets painful if you have a huge number of applications, and some applications like Outlook, which use random ports, can force you to open a wide range of ports, which you may have to justify to the information security folks.
The best practice would be to go with the dual NIC behind NAT topology: one NIC connected to the internal network and the second one connected to the DMZ network as the external NIC.
Internal NIC: will have an IP and subnet mask, BUT NO GATEWAY; you will also assign the internal DNS servers to this NIC. External NIC: will have an IP, subnet mask and the DMZ gateway, and NO DNS HERE.
You may ask, without a gateway how will the internal NIC communicate with the internal network? You are right, it can't! But you may be aware that only one gateway can be assigned when you have dual NICs enabled, so for the internal NIC you will need to add routes using the route add command. The syntax is shown below.
route add 10.0.0.0 mask 255.0.0.0 YOURGATEWAYIP -p
The -p switch makes the route persistent across reboots. This will allow your internal NIC to communicate with the internal network; now you can go ahead and join your DirectAccess server to the domain.
Once this is done, initiate the DirectAccess server configuration. You may receive an error stating that both NICs are in the Domain profile. That's a problem now! The reason for this is that most network administrators keep the Active Directory ports open for all VLANs, including the DMZ. Since the DMZ NIC here is acting as the external network, it should have the Public profile instead of Domain. Windows assigns the Domain profile because your DMZ NIC IP can reach the Active Directory ports, so all you need to do is break this connection by blocking LDAP port 389 from your DMZ IP to the AD IP addresses on your internal-leg firewall. After this your external NIC will be identified as Public.
Make sure the DirectAccess public IP is registered in external DNS before you configure DirectAccess.
After this, just a few clicks and you are done!!
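As an added example (not part of the original post), here is a PowerShell checklist that performs the route step above and then verifies each point of the dual-NIC-behind-NAT build before you start the DirectAccess wizard: no default gateway or DNS on the external NIC, the DMZ NIC in the Public profile, LDAP 389 blocked from the DMZ IP to the domain controller, and the public name resolving in external DNS. The interface aliases "Internal" and "External", all addresses, the domain controller, the hostname and the external resolver are placeholders I assumed for the example; replace them with your own values.

```powershell
# Added example, not part of the original post. Interface aliases, addresses and the
# hostname below are assumptions - replace them with your own values.
# Run in an elevated PowerShell on the DirectAccess server (Windows Server 2012 or later).

$InternalAlias    = "Internal"        # LAN NIC: IP + mask, no default gateway, internal DNS
$ExternalAlias    = "External"        # DMZ NIC: IP + mask + DMZ gateway, no DNS
$InternalPrefix   = "10.0.0.0/8"      # same range as the route add command above
$InternalGateway  = "10.1.0.1"        # router on the internal NIC's subnet (assumed)
$DmzIp            = "192.0.2.10"      # private DMZ address of the External NIC (assumed)
$DomainController = "10.1.0.5"        # an AD domain controller (assumed)
$PublicName       = "da.example.com"  # DirectAccess name published in external DNS (assumed)
$ExternalResolver = "198.51.100.53"   # a DNS server outside your network (assumed)

# 1. Persistent route for the internal NIC (same effect as "route add ... -p").
if (-not (Get-NetRoute -DestinationPrefix $InternalPrefix -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $InternalPrefix -InterfaceAlias $InternalAlias `
                 -NextHop $InternalGateway | Out-Null
}
Write-Host "== Routes toward the internal network =="
Get-NetRoute -DestinationPrefix $InternalPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

# 2. Gateways and DNS: only the External NIC may carry a default route, and only
#    the Internal NIC may carry DNS servers.
Write-Host "== Default routes (expect only $ExternalAlias) =="
Get-NetRoute -DestinationPrefix "0.0.0.0/0" | Format-Table InterfaceAlias, NextHop -AutoSize
Write-Host "== DNS servers per NIC (expect none on $ExternalAlias) =="
Get-DnsClientServerAddress -InterfaceAlias $InternalAlias, $ExternalAlias -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3. Network profile: the DMZ NIC must show Public, not DomainAuthenticated, otherwise
#    the DirectAccess wizard complains that both NICs are in the Domain profile.
Write-Host "== Network profiles =="
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize

# 4. LDAP reachability from the DMZ address. Windows puts a NIC in the Domain profile
#    when a domain controller is reachable through it, so TCP 389 from the DMZ IP to
#    the DC should be blocked on the internal-leg firewall. A TcpClient bound to the
#    DMZ address is used instead of Test-NetConnection so this also runs on 2012 RTM.
function Test-TcpFromSource {
    param([string]$SourceIp, [string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $local  = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse($SourceIp), 0)
    $client = New-Object System.Net.Sockets.TcpClient($local)
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out
        $client.EndConnect($ar)                                             # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
if (Test-TcpFromSource -SourceIp $DmzIp -Target $DomainController -Port 389) {
    Write-Warning "TCP 389 from $DmzIp to $DomainController is OPEN; $ExternalAlias will stay in the Domain profile."
} else {
    Write-Host "OK: TCP 389 from $DmzIp to $DomainController is blocked."
}

# 5. External DNS: the public DirectAccess name must resolve from outside before
#    you run the wizard.
try {
    $a = Resolve-DnsName -Name $PublicName -Type A -Server $ExternalResolver -ErrorAction Stop
    Write-Host ("OK: {0} resolves externally to {1}" -f $PublicName, ($a.IPAddress -join ", "))
} catch {
    Write-Warning "$PublicName does not resolve via $ExternalResolver; register it before configuring DirectAccess."
}
```

If step 4 reports the port as open, fix it on the internal-leg firewall as described above and re-run the script; the profile shown in step 3 changes once Windows re-evaluates the network on that NIC (disabling and re-enabling the External NIC forces this).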
Cheers to MS for bringing such an amazing remote access solution!
Soon to come: How to install DirectAccess with least privileges. Stay connected!
Please feel free to comment if you have any queries on the above topic.