Configuration of Direct Access 2012

Similar Messages

• Direct Access 2012 R2 - Problems with Force Tunneling and other questions

  I have just setup a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients. 
  Internal CA environment (no external CRL) using a public issued cert for IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address) and my test clients are connecting fine to internal resources.
  1.  When I enable Force Tunneling the clients no longer are able to access the external internet.  Is there anything I need to add to make this work?
  2.  I am having trouble with our Remote Desktop Session Hosts.  I can only assume it has something to do with the DNS  as we have our AD domain performing internal DNS of the int.contoso.com domain and public DNS performing for the external
  Contoso.com domain (RDWA etc).  DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup.  Should I add the external contoso.com Name Suffix in there too?
  3.  I have a Kaspersky Security Center server for centralized AV admin, can I still push out AV updates to the clients that connect with DA.  Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA
  setup.   Does that list allow those servers to access the DA clients?

  Hi,
  Let's solve problems one by one. Force tunneling. When enabled, all network trafic from DirectAccess clients goes throught IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf
  internet again.
  RDS : Depend. Where are your RDS servers registred internal zone DNS or external DNS zone. If a DirectAccess client cannot resolve a name it does not know if it has to go throught the tunnel. At last can you ping your RDS Server?
  Remote Management : Right. Adding servers in this list allow them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged.
  BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

• Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

  Hi
  We have installed Direct Access 2012 as one server installation:
  - Two network cards. First one in DMZ and second one in internal network
  - Two consecutive IP addresses configured in DMZ because of Teredo
  - PKI because of Win7 Clients IPSec
  - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
  - DA-servers are VMWare virtual machines 
  One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
  but problem is DNS. If we still try to use DA-server as DNS there comes error message below
  None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
  When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using DA-servers DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addressess. So how DNS should be configured when using multicast
  NLB? 
  Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
  Then tried to ping detected address => General failure
  NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
  Any clues how to fix this?
  ~ Jukka ~

  Hi,
  Your question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various
  paid support options that are available to better meet your needs.
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Direct Access 2012 - Can it be set to use an alternate port to 443

  Hi all,
  Just wondering if it's possible to forward from a public IP on a port other that 443 to a Direct Access 2012 server and if so how best to go about configuring it?
  Thanks.

  Hi,
  As far as I know, we can't change the default port used by DirectAccess.
  If we change the default port in server side by port forwarding, DirectAccess will can't connect to the server. Because there is no option to specify the destination port used by client.
  Therefore, we can't change the default port used by DirectAccess.
  Best Regards.
  Steven Lee
  TechNet Community Support

• Direct Access 2012 R2 - route by IP address ?

  Hi all,
           Direct access on 2012 R2 implemented and working.
  We have one application, which after initially querying the server via DNS name (which works) - all further communication occurs via IP address....  which fails - I assume because DA simply doesn't know that the IP traffic should be sent across the
  tunnel.
  Is there any way of adding an IP (or set of IP's) that should always be sent across the DA tunnel ?

  Hi,
  First what is the DNS answer IPv6? If yes it goes throught the IPSEC tunnels. Otherwise, it does not.
  if application request DNS resolution but does not use IPv6 address provided, it's because application want to use IPv4. I had such case. I had a sort of solution for TCP IPv4 based communications :
  http://danstoncloud.com/blogs/simplebydesign/archive/2012/02/11/tcpv4-based-applications-with-directaccess.aspx. It may help but need some automation to detect if DirectAccess client is connected on LAN or on Internet to enable / disable the Portproxy trick
  I used.
  BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

• Direct Access 2012 -- Windows 8.1 -- ERROR_IPSEC_IKE_NO_POLICY

  Hello Everyone,
  hope someone can help out because i've tried all the troubleshhoting i could think of
  i have a DA 2012 insfrastructure (Single NIC signle Server)
  everything is working fine on my windows 7s but i can't seem to have my windows 8.1 to connect
  i can ping all my DA ipv6 Adresses fro the client but the ipsec negociation is failing,
  after lots of logging i managed to find this in the Firewall logs :
  <error>ERROR_IPSEC_IKE_NO_POLICY</error>
  <frequency>215</frequency>
  so i understant the negociation is failing but no idea why :s
  i though about the CRL but the windows 7 has the same certificate and is working fine...
  any ideas ?
  cheers
  Hitch Bardawil

  and the log 
  [9/8/2014 3:39:14 PM]: In worker thread, going to start the tests.
  [9/8/2014 3:39:14 PM]: Running Network Interfaces tests.
  [9/8/2014 3:39:14 PM]: Wi-Fi (Intel(R) Centrino(R) Advanced-N 6200 AGN): fe80::1026:d8f9:ded7:a2fb%3;: 192.168.1.124/255.255.255.0;
  [9/8/2014 3:39:14 PM]: Default gateway found for Wi-Fi.
  [9/8/2014 3:39:14 PM]: Teredo Tunneling Pseudo-Interface (Teredo Tunneling Pseudo-Interface): 2001:0:5ef5:79fb:65:2ac:92ff:d1b2;: fe80::65:2ac:92ff:d1b2%9;
  [9/8/2014 3:39:14 PM]: No default gateway found for Teredo Tunneling Pseudo-Interface.
  [9/8/2014 3:39:14 PM]: iphttpsinterface (iphttpsinterface): fddd:4cc:499:1000:b50f:a4fe:2c78:1299;: fddd:4cc:499:1000:6815:8f66:437e:ac7d;: fe80::b50f:a4fe:2c78:1299%10;
  [9/8/2014 3:39:14 PM]: No default gateway found for iphttpsinterface.
  [9/8/2014 3:39:14 PM]: Wi-Fi has configured the default gateway 192.168.1.1.
  [9/8/2014 3:39:14 PM]: Default gateway 192.168.1.1 for Wi-Fi replies on ICMP Echo requests, RTT is 5 msec.
  [9/8/2014 3:39:14 PM]: Received a response from the public DNS server (8.8.8.8), RTT is 55 msec.
  [9/8/2014 3:39:14 PM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
  [9/8/2014 3:39:14 PM]: Running Inside/Outside location tests.
  [9/8/2014 3:39:14 PM]: NLS is https://nls.grsea.priv/.
  [9/8/2014 3:39:14 PM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
  [9/8/2014 3:39:14 PM]: NRPT contains 2 rules.
  [9/8/2014 3:39:14 PM]: Found (unique) DNS server: fddd:4cc:499:3333::1
  [9/8/2014 3:39:14 PM]: Send an ICMP message to check if the server is reachable.
  [9/8/2014 3:39:14 PM]: DNS server fddd:4cc:499:3333::1 is online, RTT is 55 msec.
  [9/8/2014 3:39:14 PM]: Running IP connectivity tests.
  [9/8/2014 3:39:15 PM]: The 6to4 interface service state is default.
  [9/8/2014 3:39:15 PM]: Teredo inferface status is online.
  [9/8/2014 3:39:15 PM]: The configured DirectAccess Teredo server is win8.ipv6.microsoft.com..
  [9/8/2014 3:39:15 PM]: The IPHTTPS interface is operational.
  [9/8/2014 3:39:15 PM]: The IPHTTPS interface status is IPHTTPS interface active.
  [9/8/2014 3:39:15 PM]: IPHTTPS is used as IPv6 transition technology.
  [9/8/2014 3:39:15 PM]: The configured IPHTTPS URL is https://da2012.thelem-assurances.fr:443.
  [9/8/2014 3:39:15 PM]: IPHTTPS has a single site configuration.
  [9/8/2014 3:39:15 PM]: IPHTTPS URL endpoint is: https://da2012.thelem-assurances.fr:443.
  [9/8/2014 3:39:15 PM]: Successfully connected to endpoint https://da2012.thelem-assurances.fr:443.
  [9/8/2014 3:39:15 PM]: No response received from grsea.priv.
  [9/8/2014 3:39:15 PM]: Running Windows Firewall tests.
  [9/8/2014 3:39:15 PM]: The current profile of the Windows Firewall is Private.
  [9/8/2014 3:39:15 PM]: The Windows Firewall is enabled in the current profile Private.
  [9/8/2014 3:39:15 PM]: The outbound Windows Firewall rule Gestion réseau de base - Teredo (Trafic sortant UDP) is enabled.
  [9/8/2014 3:39:15 PM]: The outbound Windows Firewall rule Réseau de base - IPHTTPS (TCP-Sortant) is enabled.
  [9/8/2014 3:39:15 PM]: Running certificate tests.
  [9/8/2014 3:39:15 PM]: Found 3 machine certificates on this client computer.
  [9/8/2014 3:39:15 PM]: Checking certificate [no subject] with the serial number [21BDEAFA00000000123F].
  [9/8/2014 3:39:15 PM]: The certificate [21BDEAFA00000000123F] contains the EKU Client Authentication.
  [9/8/2014 3:39:15 PM]: The trust chain for the certificate [21BDEAFA00000000123F] was sucessfully verified.
  [9/8/2014 3:39:15 PM]: Checking certificate [no subject] with the serial number [2292E531000000001240].
  [9/8/2014 3:39:15 PM]: The certificate [2292E531000000001240] contains the EKU Client Authentication.
  [9/8/2014 3:39:15 PM]: The trust chain for the certificate [2292E531000000001240] was sucessfully verified.
  [9/8/2014 3:39:15 PM]: Checking certificate CN=SA000003B.grsea.priv with the serial number [1DD5B26600000000123D].
  [9/8/2014 3:39:15 PM]: The certificate [1DD5B26600000000123D] contains the EKU Client Authentication.
  [9/8/2014 3:39:15 PM]: The trust chain for the certificate [1DD5B26600000000123D] was sucessfully verified.
  [9/8/2014 3:39:15 PM]: Running IPsec infrastructure tunnel tests.
  [9/8/2014 3:39:15 PM]: Failed to connect to domain sysvol share \\grsea.priv\sysvol\grsea.priv\Policies.
  [9/8/2014 3:39:15 PM]: Running IPsec intranet tunnel tests.
  [9/8/2014 3:39:15 PM]: Successfully reached fddd:4cc:499:1000::1, RTT is 58 msec.
  [9/8/2014 3:39:15 PM]: Successfully reached fddd:4cc:499:1000::2, RTT is 89 msec.
  [9/8/2014 3:39:15 PM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.grsea.priv.
  [9/8/2014 3:39:15 PM]: Running selected post-checks script.
  [9/8/2014 3:39:15 PM]: No post-checks script specified or the file does not exist.
  [9/8/2014 3:39:15 PM]: Finished running post-checks script.
  [9/8/2014 3:39:15 PM]: Finished running all tests.
  Hitch Bardawil

• Direct Access 2012 -- method for disabling and re-enabling client access ?

  We have a reliably functioning DA 2012 setup (which is great), but I need a way to selectively Disable and later Re-Enable DA for particular clients. We use a security group for the Computer accounts of the clients and this is referenced both by Group Policy
  (to assign the right settings to the DA Clients) and by the DA Server (to grant the access).
  We had hoped that we could simply delete the client Computer account from the security group, but when we tried this the DA server seems to just ignore it, even after a reboot of the DA Server.
  We have looked all through the settings of the DA server to see if there is a "disconnect client" option, but can't find anything (which truly amazes me!).
  I have seen one blog post from Richard Hicks which recommends running some PowerShell commands (http://directaccess.richardhicks.com/2013/06/11/disconnecting-directaccess-clients-on-windows-server-2012)
  but after testing these it seems clear that this really only helps me in a scenario where (A) the client is offsite; and (B) I first Disable the Computer account in AD and then replicate AD.
  Wondering what my options are? What do I do when we want to Disable DA for a particular client and then turn it back on again some weeks later?

  When you remove the computer account from your group, it will stop DirectAccess from working, but only once the DA client machine receives it's next Group Policy refresh. The purpose of the group is to get those DirectAccess connectivity settings applied
  from the DA GPO. So if you remove the account, sometime over the next couple of hours Group Policy will refresh on that laptop, and the DirectAccess settings will be removed. If you do this, then later down the road when you want to turn DirectAccess back
  on, you'll need to get that laptop either back into the office or connected via some kind of VPN, because when you add the computer account back to the group, the client machine will have to receive the GPO settings all over again.
  I have been installing DirectAccess for years in tons of places, and I don't think I have ever heard of the business requirement to remove and re-add computers to DA like you are describing - do you mind sharing your reasoning behind this? (I'm just truly
  curious, I'm always interested in finding new ways that companies are using DA)
  The quickest way to disconnect a client machine from DirectAccess is to disable the computer account in AD. You could then re-enable the computer account later and DA would start working again, but of course if you leave a computer account disabled in Active
  Directory for a long period of time, it could cause other kinds of sync problems outside the scope of DA.
  DirectAccess, if designed properly, turns itself off whenever the computer is connected to the corp network, whether physically onsite or connected via another form of VPN. Given this behavior, I'm not sure why you would want to be able to disable DA for
  a while and then turn it back on again later...?

• Direct Access on windows 2012 with OTP

  Hello everyone,
  i've just finished setting up Direct Access 2012 with Gemalto's OTP solution for a client,
  i have an issue though, without OTP all is working fine, and when i activate OTP with all the certificates and stuff when i enter the OTP code on my client it looks like its not validating it.
  on the Direct Access Server i get this error:
  Erreur : Challenge returned.
  source: RemoteAccess-RemoteAccessServer
  ID: 10042
  i have absolutely no errors on my radius server... any idea on why the server is rejecting my requests ?
  thanks for the help
  Hitch Bardawil

  Hi
  I deployed this scenario for a Customer of mine a few months ago with GEMALTO. It's a little bit tricky but possible. For some trroubleshooting tips have a look at one of my blog posts :
  http://danstoncloud.com/blogs/simplebydesign/archive/2013/10/26/the-0x80040008-directaccess-otp-case.aspx.
  At last for your OTP operating in Challenge/response mode. It's not possible. It's a NPS limitation :
  http://technet.microsoft.com/fr-fr/library/jj618331.aspx"The OTP
  provider used requires the user to provide additional credentials in the form of a RADIUS challenge/response exchange, which is not supported by Windows Server 2012 DirectAccess OTP."
  BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

• Direct Access DNS resolution local domain network

  Hey guys,
  some information to my test environment...
  My direct access server and my DC are based on Windows Server 2012 R2. The direct access server has one nic. Port 443 requests are forwarded through an firewall to the direct access server. The configuration for direct access is based on the built in assistens
  to configure it.
  On client side i am using Windows 8.1 x64.
  Now the to my problem...
  If I do an ping or a gpupdate when i am not connected to my local company network, the server responds and gpupdate/ping works fine. As soon as i am connected to my local company network i am not able to do a gpupdate or a ping (error in resolving dns).
  But i am able to use nslookup to query names.
  Anyone a suggestion where the problem could be?

  Hi,
  It seems that this problem is caused by the issue of Network Location Server.
  Does the client know that it is connected to the local network?
  When the client connects to the local network, it should show "Connected to network locally or through VPN".
  Here is the screenshot of my lab server,
  Aslo, we can use the command below to verify this,
  netsh dns show state
  The Machine location should be "Inside corporate network"  when the client is connected to the local network.
  If the client doesn't know that it is inside the corporate network, please check if client can access the Network Location Server.
  Best Regards.
  Steven Lee
  TechNet Community Support

• Direct Access and WIndows Phone 8.1 for MySIte Resolution?

  Hi all –
  I am reaching out to the community here because I haven’t been able to find anything concrete. 
  The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user’s Windows Phone whilst roaming. 
  The root of the issue is that the client does not have split DNS in place. 
  Therefore when they send a link from the SharePoint site it’s URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network;
  Acme.com is however.
  We have Direct Access (2012 R2) in place and use Windows Phone 8.1. 
  What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
  Barring that does anyone have any bright ideas on how to conquer the problem?
  Kind regards and thanks in advance!
  Wren

  Hi Wren,
  For your issue, you can try to configure alternate access mappings with IP address for your MySite Web Application and then you can access your site with IP address.
  As I am not familiar with Windows Phone, you can connect with the Windows Phone support or post threads in Widnwos Phone forums to ask for more information:
  http://answers.microsoft.com/en-us/winphone/forum/wp8?tab=Threads
  Best Regards,
  Eric
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Direct Access and WIndows Phone 8.1?

  Hi all –
  I am reaching out to the community here because I haven’t been able to find anything concrete. 
  The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user’s Windows Phone whilst roaming. 
  The root of the issue is that the client does not have split DNS in place. 
  Therefore when they send a link from the SharePoint site it’s URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network;
  Acme.com is however.
  We have Direct Access (2012 R2) in place and use Windows Phone 8.1. 
  What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
  Barring that does anyone have any bright ideas on how to conquer the problem?
  Kind regards and thanks in advance!
  Wren

  Hi Wren,
  Agree with Rmknight. Windows Phone doesn't support DirectAccess at present.
  For detailed information, please refer to the link below:
  https://businessmobilitycenter.microsoft.com/en/webinars/Pages/Webinar-Managing-Enterprise-Content-and-Information-on-Lumia-Windows-Phone-8-1.aspx
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Direct Access on Windows Server 2012 R2 and IPV6

  I have a question about IPV6 and Direct Access in Server 2012 R2. Without using UAG is it still mandatory to have IPV6 enabled in the intranet?
  Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  Hi,
  DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network.
  However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4,
  Teredo, IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP).
  For detailed information, please view the link below,
  Plan the DirectAccess Infrastructure
  http://technet.microsoft.com/en-us/library/jj574101.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Server 2012 Direct Access Single NIC cant get it to work

  Hi,
  I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
  First of all I should describe my setup:
  I have an internet connection with a static IPv4 address on the external network adapter of the router
  The internal network address (the address of the router which has the internet connection) is 192.168.1.1
  Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
  certificate services
  Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
  domain controller and backup DNS.
  Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
  These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
  I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
  area.
  I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
  the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
  doesn’t seem to have correctly got the DA settings. I run the following in powershell
  Get-DnsClientNrptPolicy
  Nothing displays – at all
  Get-NCSIPolicyConfiguration
  Description                   
  : NCSI Configuration
  CorporateDNSProbeHostAddress  
  : fdd8:dd4a:ea42:7777::7f00:1
  CorporateDNSProbeHostName     
  : directaccess-corpConnectivityHost.mydomain.local
  CorporateSitePrefixList       
  : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
  fdd8:dd4a:ea42:1000::2/128}
  CorporateWebsiteProbeURL      
  : http://directaccess-WebProbeHost.mydomain.local
  DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
  Get-DAConnectionStatus
  Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
  At line:1 char:1
  + Get-DAConnectionStatus
  + ~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo         
  : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
     ionStatus], CimException
  + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
  I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
  source of problem perhaps but on a more network level question:
  If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
  I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
  Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
  networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
  Many thanks
  Steve

  ahh i see, so just to enlighten me even further...
  If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
  may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
  is this what they do?
  I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
  to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
  Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
  work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN), 
  but when I run the following command on my DA client I get the following status
  Get-DAConnectionStatus
  Status:                 
  connectedlocally
  Substatus:          
  none
  This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
  Status:                 
  Error
  Substatus:          
  NameResolutionFailure
  On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
  status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
  So, a bit further but stuck again.

• Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

  Reposted moved from Windows Server Forums- Security
  Hi
  I'm in the process of creating a new active directory forest with a single domain using AD.Contoso.com to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get way from using split horizon (Split Brain) DNS. The requirements
  for our new domain are :-
  2012 R2 AD
  Direct Access & VPN
  Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
  Lync 2013 ?
  SharePoint 2013 ?
  Microsoft Active Directory Certificate Services
  System Center Configuration Manager 2012 R2
  Two way trusts between old forest and new to enable Transition/Migration
  Ok so that's what I'm aiming for so now the question.
  They are allowing me to purchase a next Generation Firewall may be a Barracuda NG firewall or a Cisco ASA X series so I need some advice on what type of network topology I should configure. I've read that using the two NIC configuration for
  the 2012 R2 Direct Access Server is preferable, one nic on the internal network one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter bypassing the backend Firewall see image
  The other alternative is to dispense with the perimeter network use the Direct Access server with a single NIC and setup the NG Firewall in a three-legged config with the DA server on the DMZ.
  So all you security experts out there what would be your design for this simple domain? we don't need any HA or Load Balancing.
  Thanks
  Simon

  Ok I'm not sure we are going to get any advice on this subject but one last effort. Our budget can only stretch to one next generation firewall so I'm considering the following three legged firewall design with a two NIC 2012 R2 Direct
  Access server. If someone could validate this configuration or suggest an alternative then I would be grateful.

• LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

  I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). I will be in our firewall DMZ and we will be using the IP-HTTPS listener.
  For the Internet facing rule only TCP 443 inbound/outbound is sufficient but for the LAN facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline
  to follow for this? Appreciate any advice or comments. Thank you.

  Hi Barkley
  Please see this Technet Link which will backup your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
  Section Reads - 
  When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
  ISATAP—Protocol 41 inbound and outbound
  TCP/UDP for all IPv4/IPv6 traffic
  Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
  "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess
  server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess
  server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration
  in terms of supportability and provides the best user experience."
  Kindest Regards
  John Davies
  Thank for your reply and information John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow
  us to have the internal facing NIC not have more restrictive rules in place as it is a security concern.