Windows Server 2012 R2 DirectAccess Edge Traversal

Hello,

I have a Windows Server 2012 R2 Standard server on the internal network with a single adapter, and have installed the "Remote Access" role, then the "DirectAccess and VPN (RAS)" role service.

I then used the "Run the Getting Started Wizard" and accepted the default/correctly detected "behind an edge device (with a single network adapter)".

Everything completed successfully.

The "Remote Access Dashboard" shows all green ticks.

NETSTAT shows...

C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            [servername]:0             LISTENING

... so the server is listening for IP-HTTPS on port 443.

My colleagues have configured network address translation from the public IPv4 address to the internal IPv4 address, and added a DNS record in the public DNS server.

GPRESULT shows the DirectAccess server has received and applied the "DirectAccess Server Settings" policy.

HOWEVER, if I try to test if the port is available on the Internet, for example using http://mxtoolbox.com/PortScan.aspx, then it is closed.

Similarly, telnet from an intranet client to the DirectAccess server's port 443 fails.

A closer look at "Windows Firewall with Advanced Security > Inbound Rules" shows rules called "Core Networking - IPHTTPS (TCP-In)" that are enabled and allow traffic. One appears to be "local", and one is from the "DirectAccess Server Settings" group policy. If I examine either rule, then look at the Advanced tab, there is an "Edge traversal" section, and both rules are set to "Block edge traversal".

I haven't seen references to this anywhere, except one or two references associated with 2008 R2:

Configure Packet Filters to Allow Management Traffic to DirectAccess Clients

http://technet.microsoft.com/en-us/library/ee649264(v=ws.10).aspx

I think that Edge Traversal should be enabled, but am surprised that it is not; there is no mention of this anywhere, and everything else appears to have been configured correctly.  Am I OK to enable it?

Is this because I deployed DirectAccess before I had configured NAT and added the DNS record?

Thanks in advance.

Anwar

November 26th, 2014 7:19am
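The checks the post walks through by hand (the two IPHTTPS inbound rules and their edge-traversal setting, which store each rule comes from, the port-443 listener, and the reachability test from an intranet client) can be collected in one read-only PowerShell pass. This is an added example, not code from the original post or from Microsoft; it assumes the NetSecurity, NetTCPIP and NetworkTransition modules shipped with Windows Server 2012 R2, and the server name `DA-SERVER` is a placeholder.

```powershell
# Added diagnostic script (not from the original post). Run in an elevated
# PowerShell session on the DirectAccess server. It only reads state; it changes
# nothing. Assumes the NetSecurity / NetTCPIP / NetworkTransition modules that
# ship with Windows Server 2012 R2.

$ruleName = 'Core Networking - IPHTTPS (TCP-In)'   # display name quoted in the post
$daServer = 'DA-SERVER'                             # placeholder, replace with the real host name

# 1. Every active copy of the IP-HTTPS inbound rule, with where it came from.
#    ActiveStore merges the local store and Group Policy, so both rules the post
#    saw (the "local" one and the "DirectAccess Server Settings" GPO one) appear.
#    EdgeTraversalPolicy is the setting shown as "Block edge traversal" in the GUI;
#    possible values are Block, Allow, DeferToUser and DeferToApp.
Write-Host "== IP-HTTPS inbound rules (active store) =="
Get-NetFirewallRule -DisplayName $ruleName -PolicyStore ActiveStore |
    Select-Object Name, Enabled, Direction, Action, EdgeTraversalPolicy,
                  PolicyStoreSourceType, PolicyStoreSource |
    Format-Table -AutoSize

# 2. Confirm the rules really cover TCP 443 (the port netstat shows listening).
Write-Host "== Port filters on those rules =="
Get-NetFirewallRule -DisplayName $ruleName -PolicyStore ActiveStore |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort |
    Format-Table -AutoSize

# 3. The listener itself, equivalent to the netstat -a line in the post,
#    plus the owning process so it is clear which service holds port 443.
Write-Host "== TCP 443 listeners =="
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
                  @{n='Process'; e={ (Get-Process -Id $_.OwningProcess).ProcessName }} |
    Format-Table -AutoSize

# 4. IP-HTTPS server-side state as the transition technology sees it.
Write-Host "== IP-HTTPS configuration and state =="
Get-NetIPHttpsConfiguration | Format-List
Get-NetIPHttpsState        | Format-List

# 5. Run this part from an intranet client instead: the same test the post did
#    with telnet, with the TCP result and the route taken in one object.
#    Test-NetConnection is available on Windows 8.1 / Server 2012 R2 and later.
Write-Host "== Reachability test (run from an intranet client) =="
Test-NetConnection -ComputerName $daServer -Port 443 -InformationLevel Detailed |
    Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded, PingSucceeded |
    Format-List
```

The `PolicyStoreSourceType` column is the part worth reading first: a rule whose source is `GroupPolicy` is re-applied on every policy refresh, so any change made to it in the local firewall console is overwritten, whereas a `Local` rule persists. Whatever is decided about the edge-traversal setting, this tells you which of the two rules actually needs to be changed and where.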
