Direct Access - Security Issue?

Hello Everyone,

I would like to implement Direct Access in my company's environment but through researching Direct Access/Remote Access I've found contradicting statements/articles.

The optimum deployment would be to follow the company's architecture guidelines, and place the DirectAccess server behind our firewall with a NAT in the DMZ, *not* joined to the domain, with one NIC/network adapter facing the DMZ.  I found a couple of articles claiming that you can place the DA/RA server in the DMZ not joined to the domain.  However, when running the Remote Access configuration it requires you to add the server to a domain or workgroup.  When selecting a workgroup it of course requires a reboot.  After rebooting I've confirmed the machine is in a workgroup, although going through the configuration wizard I'm still prompted to add the server to a domain or workgroup.

Is there a workaround for this prerequisite? I.e., add the machine to the domain, configure the DA server and then remove it from the domain? Or is there no way to have a DA server that isn't a domain member?

Is a DMZ DA proxy a possibility?  I.e., having a DA server in our internal network with traffic routed through a proxy server in the DMZ.  So external client on the internet => firewall => DMZ proxy => DA server (internal)?

May 22nd, 2015 12:24pm

Brian,

Do you have any experience with using a proxy in the DMZ to forward the traffic to the internal DA server?

I have a couple of questions regarding how to set that up:

What ports should be open in the firewall for this communication? 

Should the DA role be installed and configured on both the DMZ proxy server and the internal server? 

May 26th, 2015 10:02am

Hi Phil-

Which reverse proxy server do you plan to use? If using UAG, you should install DirectAccess on that server.  If you plan on using a third-party solution, you won't (although there are third-party appliances that have everything already built in).

For the ports, these are documented already.  You just need to match up your planned deployment with the port requirements.  Start by looking at https://technet.microsoft.com/en-us/library/jj134204.aspx#ConfigFirewalls.

Historically, I've liked to reverse proxy everything in, whether the destination was a DA server, web server, or other service.  But not everything works in such a setup and sometimes not everything is supported.  Others prefer to multi-home a DA server or UAG/DA server in the DMZ and use that for DirectAccess.  I think much will depend on whether you already have reverse proxy services, what your organization's policy is on multi-homing servers in the DMZ, what your forest/domain environment looks like (important to know if DMZ servers can join the domain or if they can't, and whether there is an existing DMZ-dedicated forest/domain), etc.  These days, I prefer to simplify as much as possible so that the ongoing administrative overhead is low (and this route typically leads to a DMZ deployment).

Brian

May 27th, 2015 12:19am
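Editor's note with an added example (not code from either poster): the questions above come down to three checks on the candidate DA server, which the script below performs. The DirectAccess role requires the server to remain a domain member (its settings are delivered by Group Policy), so joining, configuring and then leaving the domain is not a viable workaround. A single-NIC DA server placed behind a NAT can only use the IP-HTTPS transition technology (TCP 443 inbound); Teredo needs two consecutive public IPv4 addresses on the server and 6to4 needs a public IPv4 address, so behind NAT the reverse proxy or firewall only has to pass TCP 443 to it. The script assumes Windows Server 2012 or later with the NetTCPIP and NetSecurity modules; `da.example.com` is a made-up public hostname standing in for your IP-HTTPS endpoint, and `Get-DaPlacementReport` / `Test-PrivateIPv4` are names chosen for this example.

```powershell
# Added example: sanity-check a host that is meant to be the DirectAccess
# server behind a NAT in the DMZ. Reports domain membership (required by
# the DA role), NIC count, whether every IPv4 address is private (i.e. the
# box sits behind NAT), which transition technologies that leaves, and
# whether the local firewall already allows the matching inbound ports.
#Requires -RunAsAdministrator

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $b = [int[]]($Address.Split('.'))
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DaPlacementReport {
    param(
        [string]$PublicName = 'da.example.com',   # hypothetical IP-HTTPS name
        [switch]$ProbePublicEndpoint               # only meaningful from outside the NAT
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $upAdapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    $v4 = @(Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -in $upAdapters.Name -and
                           $_.IPAddress -notlike '169.254.*' -and
                           $_.IPAddress -ne '127.0.0.1' })
    $behindNat = ($v4.Count -gt 0) -and
                 (@($v4 | Where-Object { Test-PrivateIPv4 $_.IPAddress }).Count -eq $v4.Count)

    # Enabled inbound allow rules, expanded to "protocol/port" strings
    $open = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
            Get-NetFirewallPortFilter |
            ForEach-Object {
                $proto = $_.Protocol
                foreach ($port in @($_.LocalPort)) { "$proto/$port" }
            }

    $reachable = $null
    if ($ProbePublicEndpoint) {
        $reachable = (Test-NetConnection -ComputerName $PublicName -Port 443 `
                         -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        ComputerName    = $cs.Name
        DomainJoined    = $cs.PartOfDomain     # must be True for the DA role
        Domain          = $cs.Domain
        ActiveNics      = $upAdapters.Count
        SingleNic       = ($upAdapters.Count -eq 1)
        BehindNat       = $behindNat
        TransitionTech  = if ($behindNat) { 'IP-HTTPS only (TCP 443)' }
                          else { 'IP-HTTPS (TCP 443), Teredo (UDP 3544), 6to4 (IP protocol 41)' }
        AllowsTcp443    = ($open -contains 'TCP/443')
        AllowsUdp3544   = ($open -contains 'UDP/3544')   # irrelevant behind NAT
        PublicReachable = $reachable                     # $null unless probed
    }
}

# Usage on the candidate server; add -ProbePublicEndpoint when run from an
# external client to confirm the firewall/NAT publishes TCP 443 to it.
Get-DaPlacementReport | Format-List
```

If `DomainJoined` is False the Remote Access wizard will keep prompting exactly as described in the first post; the fix is to join the server to the domain (or to a dedicated DMZ forest with the appropriate trust), not to work around the check. Run the probe from an external client rather than from inside the DMZ, since a hairpin through the NAT often fails even when the published port is fine.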
