Direct Access - Security Issue?

Hello Everyone,

I would like to implement DirectAccess in my company's environment, but while researching DirectAccess/Remote Access I've found contradictory statements/articles.

The optimum deployment would be to follow the company's architecture guidelines and place the DirectAccess server behind our firewall with a NAT in the DMZ, *not* joined to the domain, with one NIC/network adapter facing the DMZ. I found a couple of articles claiming that you can place the DA/RA server in the DMZ not joined to the domain. However, when running the Remote Access configuration it requires you to add the server to a domain or workgroup. When selecting a workgroup it of course requires a reboot. After rebooting I've confirmed the machine is in a workgroup, although going through the configuration wizard I'm still prompted to add the server to a domain or workgroup.

Is there a workaround for this prerequisite? I.e. add the machine to the domain, configure the DA server and then remove it from the domain? Or is there no way to have a DA server that isn't a domain member?

Is a DMZ DA proxy a possibility? I.e. having a DA server in our internal network with traffic routed through a proxy server in the DMZ. So external client on the internet => firewall => DMZ proxy => DA server (internal)?

  • Moved by TP [MVP] Friday, May 22, 2015 12:48 PM (Security question)
May 22nd, 2015 12:24pm

Your last idea is the best. External/internet client through firewall, through proxy, through another firewall (optional, you didn't mention this), to the internal network where your DirectAccess server is. The DirectAccess server must be joined to the domain. See https://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_6_AD, which covers the AD DS requirements for DirectAccess in Windows Server 2012 and Windows Server 2012 R2. I'm not aware of support for non-domain-joined DirectAccess servers (but I almost exclusively work in domain environments).

Brian

May 22nd, 2015 10:54pm

Hi Phil-

Which reverse proxy server do you plan to use? If using UAG, you should install DirectAccess on that server. If you plan on using a third-party solution, you won't (although there are third-party appliances that have everything already built in).

For the ports, these are documented already. You just need to match up your planned deployment with the port requirements. Start by looking at https://technet.microsoft.com/en-us/library/jj134204.aspx#ConfigFirewalls.

Historically, I've liked to reverse proxy everything in, whether the destination was a DA server, web server, or other service. But not everything works in such a setup, and sometimes not everything is supported. Others prefer to multi-home a DA server or UAG/DA server in the DMZ and use that for DirectAccess. I think much will depend on whether you already have reverse proxy services, what your organization's policy is on multi-homing servers in the DMZ, what your forest/domain environment looks like (important to know whether DMZ servers can join the domain or not, and whether there is an existing dedicated DMZ forest/domain), etc. These days, I prefer to simplify as much as possible so that the ongoing administrative overhead is low (and this route typically leads to a DMZ deployment).

Brian

May 27th, 2015 4:11am
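The two constraints the thread settles on (the DA server must be domain-joined, and a single-NIC server behind a NAT in the DMZ reaches clients only over IP-HTTPS on TCP 443) are easy to check before running the Remote Access wizard. The script below is an added example and is not from any poster or from Microsoft's documentation; it assumes it is run elevated on the prospective DA server, that `dmz-proxy.example.test` is a placeholder for your DMZ reverse proxy, and that the `Get-DAServer` cmdlet is only available once the Remote Access role is installed.

```powershell
# Added example (not from the thread): pre-deployment sanity checks for a
# DirectAccess server placed behind a NAT/reverse proxy with one NIC.
# Assumptions: run as administrator on the prospective DA server;
# 'dmz-proxy.example.test' is a placeholder host name.

function Test-DAServerPrereqs {
    param(
        [string]$ProxyHost   = 'dmz-proxy.example.test',  # placeholder DMZ reverse proxy
        [int]   $IpHttpsPort = 443                        # IP-HTTPS transport port
    )
    $result = [ordered]@{}

    # 1. Domain membership: the wizard will keep prompting on a workgroup machine,
    #    so confirm the box is actually joined before going further.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # 2. NIC count: a single active NIC behind NAT means IP-HTTPS only; more than
    #    one means you have chosen (or accidentally built) a multi-homed design.
    $nics = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    $result.ActiveNics = @($nics).Count

    # 3. Is something else already listening on the IP-HTTPS port on this host?
    $listener = Get-NetTCPConnection -State Listen -LocalPort $IpHttpsPort `
                                     -ErrorAction SilentlyContinue
    $result.PortAlreadyInUse = [bool]$listener

    # 4. Can the DMZ proxy be reached on 443 from the internal side? (A failure
    #    here usually points at the inner firewall rather than at DirectAccess.)
    $tnc = Test-NetConnection -ComputerName $ProxyHost -Port $IpHttpsPort `
                              -WarningAction SilentlyContinue
    $result.ProxyReachable = $tnc.TcpTestSucceeded

    # 5. If the Remote Access role is present, report the public name DA clients
    #    will connect to; it should resolve to the proxy/firewall, not this host.
    if (Get-Command Get-DAServer -ErrorAction SilentlyContinue) {
        try {
            $da = Get-DAServer
            $result.DAConfigured     = $true
            $result.ConnectToAddress = $da.ConnectToAddress
        } catch {
            $result.DAConfigured = $false
        }
    } else {
        $result.DAConfigured = $false
    }

    [pscustomobject]$result
}

Test-DAServerPrereqs | Format-List
```

A `DomainJoined` of `False` reproduces exactly the wizard behaviour described in the first post, and `ActiveNics` greater than one is worth confirming against the DMZ multi-homing policy Brian mentions before the design is signed off.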

Hi Phil-

Must the solution be open source? You can try working with Squid (OSS proxy/reverse proxy). Otherwise, you can use the Web Application Proxy role that is built into Windows Server 2012 R2. I often recommend going with the simplest solution that meets your company's requirements so that administrative overhead is low moving forward. The third-party solution would provide very low administrative overhead, but the entry cost isn't in your budget. In that case, I'd look at the potential of having the DA server in the DMZ; maybe have a chat with your network/security guys about potential options.

Brian

May 31st, 2015 4:19am

Hi,

We've not heard from you yet. I assume the information provided by Brian has helped. I am marking the reply as answered now.

In case the information did not help, please feel free to unmark the answer and come back to us with your comments.

Best Regards.

June 10th, 2015 10:45pm
