Direct Access Requirement: Two consecutive IPv4 addresses
Morning All,
I'm trying to install a Direct Access server into our medium-sized organisation; I fully understand the requirement to use two consecutive public IP addresses.
I have a standard DMZ with an OWA server behind our modem (DM111P) and firewall (FVX538). (Nothing special.)
Here's my question: Has Microsoft gone mad!!! You can't seriously expect any business to plug an unfiltered internet connection directly into a LAN-side server
in the corporate network with full access and expect the Windows 2008 R2 firewall to block all external threats coming in via the internet connection?
I'm sure by now you're all saying, well, it's not that hard: just put the DA server in the DMZ, pay for consecutive IPs from your ISP, put an additional NIC in your
server, and then open up the entire world to hack your unfiltered internet connection, and then set up a DMZ switch to issue the second consecutive IP from your ISP (we have an ADSL2+ link, so the IP is obtained via PPPoE, so we would need a second
PPPoE device to make the connection).
OR
Microsoft could allow Direct Access to run off one firewalled public IP address? (Surely this product will bomb with such difficult-to-meet requirements; great idea
though.)
Covers
February 15th, 2011 7:51pm
Hi Covers,
Thanks for posting here.
>You can't seriously expect any business to plug an unfiltered internet connection directly into a LAN-side server in the corporate network with full access and expect
the Windows 2008 R2 firewall to block all external threats coming in via the internet connection?
Actually, there are a few topology options that could help protect the DA server and the internal network and avoid potential attacks from the internet.
You may refer to the blog post below; it discusses some UAG-based DirectAccess implementation options that use basically the same architecture as Windows Server:
UAG DirectAccess Server Deployment Scenarios
http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx
>Microsoft could allow Direct Access to run off one firewalled public IP address?
I'm afraid that it is impossible, because the DA server needs two internet addresses to support some IPv4-IPv6 translation technologies, for example Teredo,
a technology that lets clients access the internal network when they are connected from behind a NAT.
Where to Place the DirectAccess Server
http://technet.microsoft.com/en-us/library/ee382264(WS.10).aspx
Why Do I Need Two IP Addresses on the External Interface of the UAG DirectAccess Server?
http://blogs.technet.com/b/tomshinder/archive/2011/01/19/why-do-i-need-two-ip-addresses-on-the-external-interface-of-the-uag-directaccess-server.aspx
Hope my explanation is helpful.
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 16th, 2011 1:18am
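Added illustration (not part of the original thread, and not Microsoft's code) of why the reply above says a second address is unavoidable: the Teredo qualification procedure in RFC 4380, section 5.2.1. The client sends a Router Solicitation to the server's primary address with the cone flag set, and the server answers from its secondary address; only a full-cone NAT forwards a reply arriving from an address the client never sent to. If nothing comes back, the client repeats without the cone flag (answered from the primary address), then solicits the secondary address as well and compares the mapped address/port reported in the two answers; a different mapping means a symmetric NAT, which Teredo cannot traverse. Windows clients derive the secondary address as primary + 1, which is where the "consecutive" requirement comes from. The model below uses constructed documentation-range addresses and a deliberately simplified NAT; its class and function names are my own.

```python
import ipaddress

# Assumed server addresses from the 203.0.113.0/24 documentation range (constructed, not a real
# Teredo server). Windows clients assume the secondary address is primary + 1, hence
# DirectAccess's requirement for two consecutive public IPv4 addresses.
PRIMARY = ipaddress.IPv4Address("203.0.113.10")
SECONDARY = PRIMARY + 1
CLIENT_PORT = 3544  # Teredo UDP port; the toy NAT keys its mappings on it


class ToyNat:
    """Minimal NAT model with three behaviours: 'cone', 'restricted', 'symmetric'."""

    def __init__(self, kind, public_ip="198.51.100.7"):
        assert kind in ("cone", "restricted", "symmetric")
        self.kind = kind
        self.public_ip = ipaddress.IPv4Address(public_ip)  # constructed public address
        self.mappings = {}    # mapping key -> external port
        self.allowed = set()  # (external port, remote address) pairs with outbound history
        self.next_port = 40000

    def outbound(self, src_port, dst):
        """Client sends to dst; return the (ip, port) the server will see."""
        # A symmetric NAT allocates a new mapping per destination; the others reuse one.
        key = (src_port, dst) if self.kind == "symmetric" else (src_port, None)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.allowed.add((ext_port, dst))
        return self.public_ip, ext_port

    def inbound(self, src, ext_port):
        """Would a packet from src to ext_port be forwarded to the client?"""
        if ext_port not in self.mappings.values():
            return False
        if self.kind == "cone":
            return True  # any remote address may use the mapping
        return (ext_port, src) in self.allowed  # only peers the client already sent to


class ToyTeredoServer:
    """Stateless server: answers a Router Solicitation with a Router Advertisement."""

    def router_advertisement(self, rs_dst, cone_flag, mapped):
        # RFC 4380 sec 5.2.3: reply from the secondary address when the cone flag is set,
        # otherwise from the address the RS was sent to. The RA carries an origin
        # indication telling the client its mapped (ip, port).
        reply_src = SECONDARY if cone_flag else rs_dst
        return reply_src, mapped


def qualify(nat):
    """RFC 4380 sec 5.2.1 qualification; returns the NAT type the client infers."""
    server = ToyTeredoServer()

    def exchange(dst, cone_flag):
        mapped = nat.outbound(CLIENT_PORT, dst)
        reply_src, origin = server.router_advertisement(dst, cone_flag, mapped)
        return origin if nat.inbound(reply_src, mapped[1]) else None

    # Step 1: RS to primary with the cone flag; the RA comes back from the secondary address.
    if exchange(PRIMARY, cone_flag=True) is not None:
        return "cone"
    # Step 2: RS to primary without the cone flag; the RA comes back from primary.
    origin_primary = exchange(PRIMARY, cone_flag=False)
    if origin_primary is None:
        return "offline"
    # Step 3: RS to the secondary address; a different mapping means a symmetric NAT.
    origin_secondary = exchange(SECONDARY, cone_flag=False)
    if origin_secondary != origin_primary:
        return "symmetric"
    return "restricted"


if __name__ == "__main__":
    for kind in ("cone", "restricted", "symmetric"):
        print(f"{kind:10s} -> client qualifies as {qualify(ToyNat(kind))}")
```

Step 1 is the one that cannot be done with a single address: a reply from the very address the client just sent to would be forwarded by every NAT type, so it says nothing about cone behaviour. Putting the DA server behind a firewall that only passes the primary address would make every client qualify as restricted or offline.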
Hi Covers,
Please feel free to let us know if the information was helpful to you.
Thanks,
Tiger Li
TechNet Subscriber Support in forum
February 17th, 2011 5:55am