LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.

For the Internet-facing rule only TCP 443 inbound/outbound is sufficient, but for the LAN-facing rules (not talking about the Windows Server firewall), what would be the recommended firewall rules for a Direct Access server? Is there a best-practice guideline to follow for this? I appreciate any advice or comments. Thank you.



  • Edited by Barkley Bees Tuesday, February 17, 2015 10:02 PM
February 17th, 2015 10:55pm

Hi There - The DirectAccess server (in its different configurations) requires full access to all internal resources.

So, for example, if you have an internal firewall behind the DA server, a recommended practice I have used is to add a rule that allows the DA server access to internal resources: allow the internal IP of the DA server to all VLANs behind it that host the services, and also apply the correct static routes on the DA server to provide network routing.

Internal IP of the DA Server ---> allow all traffic to selected VLAN's

The above rule restricts traffic from the DA server to the required VLANs / networks you specify. The reasoning is that DirectAccess requires full connectivity to your apps / infrastructure, unless you want to create firewall rules for every application and port. The suggested answer limits the DirectAccess server's internal IP to full access only to internal resources. A good example of opening ports on the backend firewall for each application (and the difficulties you may encounter) would be something like Active Directory Certificate Services, which uses the full RPC high port range (TCP/IP) unless limited to a specific port.

See this link as an example if you go down the route of individual application firewall rules: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Kr

February 24th, 2015 12:37pm
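The answer above pairs a backend firewall rule ("internal IP of the DA server -> allow all to the selected VLANs") with static routes on the DA server itself. The routes are needed because on a two-NIC DirectAccess deployment the default gateway sits on the Internet-facing adapter, so the LAN-facing adapter only reaches the internal VLANs that have an explicit route. The following PowerShell is an added example, not code from the original thread or from Microsoft: it adds persistent routes for the VLANs the firewall rule covers and then checks that the key internal services actually answer from the DA server. The adapter alias, the inner-firewall gateway address, the VLAN prefixes and the host names are constructed placeholders; replace them with your own.

```powershell
# Added example (not from the original thread). All addresses, aliases and
# host names below are assumptions for illustration.

$LanAlias   = 'LAN'        # assumed alias of the DA server's internal-facing adapter
$LanGateway = '10.10.0.1'  # assumed inner-firewall address on the DA server's LAN segment

# The VLANs the backend firewall rule allows; the DA server needs a route to each.
$InternalVlans = @(
    '10.20.0.0/24',   # assumed: domain controllers / DNS
    '10.30.0.0/24',   # assumed: ADCS (RPC high ports, see the PKI blog link)
    '10.40.0.0/22'    # assumed: application servers
)

$lanIf = Get-NetAdapter -Name $LanAlias -ErrorAction Stop

foreach ($prefix in $InternalVlans) {
    $existing = Get-NetRoute -DestinationPrefix $prefix `
                             -InterfaceIndex $lanIf.ifIndex `
                             -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "route $prefix via $LanGateway already present"
        continue
    }
    # New-NetRoute creates a persistent route, so it survives a reboot.
    New-NetRoute -DestinationPrefix $prefix `
                 -InterfaceIndex $lanIf.ifIndex `
                 -NextHop $LanGateway `
                 -RouteMetric 10 | Out-Null
    Write-Host "added route $prefix via $LanGateway on $LanAlias"
}

# Reachability check from the DA server toward the services clients will need.
# Host names and ports are constructed; extend the list to match your environment.
$Checks = @(
    @{ Host = 'dc01.corp.example';  Port = 389 },   # assumed DC: LDAP
    @{ Host = 'dc01.corp.example';  Port = 53  },   # assumed DC: DNS
    @{ Host = 'dc01.corp.example';  Port = 445 },   # assumed DC: SMB (SYSVOL/GPO)
    @{ Host = 'ca01.corp.example';  Port = 135 }    # assumed ADCS: RPC endpoint mapper
)

$failed = @()
foreach ($c in $Checks) {
    $ok = Test-NetConnection -ComputerName $c.Host -Port $c.Port `
                             -InformationLevel Quiet `
                             -WarningAction SilentlyContinue
    if ($ok) {
        Write-Host ("OK   {0}:{1}" -f $c.Host, $c.Port)
    } else {
        Write-Warning ("FAIL {0}:{1}" -f $c.Host, $c.Port)
        $failed += $c
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Some internal services are unreachable: check the backend firewall rule and the routes above."
}
```

A failing TCP 135 check against the CA is the usual sign that the "allow all" rule was replaced by per-port rules without accounting for the dynamic RPC range mentioned in the answer; a failing check on every host while `Get-NetRoute` shows the routes points at the backend firewall rule rather than at the DA server.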

