Server 2012 DirectAccess - Both NIC's show as Domain Network
I never found an official answer to this issue we had and was wondering if anyone here knows the best way to make the external NIC Public.

During setup of DirectAccess 2012 we had to create a firewall rule to force the External NIC to be Public. I saw many people commenting on ways to force it to Public, but none seemed to work except for the firewall rule.

So my question: what is the proper way to make my External NIC Public? If it is the firewall rule, how did you set up the rule? We blocked outgoing TCP to our two consecutive external IPs.

I personally believe the firewall rule we created is causing Teredo to not work correctly. See my previous post.

Thank you in advance


May 9th, 2013 2:18am

Hi

The Public firewall profile is automatically assigned to an interface that has IP addresses that do not match RFC 1918. I've seen such behavior, but it was with UAG 2010 in very specific scenarios that I've never encountered in a production environment.

May 9th, 2013 6:39am

Any chance that you have a rule in your external firewall between the DMZ and LAN that allows LDAP queries (TCP 389) from the public NIC address to domain controllers? If you have this rule, then the Network Location Awareness (NLA) service forces the public NIC to the domain profile. I have seen this problem with WS2012 DA, and the fix was to deny those LDAP queries.

If you cannot change the rule in your external firewall, then you can create a Windows Firewall rule that prevents NLA queries from the public NIC to the domain controllers' IP addresses.


  • Edited by Jukka Kettunen Thursday, May 09, 2013 7:20 AM
  • Marked as answer by KentFar Monday, May 13, 2013 3:08 PM
May 9th, 2013 7:20am


Thank you, that worked fine, and now I just block 389 on my two external IPs going outbound using the Windows Firewall rule. Before, I was blocking all TCP traffic to my domain controllers, so just blocking 389 is more refined.

For others, here is what I did:

Windows Firewall with Advanced Security

  • Create new Outbound Rule
  • Block TCP port 389
  • Scope - Internal - Limit the scope to my external (Public) NIC with two consecutive IPv4 addresses
  • Scope - External - Limit to my DCs. I tested without this and it worked, but I thought I would be more precise.
  • Advanced - Public and Private networks checked

Thanks again,

Kent

  • Proposed as answer by Ed CrowleyMVP Wednesday, August 12, 2015 1:17 AM

May 13th, 2013 3:56pm
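As an added example (not from any of the posters), the same outbound block rule Kent describes above, built with the NetSecurity cmdlets that ship with Windows Server 2012 instead of the Windows Firewall with Advanced Security GUI, followed by a check of which profile NLA has assigned to each interface. The two public addresses and the DC addresses are placeholders.

```powershell
# Added example, not from the thread. Replace the placeholder addresses with your own.
$ExternalIPs       = @('198.51.100.10', '198.51.100.11')  # placeholder: the DA server's two consecutive public IPv4 addresses
$DomainControllers = @('10.0.0.10', '10.0.0.11')          # placeholder: internal domain controller addresses

# Outbound block of LDAP (TCP 389) sourced from the external NIC's addresses only, so the
# NLA domain probe cannot reach a DC over that interface. Internal NIC traffic is unaffected
# because of -LocalAddress. Applied to the Public and Private profiles, as in Kent's steps.
New-NetFirewallRule -DisplayName 'DA - Block NLA LDAP from external NIC' `
    -Direction Outbound `
    -Action Block `
    -Protocol TCP `
    -RemotePort 389 `
    -LocalAddress $ExternalIPs `
    -RemoteAddress $DomainControllers `
    -Profile Public, Private `
    -Enabled True

# Verify the profile NLA assigned to each connected interface. After NLA re-evaluates
# (for example after the external adapter is disabled and re-enabled), the external NIC
# should report Public or Private rather than DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory
```

Run the script in an elevated PowerShell session on the DirectAccess server; Get-NetFirewallRule -DisplayName 'DA - Block NLA LDAP from external NIC' shows the rule afterwards.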


The block rule fixed the exact same problem for me. My customer had changed their ISP, and they couldn't figure out why their routing allowed the DC connections over the Internet NIC. Thanks for the great idea!
August 12th, 2015 9:11pm
