LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.

For the Internet-facing rule, only TCP 443 inbound/outbound is sufficient, but for the LAN-facing rules (not talking about the Windows server firewall), what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline to follow for this? Appreciate any advice or comments. Thank you.



  • Edited by Barkley Bees Tuesday, February 17, 2015 10:02 PM
February 17th, 2015 10:55pm

Hi There - The DirectAccess Server (in different configurations) requires full access to all internal resources.

So for example, if you have an internal firewall behind the DA Server, a recommended practice I have used is a rule allowing the DA Server access to internal resources. For example, allow the internal IP of the DA Server to all VLANs behind it hosting services, and also apply the correct static routes to the DA Server to provide network routing.

Internal IP of the DA Server ---> allow all traffic to selected VLANs

The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that Direct Access requires full connectivity to your apps / infrastructure unless you want to create firewall rules for every application and port. The suggested answer limits the DirectAccess Server internal IP to full access only to internal resources. A good example of opening ports on the backend firewall for each application (and the difficulties you may encounter) would be something like Active Directory Certificate Services, which uses the full RPC high port range (TCP/IP) unless limited to a specific port.

See this link as an example if you go down the route of individual application firewall rules - http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Kr

February 24th, 2015 4:39am

Hi Barkley

Please see this Technet link which will back up your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx

Section Reads - 

When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
  • ISATAP: Protocol 41 inbound and outbound
  • TCP/UDP for all IPv4/IPv6 traffic

Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU

"I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server's internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."

Kindest R

March 2nd, 2015 2:52pm

As long as it is a requirement from MS that the DA servers are members of the domain, you need to make sure that the DA servers have the necessary ports open to the DCs (https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx). Don't forget TCP 1688 for KMS activation if you have a KMS host.

Also, if you want to make the DA client behave like it's an internal client, you need to both provide static routes on the DA servers to your other internal networks, plus all the ports necessary for normal communications between the DA servers and the internal networks. Usually that means at least SMB ports.

If you have an existing internal client network already in place, you need to copy those firewall rules and apply them from the DA server as well. If that is your company policy, of course.

March 4th, 2015 9:18am

Hi Barkley - whilst Steve is also correct in his answer, this would only allow access to domain controllers and file shares and would not cater for all applications and their specific ports. The Technet link sent earlier by myself does state all TCP / UDP from the internal IP of the DA Server to the corp LAN, and as Steve mentioned, static routes to the required VLANs. I have been on many deployments where security want to limit the FW ports and the deployment starts out this way until specific apps are required, and then inevitably they end up opening the backend FW as I originally suggested.
March 4th, 2015 9:34am
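The two recurring points in the replies above, static routes from the DA server to the internal VLANs and the domain-controller/KMS ports the inside firewall must pass, can be applied and checked from the DA server itself. The script below is an added example and is not from any of the posters; the interface alias, gateway, VLAN prefixes and DC name are constructed placeholders, and the port list is the standard set for domain membership (from the linked TechNet article) plus TCP 1688 for KMS as mentioned in the thread.

```powershell
# Run elevated on the DirectAccess server. Adds the static routes the replies
# recommend for each internal VLAN, then checks that the DC/KMS ports are
# reachable through the inside firewall. All values below are placeholders.
$InternalAlias   = 'Internal'          # alias of the LAN-side NIC (assumed)
$InternalGateway = '10.0.1.1'          # next hop on the LAN side (assumed)
$InternalVlans   = @('10.10.0.0/16', '10.20.0.0/16', '10.30.0.0/24')  # constructed

foreach ($prefix in $InternalVlans) {
    # Idempotent: only add the route if it is not already present
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $InternalAlias `
                     -NextHop $InternalGateway | Out-Null
        Write-Host "Added route $prefix via $InternalGateway on $InternalAlias"
    } else {
        Write-Host "Route $prefix already present"
    }
}

# TCP ports a domain member needs toward its DCs, plus KMS. Kerberos (88) and
# DNS (53) also use UDP, and the RPC dynamic range (TCP 49152-65535 on 2008+)
# must be open for the endpoint mapper on 135 to be useful; neither is probed here.
$DomainController = 'dc01.corp.example'   # placeholder DC name
$RequiredPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    1688 = 'KMS activation'
}

# Test-NetConnection -Port performs a TCP connect; a BLOCKED result on a port
# the DC is known to serve points at the inside firewall rule set.
foreach ($port in $RequiredPorts.Keys) {
    $r = Test-NetConnection -ComputerName $DomainController -Port $port `
                            -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    Write-Host ('{0,5}  {1,-26} {2}' -f $port, $RequiredPorts[$port], $state)
}
```

Routes added with New-NetRoute are persistent by default, so re-running the script after a firewall change only repeats the port checks.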
