LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.

For the Internet-facing rule, only TCP 443 inbound/outbound is sufficient, but for the LAN-facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline to follow for this? Appreciate any advice or comments. Thank you.



  • Edited by Barkley Bees Tuesday, February 17, 2015 10:02 PM
February 17th, 2015 10:55pm

The DirectAccess Server (regardless of configuration) requires full access to all internal resources.

Kr

February 24th, 2015 4:52pm

Hi Barkley

Please see this Technet Link which will backup your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx

Section Reads - 

When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
ISATAP: Protocol 41 inbound and outbound
TCP/UDP for all IPv4/IPv6 traffic

Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU

"I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess servers internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."

Kindest Regards

February 25th, 2015 10:41am
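The two replies above reduce to the same point: the inside firewall has to pass protocol 41 in both directions plus all TCP and UDP for IPv4 and IPv6 between the DirectAccess server's LAN interface and the internal network, which is effectively "any". The following is an added example, not code from the thread or from Microsoft, that checks an internal-firewall rule list against those quoted exceptions, so you can see how much a "restrictive" inside ruleset actually blocks. The rule format, first-match semantics, and the addresses (10.10.0.5 / fd00:1::5 for the DA server's internal interface, 10.20.0.0/16 and fd00:2::/64 for the LAN) are assumptions for illustration; ports are not modelled because the requirement is all TCP/UDP traffic.

```python
"""Check an internal-firewall rule list against the DirectAccess LAN-side
exceptions quoted from TechNet: protocol 41 inbound and outbound, and
TCP/UDP for all IPv4/IPv6 traffic.  Added example; the rule format and
the sample addresses are assumptions, not a real firewall export."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str    # "41", "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str      # single address
    dst: str      # single address


def permits(rules, flow):
    """First matching rule wins; implicit deny when nothing matches.
    ip_network.__contains__ returns False on an IPv4/IPv6 mismatch, so
    v4 rules never accidentally match v6 flows."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        return r.action == "allow"
    return False


def required_flows(da_v4, da_v6, lan_v4_host, lan_v6_host):
    """Flows the DA server's internal interface needs per the quoted
    TechNet exceptions.  Protocol 41 (IPv6-in-IPv4, used by ISATAP) is
    IPv4-only; TCP/UDP is required over both IPv4 and IPv6."""
    flows = []
    for a, b in ((da_v4, lan_v4_host), (lan_v4_host, da_v4)):
        flows.append(Flow("41", a, b))
    pairs = ((da_v4, lan_v4_host), (lan_v4_host, da_v4),
             (da_v6, lan_v6_host), (lan_v6_host, da_v6))
    for a, b in pairs:
        for proto in ("tcp", "udp"):
            flows.append(Flow(proto, a, b))
    return flows


def missing_flows(rules, flows):
    """Return the required flows the rule list does not permit."""
    return [f for f in flows if not permits(rules, f)]


# Constructed sample: DA internal interface and one representative LAN host.
DA_V4, DA_V6 = "10.10.0.5", "fd00:1::5"
LAN_V4_HOST, LAN_V6_HOST = "10.20.0.10", "fd00:2::10"
REQUIRED = required_flows(DA_V4, DA_V6, LAN_V4_HOST, LAN_V6_HOST)

# A "locked down" inside firewall: only TCP from the DA server into the LAN.
RESTRICTIVE_RULES = [
    Rule("tcp", "10.10.0.5/32", "10.20.0.0/16", "allow"),
]

# What the thread's answers amount to: any/any both ways for v4 and v6.
FULL_ACCESS_RULES = [
    Rule("any", "10.10.0.5/32", "10.20.0.0/16", "allow"),
    Rule("any", "10.20.0.0/16", "10.10.0.5/32", "allow"),
    Rule("any", "fd00:1::5/128", "fd00:2::/64", "allow"),
    Rule("any", "fd00:2::/64", "fd00:1::5/128", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("restrictive", RESTRICTIVE_RULES),
                        ("full access", FULL_ACCESS_RULES)):
        gaps = missing_flows(rules, REQUIRED)
        print(f"{name}: {len(gaps)} of {len(REQUIRED)} required flows blocked")
        for f in gaps:
            print(f"  blocked: proto {f.proto} {f.src} -> {f.dst}")
```

Running it shows the restrictive ruleset blocks 9 of the 10 required flows (return-direction TCP/UDP, UDP outbound, both protocol 41 directions and everything over IPv6), while the full-access ruleset blocks none. Once the inside rules are opened wide enough to make the list empty, they are the "firewall sandwich" the Iron Networks quote describes as adding little.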
