Ports needed for internal network from DirectAccess in DMZ

Can somebody verify that these are in fact the ports that need to be opened to the internal network when DA is in the DMZ? I'd hate to tell my client this if it is not needed.

  • ISATAP: Protocol 41 inbound and outbound
  • TCP/UDP for all IPv4/IPv6 traffic
February 9th, 2015 1:45pm

It depends on what protocols you are using. Are you only using IP-HTTPS? Then only TCP 443 is needed.
Is Load Balancing in use?
February 10th, 2015 3:02pm

Sorry Steve, I should have mentioned that but yes it will be strictly IP-HTTPS. We are opening 443 for external network but would it be the same for the internal? No load balancing as it is just a proof-of-concept.
February 10th, 2015 5:13pm

Then you only need to allow 443 from the outside to the DA server. Traffic from internal AD clients/servers to the DA server should be open just like a standard domain member server, since DA is a member of the domain. Single or dual-NIC?
February 10th, 2015 5:17pm

Thank you Steve, that's what I thought. I think the client was trying to limit internal access as much as possible. It is a dual-NIC setup.
February 10th, 2015 5:20pm

Great! Then you only need to open 443 on the external interface, and make the Windows Firewall on the internal interface behave like all the other Windows servers you have internally. Maybe you already know, but DA needs the Windows Firewall running on both the DA server and the DA clients.
  • Marked as answer by Frank Trout Tuesday, February 10, 2015 8:12 PM
February 10th, 2015 11:09pm
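
The checks implied by the answer above, as an added PowerShell example that is not part of the original thread: it confirms the Windows Firewall service and profiles are active and that TCP 443 is listening on the external NIC of a dual-NIC, IP-HTTPS-only DA server. The adapter alias `External` is a placeholder assumption; substitute the name of the DMZ-facing adapter.

```powershell
# Added example: read-only sanity checks on a DirectAccess server.
# Assumption: 'External' is a placeholder alias for the DMZ-facing adapter.
param([string]$ExternalAlias = 'External')

$report = [ordered]@{}

# DirectAccess requires the Windows Firewall service (MpsSvc) to be running.
$report['FirewallServiceRunning'] = (Get-Service -Name MpsSvc).Status -eq 'Running'

# All firewall profiles should be enabled; list any that are not.
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$report['DisabledProfiles'] = ($disabled | ForEach-Object Name) -join ','

# Network category per adapter: the internal NIC of a domain member
# should report DomainAuthenticated.
$report['NetworkCategories'] = (Get-NetConnectionProfile |
    ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '

# IP-HTTPS needs a TCP 443 listener reachable on the external adapter.
$extAddrs = @(Get-NetIPAddress -InterfaceAlias $ExternalAlias -ErrorAction SilentlyContinue |
    ForEach-Object IPAddress)
$listeners = @(Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)
$onExternal = @($listeners | Where-Object {
    $_.LocalAddress -in @('0.0.0.0', '::') -or $_.LocalAddress -in $extAddrs
})
$report['Tcp443ListeningOnExternal'] = $onExternal.Count -gt 0

# Any other listening port bound to the external addresses is worth reviewing,
# since only 443 is expected to be exposed for IP-HTTPS.
$otherPorts = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in $extAddrs -and $_.LocalPort -ne 443 } |
    ForEach-Object LocalPort | Sort-Object -Unique)
$report['OtherPortsBoundToExternalIP'] = $otherPorts -join ','

[pscustomobject]$report | Format-List
```

The first two checks apply unchanged on a DA client, where the firewall must also be running.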

Steve, thank you for all the help. It is much appreciated and I do know about the firewall.
February 10th, 2015 11:12pm

This topic is archived. No further replies will be accepted.
