Publishing a Direct Access 2012 R2 server via TMG 2010 - TMG requirements

Hi,

I'm in the process of setting up DirectAccess using a Windows 2012 R2 server internally, to be published via a TMG 2010 server on Windows 2008 R2, and I'm trying to figure out what I need on my TMG 2010 server.

I've looked in various places and I can't seem to find this information. My questions are:

1. Does the IPv6 protocol need to be enabled on my TMG server?

2. Do I need to enable all the TMG IPv6 DirectAccess rules I see in my system policy that are currently disabled?

3. When I set up the DA server publishing rule on TMG, how should the listener be configured? Should it be using HTTP or HTTPS? And if it's using HTTPS, what certificate should I use?

I think I know the answer to question 3 based on some searching of these forums, and the answer is that I need to create a custom protocol that uses port 443 (no filters selected), inbound, and then create a standard publishing rule to my Server 2012 machine behind TMG.

I'd appreciate any answers on this stuff.

Thanks in advance

Nick

 

January 9th, 2014 2:18am

Hi,

It is possible to deploy DirectAccess behind a NAT server (like TMG).
You must create an HTTPS server publishing rule (not a Web server publishing rule), so HTTPS traffic is forwarded directly, without any filtering, to the internal DA server.
You don't have to activate IPv6 or the IPv6 system policy rules on the TMG server.
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
In this constellation the DirectAccess server provides only IP-HTTPS access.

January 9th, 2014 10:20am

Hello,

Here's another how-to about it, written by Benoit Sautiere: http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx

Regards,

January 9th, 2014 12:32pm

As Marc said, setting up a DirectAccess server behind any NAT means that you will only have the IP-HTTPS protocol available to your users. This may or may not be in your best interests, so keep that in mind. You definitely do not need to do anything with IPv6 in TMG, in fact I am pretty sure that TMG is not capable of manipulating IPv6 traffic anyway. All of the traffic that comes in through DirectAccess tunnels will be encapsulated in IPv4, so that is what TMG will be forwarding.
January 14th, 2014 6:40pm

Hi Jordan,

I've actually set up the publishing rule based on the links that Marc and the other responder provided, and I'm trying to test DirectAccess now. I'm having another issue related to the DNS/NRPT, which I believe is caused by the fact that my internal domain name is the same as our public domain name. So I'm trying to figure out how to resolve that.

In my network setup I don't think I could set up DirectAccess any other way than behind our TMG using NAT, so it sounds like I'm going to be using IP-HTTPS. Is there a downside to just using IP-HTTPS as opposed to the other protocols?

And what controls which protocols are used by the way?

Thanks,

Nick

January 14th, 2014 7:36pm

A DirectAccess client automatically chooses what protocol to use to connect, depending on what kind of internet connection it is currently sitting behind. The three protocols that can be used are 6to4, Teredo, and IP-HTTPS. I typically give two reasons as to why it is beneficial to have multiple. First, if something happens to IP-HTTPS (most common problem is that someone lets the SSL cert expire) - you will either have a small percentage of your users go down, while the majority (Teredo) continue to work, or if you only have IP-HTTPS, then of course everyone goes down all at once. The second reason is that IP-HTTPS is a less efficient protocol than the others, it is doing more work to the packets as they flow in and out, and so it takes more processing power and time. This is particularly true for Windows 7 clients, where they actually do double encryption on IP-HTTPS packets. At least that doesn't happen in Win8 anymore, but Teredo is still a faster protocol than IP-HTTPS no matter what operating system we are talking about on the client side.

I try not to be too self-serving on these posts, but this info is exactly the kind of stuff that I stuck in the book below. :) It also walks through the way to setup DA so that you have all of the protocols available to you.

http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book

January 14th, 2014 8:13pm
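The following is an added diagnostic example, not part of the thread and not from any of the posters. It runs on a Windows 8.1 DirectAccess client sitting outside the network and shows the facts Jordan describes: which of 6to4, Teredo and IP-HTTPS the client actually brought up, the NRPT rules in effect (relevant to Nick's split-brain DNS problem), and whether the certificate on the published TCP 443 listener is still valid, since an expired IP-HTTPS certificate is the outage he names as the most common. The public name `da.contoso.com` is a hypothetical stand-in for the ConnectToAddress that TMG publishes; the cmdlets come from the NetworkTransition, NetworkConnectivityStatus, DnsClient and RemoteAccess modules shipped with Windows 8.1 / Server 2012 R2 (Windows 7 clients have only the `netsh interface teredo|6to4|httpstunnel` equivalents).

```powershell
# Added example (not from this thread). Run on a Windows 8.1 DirectAccess client
# that is outside the corporate network.
# Assumption: 'da.contoso.com' is the public name (ConnectToAddress) that the
# TMG server publishing rule forwards on TCP 443 to the internal DA server.
$daHost = 'da.contoso.com'

# 1. Overall DirectAccess status as the client sees it.
Write-Host '--- DirectAccess connection status ---'
Get-DAConnectionStatus

# 2. State of each transition technology. Behind a TMG NAT that forwards only
#    TCP 443, IP-HTTPS is the only one that can come up: Teredo needs UDP 3544
#    and two consecutive public IPv4 addresses on the DA server, and 6to4 needs
#    a public IPv4 address at both ends.
Write-Host '--- Teredo ---';   Get-NetTeredoState
Write-Host '--- 6to4 ---';     Get-Net6to4Configuration
Write-Host '--- IP-HTTPS ---'; Get-NetIPHttpsState | Format-List InterfaceStatus, LastErrorCode
# The ServerURL below must point at the published name, e.g. https://da.contoso.com:443/IPHTTPS
Get-NetIPHttpsConfiguration

# 3. Effective NRPT rules. With the same DNS name inside and outside, a rule that
#    sends the whole namespace to the internal DNS servers will also capture the
#    public name the client needs to reach the DA server, so read every entry.
Write-Host '--- Effective NRPT ---'
Get-DnsClientNrptPolicy -Effective

# 4. Pull the leaf certificate over the same TCP 443 path that TMG forwards and
#    report its expiry. The validation callback returns $true only so that an
#    already-broken certificate can still be inspected; the real IP-HTTPS client
#    will reject an expired or untrusted one and every client will drop.
function Get-PublishedCert([string]$HostName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

$cert = Get-PublishedCert $daHost
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
'{0}  expires {1:u}  ({2} days left)' -f $cert.Subject, $cert.NotAfter, $daysLeft
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'IP-HTTPS listener certificate has expired: all DA clients lose connectivity.'
} elseif ($daysLeft -lt 30) {
    Write-Warning "IP-HTTPS listener certificate expires in $daysLeft days; renew it before it does."
}

# 5. The same facts from the server side (RemoteAccess module, run on the DA server):
#    ConnectToAddress must match $daHost, and TeredoState reads Disabled behind a NAT.
# Get-DAServer | Format-List ConnectToAddress, TeredoState, IPHttpsCertificate
```

Because the server is behind NAT, steps 2 and 5 will show Teredo and 6to4 unavailable no matter what the client is sitting behind; the one thing left to keep healthy is the IP-HTTPS path that step 4 exercises, which is why the certificate expiry is worth monitoring rather than discovering from a flood of helpdesk calls.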
