Has anyone here implemented Direct Access 2012?

Hi all,

I was wondering if we have any members on OCUK who have implemented DirectAccess? I have a couple of questions, that's all.

Do you have the DA server in the DMZ with one adapter and the other on the local LAN?

How are you handling the certificates?
 

We don't, but there's talk of creating one soon.

Do you have the DA server in the DMZ with one adapter and the other on the local LAN?

I asked this before, and someone on the Cisco side told me that this was a security risk and would defeat the whole purpose of a DMZ... Not sure if that is true or not...

I'll be interested on what other people say.
 

DA in 2008 used two servers and certificates; 2012 has thankfully done away with 90% of the hassle of 2008! In fact it's stupidly easy to set up/configure.

We have a DA server; connections go via NAT. You can put it through a TMG, IIRC, but it's not something we have seen the need for. It's also a self-signed cert.
I guess the argument against using a DMZ would be similar to sticking your Exchange Edge in the DMZ: by the time you've punched all the holes through to make it work, it negates anything the DMZ brings to the table :)
 
It shouldn't have a leg directly into the internal network, which is what I guess you mean from the Cisco guy. It should have an internal DMZ leg which would be able to route back through a firewall, but should never have direct attachment, as yes, that would defeat the purpose of the DMZ. As in, if that server in the DMZ was compromised, the attacker would also have access to everything inside the internal network, assuming a directly routed/flat network.
 
Surely you need one leg in the network though to be able to access the network once the connection is established?

And to make the connection you need..

A laptop joined to the domain
User credentials
TPM module
Certificate

And only if you tick all those boxes will you actually create the connection to the DA server?

What ports are you forwarding to the DA server? Is it just 443?
 
Pedantic mode: you don't need a TPM unless you're using a virtual smart card. :)

But yes, there are a lot of criteria to reach before the connection will establish. Everything goes over 443; DA uses the built-in firewall to separate the traffic, and uses IPv6to4 to connect past the server. There's a lot going on, and MS did do a decent job of simplifying it all, that's for sure!

You can now get hardware with embedded Server 2012 and DA built in that may well be worth a look.

One thing we did find annoying is that if you specify a proxy in IE then you might need to look into PAC files, as the machine tries to establish the DA connection via the proxy even if you're on a remote network. But I guess if your users are used to unticking the proxy settings then it may not be too much of a headache for them to continue.
 
Thanks for the heads up.

I would want to use the virtual smart card as a form of two-factor authentication, and it prevents the certificate from potentially being moved.

The more I read the more complicated it gets if we want all the bells and whistles.

For a start I would want to use multi-site so that means I need a PKI server after all.

I guess most people can't use Teredo because they implement their DA server behind a NAT device, meaning only IP-HTTPS can be used. I suppose this saves the need for two public-facing IP addresses though.

How are you guys managing certificates?
 
We didn't have much need for Teredo as there's only a handful of users who need remote access; bit of a waste of two IPs. Certificates are auto-enrolled from the CA; it didn't take much to set up/admin. Had been trying to avoid using a CA for as long as possible though :(


We only have one site but will soon be 2 so would be interested in how you manage it.
 