MS DirectAccess

Setting this up at work - as you may know it needs a number of protocols forwarded to its public IP addresses (there are two NICs which have two public IPs connected to the interweb on one card and two private on the other connected to the LAN).

Now, one of the protocols is protocol 41. At work we use a Cisco ASA 5510. This will only allow you to specify protocol 41 if the ASA version is 8.3 or above. The ASA version is currently 8.0(4). In order to move up to 8.3 it needs a RAM upgrade, flash memory upgrade and then some downtime in order to carry out the upgrades. No problem, but the next option could be easier and quicker...

My other option is I hang the DA server directly off the interweb, outside of the ASA. However, I'm worried about this from a security point of view. Obviously the W2K8 firewall will be enabled etc... but just wanted to garner some thoughts on this before I even consider it any further.
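Protocol 41 is IPv6 carried directly inside IPv4, which DirectAccess uses for its 6to4 transition traffic. The Python below is an added example, not code from the original post: it parses a constructed IPv4 datagram, reports whether it is protocol 41, decodes the inner IPv6 header, and checks that a 6to4 source address (2002::/16) really embeds the outer IPv4 source, which is the kind of sanity check that helps when verifying what a firewall is or is not passing to the DA server. All addresses are constructed sample values.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IP protocol number for IPv6-in-IPv4 (6to4) encapsulation
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst


def parse_6to4_packet(packet: bytes) -> dict:
    """Decode the outer IPv4 header and, for protocol 41, the inner IPv6 header.

    embedded_v4_matches is True/False only when the inner source is a 6to4
    address (2002:WWXX:YYZZ::/48 embeds the IPv4 address in bits 16..47);
    otherwise it stays None.
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(src)
    result = {
        "outer_src": str(outer_src), "outer_dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto, "is_6in4": proto == PROTO_IPV6_IN_IPV4,
        "inner_src": None, "inner_dst": None, "embedded_v4_matches": None,
    }
    if not result["is_6in4"]:
        return result
    inner = packet[ihl:ihl + 40]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a full IPv6 header")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    result["inner_src"] = str(inner_src)
    result["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    if inner_src in ipaddress.IPv6Network("2002::/16"):
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        result["embedded_v4_matches"] = embedded == outer_src
    return result


def build_sample(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                 proto: int = PROTO_IPV6_IN_IPV4) -> bytes:
    """Construct a minimal test packet (constructed sample; IPv4 checksum left at 0)."""
    # IPv6: version 6, payload length 0, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner
```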
 
Personally I wouldn't be comfortable with a Windows server connected directly to the Internet, but everyone has different levels of risk with which they are comfortable. If you must do this, I would at least place the internal NICs in a DMZ off your ASA so that your firewall isn't being bridged in its entirety. I'm actually about to look at the Direct Access stuff myself shortly - is this your first implementation of it, or have you trialled it first? I would be interested to hear any positive and negative comments you have on it.
 

I started looking at it a long time ago - for a lot of people it's a no go as you need to put in a lot of infrastructure work first (2008 R2 upgrades, PKI.. etc).

To be honest I was looking at it off my own back, rather than it being a requirement, and I couldn't get it working first time around. Having now (a few months later) looked into it a little further I've uncovered some of these requirements (such as allowing certain protocols to your public IPs). The documentation was extremely thin on the ground to begin with so this info was either unavailable or hard to find. So this is my second go :)

I know of a University that is in the middle of a fairly large implementation including Forefront and ISA - from what I've heard it has involved some fairly large scale network changes. I'm not sure of the detail.

I think Microsoft may have been blinded by their idea (which is excellent) and not looked at it widely enough. The networking configuration has clearly been poorly thought out and, as I said, IMO is very poorly documented.

That said... the idea of always on VPN for users is an exciting one, especially if you have machines which rarely come back to the home network and therefore become unmanaged. For that reason, I won't be giving up on it just yet. I'm hoping to get it working and to run a small pilot. If successful, I'll go back and look at high availability and a further rollout.

I'd be interested to know how you get on if you do decide to take a look anytime soon :)
 
Thanks for the feedback, doesn't sound like it's something that is easy to knock up a quick test environment of, as such I might have to go back to the drawing board. Our live environment sounds like it's up to spec since infrastructure wise we're already at 2008 R2, and we already have a PKI in place. We're about to do a laptop recall, culling the majority of them in the process, deploying whole disk encryption and rolling back out to those who really need them - Direct Access sounded like a good way to keep tabs on the inventory in the future. I will take a closer look at any documentation that is out there before embarking upon a trial build. Would be much appreciated if you could keep this up to date as you progress... :)
 
I've also been looking at & thinking about this as the idea of an always-on VPN sounds great, especially as for some reason the people who are mobile users at my place seem to have trouble in wrapping their heads around having to connect to the VPN in the first place, despite being shown how etc...
 
I've been setting it up for a while as I want to use it rather than the current Cisco VPN when we upgrade to Windows 7, mostly because staff don't understand when the VPN is needed and when it's not.

It's certainly not an easy thing to set up. I found a series of videos on YouTube which has got me to the point where it says it's configured, but the client can't see it over the net.

I've been distracted by DPM for the last few weeks so hopefully will get another chance to get it working...
 