MS DirectAccess

Associate | Joined 5 Feb 2009 | Posts 424
Setting this up at work - as you may know it needs a number of protocols forwarded to its public IP addresses (there are two NICs which have two public IPs connected to the interweb on one card and two private on the other connected to the LAN).

Now, one of the protocols is protocol 41. At work we use a Cisco ASA 5510. This will only allow you to specify protocol 41 if the ASA version is 8.3 or above. The ASA version is currently 8.0(4). In order to move up to 8.3 it needs a RAM upgrade, flash memory upgrade and then some downtime in order to carry out the upgrades. No problem, but the next option could be easier and quicker...

My other option is I hang the DA server directly off the interweb, outside of the ASA. However, I'm worried about this from a security point of view. Obviously the W2K8 firewall will be enabled etc... but just wanted to garner some thoughts on this before I even consider it any further.
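As an added example (not from the original post, and not Microsoft's or Cisco's own code): a small checker for the "number of protocols" the poster's ASA has to forward. Protocol 41 is the 6to4 transport (IPv6 encapsulated straight in IPv4); the other two Internet-facing transports a 2008 R2 DirectAccess server accepts are Teredo (UDP destination port 3544) and IP-HTTPS (TCP destination port 443). The script decodes raw IPv4 headers, labels each packet with the transport it would use, and reports which transports never arrived at the server's public addresses. The two public addresses, the `build_ipv4`/`l4_header` helpers and the sample packets are constructed for this example; in practice you would feed it packets captured on the DA server's Internet-facing NIC while a pilot client connects.

```python
import struct
from collections import Counter

# Signatures of the three IPv6 transition technologies a Windows Server 2008 R2
# DirectAccess server accepts from Internet clients. The perimeter firewall has
# to pass all three to the server's public IPv4 addresses:
#   6to4     : IPv6 encapsulated directly in IPv4, IP protocol 41
#   Teredo   : UDP, destination port 3544
#   IP-HTTPS : TCP, destination port 443
PROTO_6TO4 = 41
PROTO_TCP = 6
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544
IPHTTPS_TCP_PORT = 443
DA_TRANSPORTS = ("6to4", "teredo", "ip-https")

# Assumed public addresses of the DA server's Internet-facing NIC (constructed
# for this example; DirectAccess wants two consecutive public IPv4 addresses).
DA_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11"}


def classify_ipv4(packet: bytes, da_public_ips) -> str:
    """Label a raw IPv4 packet with the DirectAccess transport it would use.

    Decodes only what a firewall-rule check needs: version, IHL, protocol,
    destination address and, for TCP/UDP, the destination port.
    """
    if len(packet) < 20:
        return "malformed"
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    if dst not in da_public_ips:
        return "not-for-da"
    if proto == PROTO_6TO4:
        return "6to4"
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            return "malformed"
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if proto == PROTO_UDP and dport == TEREDO_UDP_PORT:
            return "teredo"
        if proto == PROTO_TCP and dport == IPHTTPS_TCP_PORT:
            return "ip-https"
    return "other"


def audit(packets, da_public_ips) -> dict:
    """Count packets per label; run this over a capture from the external NIC."""
    return dict(Counter(classify_ipv4(p, da_public_ips) for p in packets))


def missing_transports(counts: dict) -> list:
    """Transports that never reached the server: something upstream drops them."""
    return [t for t in DA_TRANSPORTS if counts.get(t, 0) == 0]


def build_ipv4(proto: int, dst: str, payload: bytes = b"",
               src: str = "198.51.100.7") -> bytes:
    """Build a minimal IPv4 packet (no options, zero checksum) as test input."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def l4_header(sport: int, dport: int) -> bytes:
    """First four bytes of a TCP or UDP header: source and destination port."""
    return struct.pack("!HH", sport, dport)


# Constructed sample traffic, standing in for a short capture on the DA
# server's Internet-facing interface.
SAMPLE_PACKETS = [
    build_ipv4(PROTO_6TO4, "203.0.113.10", b"\x60" + b"\x00" * 39),  # 6to4
    build_ipv4(PROTO_UDP, "203.0.113.11", l4_header(40001, 3544)),   # Teredo
    build_ipv4(PROTO_TCP, "203.0.113.10", l4_header(40002, 443)),    # IP-HTTPS
    build_ipv4(PROTO_TCP, "203.0.113.10", l4_header(40003, 80)),     # unrelated
    build_ipv4(PROTO_UDP, "203.0.113.99", l4_header(40004, 3544)),   # other host
]

if __name__ == "__main__":
    counts = audit(SAMPLE_PACKETS, DA_PUBLIC_IPS)
    print(counts)
    print("missing:", missing_transports(counts))
```

If a client only ever shows up as `ip-https` and `missing_transports` lists `6to4` and `teredo`, the firewall in front of the server is not passing protocol 41 and UDP 3544, which is exactly the rule the ASA in question cannot express on its current release. IP-HTTPS still works in that case, but every client then falls back to the slowest transport.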
 
Personally I wouldn't be comfortable with a Windows server connected directly to the Internet, but everyone has different levels of risk with which they are comfortable. If you must do this, I would at least place the internal NICs in a DMZ off your ASA so that your firewall isn't being bridged in its entirety. I'm actually about to look at the Direct Access stuff myself shortly - is this your first implementation of it, or have you trialled it first? I would be interested to hear any positive and negative comments you have on it.

I started looking at it a long time ago - for a lot of people it's a no go as you need to put in a lot of infrastructure work first (2008 R2 upgrades, PKI.. etc).

To be honest I was looking at it off my own back, rather than it being a requirement, and I couldn't get it working first time around. Having now (a few months later) looked into it a little further I've uncovered some of these requirements (such as allowing certain protocols to your public IPs). The documentation was extremely thin on the ground to begin with so this info was either unavailable or hard to find. So this is my second go :)

I know of a University that is in the middle of a fairly large implementation including Forefront and ISA - from what I've heard it has involved some fairly large scale network changes. I'm not sure of the detail.

I think Microsoft may have been blinded by their idea (which is excellent) and not looked at it widely enough. The networking configuration has clearly been poorly thought out and, as I said, IMO is very poorly documented.

That said... the idea of always on VPN for users is an exciting one, especially if you have machines which rarely come back to the home network and therefore become unmanaged. For that reason, I won't be giving up on it just yet. I'm hoping to get it working and to run a small pilot. If successful, I'll go back and look at high availability and a further rollout.

I'd be interested to know how you get on if you do decide to take a look anytime soon :)
 