Safety issue for DirectAccess 2012

  • Question

  • I'm curious about the safety of DirectAccess.

    What is the safest topology to set up DirectAccess? Edge, two adapters behind NAT, or one adapter behind NAT?

    If you use one adapter behind NAT, you would have to directly port-forward those specific ports from the external IP to the remote access server. Correct me if I'm wrong here, but that would open up a hole, wouldn't it?

    Same goes for two adapters behind NAT, where one is in the perimeter network. If you have a server that is domain-joined that can speak to the DMZ, you have a big hole right there as well. It is theoretically easier to hack into the perimeter network.

    What about the last one, edge? Where one adapter is connected directly to the internet (behind a firewall of course, but you still have to open specific ports and such). Isn't this the biggest safety issue of them all?

    Any thoughts around this? What would be the safest method to use? Let's say that I will not be using any of the features that require two network adapters, just to keep things open.

    Thursday, October 4, 2012 7:32 AM

Answers

  • When you deploy UAG it first installs TMG and then UAG. Everything is integrated. In fact UAG uses out-of-the-box DirectAccess functionality of Windows Server 2008 R2. Currently it does not support Windows Server 2012.

    It is possible to use an additional firewall on the internal network. Keep in mind that DirectAccess Clients only communicate from and to IPv6. Because their source IPv6 IP address cannot be routed on your internal IPv4 only network, traffic is translated by means of NAT. In fact your DirectAccess Clients will communicate to your internal network by using the internal IP Address of your DirectAccess Server. Because of that it is almost impossible for your internal firewall to recognize the difference between a DirectAccess Server or DirectAccess Client. It is not unusual to use an internal firewall. I am now working at a customer who uses an additional external and internal firewall.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, October 4, 2012 3:21 PM

All replies

  • It depends on many factors, such as the firewall type/brand in between, your network topology and such. In my opinion having a DirectAccess Server with two network interfaces is always the best option. Of course security can never be guaranteed. It is easier to harden a server with two network interfaces than one. For example you are able to unbind certain services on your external network interface. There are many other reasons for benefiting from a second interface.

    In general a NAT device does not offer firewall filtering as you might expect. In most cases it does not even offer filtering for the required protocols. In general a firewall which does 1:1 routing offers more security between the perimeter.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, October 4, 2012 8:33 AM
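The reply above recommends a second interface because services can be unbound from the Internet-facing adapter. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes the external adapter is named "External" (an assumption, adjust it), that it sits in the Public firewall profile, and that it is run in an elevated session on Windows Server 2012, where the NetAdapter and NetSecurity cmdlets used here are available. It is read-only unless `$Remediate` is set to `$true`.

```powershell
# Added example (not part of the original thread): audit the Internet-facing
# adapter of a two-NIC DirectAccess server before exposing it.
# Assumption: the external NIC is named 'External'; change to match your server.
$ExternalAdapter = 'External'
$Remediate       = $false   # set to $true to unbind the components reported below

# 1. Protocol/service bindings on the external NIC.
#    Only the IPv4 and IPv6 stacks need to stay bound; Client for Microsoft
#    Networks (ms_msclient) and File and Printer Sharing (ms_server) expose
#    SMB/RPC listeners that have no role on an Internet-facing interface.
$keepBound = @('ms_tcpip', 'ms_tcpip6')
Get-NetAdapterBinding -Name $ExternalAdapter |
    Where-Object { $_.Enabled -and ($keepBound -notcontains $_.ComponentID) } |
    ForEach-Object {
        Write-Warning ("{0}: '{1}' ({2}) is still bound" -f $ExternalAdapter, $_.DisplayName, $_.ComponentID)
        if ($Remediate) {
            Disable-NetAdapterBinding -Name $ExternalAdapter -ComponentID $_.ComponentID
        }
    }

# 2. Which Windows Firewall profile the external NIC landed in, and whether
#    that profile blocks unsolicited inbound traffic by default.
#    NetworkCategory is Public / Private / DomainAuthenticated; the firewall
#    profile names are Public / Private / Domain.
$category = (Get-NetConnectionProfile -InterfaceAlias $ExternalAdapter).NetworkCategory
$fwProfile = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { [string]$category }
$p = Get-NetFirewallProfile -Name $fwProfile
Write-Host ("{0} is in the {1} profile; DefaultInboundAction = {2}" -f $ExternalAdapter, $fwProfile, $p.DefaultInboundAction)
if ($fwProfile -ne 'Public') {
    Write-Warning "Expected the Internet-facing NIC to be in the Public profile"
}
if ($p.DefaultInboundAction -eq 'Allow') {
    Write-Warning "$fwProfile profile allows inbound traffic by default; expected Block"
}

# 3. Every enabled inbound allow rule that applies to that profile, with its
#    protocol and local port. Compare this list with the DirectAccess transition
#    technologies you actually deploy (for example IP-HTTPS on TCP 443); anything
#    else listed here is a listener the external network can reach.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -eq 'Any' -or ([string]$_.Profile) -match $fwProfile } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Group     = $_.DisplayGroup
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    } | Sort-Object Group, Rule | Format-Table -AutoSize
```

Run it once before the server is connected to the perimeter and again after each change to the DirectAccess configuration: the first section shows what is bound to the NIC at the driver level, the second and third show what the host firewall will actually accept on it, and the two views together are what a single-adapter-behind-NAT design cannot separate.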
  • Aha okay, yeah I can see why two adapters is a more sufficient choice.

    What if you installed some sort of firewall (SEP, TMG) on the server itself as well, just for the extra protection. Any point in doing this?

    Thursday, October 4, 2012 9:58 AM
  • That is exactly what UAG does. UAG hosts the DirectAccess role and uses TMG on top.

    You can install TMG on a DirectAccess Server based on Windows Server 2008 R2. But as far as I know TMG is unsupported on Windows Server 2012. So that is no option. By the way, the Windows Firewall with Advanced Security is a certified/qualified firewall out of the box. But personally I still prefer TMG. I wonder what the future will bring us.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, October 4, 2012 11:22 AM
  • Can UAG host the new DirectAccess? I thought that was the "old" version.

    I've got another question, what if you deploy DirectAccess in the perimeter network and open ports from the perimeter network to the internal network? So the server is still domain joined. Is this possible? Both network adapters would be in the perimeter network.

    Thursday, October 4, 2012 11:33 AM
  • When you deploy UAG it first installs TMG and then UAG. Everything is integrated. In fact UAG uses out-of-the-box DirectAccess functionality of Windows Server 2008 R2. Currently it does not support Windows Server 2012.

    It is possible to use an additional firewall on the internal network. Keep in mind that DirectAccess Clients only communicate from and to IPv6. Because their source IPv6 IP address cannot be routed on your internal IPv4 only network, traffic is translated by means of NAT. In fact your DirectAccess Clients will communicate to your internal network by using the internal IP Address of your DirectAccess Server. Because of that it is almost impossible for your internal firewall to recognize the difference between a DirectAccess Server or DirectAccess Client. It is not unusual to use an internal firewall. I am now working at a customer who uses an additional external and internal firewall.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, October 4, 2012 3:21 PM