DirectAccess external access

  • Question

  • Hi, 

    We have been using DirectAccess on Server 2012 for a while now, and I can't seem to put together two things:

    - I have a server on the external network that only responds to traffic from our WAN interface. Can I somehow route access to this machine using DirectAccess? I have already looked through the forums and found some indications that this will not work at all. I hope I am mistaken :)

    - I also have an environment that is not resolvable by the company DNS; this environment has its own DNS server, which is, however, located in the internal network. How can I access this environment through DirectAccess? I add *.domain.com to the NRPT; what should the Name Server be, the IPv4 address of the server or something else?

    Regards,

    Thursday, December 13, 2012 9:06 PM


All replies

  • Hi,

    When you say "from our wan interface", do you mean through the standard outgoing internet access that internal users connect through?

    If so, can you have your DA clients connect to this specific site through an internal proxy of some sort?

    Regarding your other question about the separate DNS internally, does this DNS server have IPv6 addresses registered for its hosts?
    Otherwise you somehow need to get those queries to go through the DNS64/NAT64 setup on your DA server.
    Is it not possible to configure your standard DNS server to be able to query these DNS servers (i.e., a conditional forwarder between the DNS servers)?
    That way your DA server can query its configured DNS servers, which will resolve the queries for it.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, December 14, 2012 9:38 PM
  • Hi Jonas,

    We administer client machines over the internet using either RDP or SSH (for Linux machines), no VPNs. We allow administrative access only from our public IPs. But when I tried it, it doesn't work. I allowed traffic from the DirectAccess server (or its public NAT), but it still does not work. Access from the server works, but it does not work from the DirectAccess server. Is this even supposed to work?

    Thanks for confirming the second part. I somehow need to configure the DirectAccess server to resolve those names, as the servers in question do not have IPv6 addresses.

    Sunday, December 16, 2012 5:30 PM
  • Hi again,

    When you tried accessing the machine on the external network, did you generate a NAT64 IPv6 address that you tried to access?

    If you don't know the prefix used for NAT64 addresses, you can run "Get-NetNatTransitionConfiguration" on your DA server.
    (Or look at the address returned for a regular host and remove the last blocks of hex numbers.)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Sunday, December 16, 2012 7:51 PM
  • Yes, I tried pinging the address; the address was an IPv6 6to4 address, but there was no reply from the server on the other end.

    Are there any special considerations for this to work? The server on external network is being accessed through the external interface on the DirectAccess server.

    Sunday, December 16, 2012 8:56 PM
  • When you say IPv6 6to4, do you mean that the external server actually has that IPv6 address configured, or that the prefix you get when running Get-NetNatTransitionConfiguration lists a 6to4 range as your prefix (look at the value "PrefixMapping")?

    My suggestion was that you have the DA server NAT64 the connection through its internal IPv4 address (the pool of IPv4 addresses is also shown by the PowerShell command). For this to work the client needs to connect to an IPv6 address that is listed in the NAT64/DNS64 configuration (Get-NetNatTransitionConfiguration) and where the last two blocks are related to the IPv4 address of your external server.

    If it does not work with the connection going out through the external interface of your WS2012/DA server, try adding a static route for that single host through your internal network instead.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Marked as answer by Simon Simcic Thursday, December 20, 2012 10:38 AM
    Sunday, December 16, 2012 9:14 PM
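The address arithmetic behind the two replies above (derive the NAT64 prefix by dropping the last blocks of a synthesised address, then build the IPv6 address whose last two blocks encode the external server's IPv4), as an added example that is not part of the thread. The prefix and the external IPv4 address below are constructed placeholders; on a real DA server the prefix comes from the PrefixMapping value of Get-NetNatTransitionConfiguration.

```powershell
# Added example, not from the thread. Builds the NAT64 IPv6 address a DirectAccess
# client must target to reach an IPv4-only host, and recovers the IPv4 address or the
# /96 prefix from such an address. All sample values are CONSTRUCTED placeholders.

function ConvertTo-Nat64Address {
    param(
        [Parameter(Mandatory)][string]$Prefix,      # NAT64 prefix in CIDR form, must be /96
        [Parameter(Mandatory)][string]$IPv4Address  # the IPv4-only server to reach
    )
    $prefixPart, $length = $Prefix -split '/'
    if ([int]$length -ne 96) { throw "NAT64 on Windows uses a /96 prefix, got /$length" }

    $v6Bytes = ([System.Net.IPAddress]::Parse($prefixPart)).GetAddressBytes()   # 16 bytes
    $v4Bytes = ([System.Net.IPAddress]::Parse($IPv4Address)).GetAddressBytes()  # 4 bytes

    # The first 96 bits (12 bytes) come from the prefix; the IPv4 address fills the
    # last 32 bits, i.e. the "last two blocks" of the IPv6 address.
    [Array]::Copy($v4Bytes, 0, $v6Bytes, 12, 4)
    # (,$array) passes the byte[] as a single constructor argument (PowerShell 3.0 friendly).
    return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$v6Bytes)).ToString()
}

function ConvertFrom-Nat64Address {
    # Reverse check: which IPv4 host does a NAT64 address actually point at?
    param([Parameter(Mandatory)][string]$IPv6Address)
    $bytes = ([System.Net.IPAddress]::Parse($IPv6Address)).GetAddressBytes()
    return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$bytes[12..15])).ToString()
}

function Get-Nat64PrefixFromAddress {
    # The shortcut from the thread: take a DNS64-synthesised address and drop the last blocks.
    param([Parameter(Mandatory)][string]$IPv6Address)
    $bytes = ([System.Net.IPAddress]::Parse($IPv6Address)).GetAddressBytes()
    for ($i = 12; $i -lt 16; $i++) { $bytes[$i] = 0 }
    return (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$bytes)).ToString() + '/96'
}

# Constructed demonstration values (replace with your own PrefixMapping and target host).
$prefix   = 'fd00:1234:5678:1::/96'
$external = '203.0.113.10'            # documentation range, stands in for the external server

$target = ConvertTo-Nat64Address -Prefix $prefix -IPv4Address $external
"Address to test from a DA client:   $target"
"Round trip back to IPv4:            $(ConvertFrom-Nat64Address $target)"
"Prefix recovered from that address: $(Get-Nat64PrefixFromAddress $target)"
```

Test the resulting address from a DA client rather than from the DA server itself: the translation only happens for traffic that enters the NAT64 component with the synthesised destination.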