Exchange Server Access and DirectAccess 2012

    Question

  • Hi all,

    I don't normally operate at this layer of the network stack so please excuse me in advance if I ask any dumb questions here. :-).

    I have 3 public IP addresses available from my ISP and I currently have two routers/firewalls connected to the external network and to my internal network. My internal network is all on one subnet - 192.168.1.0/24. I have a single DA server running Server 2012 behind router A and router A is port forwarding 443 to the DA server. DA is working great for a few Windows 8.1 and Windows 7 clients, absolutely no complaints with DA.

    I have an Exchange 2010 server on the network as well which is also working very well through DA.

    The problem I have is with clients that don't currently work with DA such as some Windows Phone 8 devices, a couple of Kindle Fires, and a Xoom tablet. To get them to work I've got router A configured to forward 9191 external requests to my Exchange server on 443 internal. This works for most of the devices, but some don't like port 9191.

    What I'd like to do is to have external requests for the Exchange server go through router B, which would forward 443 external to 443 internal to my Exchange server. If I change the default gateway on my Exchange server to the internal address of router B, this works great for the non-DA-capable devices; however, my DA-capable devices can no longer communicate with the Exchange server, as they're still trying to go through router A, since that's how the FQDN of the Exchange server resolves for DA clients.

    I've tried using a hosts file entry but when I do that and flush the DNS cache, my DA clients simply can't resolve that FQDN. It would appear that they don't even look at the hosts file.

    I think that what I need to do is to somehow tell my DA clients that when trying to resolve the FQDN of the mail server to not use DA to do so. Is that the right way to go about this? If so, how do I do that? If not, can anyone suggest a better way to accomplish what I'm trying to do here?

    Thanks!

    Saturday, November 09, 2013 2:46 PM

Answers

  • To accomplish what you are trying to do, you are correct that it is a DNS change that needs to happen, and the right place to make that change is the NRPT, which is the "DNS" screen inside Step 3 of the DirectAccess config wizards. This naming table basically tells all DirectAccess client computers what names to send inside the DirectAccess tunnels, and what names not to. So you can input the name of your Exchange server, making sure that no DNS server address is listed, and that should be it. That will tell any DA client that whenever they try to contact that name, to do so using the laptop NIC's local DNS servers, so that traffic will then flow over the regular internet rather than inside the DirectAccess tunnels.

    So that should take care of it. However, I'm not sure that from a security perspective this is your "best" solution, as keeping Exchange inside an IPsec DirectAccess tunnel is more secure than doing it over the internet through the HTTPS mechanism, but for a small business it is viable enough.

    • Marked as answer by Paul AdareMVP Thursday, November 21, 2013 11:39 AM
    Wednesday, November 20, 2013 9:24 PM
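    The NRPT change described in the answer can also be made and verified from PowerShell rather than the Step 3 wizard. The following is an added example, not code from the thread or from Microsoft's documentation; it assumes a Windows Server 2012 DirectAccess server with the RemoteAccess module, a placeholder Exchange name of mail.example.com (not the poster's real FQDN), and Windows 8.x clients for the client-side cmdlets (Windows 7 lacks the DnsClient module, so there `netsh namespace show effectivepolicy` shows the same table).

    ```powershell
    # Added example: create the NRPT exemption the answer describes, then confirm on a client.
    # mail.example.com is an assumed placeholder for the Exchange server's public FQDN.
    $exchangeFqdn = "mail.example.com"

    # --- Run on the DirectAccess server ---
    Import-Module RemoteAccess

    # Current NRPT rules pushed to DA clients via Group Policy. The internal domain suffix
    # rule lists the DA DNS server address, which is what sends Exchange traffic into the tunnel.
    Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

    # Omitting -DnsIPAddress makes this an exemption rule: DA clients resolve the name with the
    # physical NIC's DNS servers, so the connection leaves over the normal Internet path
    # (router B here) instead of through the IPsec tunnels. An exact host entry takes
    # precedence over the broader internal-suffix rule.
    Add-DAClientDnsConfiguration -DnsSuffix $exchangeFqdn -PassThru

    # --- Run on a DirectAccess client once the policy has refreshed ---
    gpupdate /force

    # Expected: the Exchange name appears with an empty DirectAccessDnsServers value, while the
    # internal suffix rule still points at the DA DNS server.
    Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers -AutoSize

    # Expected: the name resolves to the public address in front of router B, not an internal one.
    Resolve-DnsName $exchangeFqdn -Type A

    # Roll back if the exposure trade-off is not acceptable (Exchange returns to the tunnel):
    # Remove-DAClientDnsConfiguration -DnsSuffix $exchangeFqdn
    ```

    Two points worth checking after the change: the exemption means Outlook Anywhere and ActiveSync on DA clients now reach Exchange over plain Internet HTTPS, so the published 443 listener on router B must be the only path in and the Exchange certificate must be trusted by those clients; and any other internal name that shares the Exchange suffix is unaffected, because only the exact host entry is exempted.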

All replies

  • Exactly what I was looking for Jordan, thanks so much!

    I'll have to think about the security implications (and I have been doing so) but at least now I know that I have a viable alternative.

    Frankly, my biggest problem here is my new Surface 2. Since I can't domain-join it, I need to configure the Outlook client with an alternate port and that is a PITA since Microsoft has decided that the use of a ":" is not allowed when specifying a server in Outlook so some.host.com:9191 can't be entered in the client config. Instead, I have to enter some.host.com-9191 and then remember where this value is stored in the registry and use regedit to change the "-" to ":".

    Thanks again!

    Thursday, November 21, 2013 11:46 AM