Windows Server 2012 DirectAccess (Answered)

  • Saturday, October 06, 2012 9:27 AM
     
     

    Hi all,

    I had implemented DirectAccess with Windows 2008 R2 and UAG SP1 before, and I want to deploy DA with Windows Server 2012 now. I have some questions:

    1. With UAG or Windows 2008 R2 we must have 2 consecutive public IP addresses on the external NIC and create 2 DNS records pointing to the first IP, but now in Windows 2012 we can use NAT. So do I need 2 IPs on the DMZ and NAT the 2 public IPs from the firewall to the 2 IPs on the DMZ? And regarding the 2 DNS records, do I still need to create them?

    2. And regarding my Windows 7 clients, I read that I must configure the same old CA configuration?

    Thanks


    Tarek Khairy

All Replies

  • Saturday, October 06, 2012 3:15 PM
     
     Answered

    Hi,

    Question 1:
    When deploying DirectAccess with Windows Server 2012 in a NAT setup you only need one IPv4 address that you NAT.
    This is due to the fact that a NAT setup will only use IP-HTTPS, so the requirement for two IPs for Teredo is no longer necessary.

    Regarding the DNS records that you needed to create in your WS2008/UAG setup, which two are these?
    The only DNS record that you should need is the one for IP-HTTPS. This requirement is the same for both WS2008/UAG and WS2012.


    Question 2:
    Yes, you have the same CA/PKI requirements if you have Windows 7 clients.

    Hope that answered your questions.
    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

  • Sunday, October 07, 2012 6:18 AM
     
     

    Thanks for the reply. I have one more question:

    - As far as I know, Teredo is used for clients behind a NAT so they can connect to the corp network, so what will happen to these users now?

    Thanks


    Tarek Khairy

  • Sunday, October 07, 2012 7:51 AM
     
     Answered

    Hi again,
    Those clients can still connect with IP-HTTPS.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

  • Sunday, October 07, 2012 7:53 AM
     
     
    Thanks

    Tarek Khairy

  • Sunday, October 07, 2012 7:56 AM
     
     

    I have one last question regarding the NICs behind a NAT: what is the difference between using 1 NIC and 2 NICs?

    Thanks


    Tarek Khairy

  • Sunday, October 07, 2012 8:03 AM
     
     Answered

    Hi,

    There are actually a number of differences between those two setups.

    The biggest, according to me, is that you get incoming and outgoing traffic on the same interface with a 1-NIC setup.
    Another one is how the IPsec rules are built, but when it all comes down to it, it is only a matter of what requirements you have on your setup and what setup you like best.

    Personally I like the non-NAT solution since you can still use Teredo AND IP-HTTPS, but that is only my own personal opinion.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

  • Sunday, October 07, 2012 8:08 AM
     
     
    Thanks for the reply. For me, I like to have all the options as well, but having the DA server with 2 public IPs facing the internet directly is not that comfortable for all customers.

    Tarek Khairy

  • Monday, October 08, 2012 6:30 AM
     
     

    I have created detailed videos and want to share them, on how to install Windows Server 2012 DirectAccess with a single network card configuration and Windows 8 clients:

    http://www.youtube.com/watch?v=CNJOziif03k

    And Windows Server 2012 DirectAccess with a basic PKI configuration and Windows 7 clients:

    http://www.youtube.com/watch?v=_jgamV0XDiM

    Hope this will help.

    If you like these videos, please subscribe, like, and share.

  • Monday, October 08, 2012 8:45 AM
     
     

    Thanks for the reply. I will watch the videos later today, but I have another question:

    - We configure DirectAccess to apply to a security group, and the policies are placed under the domain in the GPO console. I have a corporation that has OUs for each branch, and if we move the policies under the OU it doesn't work. So can we apply the policy to the OU and then filter with groups?

    Thanks


    Tarek Khairy

  • Monday, October 08, 2012 12:20 PM
     
     

    Hi again,

    A suggestion for the future, create a separate thread for each question.
    That way other users with a similar problem/question can more easily find the answer in the existing threads.

    To answer your question though:
    There should be no problem applying the DirectAccess client GPO to the respective OUs and also filtering with AD groups.

    The GPO that contains the DirectAccess settings works like all other GPOs.
    The placement determines for which OUs and sub-OUs the GPO is evaluated, and security group filtering (and WMI filtering) is used to further limit the objects to which the GPO is applied.


    Jonas Blom | Relevo AB | http://blog.nrpt.se
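An added example (not from this thread or from either poster) of doing what the reply above describes with the GroupPolicy module: link the DirectAccess client GPO to each branch OU, restrict it with security filtering to the DA client group, and verify both. The GPO name, OU paths, domain and group name are assumed placeholders.

```powershell
# Added example: link the DirectAccess client GPO to branch OUs and filter it by group.
# All names below are placeholders for this illustration, not values from the thread.
Import-Module GroupPolicy

$GpoName   = 'DirectAccess Client Settings'          # assumed name of the DA client GPO
$DaGroup   = 'CONTOSO\DirectAccess Clients'          # assumed group of DA client computers
$BranchOUs = @(
    'OU=Computers,OU=Branch-A,DC=contoso,DC=com',
    'OU=Computers,OU=Branch-B,DC=contoso,DC=com'
)

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# 1. Placement: link the GPO to each branch OU (skipping OUs where it is already linked).
foreach ($ou in $BranchOUs) {
    $alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $alreadyLinked) {
        New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# 2. Security filtering: only members of the DA client group get "Apply Group Policy".
Set-GPPermission -Guid $gpo.Id -TargetName $DaGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Computers still need Read on the GPO to evaluate it at all, so downgrade
# Authenticated Users from Apply to Read (-Replace is required to lower a level)
# and make sure Domain Computers keep Read.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 3. Verify: which OUs link the GPO, and who may read or apply it.
foreach ($ou in $BranchOUs) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id } |
        Select-Object Target, DisplayName, Enabled
}
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Run it from an elevated PowerShell session on a machine with the Group Policy Management tools installed; a computer that is in the OU but not in the group will still read the GPO yet not apply it, which is the OU-plus-group behaviour the reply describes.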