Wednesday, June 06, 2012 2:06 PM
I do have a working DA 2.0 setup working for Windows 7/8 clients with an enterprise PKI. I do use IP-HTTPS and NAT64/DNS64. No ISATAP, no Toredo or 6to4. My DA is inbetween 2 firewalls.
While you can find plenty information about how to configure your front firewall for DirectAccess I didn't find any litterature about ports range used on a back-end firewall.
All client communications with the domain use source port 16000 (and incrementing) from the second network interface of the server.
What is the upper source port limit before the system start again at 16000 ? Do we have a way to change this port range?
Thursday, June 07, 2012 9:14 AMModerator
Thanks for posting here.
I think the introduction in the blog post below is worth to read first , it takes about the UAG deployment but I think should also work in windows base DA deployment :
UAG DirectAccess Server Deployment Scenarios
TechNet Community Support
Thursday, June 07, 2012 9:29 AM
None of those articles answers my question. They only cover communication between the front end firewall and the DA server. I did also mention my system was perfectly working but I am looking for more inside information how I can control traffic generated by DA Clients from the DA server to the Domain. I would like to predict what is going to be the ports consumption on my back-end firewall. I can not simply open ports 16000 to 65535 or I start wondering start why do I need a firewall again ?
Friday, June 08, 2012 8:29 AMModerator
Thanks for update.
> how I can control traffic generated by DA Clients from the DA server to the Domain.
I am not sure how will we control the traffic but we have a deployment that can restrict only certain internal server hosts can be access form DA client when outside :
Selected Server Access Example
And as you can see, we can restrict by setting IPsec policy on it.
TechNet Community Support
Friday, June 08, 2012 9:47 AM
Hello again ! :)
I am not worried about having a control on my destination machines. As You mention we can do it via DA or via my firewall a filtering on my firewall which in front of my domain. Something you don't want with your firewall is to leave open unecessary to destination IP or TCP/UDP ports.
While it is very easy to control a destination IP, it is not clear for UDP/TCP. As you know, with Vista and 2008 Microsoft decided to follow the IANA recommentation for its dynamic port attribution now it goes for port 49152 to 65535 instead of 1025 to 65355.
DirectAccess doesnt follow this IANA recommendation and start using from port 16000. I had to open those ports on my firewall between the DA DMZ and my domain. The problem is I don't know what is the port range DirectAccess is going to operate. 16000-17000 , 16000-2000 range. I assume the range is likely going to be defined by the number of clients who is going to use DirectAccess but its maximum?
I would like to know if there is currently a way to manually set the start port and the end port. I checked already netsh which can be used to define dynamic port range (http://support.microsoft.com/kb/929851) but there are no entry for DirectAccess port selection.
Friday, June 22, 2012 2:20 PM
I am not aware of a way to do this. As you have read, it is Microsoft's recommendation that when using a firewall on the inside part of the connection, to basically open it up for anything. I agree with you, this pretty much negates the purpose of the firewall being there in the first place.
The reason they have to make this recommendation is because everyone's environment is going to be different and the DirectAccess client computers are going to be doing different things in every install. DirectAccess shouldn't be thought of as "allowing the users in", but rather "extending the network to the users" - when you consider the traffic coming from the DirectAccess gateway you really should think of that as being all of the traffic that might come from client computers that are sitting in that DMZ trying to talk to internal resources.
In the installs I have done, it is more common for companies to put an IDS in-line on the inside part of the connection rather than a firewall. For those that have put firewalls there and attempted to lock it down, we have run into some crazy issues.
Sunday, June 24, 2012 12:02 PM
The port range is configured optimally to allow a maximum number of users to connect simultaneously.
You can see the port range and even update it using the PowerShell cmdlets: Get-NetNatTransitionConfiguration and Set-NetNatTransitionConfiguration.
Wednesday, June 27, 2012 9:18 AM
Thank you Yaniv