Server 2012 Direct Access publishing rules

    Question

  • Is there any documentation on the rules for publishing a Server 2012 Direct Access server behind TMG?  DA now supports location behind a NAT device.  I was wondering if there is a corresponding guide on how to set up TMG to support such a configuration?


    Rob

    Wednesday, June 20, 2012 01:16

Answers

  • I would say that you need to publish TCP443 (SSL, I know) but I believe you need to create a custom protocol definition that does not use the web filter and use server publishing to publish the server.

    This is in order to prevent the webfilter from breaking the SSL connection on TMG.

    I haven't tried this but it seems to be what needs to be done.

    As far as documentation goes, this is as close as I get http://technet.microsoft.com/en-us/library/hh831416 (section "Support for DirectAccess behind a NAT device")


    Hth, Anders Janson Enfo Zipper

    • Marked as answer by ip-rob Wednesday, June 20, 2012 14:53
    Wednesday, June 20, 2012 08:48

All replies

  • That seems to allow the tunneling to work.  I was able to ping the DirectAccess server ipv6 address from the internet once I set up a rule with a custom 443 protocol (no inspection) and server publishing.  That appears to allow the tunnel to work.  Of course, now comes all the rest of the configuration work!  Thanks for the tip.

    Rob


    Rob

    Wednesday, June 20, 2012 14:55
  • Can you please tell me how to do this??

    Please help

    Sunday, August 26, 2012 21:25
  • Keep in mind that if the server is behind NAT, only IP over HTTPS will be deployed, so yes, only 443 needs to be forwarded.  But IP over HTTPS is the slowest DirectAccess method; if you can put it on the edge direct, Teredo is the preferred method.

    Friday, September 7, 2012 19:09
  • Hi

    Can I ask how exactly you set up the TMG rule(s)?

    I tried publish 443 - but I get this:

    PS J:\> Get-DAConnectionStatus

    Status    : Error
    Substatus : CouldNotContactDirectAccessServer

    When connected to internal LAN I get Substatus: Connected Internally.

    Thanks.

    Wednesday, September 26, 2012 11:33
  • I didn't really spend much time on this since we are holding off on Direct Access...mainly due to the Windows 7 Enterprise requirements.  All I did was create a custom protocol that uses port 443 (no filters selected), inbound, and then created a standard publishing rule to my Server 2012 machine behind TMG.  I can't recall if I modified the "To" tab to appear to come from the TMG server or not. 

    Sorry I can't be of more help.


    Rob

    Wednesday, September 26, 2012 12:42
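A client-side check of the setup described in Anders's answer and in Rob's last reply (a custom TCP 443 protocol with no filters, published with a server publishing rule), written here as an added example; it is not code posted by anyone in this thread and not part of any Microsoft documentation. It assumes a Windows 8 / Server 2012 or later DirectAccess client sitting outside the corporate network, and uses da.example.com as a placeholder for the DA server's public DNS name. The certificate step is the one that tells you whether the web filter is still in the path: if TMG terminates SSL, the subject and issuer returned are those of TMG's listener certificate rather than the DA server's IP-HTTPS certificate.

```powershell
# Added example, not from the thread. Checks whether the DirectAccess IP-HTTPS
# endpoint published through TMG is reachable end-to-end from an external client.
# 'da.example.com' is a placeholder for the DA server's public DNS name (assumption).
param(
    [string]$DaPublicName = 'da.example.com',
    [int]$Port = 443
)

function Test-DaTcpPort {
    # Plain TCP connect with a 5 second timeout: proves the server publishing
    # rule forwards TCP 443 at all, before any TLS is attempted.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DaServerCertificate {
    # Completes a TLS handshake and returns the certificate the peer presents.
    # Chain validation is deliberately accepted here because the point is to
    # see WHICH certificate arrives (DA server vs. TMG listener), not whether
    # it chains on this client.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$reachable = Test-DaTcpPort -HostName $DaPublicName -Port $Port
Write-Host "TCP $Port reachable through TMG : $reachable"
if ($reachable) {
    $cert = Get-DaServerCertificate -HostName $DaPublicName -Port $Port
    Write-Host "Presented certificate subject : $($cert.Subject)"
    Write-Host "Presented certificate issuer  : $($cert.Issuer)"
    # Expected: the DA server's IP-HTTPS certificate. A TMG listener certificate
    # here means the web filter is still terminating SSL, i.e. the no-filter
    # custom protocol / server publishing rule from the thread is not in effect.
}

# Client-side view of the tunnel: IP-HTTPS interface state and the same
# status cmdlet used earlier in the thread.
netsh interface httpstunnel show interfaces
Get-DAConnectionStatus
```

Run it from the external client that reported CouldNotContactDirectAccessServer: a failed TCP connect points at the publishing rule or NAT itself, a wrong certificate points at the web filter, and a correct certificate with the tunnel still down moves the problem to the DA server's own IP-HTTPS configuration.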