Direct Access: Server 2016, Dual NIC, DMZ - What Is The Best Way?

  • Question

  • I have a block of 15 WAN IPs, x.x.x.177 on up with a GW of x.x.x.190. I have a VMware ESXi 6.5 server running some stuff. I have 4 VMNICs cabled into a Sonicwall TZ600, with 2 ports on my LAN. One port is on a different subnet (LAN DMZ) which I keep a NATed webserver in. I have a root CA on my DC which actively hands out my PKI.

    I am attempting to deploy Direct Access. I have tried for days to deploy it with a single NIC using IP-HTTPS. I can connect, 100% green lights. I can see my client in the monitor on the server, and I can see my active connection on the client. I can even ping the private LAN IPv6 address of my DA server, which is fd00:2::252. But I cannot reach anything else, or resolve anything else.

    So on a whim, I decided to get more complex in an attempt to get this working. While reading forums, I read that Teredo has superior performance. So, I added another virtual NIC to my Server 2016 box, and plugged it into a DMZ port on my Sonicwall. I turned that port into transparent, and assigned it two consecutive static public IPs, x.x.x.187 and x.x.x.188.

    I then assigned those two IP addresses to the external NIC on my DA. On the internal NIC, I gave it a LAN IP, which is It IS domain joined, of course. I then completely blocked Windows Firewall rules, and only allowed through DA stuff. On the Sonicwall, I have nothing NAT'd, but I have only opened up DA stuff.

    Is this an OK setup? Is there some major security risk, beyond someone hacking in through DA? Will this setup work? Would it make sense to make it a true DMZ machine by creating a second firewall in VMware to block access to my LAN AD? Or, can I just use Windows Firewall on the DA, and block outbound except for authentication and DNS and stuff?

    Am I making this horribly more complex than it needs to be just to use Teredo, instead of IP-HTTPS?

    I will be using DA personally for my laptop and my wife's, so we have access to corporate resources and some LAN-only databases, etc.

    And as a side note, while troubleshooting single NIC NAT'd DA over IP-HTTPS, I read seriously every single article on setup, both TechNet and otherwise (and all of these commands come out ok: What was failing in the DCA was failure to contact the domain.local and failure to resolve the sysvol, everything else was green.

    Basically, with the resources I have (unlimited VMs, Hardware Firewall, lots of IP space), what should my best setup be?

    "Sadly most places want the Porsche fastness and reliability, but only pay for a used 74 pinto, then they are "Shocked" that it won't run, and blame the IT guy"

    Thursday, August 24, 2017 1:45 AM

All replies

  • Hi Christopher! In my opinion, you are definitely taking the right approach by going to the dual-NIC implementation. Single NIC DA is never a real option in my books, it is something Microsoft added into 2012 in order to make POCs fast and easy, but I've seen too many weird things happen in single NIC mode to ever use it myself.

    As to whether or not you should use Teredo - the biggest deciding factor on this is whether or not you still have Windows 7 clients that you want to connect through this. If you do, then you should have Teredo available. If everyone is Win8 or Win10, then it's much less of an issue. As long as you don't disable the NULL cipher suites on your DA server (a lot of companies do this because the silly Qualys scanner tells them to) - then speed of IP-HTTPS is on par with Teredo. If you do disable the NULL cipher suites, then IP-HTTPS will be slower than Teredo, even for Win8/10 clients.

    Setting up in two-NIC approach is definitely the better way to go, but it is very important to make sure you are getting the network config of multi-homing right. As in - only one Default Gateway and it must go on the External NIC. There are a few other criteria, but that one is key. Many people put Default Gateways on both NICs and wonder why things get weird. :)

    If you're interested, not trying to push you this direction, but questions like yours are exactly the reason I put this resource together years ago, and it all still applies directly to DirectAccess in Server 2016. The first two chapters are basically making sure that the DA server gets set up properly in the first place, before you even try to enable DA on it: (or of course continue to ask me questions here and I'll respond as often as possible!)

    Friday, September 8, 2017 7:53 PM
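
The two checks the reply above calls out (a single default gateway that sits on the External NIC, and NULL cipher suites left enabled for IP-HTTPS) can be verified on the DA server with a short script. This is an added example, not code from either poster; the interface aliases `External` and `Internal` are assumed names and must be changed to match the server's NICs.

```powershell
# Added example: sanity-check multi-homing on a dual-NIC DirectAccess server.
# 'External' and 'Internal' are assumed interface aliases, not names from the thread.
param(
    [string]$ExternalAlias = 'External',
    [string]$InternalAlias = 'Internal'
)

$problems = @()

# Active IPv4 default routes (0.0.0.0/0); each one means a NIC carries a gateway.
$defaultRoutes = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
    -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$gatewayNics = @($defaultRoutes | Select-Object -ExpandProperty InterfaceAlias -Unique)

if ($gatewayNics.Count -eq 0) {
    $problems += 'No IPv4 default gateway is configured on any NIC.'
}
if ($gatewayNics.Count -gt 1) {
    $problems += "Default gateways found on multiple NICs: $($gatewayNics -join ', ')."
}
if ($gatewayNics -contains $InternalAlias) {
    $problems += "Internal NIC '$InternalAlias' has a default gateway; remove it and reach other internal subnets with static routes."
}
if ($gatewayNics.Count -gt 0 -and $gatewayNics -notcontains $ExternalAlias) {
    $problems += "External NIC '$ExternalAlias' does not hold the default gateway."
}

# Get-TlsCipherSuite lists enabled suites; -Name matches on a partial name.
$nullSuites = @(Get-TlsCipherSuite -Name 'NULL')
if ($nullSuites.Count -eq 0) {
    $problems += 'No NULL cipher suites are enabled; per the reply above, IP-HTTPS will be slower than Teredo.'
}

# Report what was found, then the verdict.
$defaultRoutes | Format-Table InterfaceAlias, NextHop, RouteMetric -AutoSize
$nullSuites    | Format-Table Name -AutoSize

if ($problems.Count -eq 0) {
    Write-Output 'OK: one default gateway, on the External NIC, and NULL cipher suites enabled.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```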