Access web server in DMZ with DA force tunneling RRS feed

  • Question

  • Hi,

    I have DA 2012R2 server with 2-NIC topology, forced tunneling.
    Access to internal resources from clients works fine.
    I have also public web server on DMZ, on the external DA interface subnet.
    Now if I add this web server's fqdn to NRPT for resolving by DNS64, client's traffic can't reach DA External interface, as NAT64 translate addresses only for Internal interface (my assumption).
    If I add its fqdn as NRPT exemption, client can't reach it over internet because of forced tunneling.
    How then to make this webserver available to DA clients? 

    Thursday, November 2, 2017 9:09 PM

All replies

  • Well, I've digged some more info and revealed that NAT64 actually translates addresses only for internal interface (get-NetNatTransitionConfiguration shows it).

    To map addresses for external interface one should add new instance of NatTransitionConfiguration with corresponding parameters.
    The problem is that it's impossible to add the new "NatTransitionConfiguration" instance for the same dns prefix xxxx:yyyy:zzzz:7777::/96 as already existing for DNS64 (cmdlet throws an error "New-NetNatTransitionConfiguration : Invalid parameter: PrefixMapping/InboundInterface.")

    Possible solution is maybe to configure additional DNS64 scope with Set-NetDnsTransitionConfiguration, but I decided to stop furter investigation.

    Instead I've made proxied NRPT record for that webserver: Set-DAClientDNSConfiguration –DNSSuffix 'server.fqdn' –ProxyServer proxy.fqdn:8080 and that solved my problem.

    If anybody have managed to setup NAT64 for servers on external interface I'd be glad to know how to do it.
    Friday, November 3, 2017 5:03 PM