Direct Access Issues and Public IP Addresses on All Interfaces - Server 2008 R2

  • Question

  • Greetings,

    I have been tasked with exploring Direct Access as a VPN solution for a campus in a highly secured environment. We will not be using NAT, RFC 1918 addresses, or IPv6 addresses per the client's existing addressing and security requirements. All servers and clients will have publicly routable IPv4 addresses.

    I have been banging my head against the wall trying to get a Server 2008 R2/Windows 7 Enterprise solution working in my test lab. Since the Internal resources ("Intranet") do not have IPv6 addressing, I have installed UAG/TMG SP1 on my DA server for the IPv4 to IPv6 translations. I have left IPv6 enabled on the clients and the DA server.

    To make a long story short, the IPSEC tunnels will not come up. After researching the issue, I came across this: http://pcmusings.wordpress.com/2011/07/29/lessons-learnt-deploying-directaccess/. This article states that Direct Access does not support environments where Internal and External addresses are routable (i.e. non-RFC 1918). Can anyone confirm this is the case?

    For background, my CRL is published on an internal server with a trunk on the UAG server and is accessible by any client from an IP address on the external subnet of the UAG server. DNS resolution on the "External" subnet resolves da, crl, and other critical names without issue. The PKI seems to be working with auto-enrollment of computer certs with the CRL locations, and client machines can access the CRL both internally and externally.

    This is a bit of an odd setup in that the client machines will not be leaving the campus, but need to be secured with VPN tunnels internally. It was suggested that Direct Access serve as an IPSEC tunnel solution between resources on the "inside" (servers, internal resources), and the client machines.

    If anyone can tell me if this is a feasible solution, I would appreciate it. I have spent quite a bit of time working on the lab and would like to know if there is a way to make this work in production or if I should look at another solution.

    Thank you in advance...

    Sunday, May 11, 2014 5:17 AM

Answers

  • Hi,

    You simply describe my first DirectAccess project back in 2009 with UAG RTM. For sure it's not easy, but we were able to do it. I can provide you more details if you wish, but not on forums. The solution developed worked but was supported by Microsoft at the limit. Today, RFC 1918 compliance is one of the first questions I ask network teams in the pre-sale phase.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by Jah Say Wednesday, May 14, 2014 8:14 PM
    Wednesday, May 14, 2014 5:37 PM

All replies

  • Hi,

    I got the same situation once with a complete network composed of IPv4 public addresses. That led to routing issues. The only solution I had was to rely on ISATAP. Each resource to be reachable from DirectAccess clients connected on the Internet must have an ISATAP address delivered from an ISATAP router (included in UAG/Windows Server 2012). Resources must be registered in DNS with this address. If you plan to move to Windows Server 2012, there is a little change: http://danstoncloud.com/blogs/simplebydesign/archive/2013/01/12/dns64-behavior-change-in-windows-server-2012.aspx.

    So the solution is to rely on an IPv6 network.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, May 11, 2014 6:47 AM
  • Hi,

    To be more precise, only resources with an ISATAP client configured will be reachable.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, May 13, 2014 9:00 PM
  • Greetings,

    Thank you for replying. I have come to the conclusion that Direct Access probably won't work in this situation. The client doesn't have IPv6 configured, and I was hoping the UAG server would eliminate the need for it. But having routable IP space on the internal network threw me for a loop...

    Anyway, the search for a solution continues. L2TP/IPSEC is working; I just wish there was a way to start the tunnels in a multi-user environment without dragging a shortcut into the Startup menu or other hacks like that. I'll probably wind up going with a 3rd party solution.

    Again, thanks for the input.

    Tuesday, May 13, 2014 11:32 PM
  • Hi

    You don't need to have a full native IPv6 network with network devices configured for IPv6. ISATAP is a transition technology that encapsulates IPv6 traffic into IPv4 frames. So from a network point of view, it's just IPv4 frames. Only deep inspection appliances will identify IPv6 content in the frames. In your situation, resources that will be reachable through DirectAccess must be able to have IPv4 and IPv6 (ISATAP) addresses, and it would work.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, May 14, 2014 8:04 AM
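The ISATAP addressing BenoitS describes (IPv6 carried in IPv4 frames, each resource given an ISATAP address derived from its IPv4 address and registered in DNS) as an added example; this is not code from the thread or from any Microsoft product. It derives a resource's ISATAP address per RFC 5214 from its IPv4 address and a /64 prefix, and checks RFC 1918 membership, which is the compliance question raised above. The prefixes and host addresses used are constructed sample values, and the code assumes any address outside RFC 1918 is globally unique.

```python
"""ISATAP address derivation (RFC 5214 section 6.1) plus an RFC 1918 check.
Added example for this thread; the sample prefixes and hosts are constructed."""
import ipaddress

# ipaddress.is_private() is wider than RFC 1918 (127/8, 169.254/16, ...),
# so the three RFC 1918 blocks are checked explicitly.
RFC1918_BLOCKS = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)

def is_rfc1918(ipv4: str) -> bool:
    """True when the address lies in one of the RFC 1918 blocks."""
    addr = ipaddress.IPv4Address(ipv4)
    return any(addr in block for block in RFC1918_BLOCKS)

def isatap_interface_id(ipv4: str) -> str:
    """64-bit ISATAP interface identifier (00-00-5E-FE + IPv4) as hextets.
    RFC 5214 sets the 'u' bit when the embedded IPv4 address is globally
    unique: public addresses yield 200:5efe:..., RFC 1918 ones 0:5efe:...
    (simplification: anything outside RFC 1918 is treated as public)."""
    p = ipaddress.IPv4Address(ipv4).packed
    first = 0x0000 if is_rfc1918(ipv4) else 0x0200
    return "%x:5efe:%x:%x" % (first, (p[0] << 8) | p[1], (p[2] << 8) | p[3])

def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix (fe80::/64 for link-local, or the one the ISATAP
    router advertises) with the interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    head = ":".join(net.network_address.exploded.split(":")[:4])
    return ipaddress.IPv6Address(head + ":" + isatap_interface_id(ipv4))

def isatap_display(prefix: str, ipv4: str) -> str:
    """Same address in the dotted form ipconfig shows (fe80::200:5efe:w.x.y.z).
    A /64 network address always ends in '::', which absorbs a 0 hextet."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    u_bit = "" if is_rfc1918(ipv4) else "200:"
    return f"{net.network_address}{u_bit}5efe:{ipv4}"

if __name__ == "__main__":
    for host in ("131.107.0.2", "192.168.1.1"):  # constructed sample resources
        print(host, "rfc1918" if is_rfc1918(host) else "public",
              isatap_display("fe80::/64", host), isatap_address("fe80::/64", host))
```

The dotted form is what you would expect to see in ipconfig and in the AAAA record registered for each resource; the hextet form is what the address parser canonicalises it to.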
  • Understood...

    I just couldn't get Direct Access to work in testing. I tried putting an ISATAP DNS entry pointing to the internal interface of the UAG/TMG server and disabled IPv6 in the interface configuration of the internal machines (which mimics the client's environment). PKI was set up per Microsoft's directives, and Group Policy was configured to auto-enroll computer certs to all machines, which I verified.

    Per my original post, having non-RFC 1918 addresses on the internal subnet is what threw me for a loop. I checked, double checked, and triple checked the configuration, and that is the only thing that was different from the test lab configuration Microsoft released.

    Wednesday, May 14, 2014 3:43 PM
  • Hi,

    Well, I'm glad to see I'm not the only person who has had issues with this... : )   I was going slightly crazy for the past week....

    I'm going to check with my team to see if they still want to go down this route. It was suggested I evaluate Server 2012 R2 even though we don't have confirmation from the client we can bring it into their environment.

    I will get with you offline if it's decided to pursue Direct Access.

    I really appreciate your responsiveness with my question...

    Wednesday, May 14, 2014 8:17 PM
  • My pleasure,

    If you want more details about DirectAccess, have a look at my blog, http://danstoncloud.com/blogs/simplebydesign/default.aspx; all DirectAccess content is available in English.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, May 14, 2014 8:22 PM