DirectAccess - Can't reach some resources

  • Question

  • Hi,

    We have set up a new DirectAccess environment; during the testing phase we noticed that several resources were unavailable. That being said, we found out that a large number of the servers are behind a firewall in another LAN. Now, internal resources work fine on the same subnet as the DA server, where the domain controller and various other resources are located.

    What kind of ports need to be open between the DirectAccess server and the resources on that subnet? There is only limited information regarding setup within the infrastructure on TechNet.


    • Edited by Mindhunt3r Wednesday, September 10, 2014 3:09 PM
    Wednesday, September 10, 2014 3:09 PM

Answers

  • Not knowing what kind of DA environment you have (single NIC/dual NIC? behind an edge device? etc.), I'm wondering if you've got proper routes to the other subnets from the DA server. The resources on the same subnet as the internal NIC of the DA server probably work because there is no need for static routes when on the same subnet.
    Firewall-wise, if you have no problems accessing resources on the other subnet from the subnet the internal NIC is on (from other machines on the DA subnet), there shouldn't be any need for changes to the firewall, as iirc all communication to other resources from the DA server will go over the standard ports for that resource.

    Could you explain some more about how your environment is set up, and whether you have proper static routes set up for access to internal subnets? Could you add a printout of your routes with "route print" on the DA server?

    • Marked as answer by Mindhunt3r Monday, September 15, 2014 12:19 PM
    Thursday, September 11, 2014 8:19 AM
  • Hi there - as stated above by P.Molavi, the DirectAccess Server (in its different configurations) requires full access to all internal resources. So, for example, if you have an internal firewall behind the DA Server, recommended practice is to add a rule allowing the DA Server access to internal resources: for example, allow the internal IP of the DA Server to all VLANs behind it that host services, and also apply the correct static routes on the DA Server to provide network routing. If there is no firewall behind the DA Server, you will still require access to the VLANs behind the DA Server, and static routes also need to be applied. If there are no VLANs behind the DA Server, then the next option is to check that the DA Server can ping the internal resources, and I would be looking at AV or Windows Firewall to see if traffic is being blocked.
    Internal IP of the DA Server ---> allow all traffic to selected VLANs
    The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that DirectAccess requires full connectivity to your apps / infrastructure.

    John Davies

    • Marked as answer by Mindhunt3r Monday, September 15, 2014 12:20 PM
    Friday, September 12, 2014 2:16 PM
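Both answers above come down to the same two checks: does the DA server have a route to each internal subnet, and is the resource's standard port actually reachable across the internal firewall? The script below is an added example (not posted by anyone in this thread) that runs those checks from the DA server with the built-in NetTCPIP cmdlets and prints a verdict per resource. The host names, addresses, ports, the adapter name 'Internal', the next hop 10.20.0.1 and the /24 prefix assumption are all placeholders for this example.

```powershell
# Added example, not code from the thread. Run on the DirectAccess server to see,
# per internal resource, whether a route exists and whether its TCP port answers.
# Names, addresses, ports, adapter name and gateway below are placeholders.

# Constructed inventory of internal resources the DA server must reach.
$targets = @(
    @{ Name = 'dc01.corp.example';   Address = '10.20.0.10'; Port = 389 }  # LDAP on a DC
    @{ Name = 'dc01.corp.example';   Address = '10.20.0.10'; Port = 88  }  # Kerberos on a DC
    @{ Name = 'file01.corp.example'; Address = '10.30.0.25'; Port = 445 }  # SMB file server
    @{ Name = 'app01.corp.example';  Address = '10.30.0.40'; Port = 443 }  # HTTPS app server
)

function Test-InternalResource {
    param([hashtable]$Target)

    # Find-NetRoute returns the chosen source address and the route the stack
    # would use; keep only the route object. With no matching route it writes an
    # error, which is suppressed here and treated as "no route".
    $route = Find-NetRoute -RemoteIPAddress $Target.Address -ErrorAction SilentlyContinue |
             Where-Object { $_.PSObject.Properties['DestinationPrefix'] } |
             Select-Object -First 1

    # A default route (0.0.0.0/0) also "matches"; flag it, because on a single-NIC
    # DA server the default gateway may point at the edge, not at the LAN core.
    $routeNote = if (-not $route) { 'NO ROUTE' }
                 elseif ($route.DestinationPrefix -eq '0.0.0.0/0') { "default via $($route.NextHop)" }
                 else { "$($route.DestinationPrefix) via $($route.NextHop)" }

    # TCP test on the resource's own port. Ping alone is not enough: internal
    # firewalls often drop ICMP while still passing the service port, or vice versa.
    $tnc = Test-NetConnection -ComputerName $Target.Address -Port $Target.Port `
                              -WarningAction SilentlyContinue

    $verdict = if (-not $route)               { 'add a static route' }
               elseif ($tnc.TcpTestSucceeded) { 'ok' }
               else { 'route exists, port blocked (check internal firewall, Windows Firewall, AV)' }

    [pscustomobject]@{
        Name    = $Target.Name
        Address = $Target.Address
        Port    = $Target.Port
        Route   = $routeNote
        Ping    = $tnc.PingSucceeded
        TcpOpen = $tnc.TcpTestSucceeded
        Verdict = $verdict
    }
}

$results = $targets | ForEach-Object { Test-InternalResource -Target $_ }
$results | Format-Table -AutoSize

# Local outbound block rules would also explain a failure; Windows Firewall allows
# outbound by default, so anything listed here deserves a look.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile

# For targets reporting 'add a static route', add a persistent route out of the
# internal adapter. Adapter name, next hop and the /24 prefix are assumptions.
$internalIf = Get-NetAdapter -Name 'Internal'   # assumed name of the internal NIC
$lanGateway = '10.20.0.1'                        # assumed LAN router on the DA subnet
foreach ($r in $results | Where-Object { $_.Verdict -eq 'add a static route' }) {
    $prefix = ($r.Address -replace '\.\d+$', '.0') + '/24'   # assumes /24 subnets
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $internalIf.ifIndex `
                 -NextHop $lanGateway -PolicyStore PersistentStore -WhatIf
}
```

The New-NetRoute call is left with -WhatIf so the script only reports what it would add; drop the switch once the prefixes and next hop are confirmed against the "route print" output the first answer asks for. A result of "route exists, port blocked" is the case the second answer describes: the DA server's internal IP needs an allow rule on the firewall between the DA subnet and the resource VLANs, since the traffic uses the resource's ordinary service port rather than anything DirectAccess-specific.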

All replies

  • I managed to find out that some of the LANs actually have a firewall between them, thus no connection to those resources.

    The configuration is a single NIC in NAT; no route should be necessary for this.


    Thanks though for the clarification.

    Monday, September 15, 2014 11:56 AM