DirectAccess architecture design

  • Question

  • Hi all

    I've been asked to design DirectAccess 2012 R2 for Win7 clients (more than 1000).

    What is the best scenario for security? One-NIC or two-NIC deployment?

    Inside the LAN or in the DMZ?

    I will use SSL offload for the Win7 client double encryption.

    No multisite.

    Any other consideration for a high-level brief?

    10x


    • Edited by Yfhar's Tuesday, November 18, 2014 9:36 PM
    Tuesday, November 18, 2014 6:47 PM

Answers

  • You should always locate your DirectAccess server behind a front-end firewall, in a perimeter network (DMZ). For an optimal configuration you use two network interfaces: one interface connected to the perimeter network (DMZ) and the other interface connected to the internal network (LAN). Optionally, you can have a back-end firewall between the internal network interface and your internal network.

    If you want to use all DirectAccess protocols (e.g. 6to4, Teredo and IP-HTTPS) you need two external IP addresses without NAT in between. But if you are going to use IP-HTTPS only, you can apply NAT and one external IP address will be enough.

    There are many other things to consider, but network-related, this is good to start with.


    Boudewijn Plomp | BPMi Infrastructure & Security

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

    • Marked as answer by Yfhar's Wednesday, November 26, 2014 5:49 PM
    Thursday, November 20, 2014 2:26 PM
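The following PowerShell check is an added example that is not part of the thread or of any Microsoft documentation; it turns the placement advice in the accepted answer into something you can run on the DirectAccess server itself. It assumes Windows Server 2012 R2 with the RemoteAccess and NetworkTransition modules (both ship with the Remote Access role), that Get-DAServer exposes InternalInterface, InternetInterface and TeredoState, that Get-NetIPHttpsConfiguration exposes State and ServerURL, and that Set-DAServer accepts -TeredoState; verify these property and parameter names with Get-Help on the target if they differ. Test-IsPrivateIPv4 is a helper written for this example.

```powershell
# Added example (not from the thread). Reads the DirectAccess server
# configuration and flags the two network-design points from the answer:
# single- vs two-NIC placement, and whether Teredo/6to4 are enabled without
# the two public IPv4 addresses (and absence of NAT) they require.
Import-Module RemoteAccess
Import-Module NetworkTransition

# Helper for this example: RFC 1918, link-local and CGN (RFC 6598) ranges are
# treated as "not public", i.e. as a sign that NAT sits in front of the server.
function Test-IsPrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 169 -and $o[1] -eq 254) -or
           ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127)
}

# Assumed properties: InternalInterface, InternetInterface, TeredoState.
$da = Get-DAServer

# 1. Interface layout: a single-NIC install sets both properties to the same
#    adapter, which is the less isolated design.
if ($da.InternalInterface -eq $da.InternetInterface) {
    Write-Warning "Single-NIC deployment on '$($da.InternetInterface)'; edge and LAN traffic share one interface."
} else {
    Write-Output "Two-NIC deployment: Internet='$($da.InternetInterface)' Internal='$($da.InternalInterface)'"
}

# 2. Public IPv4 addresses bound to the Internet-facing adapter.
$publicV4 = @(Get-NetIPAddress -InterfaceAlias $da.InternetInterface -AddressFamily IPv4 |
              Where-Object { -not (Test-IsPrivateIPv4 $_.IPAddress) })

# 3. Transition technologies enabled on the server side.
$teredo    = Get-NetTeredoConfiguration
$sixToFour = Get-Net6to4Configuration
$ipHttps   = Get-NetIPHttpsConfiguration | Select-Object -First 1   # assumed: State, ServerURL

Write-Output ("Teredo={0} 6to4={1} IP-HTTPS={2} ({3})" -f $teredo.Type, $sixToFour.State, $ipHttps.State, $ipHttps.ServerURL)
Write-Output ("Public IPv4 on Internet adapter: {0}" -f ($publicV4.IPAddress -join ', '))

# Teredo needs two consecutive public addresses and no NAT; 6to4 needs a public
# address. IP-HTTPS alone works behind NAT with a single address.
$wantsNativeTransition = ($teredo.Type -ne 'Disabled') -or ($sixToFour.State -ne 'Disabled')
if ($wantsNativeTransition -and $publicV4.Count -lt 2) {
    Write-Warning "Teredo/6to4 are enabled but fewer than two public IPv4 addresses are bound; clients will fall back to IP-HTTPS. Either bind two consecutive public addresses with no NAT in front, or run IP-HTTPS only (Set-DAServer -TeredoState Disabled)."
} elseif ($publicV4.Count -eq 0) {
    Write-Output "No public IPv4 on the Internet adapter: this is a NAT / IP-HTTPS-only design, which needs just one external address."
}
```

Run it in an elevated PowerShell session on the DirectAccess server. The private-range test is deliberately conservative: an Internet adapter that carries only RFC 1918 addresses is taken to mean NAT is in front of the server, which is exactly the case where the answer says to run IP-HTTPS only.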

All replies

  • You can refer to the link below for Design Considerations and Capacity Planning for DirectAccess:

    http://technet.microsoft.com/en-us/library/jj735301.aspx

    Wednesday, November 19, 2014 10:22 AM
  • Hi

    I may be wrong, but IPsec/SSL offloading are network capabilities not available in virtual machines. So you will need appliances or physical servers.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, November 21, 2014 2:57 PM
  • Apparently with an external load balancer F5 Big-IP you are able to do SSL offloading. But I don't have experience with it.

    Boudewijn Plomp | BPMi Infrastructure & Security


    Thursday, November 27, 2014 8:29 AM
  • Hi,

    You're right. It can be done by F5 or Kemp. With Windows 7 clients it helps a lot. With Windows 8 and null encapsulation, the gain is not im… But SSL offloading is not the most consuming process. IPsec tunnel negotiation is much more consuming. That's why I would choose a physical server / appliance. We can't have IPsec offloading in virtual machines.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 27, 2014 8:36 AM
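As an added example (not from the thread), the script below gathers the capacity facts the last replies argue about: whether the host is a virtual machine, whether its NICs expose IPsec task offload, and how many IPsec security associations the server currently holds, since each connected client costs main-mode and quick-mode negotiations. It assumes Windows Server 2012 R2 with the NetAdapter and NetSecurity modules and CIM access to Win32_ComputerSystem; the hypervisor detection is a string-match heuristic written for this example, and the Enabled property of Get-NetAdapterIPsecOffload is as I recall it (check with Get-Help Get-NetAdapterIPsecOffload -Full).

```powershell
# Added example (not from the thread). Collects the host facts behind the
# "physical vs virtual" argument: hypervisor presence, IPsec task offload on
# the NICs, and the live IPsec SA counts that tunnel negotiations produce.
Import-Module NetAdapter
Import-Module NetSecurity

# Heuristic written for this example: hypervisor platforms announce themselves
# in the SMBIOS model/manufacturer strings. A match is treated as "virtual".
function Test-IsVirtualMachine {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.Model -match 'Virtual Machine|VMware|VirtualBox|KVM|HVM') -or
           ($cs.Manufacturer -match 'VMware|Xen|QEMU|innotek')
}

# Per adapter: link speed and whether the driver exposes IPsec task offload.
# Get-NetAdapterIPsecOffload returns nothing for adapters without the feature
# (assumed output property: Enabled).
function Get-IPsecOffloadReport {
    Get-NetAdapter -Physical | ForEach-Object {
        $off = Get-NetAdapterIPsecOffload -Name $_.Name -ErrorAction SilentlyContinue
        if ($null -eq $off)     { $state = 'not supported' }
        elseif ($off.Enabled)   { $state = 'enabled' }
        else                    { $state = 'disabled' }
        [pscustomobject]@{
            Adapter      = $_.Name
            LinkSpeed    = $_.LinkSpeed
            IPsecOffload = $state
        }
    }
}

# Current IPsec load: every DirectAccess client holds main-mode and quick-mode
# SAs, so these counts grow with the connected client population.
$mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue).Count
$quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count

if (Test-IsVirtualMachine) {
    Write-Warning "Host looks virtual: NIC IPsec offload is not available to the guest, so IPsec negotiation runs entirely on vCPU."
}
Get-IPsecOffloadReport | Format-Table -AutoSize
Write-Output ("IPsec SAs now: main mode={0} quick mode={1}" -f $mainMode, $quickMode)
```

Sampling the SA counts at peak login time, together with CPU utilisation, gives a concrete basis for the physical-versus-virtual decision rather than a rule of thumb; the SA cmdlets need an elevated session.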