Server 2012 DirectAccess and External IP address NAT

  • Question

  • Sorry, I know this question has been addressed in various forms, but I've been unable to find a categorical answer. Can the two public IPs required for Teredo be NAT'd to internal DMZ IPs on the DA server, or must the external interface on the DA server still have two public IPs directly assigned to it?

    I read a TechNet article stating that the DA server can be put behind NAT but is then restricted to IP-HTTPS only, yet my colleague says he has deployed DA NAT'ing the two external IP addresses through to two DMZ IPs on the DA server.

    Thanks.

    Monday, April 8, 2013 9:15 PM

Answers

  • Well, here's the categorical answer: it has been tested, and you can NAT the two external IPs for Teredo through to two internal DMZ IPs.
    • Marked as answer by TickTarry37 Wednesday, April 10, 2013 7:59 AM
    Wednesday, April 10, 2013 7:59 AM

All replies

  • How would this work? I've added a secondary DMZ IP address to the DMZ adapter, but when I try to set the Teredo state to enabled it gives me the following:

    PS C:\Windows\system32> Set-DAServer -Teredo Enabled
    Set-DAServer : Teredo cannot be enabled when the Remote Access server is located behind a NAT device.
    At line:1 char:1
    + Set-DAServer -Teredo Enabled
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (TeredoState:root/Microsoft/...ess/PS_DAServer) [Set-DAServer], CimException
        + FullyQualifiedErrorId : HRESULT 8007139f,Set-DAServer

    External DMZ Adapter

    Ethernet adapter DMZ:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::8c5d:aef4:*******
       IPv4 Address. . . . . . . . . . . : 10.240.52.11
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IPv4 Address. . . . . . . . . . . : 10.240.52.12
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.52.1

    Monday, April 15, 2013 11:03 AM
  • Hi

    If your URA server is configured in one of the two "behind an edge device" topologies, this is normal: you cannot enable Teredo. Teredo requires that you have a dedicated interface with two consecutive public IPv4 addresses. Teredo can only be enabled in the "Edge" scenario.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, April 15, 2013 11:17 AM
  • Understood. I thought back and figured as much. TickTarry has managed to get it working without using public IP addresses on the external interface, and I was just wondering how,

    because if I go back and now select "Edge" and put in the external FQDN

    I get "an external adapter with a public IP address, IPv6 enabled and without a domain profile cannot be located" etc.,

    which is what I expected. So I just want to try and work out what TickTarry did.

    Monday, April 15, 2013 11:23 AM
  • Hi

    Two solutions for TickTarry's architecture:

    - Have enough public IPv4 addresses to create a routable IPv4 subnet dedicated to DA, which needs at least four addresses

    - Use a public IPv4 address from RFC 6598: http://www.rfc-editor.org/rfc/rfc6598.txt


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, April 15, 2013 11:32 AM
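  • As an added example (not from the thread, and not Microsoft's or any contributor's code), the PowerShell below pre-checks a pair of IPv4 addresses against the Teredo requirement Benoit describes above (two consecutive public IPv4 addresses on the external interface) before anyone runs Set-DAServer and hits the "behind a NAT device" error quoted earlier. It also flags RFC 6598 shared space (100.64.0.0/10) separately, since the thread reports deployments that use it. The function names, the list of non-public ranges and the sample pair (the DMZ addresses quoted in the thread) are the example's own choices; Get-NetIPAddress is a standard Server 2012 cmdlet, and the adapter alias 'DMZ' is taken from the ipconfig output above.

```powershell
# Added example: validate an external-interface address pair for Teredo.
# Requires PowerShell 3.0 or later (Server 2012 ships 3.0) for -shl and [pscustomobject].

function ConvertTo-IPv4Int64 {
    # Dotted-quad string -> Int64 (Int64 so arithmetic never overflows a signed Int32)
    param([Parameter(Mandatory=$true)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "$Address is not an IPv4 address" }
    [int64]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + [int64]$b }
    return $n
}

function Test-IPv4InCidr {
    # True when $Address falls inside the $Cidr block (e.g. '10.0.0.0/8')
    param([Parameter(Mandatory=$true)][string]$Address,
          [Parameter(Mandatory=$true)][string]$Cidr)
    $parts = $Cidr -split '/'
    $prefixLen = [int]($parts[1])
    [int64]$mask = (([int64]0xFFFFFFFF) -shl (32 - $prefixLen)) -band ([int64]0xFFFFFFFF)
    $a = (ConvertTo-IPv4Int64 -Address $Address) -band $mask
    $n = (ConvertTo-IPv4Int64 -Address $parts[0]) -band $mask
    return ($a -eq $n)
}

# Blocks that are not public Internet addresses (RFC 1918, link-local, loopback),
# plus the RFC 6598 shared space mentioned in the thread, reported separately.
$script:NonPublicRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                            '169.254.0.0/16', '127.0.0.0/8')
$script:SharedRange = '100.64.0.0/10'

function Test-TeredoAddressPair {
    # Returns TeredoReady ($true/$false) plus human-readable notes explaining each failure
    param([Parameter(Mandatory=$true)][string[]]$Addresses)
    $notes = New-Object System.Collections.Generic.List[string]
    $ok = $true

    if ($Addresses.Count -ne 2) {
        $notes.Add("Teredo needs exactly two IPv4 addresses on the external interface; found $($Addresses.Count)")
        $ok = $false
    }

    foreach ($addr in $Addresses) {
        foreach ($range in $script:NonPublicRanges) {
            if (Test-IPv4InCidr -Address $addr -Cidr $range) {
                $notes.Add("$addr is in $range, which is not a public address")
                $ok = $false
            }
        }
        if (Test-IPv4InCidr -Address $addr -Cidr $script:SharedRange) {
            $notes.Add("$addr is RFC 6598 shared address space ($($script:SharedRange))")
        }
    }

    if ($Addresses.Count -eq 2) {
        # Consecutive means the two addresses differ by exactly one
        $sorted = @($Addresses | ForEach-Object { ConvertTo-IPv4Int64 -Address $_ } | Sort-Object)
        if (($sorted[1] - $sorted[0]) -ne 1) {
            $notes.Add("$($Addresses -join ', ') are not consecutive")
            $ok = $false
        }
    }

    return [pscustomobject]@{ TeredoReady = $ok; Notes = $notes.ToArray() }
}

# Sample input constructed for this example: the DMZ addresses quoted in the thread.
# Both sit in 10.0.0.0/8, so TeredoReady comes back $false with a note for each address.
Test-TeredoAddressPair -Addresses @('10.240.52.11', '10.240.52.12') | Format-List

# On the DA server itself, feed the live addresses of the external adapter instead:
# $live = (Get-NetIPAddress -InterfaceAlias 'DMZ' -AddressFamily IPv4).IPAddress
# Test-TeredoAddressPair -Addresses @($live) | Format-List
```

    The check only reproduces the address-level requirements the thread states; it does not tell you whether the firewall in front of the server is actually translating those addresses, which is what the Set-DAServer error is really about.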
  • Thank you Benoit,

    I'll give that a go. The issue I have is that DirectAccess 2012 is installed as a virtual machine; the only way I can assign a public IP address to that VM is by connecting a NIC directly from the ESXi host to the firewall, but we have limited port availability.

    So it might not be possible, and I will have to resort to using IP-HTTPS.

    That's why the idea of being able to use a NAT'd IP address for Teredo sounded like just the thing I was looking for.

    TickTarry37

    If you are still able to respond and give me a detailed breakdown of what you did to get this working, I would be most grateful.

    Many Thanks

    Monday, April 15, 2013 12:45 PM
  • Hi,

    I know that deploying DirectAccess with a public IP address as documented by RFC 6598 is technically possible and is in production at some customers of mine. This is helpful in HLB deployments because there is no direct connectivity with URA/UAG hosts from the Internet.

    Lastly, IP-HTTPS is an excellent solution. From a troubleshooting point of view, you have only one protocol to troubleshoot.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, April 15, 2013 12:59 PM
  • Just another perspective, I encourage all of my installs to go with the real public IP route whenever possible specifically so that Teredo is enabled. I do this for two reasons:

    1. Three is better than One - When you sit behind a NAT, you only have access to IP-HTTPS. This is fine, as it works for everyone, but if you had DirectAccess with all three running and your IP-HTTPS certificate expired (or one of numerous other things happened that took it down), you may not even notice, because in my experience I would say 75% of DA connections are Teredo. So a small percentage of your users may struggle. If you are running only IP-HTTPS and your cert expires, you're DOWN - right now.

    2. Teredo is still faster than IP-HTTPS. Even with the new capabilities for null encryption in Server 2012 DirectAccess, IP-HTTPS is still doing an extra encapsulation of the packets compared to Teredo. Further, the null encryption advantage only benefits Windows 8 clients. So your Windows 7 clients (everyone still has them and might forever) will have a slower experience with IP-HTTPS, and it will put more load on your DA server.

    Monday, April 15, 2013 3:29 PM
  • Hi

    In normal conditions I would recommend keeping Teredo, but in some situations it may not be possible. For example, when my company moved from UAG to URA we did not have enough public IPv4 addresses to activate Teredo on URA. We had no other choice than IP-HTTPS behind a NAT device (TMG appliance).


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, April 15, 2013 8:13 PM