LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

  • Question

  • I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.

    For the Internet facing rule, only TCP 443 inbound/outbound is sufficient, but for the LAN facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline to follow for this? Appreciate any advice or comments. Thank you.



    • Edited by Barkley Bees Tuesday, February 17, 2015 10:02 PM
    Tuesday, February 17, 2015 7:55 PM

All replies

  • Hi,

    DirectAccess Gateway is a member server of your AD domain. Windows Firewall profile must be domain profile.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, February 17, 2015 9:47 PM
  • The DirectAccess Server must be able to talk to all Domain controllers. So the usual ports required.

    Then any applications you want to use via DA you will need to open the ports.

    Sometimes it's easier to allow the IP of the DA server to the IP of the application server?


    Regards, Rmknight

    Wednesday, February 18, 2015 10:03 AM
  • Hi There - The DirectAccess Server (in different of configuration) requires full access to all internal resources.

    So for example, if you have an internal firewall behind the DA Server, a recommended practice I have used is to allow a rule allowing the DA Server access to internal resources. For example, allow the internal IP of the DA Server to all VLANs behind operating services and also apply the correct static routes to the DA Server to provide network routing.

    Internal IP of the DA Server ---> allow all traffic to selected VLANs

    The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that Direct Access requires full connectivity to your apps / infrastructure unless you want to create firewall rules for every application and port. The suggested answer limits the DirectAccess Server internal IP to full access only to internal resources. A good example of opening ports on the backend firewall for each application (and the difficulties you may encounter) would be something like Active Directory Certificate Services, which uses a full RPC high port range (TCP/IP) unless limited to a specific port.

    See this link as an example if you go down the route of individual application firewall rules. - http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

    Kr


    John Davies

    • Proposed as answer by Icon8000 Tuesday, February 24, 2015 9:37 AM
    Tuesday, February 24, 2015 9:37 AM
  •  The DirectAccess Server (in different of configuration) requires full access to all internal resources.

    Kr


    John Davies

    Hi John,

    Thanks for your reply. Do you have a link to any official Microsoft statement or documentation regarding this? I cannot find anything.

    Tuesday, February 24, 2015 9:52 PM
  • Hi Barkley

    Please see this Technet link which will back up your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx

    Section Reads - 

    When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
    ISATAP—Protocol 41 inbound and outbound
    TCP/UDP for all IPv4/IPv6 traffic

    Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU

    "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."

    Kindest Regards


    John Davies

    • Proposed as answer by Icon8000 Wednesday, February 25, 2015 3:41 PM
    Wednesday, February 25, 2015 3:41 PM
  • Thanks for your reply and information, John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow us to have the internal facing NIC not have more restrictive rules in place, as it is a security concern.

    Monday, March 2, 2015 2:52 PM
  • As long as it is a requirement from MS that the DA servers are members of the domain, you need to make sure that the DA servers have the necessary ports open to the DCs (https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx). Don't forget TCP 1688 for KMS activation if you have a KMS host.

    Also, if you want to make the DA client behave like it's an internal client, you need to both provide static routes on the DA servers to your other internal networks, plus all the ports necessary for normal communications between the DA servers and the internal networks. Usually that means at least SMB ports.

    If you have an existing internal client network already in place, you need to copy those firewall rules and apply them from the DA server as well. If that is your company policy, of course.

    Wednesday, March 4, 2015 9:18 AM
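The replies above (John's static routes and "allow DA internal IP to selected VLANs" rule, BenoitS's domain-profile point, and Steve's list of DC ports, SMB and TCP 1688 for KMS) are easiest to verify from the DA server itself once the inside firewall rules are in place. The script below is an added example, not code from the thread or from Microsoft; every hostname, address, prefix and interface alias in it is an assumption for illustration, and the DC port list is a representative subset of the TechNet article Steve linked, not a replacement for it.

```powershell
# Added example (not from the thread): run on the DirectAccess server after the
# LAN-side firewall rules and static routes are in place, to confirm the server
# can actually reach what the replies say it needs. All names, addresses and
# prefixes below are assumptions; substitute your own.

# Flows called out in the thread: a representative subset of the DC ports from
# the linked TechNet article, SMB to a file server, and TCP 1688 for a KMS host.
# Add each application server as you onboard it.
$RequiredFlows = @(
    @{ Target = 'dc01.corp.example';  Port = 88;   Purpose = 'Kerberos' },
    @{ Target = 'dc01.corp.example';  Port = 389;  Purpose = 'LDAP' },
    @{ Target = 'dc01.corp.example';  Port = 445;  Purpose = 'SMB (SYSVOL/NETLOGON)' },
    @{ Target = 'dc01.corp.example';  Port = 135;  Purpose = 'RPC endpoint mapper' },
    @{ Target = 'fs01.corp.example';  Port = 445;  Purpose = 'SMB to file server' },
    @{ Target = 'kms01.corp.example'; Port = 1688; Purpose = 'KMS activation' }
)

# Internal VLANs that must be routable from the DA server (the static routes
# John mentions). Assumed prefixes.
$InternalPrefixes = @('10.10.0.0/16', '10.20.0.0/16')

# Interface alias of the LAN-facing NIC (assumed name).
$InternalNic = 'Internal'

$results = @()

# 1. The Windows Firewall profile on the internal NIC must be the domain profile.
$netProfile = Get-NetConnectionProfile -InterfaceAlias $InternalNic -ErrorAction SilentlyContinue
$profileOk  = $netProfile -and $netProfile.NetworkCategory -eq 'DomainAuthenticated'
$results += [pscustomobject]@{
    Check  = "Firewall profile on $InternalNic"
    Result = if ($profileOk) { 'OK' } else { 'FAIL' }
    Detail = if ($netProfile) { [string]$netProfile.NetworkCategory } else { 'interface not found' }
}

# 2. A static route must exist for every internal prefix.
foreach ($prefix in $InternalPrefixes) {
    $route   = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    $routeOk = [bool]$route
    $results += [pscustomobject]@{
        Check  = "Route to $prefix"
        Result = if ($routeOk) { 'OK' } else { 'FAIL' }
        Detail = if ($routeOk) { "via $($route.NextHop)" } else { 'no route; add one with New-NetRoute' }
    }
}

# 3. TCP reachability for each required flow. A FAIL here with a correct route
#    usually means the inside firewall is still blocking the port.
foreach ($flow in $RequiredFlows) {
    $tcpOk = Test-NetConnection -ComputerName $flow.Target -Port $flow.Port `
                                -InformationLevel Quiet -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "$($flow.Purpose): $($flow.Target):$($flow.Port)"
        Result = if ($tcpOk) { 'OK' } else { 'FAIL' }
        Detail = 'TCP connect test'
    }
}

# 4. ISATAP is IP protocol 41 and has no port, so a TCP connect test cannot
#    exercise it; confirm it on the firewall itself or with a packet capture.
$results += [pscustomobject]@{
    Check  = 'ISATAP (protocol 41) inbound/outbound'
    Result = 'MANUAL'
    Detail = 'not testable with a TCP connect; verify on the firewall or with a capture'
}

$results | Format-Table -AutoSize

# Non-zero exit code if anything failed, so the script can run from a scheduled
# task and alert on regressions after a firewall change.
if ($results.Result -contains 'FAIL') { exit 1 }
```

Run it from an elevated PowerShell session on the DA server after each firewall or routing change. The point of keeping the flows in a list is that it doubles as the documentation your security team asked for: every entry is a flow you can justify, and anything that later turns up as a FAIL is a concrete rule request rather than a vague "open everything" ask.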
  • Hi Barkley - whilst Steve is also correct in his answer, this would only allow access to domain controllers and file shares and would not cater for all applications and their specific ports. The Technet link sent earlier by myself does state all TCP / UDP from the internal IP of the DA Server to the corp LAN, and as Steve mentioned, static routes to the required VLANs. I have been on many deployments where security want to limit the FW ports and the deployment starts out this way until specific apps are required, and then inevitably they end up opening the backend FW as I originally suggested.

    John Davies

    Wednesday, March 4, 2015 9:34 AM