Securing my DirectAccess NAT configuration, need assistance.

  • Question

  • Hello,

    We currently have a Windows Server 2012 R2 DirectAccess server (SSTP VPN and DirectAccess). We use IP-HTTPS DA only.

    The way I have the server configured currently (and it is working well) is with 2 NICs; let's assume these are called Internal/External NIC. The Internal NIC is 172.16.4.1 and the External NIC is 10.60.0.1, and we have NAT set up.

    [Image: DA-NAT-Config2]

    The issue that I am having is that this setup is not the "most secure"; ultimately we would like the DirectAccess server to sit in the DMZ completely for both the Internal/External NICs, and then we can create firewall rules for both. I would like to get this...

    [Image: DA-NAT-Config1]

    I have some questions about making this switch.

    If my DA NIC1 is 10.60.0.1 (External) and my DA NIC2 is 172.16.4.1 (Internal), I need to update the Internal IP to use an IP from our DMZ and update our firewall/NAT rules.

    Do I need a completely separate DMZ for NIC2, or can it be 10.60.0.2 (the next available IP), so that both NIC1 and NIC2 use the same DMZ?

    This DA computer is domain-joined and DA publishes its GPO settings to AD whenever we make a change; how will this affect the server? Would I need to create firewall rules opening all the necessary ports so that DA can access AD, DNS, etc.?

    Basically I am trying to change things so that our DA's Internal NIC does not have direct access to the internal network, and is instead also in a DMZ.

    Wednesday, March 1, 2017 8:00 PM

Answers

  • It's very critical to give the required IPs to your interfaces before the DA implementation, not after it. Having the internal NIC on the local network shouldn't be a problem, especially if you are following the recommendations for a multi-homed server (no GW on the internal NIC, remove unneeded protocols such as QoS, etc.). For the External Network, unbind all NIC properties/protocol checkboxes except IPv4 and IPv6. The firewall is placed to protect the internal NIC and only allows the needed traffic to reach your internal network.

    Direct Access is very sensitive to any change in the NIC settings or naming after installing Direct Access. Don't change it; otherwise you will have to set up DA again from scratch.

    Yes, you can add the internal NIC to a second DMZ.

    Sunday, March 5, 2017 2:56 PM
    Moderator
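The multi-homed recommendations in the reply above (no default gateway on the internal NIC, only IPv4/IPv6 bound on the external NIC) can be verified before touching anything. The following audit script is an added example, not from the thread or from Microsoft; it assumes the adapters are named `Internal` and `External` and only reports deviations, it changes nothing.

```powershell
# Added audit example (not from the thread). Reports deviations from the
# multi-homed DirectAccess NIC recommendations; makes no changes.
# Adapter names below are assumptions; pass your own with -InternalNic/-ExternalNic.
param(
    [string]$InternalNic = 'Internal',
    [string]$ExternalNic = 'External'
)

# Only TCP/IPv4 and TCP/IPv6 should remain bound on the Internet-facing NIC.
$allowedExternal = @('ms_tcpip', 'ms_tcpip6')
$findings = @()

# 1. The internal NIC must not carry a default gateway (IPv4 or IPv6).
$intCfg = Get-NetIPConfiguration -InterfaceAlias $InternalNic
if ($intCfg.IPv4DefaultGateway) {
    $findings += "Internal NIC '$InternalNic' has an IPv4 default gateway " +
                 "($($intCfg.IPv4DefaultGateway.NextHop)); remove it."
}
if ($intCfg.IPv6DefaultGateway) {
    $findings += "Internal NIC '$InternalNic' has an IPv6 default gateway " +
                 "($($intCfg.IPv6DefaultGateway.NextHop)); remove it."
}

# 2. Anything other than IPv4/IPv6 still enabled on the external NIC
#    (e.g. QoS Packet Scheduler ms_pacer, Client for Microsoft Networks
#    ms_msclient, File and Printer Sharing ms_server) is unneeded exposure.
Get-NetAdapterBinding -Name $ExternalNic |
    Where-Object { $_.Enabled -and ($allowedExternal -notcontains $_.ComponentID) } |
    ForEach-Object {
        $findings += "External NIC '$ExternalNic' still has '$($_.DisplayName)' " +
                     "($($_.ComponentID)) bound; unbind it."
    }

# 3. QoS Packet Scheduler on the internal NIC is also called out as unneeded.
$intQos = Get-NetAdapterBinding -Name $InternalNic -ComponentID 'ms_pacer'
if ($intQos -and $intQos.Enabled) {
    $findings += "Internal NIC '$InternalNic' still has QoS Packet Scheduler bound."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: NIC configuration matches the multi-homed DirectAccess recommendations.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session on the DirectAccess server; review each warning against the reply's advice before deciding whether a change is worth the risk of having to redo the DA setup.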

All replies

  • Anyone?
    Thursday, March 2, 2017 4:00 PM
  • I am trying to add the Internal NIC to DMZ, this is the only change I am trying to make so that it does not have direct LAN access.

    I am trying to do this after the fact, so this is why I am a bit concerned.

    I guess if it does not work I can always change it back. Is there anything else I need to do to the GPO settings or update other components if I change the Internal NIC IP?

    Sunday, March 5, 2017 3:32 PM