Accessing IPv4 only resources on "External" adapter for DA Clients

  • Question

  • Hello,

    I am not sure if this is supposed to work by default or not, but it doesn't seem to be. 

    Our DA server is dual-homed, with an internal adapter on a special subnet with rules allowing access to our real internal subnets and an external adapter in our DMZ. The setup works great for accessing internal resources; however, we cannot access other resources in the DMZ from DA clients, for example public web servers and such. I believe this is due to NAT64/DNS64 not working for the external adapter? Doing a Get-nettransitionmonitoring shows a mapping with the inbound address of the internal network adapter IP and then outbound as the correct DMZ machine IP, but nothing gets through. We were trying a ping, and I saw with Microsoft Network Monitor the ping get to the DA server; the DA server then tries sending it to the NAT64 (fdxx...) IP of the DMZ server, but the DMZ server never sees it.

    Is it possible to get routes to the external network to work without excluding lots of DMZ machines from going through the DA tunnel? Thanks!

    Wednesday, June 4, 2014 2:22 PM

Answers

  • Hi,

    If the external interface of your DirectAccess server is connected to your perimeter network (DMZ), and assuming that it uses a certain domain namespace that is routed through DirectAccess, then DirectAccess should not be used for those hosts in your perimeter network. You should exclude the hostnames within the NRPT table. The fact is that DirectAccess uses your internal network interface as the NAT interface.

    I understand it can be a long list in your NRPT, depending on the hosts located in your perimeter network. But you must ask yourself if you want everything destined for the perimeter network to be encrypted and passed through the DirectAccess tunnel. I would prefer excluding them with your NRPT, unless strictly needed.


    Boudewijn Plomp, BPMi Infrastructure & Security | Please remember, if you see a post that helped you please click "Vote as Helpful" and if it answered your question, please click "Mark as Answer".


    Monday, June 23, 2014 2:16 PM
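The NRPT exemption this answer recommends, as an added PowerShell example that is not part of the thread and not the responder's own script. It runs on the DirectAccess server with the RemoteAccess module (Windows Server 2012 or later) and relies on the documented behaviour of Add-DAClientDnsConfiguration: a rule given a -DnsSuffix but no -DnsIPAddress is an exemption, so the client resolves that name with its normal DNS servers instead of the DNS64 server and the traffic bypasses the tunnel. The host names, the dmz.contoso.com suffix and the property names used for the report are assumptions for illustration.

```powershell
# Added example; assumes the RemoteAccess module on a DirectAccess server.
Import-Module RemoteAccess

# DMZ hosts that DA clients should reach directly rather than through the tunnel.
# The DA server NATs on its internal interface, so names that resolve to a NAT64
# address on the external/DMZ side are unreachable; exempting them from the NRPT
# makes the client use its local DNS and plain IPv4 to the public address.
$dmzHosts = @(          # assumed names
    'www.contoso.com',
    'portal.contoso.com'
)

foreach ($name in $dmzHosts) {
    $existing = Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq $name }
    if (-not $existing) {
        # No -DnsIPAddress => exemption rule for exactly this name.
        Add-DAClientDnsConfiguration -DnsSuffix $name
    }
}

# If every DMZ host lives under one subdomain, a single suffix rule (leading dot)
# replaces the per-host list. Assumed suffix; uncomment to use instead of the loop.
# Add-DAClientDnsConfiguration -DnsSuffix '.dmz.contoso.com'

# Report the table. Rows with an empty DnsIPAddress are the exemptions; rows with
# an address are namespaces that DA clients send to the DNS64 server.
Get-DAClientDnsConfiguration |
    Select-Object DnsSuffix,
        @{ n = 'DnsIPAddress'; e = { $_.DnsIPAddress -join ', ' } },
        @{ n = 'Exempt';       e = { -not $_.DnsIPAddress } } |
    Format-Table -AutoSize

# Show which adapter performs NAT64, to confirm it is the internal one as the
# answer states.
Get-NetNatTransitionConfiguration | Format-List
```

The rules reach clients through the DirectAccess client Group Policy, so on a test client run gpupdate /target:computer /force, then Get-DnsClientNrptPolicy: an exempted name shows an empty DirectAccessDnsServers list, and Resolve-DnsName for that host returns its public IPv4 address rather than an fd.. IPv6 address synthesized by DNS64. Remove-DAClientDnsConfiguration -DnsSuffix deletes a rule again.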

All replies

  • Anyone know?
    Thursday, June 19, 2014 2:22 PM
  • Hi,

    It has been a long time. Can you give me an update?

    Boudewijn


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, October 15, 2014 2:14 PM
  • Sorry, thought I already mentioned that as the answer. In the end, we ended up just creating an isolated network for the external interface instead of just our DMZ, but your NRPT solution would have worked too. Thanks!
    Wednesday, October 15, 2014 2:16 PM