Direct Access with two network adapters assistance

  • Question

  • Hi All

    I can get Direct Access working great with the single adapter option. We use NAT from the WAN-LAN DNS for the external URL and open port 443.

    However, when I introduce the DMZ in there I encounter problems.

    I have transferred the NAT address to the DMZ and created the relevant firewall rules.

    I removed the default gateway from the LAN card and ensured the DMZ card has this gateway, and created static routes on the DA server so it can contact resources internally. I have tested this and it seems OK.

    The problem I encounter when I set it up this way is that my DA client, upon getting the policy, does not seem to differentiate internet from corporate; I have specified the corporate-only servers via ping. I can see the client trying to connect to DA regardless. It's really weird: I had this setup working about 2 weeks ago, then I had to rebuild, and I know I'm doing something silly. I just need a fresh brain to say "have you done A, B, C?"

    Any ideas would be great.



    Thursday, July 25, 2019 3:56 PM

All replies

  • Did you get this sorted? Only just noticed your post, as I have been away on leave. I'm no expert, but I do have a working DA setup with 2 x NICs (LAN and DMZ, with port 443 traffic NAT'd from the Internet to the DMZ NIC). Happy to try to help ...

    Monday, August 12, 2019 5:46 AM
  • It sounds like you are headed in the right direction with the configuration, making sure NIC settings are correct is key to making 2-NIC DA work properly. The DMZ NIC and the Internal NIC must be in different subnets. As you mentioned, only the DMZ NIC gets a Default Gateway, no DG defined on the Internal NIC. Then the reverse is true for DNS servers - plug your internal DNS servers into the Internal NIC, but leave the DNS server definitions empty on the DMZ NIC.

    Once this is in place, you won't be able to route very far in your internal network until you get those static routes in place, and it sounds like you have those working already.

    Only when all of this is in place do you want to roll through the DA config. If you are taking a single-NIC DA instance and trying to change it over to 2-NIC, you'll need to do the full "remove configuration" in order to wipe all DA settings off the box, then once NICs are configured, re-build your DA setup by running through the wizards. Changing the way NICs are established, and in some cases even changing IP addresses of a DA box, can throw the whole config into turmoil and it's cleanest to make sure all networking is correct before even starting the DA wizards.

    Your clients choosing to try and push information through the DA tunnels when in-network typically has more to do with them failing to see the NLS website. Since you're moving to more of a "best practices" DA rollout by going dual-NIC, I also highly recommend that you host your NLS website on a server other than the DA server itself. The self-host option for NLS is really only for POC implementations; you really should have that website running on a separate web server, if you don't already.

    Wednesday, August 28, 2019 10:45 AM
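The NIC checklist in the reply above (one default gateway on the DMZ NIC only, DNS servers on the internal NIC only, the two NICs in different subnets, static routes for internal prefixes via the LAN NIC, and an NLS website the client can reach over HTTPS from inside) can be audited before running the DA wizards. The script below is an added example, not code from the thread or from Microsoft; the adapter aliases `DMZ` and `LAN`, the next-hop `192.168.10.254`, the internal prefixes and the hostname `nls.corp.example` are constructed assumptions to replace with your own values. Run it in an elevated PowerShell session on the DA server; it only reads configuration and prints the route command to run for anything missing.

```powershell
# Added example (not from the original thread): audit a 2-NIC DirectAccess
# server's adapter settings against the guidance in the reply above.
# Adapter names, next hop, prefixes and NLS host are assumptions; adjust them.
param(
    [string]$DmzNic     = 'DMZ',                           # assumed adapter alias
    [string]$LanNic     = 'LAN',                           # assumed adapter alias
    [string]$LanNextHop = '192.168.10.254',                # constructed internal router
    [string[]]$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12'),  # constructed
    [string]$NlsHost    = 'nls.corp.example'               # hypothetical NLS server
)

$problems = @()

# Helper: numeric network id of an IPv4 address for a given prefix length.
function Get-NetworkId([string]$Ip, [int]$PrefixLength) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                               # to little-endian for ToUInt32
    $addr = [BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    return ($addr -band $mask)
}

# 1. Exactly one IPv4 default route, and it must leave through the DMZ NIC.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $defaultRoutes) { $problems += 'No IPv4 default gateway is configured at all.' }
foreach ($r in $defaultRoutes) {
    if ($r.InterfaceAlias -ne $DmzNic) {
        $problems += "Default gateway $($r.NextHop) is on '$($r.InterfaceAlias)'; only '$DmzNic' should have one."
    }
}

# 2. DNS servers belong on the internal NIC only; the DMZ NIC should list none.
$dmzDns = (Get-DnsClientServerAddress -InterfaceAlias $DmzNic -AddressFamily IPv4).ServerAddresses
$lanDns = (Get-DnsClientServerAddress -InterfaceAlias $LanNic -AddressFamily IPv4).ServerAddresses
if ($dmzDns)     { $problems += "DMZ NIC '$DmzNic' has DNS servers ($($dmzDns -join ', ')); remove them." }
if (-not $lanDns){ $problems += "Internal NIC '$LanNic' has no DNS servers; point it at the internal DNS." }

# 3. The two NICs must sit in different subnets.
$dmzIp = Get-NetIPAddress -InterfaceAlias $DmzNic -AddressFamily IPv4 | Select-Object -First 1
$lanIp = Get-NetIPAddress -InterfaceAlias $LanNic -AddressFamily IPv4 | Select-Object -First 1
if ($dmzIp -and $lanIp) {
    $sameNet = (Get-NetworkId $dmzIp.IPAddress $dmzIp.PrefixLength) -eq (Get-NetworkId $lanIp.IPAddress $lanIp.PrefixLength) -and
               $dmzIp.PrefixLength -eq $lanIp.PrefixLength
    if ($sameNet) { $problems += "'$DmzNic' and '$LanNic' are in the same subnet ($($dmzIp.IPAddress)/$($dmzIp.PrefixLength))." }
} else {
    $problems += 'One of the adapters has no IPv4 address; check the adapter aliases.'
}

# 4. Without a default gateway on the LAN NIC, internal ranges need static routes.
foreach ($p in $InternalPrefixes) {
    $route = Get-NetRoute -DestinationPrefix $p -InterfaceAlias $LanNic -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $route) {
        $problems += "No static route for $p via '$LanNic'. Add it with: New-NetRoute -DestinationPrefix $p -InterfaceAlias '$LanNic' -NextHop $LanNextHop"
    }
}

# 5. Clients decide "inside" vs "outside" by reaching the NLS over HTTPS, so it
#    must answer on 443 from the corporate network (ideally on a separate web server).
$nls = Test-NetConnection -ComputerName $NlsHost -Port 443 -WarningAction SilentlyContinue
if (-not $nls.TcpTestSucceeded) {
    $problems += "NLS '$NlsHost' does not answer on TCP 443; in-network clients will keep trying the DA tunnels."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Adapter layout on '$DmzNic'/'$LanNic' matches the 2-NIC DirectAccess guidance."
}
```

Each warning maps to one item in the reply above, so a clean run is the point at which it is worth starting (or, after a "remove configuration", restarting) the DA wizards. The NLS test only proves TCP reachability; the certificate on the NLS site still has to be trusted by the clients for them to treat it as a corporate-network signal.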