locked
Direct access design advice RRS feed

  • Question

  • Hello,

    I have an external Firewall on the edge of the network - The NAT for the direct access server is done here.  

    Then another internal firewall with the dmz servers where the direct access server sits.

    On the dmz hyper-v i have two nics on the server.  One for dmz and the other for corporate network.  In theory i know i shouldnt have a cable running direct to the dmz as this is bridging a firewall 

    I usually pass the traffic back via the internal firewall gateway and over to the corporate network (with policy rules) but after a few issues with direct access i have pointed it straight at the corporate network using in the internal nic as the gateway (using static routes). Direct access works ok but i have a few questions.

    1) Should i break the connection for the internal nic and try to get direct access to go via the internal firewall

    2) Is the above a security issue

    3) Direct access seems bandwidth hungry as it is always talking to dns (domain controllers) - WHY IS THIS?  Youd think once you are authenticated by the domain controller it wouldnt need any more contact with it

    thanks in advance

    Kevin

    Monday, February 8, 2016 9:50 PM

All replies

  • Hi Kevin,

    You have some valid concerns. Ultimately these are design choices you must make based on your appetite for risk. First, placing the DirectAccess server behind an edge firewall is an excellent idea. Second, having a firewall between the DirectAccess server and the LAN is also a good idea. However, the DirectAccess server must be joined to the domain, and domain-joined systems were never designed to have a firewall between them. My suggestion is to keep the firewall between the DMZ-based DirectAccess server and create an ACL that allows all protocols/ports to the LAN. This will at least allow you to log all traffic and potentially deny traffic if required in the future (for example, known ports used by malware). It's an excellent idea to place an IDS/IPS sensor here too.

    Another alternative is to have the DirectAccess server reside on the LAN itself. The only port allowed in from the outside would then be TCP port 443, which is much more restrictive than an any/any rule from the DMZ to the LAN.

    As for DNS traffic, the DirectAccess server is handling DNS requests/responses for all connected DirectAccess clients as well as itself. Not surprising that it is noisy. :)

    • Proposed as answer by BenoitSMVP Sunday, February 14, 2016 12:07 PM
    Tuesday, February 9, 2016 4:28 PM