UAG DirectAccess more secure than 2012 DirectAccess in edge scenario by default?

  • Question

  • I installed 2012 DirectAccess in Edge configuration, first interface connected to the intranet and second interface connected to the internet.
    When I did port scanning from the internet, to my surprise there were about 1000 ports open to the internet. 85% are high ports, and the rest are well-known ports.

    Ports like tcp 3389, tcp 135, tcp 445 are open to everybody by default.

    Isn't this an enormous security issue? At least it should be mentioned somewhere?

    So the options are: you manually configure Windows Firewall rules, or you put your DirectAccess server behind an edge firewall, or you build your DirectAccess with NAT.

    With UAG DirectAccess you really did not have this problem; you opened to the internet only the few ports that were needed for DirectAccess. UAG DirectAccess was easily built
    without an edge firewall.



    Wednesday, May 29, 2013 5:15 AM
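The first option in the post, tightening the Windows Firewall by hand, as an added PowerShell example (not code from the thread or from Microsoft): it puts the Internet-facing NIC on the Public profile, sets that profile to block inbound traffic by default, and lists the enabled inbound allow rules so the ports named above can be reviewed. It assumes the external NIC alias is 'Internet' and the Server 2012 NetSecurity cmdlets; run it elevated on the DirectAccess server.

```powershell
# Added example, not from the thread. Audits the Internet-facing side of an
# edge DirectAccess server with the built-in NetSecurity cmdlets (Server 2012+).
$ExternalAlias = 'Internet'       # assumption: alias of the Internet-facing NIC
$RiskyPorts    = 3389, 135, 445   # ports the original post found open

# 1. The Internet-facing NIC must sit on the Public profile; Domain/Private
#    rules (Remote Desktop, RPC, SMB, ...) otherwise apply to the Internet side.
$profile = Get-NetConnectionProfile -InterfaceAlias $ExternalAlias
if ($profile.NetworkCategory -ne 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $ExternalAlias -NetworkCategory Public
}

# 2. Deny inbound traffic on the Public profile unless a rule explicitly allows it.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 3. Enumerate every enabled inbound allow rule that applies to Public (or Any),
#    join it with its port filter, and flag the management ports for review.
$report = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    if ("$($rule.Profile)" -notmatch 'Public|Any') { continue }
    $port  = $rule | Get-NetFirewallPortFilter
    $local = "$($port.LocalPort)"                   # e.g. "3389", "135", "Any", "RPC"
    $hit   = $RiskyPorts | Where-Object { $local -match "\b$_\b" }
    $flag  = if ($hit) { 'REVIEW' } else { '' }
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Profile   = "$($rule.Profile)"
        Protocol  = $port.Protocol
        LocalPort = $local
        Flag      = $flag
    }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# 4. A flagged rule that is only needed from the intranet is better scoped to
#    the Domain profile than deleted, e.g.:
#    Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -Profile Domain
```

Rules the DirectAccess wizard itself creates for the external side (IP-HTTPS, Teredo, 6to4) appear in the list too; they are the ones that should stay.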

All replies

  • Hi, although technically Windows has a very good firewall, a DirectAccess server is an edge device that should always be located behind a front-end firewall, and optionally in front of a back-end firewall. Maybe the following post I have answered provides you with a bit more information:

    UAG to 2012 R2 - Edge Device concern

    Boudewijn Plomp, BPMi Infrastructure & Security


    Tuesday, October 21, 2014 6:24 PM
  • Hello Oraat,

    I would say this is expected.

    UAG has its OWN enterprise-class firewall component (TMG), which will lock down unnecessary ports and open ONLY the ports which are needed.

    When it comes to 2012 R2, DirectAccess is JUST a role within the OS and doesn't have any sort of FW functions apart from the standard Windows Firewall.

    So for sure, it has to be secured by an external firewall.



    • Proposed as answer by Vasu Deva Tuesday, November 4, 2014 9:54 AM
    Thursday, October 23, 2014 6:32 AM