Direct Access and UAG portal - how many network cards and what IPs

  • Hi

    I am just about to embark on a POC of DirectAccess. Can anyone with some real-world experience of it tell me how many NICs you actually need, and details of the IP addresses?

    I am looking to put a UAG portal in, with SSTP as well as DirectAccess - do I need a separate NIC for this as well as the two for DA?

    Also, with the IP addresses, it says sequential external IPs. Does this mean the ones you assign to the NICs you have specified as external, or the ones that are the actual public IPs?

    Cheers

    Chris


    it's hard to convey five-dimensional ideas in a language evolved to scream defiance at the monkey in the next tree
    Monday, June 13, 2011 9:13 AM

All replies

  • Hi

    There is no need to have a dedicated NIC for DirectAccess. You can set up DA, Portal and SSTP with only two network cards. You must respect the requirements for each usage. For example, IPv4 public addresses for DA are dedicated to DA. So you may need up to four addresses on the public interface.

    Note: some customers require a third card dedicated to remote administration.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, June 13, 2011 11:17 AM
  • So the sequential external IPs need to be proper external IPs and not just DMZ NAT'd ones?

    And where you state you may need up to four addresses on the public interface, are you saying that you would NAT these 4 across to the same NICs, thus cutting down the need for separate NICs on the server?

    Cheers

    Chris


    it's hard to convey five-dimensional ideas in a language evolved to scream defiance at the monkey in the next tree
    Monday, June 13, 2011 11:58 AM
  • So the sequential external IPs need to be proper external IPs and not just DMZ NAT'd ones?

    Yes.

    And where you state you may need up to four addresses on the public interface, are you saying that you would NAT these 4 across to the same NICs, thus cutting down the need for separate NICs on the server?

    Take care: you can't use NAT'd addresses for DirectAccess.

    You could use two NICs, as Benoit said:

    • One for the internal network
    • One for the Internet, with the 4 addresses bound on it

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Tuesday, June 14, 2011 7:14 AM
  • In that case we might not be able to use DA, as we have back-to-back firewalls where our public addresses are NAT'd twice to get to our DMZ.

    We would fail a security audit otherwise.

    Does anyone know if NAT is a no-no because Microsoft won't support it because they didn't test it, or because it actually won't work?


    it's hard to convey five-dimensional ideas in a language evolved to scream defiance at the monkey in the next tree
    Tuesday, June 14, 2011 3:05 PM
  • Hi IRWeazel,

    There was a similar question to yours a while back here on the forum; perhaps the answers/comments there can help you.
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/d29b4570-6513-4595-9458-9250af1f918b

    Another important part is that the UAG can (and should) still be behind a firewall that filters unrelated traffic.
    It just needs the public IP addresses to be able to use the IPv6 transition technologies (6to4, Teredo).
    A great article that takes this up is: http://blogs.technet.com/b/tomshinder/archive/2010/12/09/microsoft-uag-directaccess-the-beautiful-truth.aspx

    Best wishes,
    Jonas Blom

    • Marked as answer by Erez Benari Saturday, August 27, 2011 12:03 AM
    Wednesday, June 15, 2011 6:38 AM
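As an added illustration (not part of the thread, and not Microsoft's UAG tooling), here is a small Python check that encodes what the replies above say about the Internet-facing NIC: the two DirectAccess addresses must be consecutive public IPv4 addresses (the Teredo requirement), NAT'd private addresses are rejected, and the 6to4 prefix is derived from the public address. The function names, the excluded-range list and the sample addresses are constructed for this example.

```python
import ipaddress

# IPv4 ranges an Internet-facing DirectAccess NIC must NOT carry: addresses that
# only exist behind NAT or are otherwise not routable on the Internet. The RFC 5737
# documentation ranges are deliberately left out so the constructed sample
# addresses below can stand in for real public ones.
NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_public(addr):
    """True when the address is outside every private, CGN and reserved range."""
    return not any(addr in net for net in NOT_PUBLIC)


def six_to_four_prefix(addr):
    """6to4 prefix 2002:WWXX:YYZZ::/48 derived from the public IPv4 address."""
    w, x, y, z = ipaddress.IPv4Address(addr).packed
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48").compressed


def check_external_nic(da_pair, extra=()):
    """Check the addresses bound to the Internet-facing NIC.

    da_pair: the two addresses reserved for DirectAccess; Teredo needs them to be
             consecutive public IPv4 addresses, so NAT'd DMZ addresses fail here.
    extra:   further public addresses on the same NIC (UAG portal, SSTP), which
             only need to be public, not consecutive.
    Returns a list of findings; an empty list means the layout is usable.
    """
    pair = [ipaddress.IPv4Address(a) for a in da_pair]
    if len(pair) != 2:
        return [f"DirectAccess needs exactly two external addresses, got {len(pair)}"]
    findings = []
    lo, hi = sorted(pair)
    if int(hi) - int(lo) != 1:
        findings.append(f"{lo} and {hi} are not consecutive (Teredo requirement)")
    for a in pair + [ipaddress.IPv4Address(a) for a in extra]:
        if not is_public(a):
            findings.append(f"{a} is a private/NAT'd address; DirectAccess cannot use it")
    return findings


if __name__ == "__main__":
    # Constructed samples: a usable two-NIC layout, then the double-NAT'd DMZ case.
    print(check_external_nic(["198.51.100.10", "198.51.100.11"], ["198.51.100.12", "198.51.100.13"]))
    print(six_to_four_prefix("198.51.100.10"))
    print(check_external_nic(["192.168.10.5", "192.168.10.7"]))
```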