DirectAccess two public IP addresses needed, but how?

  • Question

  • Hello everyone,

    I have finally created a dual-stack IPv6 network. Now I'm trying to get DirectAccess working, although there is a small chance that it will work in my case. I have installed and configured everything that was needed for DirectAccess except for the part with two PUBLIC IP addresses on the external NIC.

    My network setup is very simplistic.
    - I have a Dualstack modem which is connected to my external NIC from my server
    - Then I have a Server with two NICS and Win 08R2 Enterprise on it
    - The Internal NIC has Clients connected to it

    The modem gets an IPv4 address from my ISP (Internet Service Provider), and my server, which is connected to the modem, should have two static public IPv4 addresses. Now I know that my modem is NATting everything, so those two public IPv4 addresses on the server will have some problem getting connectivity to the internet, right?

    My questions are: how can I set up those two IPv4 addresses on my server, and is there another way to do it with only one IPv4 address, because that's what I have at the moment? Is it for example possible to just set the two public addresses on the NIC and have the RRAS server find out what the default gateway is and that kind of stuff?

    Thank you in advance.

    ---

    Jonathan


    Tuesday, February 28, 2012 12:36 PM

Answers

  • > My questions are how can I set up those two IPv4 addresses on my server, and is there another way to do it with only one IPv4 address, because that's what I have at the moment? Is it for example possible to just set the two public addresses on the NIC and have the RRAS server find out what the default gateway is and that kind of stuff?

    Small question that requires a complex answer. Maybe my notes below will help you configure it start to finish. As for your modem, which is essentially a firewall/router, you'll have to port translate two of the WAN IPs that your ISP, assuming Comcast, assigned to you. How to do that will require you to contact Comcast.

    Once you've figured that part out, you would configure and assign internal IPs on the DA/IPHTTPS server. Then port translate each from the router (modem) to each NIC. The rest is below.

    You will also need to configure a CA for the certificate requirements.

    In addition, a word to the wise, make sure you do not use a domain controller for this server's role, or you will be inviting problems with the DC properly functioning with multiple NICs, because it turns it into a multihomed DC, which is problematic.


    ==================================================================
    ==================================================================
    Direct Access & Troubleshooting IPHTTPS

    One question many have asked, why do we need IPv6 to make this work??
    Great discussion explaining it:
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2917d89d-8a3e-4293-a762-0b64aa59862a/

    Deep Dive into UAG Direct Access & Reasons to use IPv6
    http://blogs.technet.com/b/edgeaccessblog/archive/2009/10/13/deep-dive-into-uag-directaccess-ipv6-and-directaccess.aspx

    ===
    The DirectAccess server has the following requirements:

    a. Joined to an Active Directory domain
    b. Running Windows Server 2008 R2
    c. Have at least two physical network adapters installed
    d. Have at least two consecutive publicly addressable static IPv4 addresses that are externally resolvable through the Internet DNS. If not:

    External DNS
    The DirectAccess Setup wizard configures DirectAccess clients with the IPv4 addresses of the 6to4 relay and the Teredo server with Group Policy settings in Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies. For the URL for the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) server (the IP-HTTPS State setting), the DirectAccess Setup Wizard configures https://Subject:443/IPHTTPS, in which Subject is the Subject field of the HTTPS certificate that you specify in Step 2 of the DirectAccess Setup Wizard. If the Subject field of the IP-HTTPS certificate is an FQDN, you must ensure that the FQDN is resolvable using Internet DNS servers.

    If you modify the 6to4 Relay Name or Teredo Server Name Group Policy settings to use FQDNs rather than an IPv4 address, you must ensure that the FQDNs are resolvable using Internet DNS servers.

    You must also ensure that the FQDNs for your Internet-accessible certificate revocation list (CRL) distribution points are resolvable using Internet DNS servers. For example, if the URL http://crl.contoso.com/crld/corp-DC1-CA.crl is in the CRL Distribution Points field of the IP-HTTPS certificate of the DirectAccess server, you must ensure that the FQDN crl.contoso.com is resolvable using Internet DNS servers.

    Planning the placement of CRL distribution points:
    "Without a reachable CRL distribution point on the Internet, all IP-HTTPS-based DirectAccess connections will fail. ..."
    http://technet.microsoft.com/en-us/library/ee690445.aspx

    How to Publish the CRL on a Separate Web Server
    http://blogs.technet.com/b/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx

    Publishing a Public Key Infrastructure with ISA Server 2004 (Part 2) (step by step screenshots)
    http://www.isaserver.org/tutorials/Publishing-Public-Key-Infrastructure-ISA-Server-2004-Part2.html

    How to configure Certificate Services and ISA Server to publish CRLs
    http://support.microsoft.com/kb/318707

    Windows Server 2008 r2 Remote Desktop Services:
    http://www.microsoft.com/en-us/server-cloud/windows-server/remote-desktop-services.aspx

    Remote Desktop Services in Windows Server 2008 R2: Step-by-Step Guides
    http://blogs.technet.com/b/mattmcspirit/archive/2009/08/05/remote-desktop-services-in-windows-server-2008-r2-step-by-step-guides.aspx

    More info on IPs being resolvable through DNS:
    Design Your DNS Infrastructure for DirectAccess
    http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx

    Design IP Addressing and Routing for the DirectAccess Server
    http://technet.microsoft.com/en-us/library/ee731904(WS.10).aspx 

    The DirectAccess Management console sorts the public IPv4 addresses assigned to the Internet adapter alphabetically. Therefore, the DirectAccess Management console does not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which is sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100, w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a different set of consecutive addresses.


    Specific Steps:

    You may want to check out this guy's DirectAccess videos on YouTube. Here's one of them, but you can see his list of videos if you click on his name and the list to the right of the video.
    http://www.youtube.com/watch?v=w7MWX446hVs
     
    DirectAccess for Windows Server 2008 R2 - Complete Guide
    http://technet.microsoft.com/en-us/library/dd758757(WS.10).aspx

    Direct Access Test Lab Guide: Base Configuration
    http://go.microsoft.com/fwlink/?LinkId=198140

    Technet Thread - Directaccess: Test Lab Guide: Demonstrate DirectAccess
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2f3be53a-13cf-4d04-8b41-5cc1cc43d2ca


    Configure the HTTPS security binding
    Next, configure the HTTPS security binding so that APP1 can host HTTPS-based URLs.

    To configure the HTTPS security binding
    1.   Click Default Web site.
    2.   In the Actions pane, click Bindings.
    3.   In the Site Bindings dialog box, click Add.
    4.   In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the name app1.corp.contoso.com. Click OK, and then click Close.
    5.   Close the Internet Information Services (IIS) Manager console.
     

    Configure the HTTPS security binding
    Next, configure the HTTPS security binding so that APP1 can act as the network location server.

    To configure the HTTPS security binding
    1.   Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    2.   In the console tree of Internet Information Services (IIS) Manager, open APP1/Sites, and then click Default Web site.
    3.   In the Actions pane, click Bindings.
    4.   In the Site Bindings dialog box, click Add.
    5.   In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the name nls.corp.contoso.com. Click OK, and then click Close.
    6.   Close the Internet Information Services (IIS) Manager console.
     
    ==================================================================
    ==================================================================


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, February 29, 2012 1:56 AM
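An added pre-flight check for the requirements listed in the answer above; it is the editor's example, not code from the thread or from Microsoft. It reproduces the console's string sort of the Internet-adapter addresses so that a pair like w.x.y.9 and w.x.y.10 is caught before the wizard rejects it, and it checks that the IP-HTTPS certificate Subject and the CRL distribution point host resolve. The contoso names and the 1.2.3.x addresses are placeholders. The resolver is a parameter because the answer that matters is the one Internet clients get: on a domain-joined host the local stack will happily resolve the internal zone and hide a missing public record.

```python
# Added pre-flight check for the 2008 R2 DirectAccess requirements quoted in
# the answer above (consecutive public IPv4 addresses, Internet-resolvable
# IP-HTTPS subject and CRL host). Editor's example, not Microsoft's code; the
# function names and sample addresses are invented.
import ipaddress
import socket
from urllib.parse import urlsplit


def console_consecutive(addrs):
    """Emulate the DirectAccess Management console: it sorts the public IPv4
    addresses on the Internet adapter as strings and then requires adjacent
    entries, in that order, to be numerically consecutive.
    Returns (accepted, order_as_the_console_sees_it)."""
    ordered = sorted(addrs)                       # string sort, not numeric
    nums = [int(ipaddress.IPv4Address(a)) for a in ordered]
    accepted = len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
    return accepted, ordered


def truly_consecutive(addrs):
    """What an administrator means by 'consecutive': numeric order."""
    nums = sorted(int(ipaddress.IPv4Address(a)) for a in addrs)
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def is_public_ipv4(addr):
    """RFC 1918, loopback, link-local, multicast and the documentation ranges
    (192.0.2/24, 198.51.100/24, 203.0.113/24) all fail this check."""
    return ipaddress.IPv4Address(addr).is_global


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def resolvable(fqdn, resolve=socket.gethostbyname):
    """True if `resolve` returns an address for fqdn. The default is the local
    stack, which on a domain-joined host answers from the internal zone; run
    this from an Internet-connected client, or pass a resolver that queries a
    public DNS server, to get the answer that matters."""
    try:
        resolve(fqdn)
        return True
    except OSError:          # socket.gaierror is a subclass of OSError
        return False


def preflight(ext_addrs, iphttps_subject, crl_urls, resolve=socket.gethostbyname):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for a in ext_addrs:
        if not is_public_ipv4(a):
            problems.append(f"{a} is not a public IPv4 address")
    accepted, seen = console_consecutive(ext_addrs)
    if not accepted:
        msg = "Internet adapter addresses are not consecutive"
        if truly_consecutive(ext_addrs):
            msg += f" as the console sorts them ({', '.join(seen)}); pick another pair"
        problems.append(msg)
    # The IP-HTTPS URL is https://<Subject>:443/IPHTTPS; a bare IP needs no DNS.
    if not is_ipv4(iphttps_subject) and not resolvable(iphttps_subject, resolve):
        problems.append(f"IP-HTTPS subject {iphttps_subject} does not resolve")
    for url in crl_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            # An HTTPS CDP would itself need a revocation check before it can be read.
            problems.append(f"CRL distribution point {url} is not plain HTTP")
        if not parts.hostname:
            problems.append(f"CRL distribution point {url} has no host")
        elif not resolvable(parts.hostname, resolve):
            problems.append(f"CRL host {parts.hostname} does not resolve")
    return problems


if __name__ == "__main__":
    # Sample run with invented inputs; the real values come from the external
    # adapter, the IP-HTTPS certificate Subject and its CRL Distribution Points.
    for p in preflight(["1.2.3.9", "1.2.3.10"], "da.contoso.com",
                       ["http://crl.contoso.com/crld/corp-DC1-CA.crl"]):
        print("FAIL:", p)
```

The sort emulation is the part worth keeping: the wizard's rejection message does not say why, and the pair that trips it (...9 and ...10, ...99 and ...100) is exactly the kind an ISP hands out.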
  •  

    Hi Jonathan,

    Thanks for posting here.

    > My questions are how can I setup those two IPv4 addresses from my server and is there another way to do it with only one IPv4 address, because that's what I have at the moment. Is it for example possible to just only set the two Public addresses on the NIC and RRAS server finds out what de default gateway is and that kind of stuff?

    At this moment, DirectAccess can only be configured on a server with two network adapters, either at the network edge or behind an edge device. We also need to set some firewall exceptions and port mappings on the front edge or NAT device in order to publish the DA server to the Internet and allow the incoming connections and traffic in the different protocols (Teredo, 6to4, IP-HTTPS or native IPv6). Please refer to the blog post below for a detailed explanation:

    UAG DirectAccess Server Deployment Scenarios

    http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx

    No, at this moment, two Internet IPv4 addresses are still required:

    Appendix A: DirectAccess Requirements

    http://technet.microsoft.com/en-us/library/ee382305(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Wednesday, February 29, 2012 6:26 AM
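The "firewall exceptions and port mappings" in the reply above, written out as an allow-list and run over a few constructed firewall log lines. This is an added example, not part of the thread or of any Microsoft documentation. The port and protocol numbers are the standard ones (Teredo on UDP 3544, 6to4 as IP protocol 41, IP-HTTPS on TCP 443, IPsec ESP and IKE for native IPv6 clients); the 198.51.100.x address pair, the log format and the assumption that the IP-HTTPS name resolves to the first address are the editor's. Two points the rule table makes visible: Teredo is the reason for the second address, because the server replies to a client's NAT-detection probe from it, and IP-HTTPS is indistinguishable from ordinary HTTPS at the edge.

```python
# Added example: the inbound flows an edge firewall must pass to a 2008 R2
# DirectAccess server for each transport named above, plus a classifier that
# tags firewall log lines with the transport that produced them. Editor's
# example, not Microsoft's; the addresses and the log format are invented.
import re
from collections import Counter

# The consecutive public pair on the DA server's Internet adapter (invented).
PRIMARY, SECONDARY = "198.51.100.11", "198.51.100.12"

# (transport, IP protocol as logged, destination port or None,
#  allowed destination addresses or None for any)
INBOUND_RULES = [
    # Teredo server, UDP 3544 (RFC 4380). Both addresses: the server replies to
    # a client's NAT-type probe from the second one, which is why the pair must
    # be consecutive and sit directly on the adapter.
    ("Teredo",      "UDP", 3544, (PRIMARY, SECONDARY)),
    # 6to4 relay: IPv6 carried in IPv4 protocol 41, no ports; assumed here to
    # be the primary address.
    ("6to4",        "41",  None, (PRIMARY,)),
    # IP-HTTPS: ordinary TLS on TCP 443 to the name in the certificate Subject,
    # assumed here to resolve to the primary address. At the firewall it looks
    # like any other HTTPS; only the /IPHTTPS URL inside the tunnel differs.
    ("IP-HTTPS",    "TCP", 443,  (PRIMARY,)),
    # Native IPv6 clients: IPsec ESP (protocol 50) and IKE/AuthIP on UDP 500 to
    # the server's IPv6 address (not checked here, so any destination).
    ("native IPv6", "ESP", None, None),
    ("native IPv6", "UDP", 500,  None),
]

# Invented log format: timestamp action proto src sport dst dport ('-' = no port).
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>\S+) (?P<proto>\S+) "
                  r"(?P<src>\S+) (?P<sport>\S+) (?P<dst>\S+) (?P<dport>\S+)$")

# Constructed sample; the 2002:c633:640b:: address is the 6to4 form of PRIMARY.
SAMPLE_LOG = """\
2012-02-29 10:01:02 ALLOW UDP 203.0.113.50 4125 198.51.100.11 3544
2012-02-29 10:01:03 ALLOW UDP 203.0.113.50 4125 198.51.100.12 3544
2012-02-29 10:02:10 ALLOW 41 203.0.113.77 - 198.51.100.11 -
2012-02-29 10:03:44 ALLOW TCP 203.0.113.90 50233 198.51.100.11 443
2012-02-29 10:04:01 ALLOW ESP 2001:db8:1::10 - 2002:c633:640b::c633:640b -
2012-02-29 10:05:15 ALLOW TCP 203.0.113.90 50240 198.51.100.12 443
2012-02-29 10:06:00 ALLOW TCP 203.0.113.91 50311 198.51.100.11 3389
"""


def classify(line):
    """Name the DA transport a logged inbound flow belongs to, 'unexpected' if
    no rule covers it, or None if the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    dport = None if m["dport"] == "-" else int(m["dport"])
    for name, proto, port, dests in INBOUND_RULES:
        if m["proto"] == proto and port == dport and (dests is None or m["dst"] in dests):
            return name
    return "unexpected"


def summarize(log_text):
    """Count flows per transport. Anything 'unexpected' deserves a look: the
    edge should pass nothing else to the DA server (RDP on 3389 in the sample
    is exactly the kind of exposure this catches)."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for transport, n in summarize(SAMPLE_LOG).items():
        print(f"{transport:12s} {n}")
```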
  •  

    Hi Jonathan,

    Thanks for update.

    > This may be a problem because I only have on server to do this and it is a DC. Are these problems really big?

    Yes, this is a problem, and I would not suggest setting up DA this way. Consider having a dedicated server and setting it up as the DA server, meeting the requirements listed in that link.

    If this is just for testing purposes, we can simulate it in a lab environment with virtual machine software.

    Thanks

    Tiger Li

    TechNet Community Support

    Wednesday, February 29, 2012 8:37 AM

All replies

  • Thank you Ace Fekay and Tiger Li for your replies.

    @Ace Fekay
    Fortunately I have already done most of the preparation work for DirectAccess. I still need to change the server into a modem/router/firewall. I found in RRAS that you can make a Demand-dial Interface where you can put all the info that you normally put in the modem. I will read the whole Troubleshooting before I go any further, and wow, it is big. Thank you for this.

    @Tiger Li
    The link to the blog you posted helped a lot to understand what topology I can use. The other link with requirements isn't new for me. I asked about those two public IPs because I was hoping for a workaround, which unfortunately isn't possible.

    > In addition, a word to the wise, make sure you do not use a domain controller for this server's role, or you will be inviting problems with the DC properly functioning with multiple NICs, because it turns it into a multihomed DC, which is problematic.
    This may be a problem because I only have one server to do this and it is a DC. Are these problems really big?

    Wednesday, February 29, 2012 8:16 AM
  • In response to your modem and multiple WAN IP questions, please see my response in your other thread:
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/9079142c-d0bd-4cc7-b833-2b17d0ce6c21/ 


    Tiger, do you think we should merge these two threads?

    Ace



    Wednesday, February 29, 2012 5:03 PM
  •  

    Hi guys,

    Just FYI, as you know we have announced the Windows Server 8 consumer preview. One of the improvements in the DA service is reduced deployment infrastructure requirements, which means DirectAccess can be configured on a server with two network adapters at the network edge or behind an edge device, as required in the previous version, or with a single network adapter running behind a firewall or NAT device. And the ability to use a single adapter removes the requirement to have dedicated public IPv4 addresses for DirectAccess deployment.

    Hope that will help us deploy more easily in the future.

    Thanks.

    Tiger Li

    TechNet Community Support

    Thursday, March 1, 2012 7:22 AM
  • @Ace Fekay
    Sorry about the two threads, but I thought that I could better ask two separate questions than have one thread full of different questions. If it is best to merge the two then please do so. My bad.

    I have also fully read the whole post with all of the links you gave me. They gave me a better understanding, and the YouTube films will give me a step-by-step how-to. This question has thereby been answered! Thank you for your time and help.

    @Tiger Li
    Too bad that I can't use Windows Server 8 yet, but Microsoft has made it a lot easier to deploy DA for beginners like me, which is a good thing. It seems that my question has been answered and I want to thank you for your time and help with this. It's still a pity you can't use one public IP and put everything on one server without using virtualisation and that sort of stuff.

    So thank you both for your help again!

    Thursday, March 1, 2012 8:25 AM
  • You are welcome!

    As for the public IPs, they are only configured in the perimeter firewall, NOT on the server.

    The server would have two NICs, each with a separate internal, private IP. The perimeter firewall is where you configure each public IP to port translate inbound traffic to each private IP on the internal DA server.


    Ace Fekay

    Thursday, March 1, 2012 8:48 PM