UAG to 2012 R2 - Edge Device concerns

  • Question

  • I'm going to migrate from the UAG server to 2012 R2 DirectAccess, but most of the clients are still Win7, so I'd rather not do NAT behind the firewall with the double encryption of IP-HTTPS (if I understand that correctly). So the other option is having the DA server as an edge device. How are people protecting the server as an edge device? Just using the built-in Windows Firewall locked down to just the DA ports? Just curious how other people have handled the conversion from UAG to 2012 DirectAccess.
    Friday, September 19, 2014 1:12 PM

Answers

  • Mark,

    With UAG you could be confident connecting it directly to the internet. But if you implement DirectAccess based on Windows Server 2012 R2 you should always put it behind a firewall, and, if you prefer, between firewalls. Although the Windows Firewall with Advanced Security is a pretty good firewall, you should always place another firewall in front.

    I have deployed DirectAccess multiple times for different customers. Whenever possible I place the DirectAccess server(s) behind a firewall and configure 1:1 routing. By that I mean the external network interfaces have public IP addresses without any NAT in between. By doing so you have the optimal configuration, and DirectAccess clients can use all protocols, including 6to4 and Teredo.

    Boudewijn


    Boudewijn Plomp, BPMi Infrastructure & Security



    • Edited by Boudewijn Plomp Friday, September 19, 2014 7:18 PM
    • Marked as answer by MarkBrand Monday, September 22, 2014 5:17 PM
    Friday, September 19, 2014 7:17 PM
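The answer above boils down to a short Internet-facing allow list: IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 as IP protocol 41, and ICMP echo (Teredo relies on ICMPv4 echo to the server). With Windows 7 clients the IP-HTTPS tunnel is encrypted with a real TLS cipher on top of IPsec, which is why keeping Teredo and 6to4 reachable matters for them. The script below is an added example, not code from the thread or from Microsoft; it audits the effective inbound allow rules on the server's Public profile (where a 1:1-routed external NIC normally lands) against that list and flags anything else, which is also the list the upstream firewall should be limited to. It assumes an elevated session on the 2012 R2 DirectAccess server itself; the interface naming and the profile assignment of your external NIC are your own to verify with Get-NetAdapter and Get-NetConnectionProfile.

```powershell
# Added example (not from the original thread). Assumes a Windows Server 2012 R2
# DirectAccess server whose Internet-facing NIC has public IPs (1:1 routed, no NAT)
# and sits in the Public firewall profile. Reports only, unless -Enforce is given,
# in which case it also sets the Public profile's default inbound action to Block.
param([switch]$Enforce)

# The only inbound services a DirectAccess edge server needs from the Internet.
# The firewall in front of it should pass exactly this set and nothing more.
$Allowed = @(
    @{ Protocol = 'TCP';    LocalPort = '443';  IcmpType = 'Any'; Why = 'IP-HTTPS' },
    @{ Protocol = 'UDP';    LocalPort = '3544'; IcmpType = 'Any'; Why = 'Teredo' },
    @{ Protocol = '41';     LocalPort = 'Any';  IcmpType = 'Any'; Why = '6to4 (IPv6 in IPv4)' },
    @{ Protocol = 'ICMPv4'; LocalPort = 'Any';  IcmpType = '8';   Why = 'Echo request (Teredo needs it)' },
    @{ Protocol = 'ICMPv6'; LocalPort = 'Any';  IcmpType = '128'; Why = 'Echo request (native IPv6)' }
)

# Compare one rule's port filter against the allow list; return the reason it is
# expected, or $null when the rule opens something DirectAccess does not need.
function Test-AllowedFilter {
    param($Filter)
    $ports = @($Filter.LocalPort) -join ','
    $icmp  = @($Filter.IcmpType)  -join ','
    foreach ($a in $Allowed) {
        if ($Filter.Protocol -ne $a.Protocol) { continue }
        if ($a.LocalPort -ne 'Any' -and $ports -ne $a.LocalPort) { continue }
        if ($a.IcmpType  -ne 'Any' -and $icmp  -ne $a.IcmpType)  { continue }
        return $a.Why
    }
    return $null
}

# Effective rules (local policy plus the DirectAccess GPO) that allow inbound
# traffic on the Public profile, i.e. on the Internet-facing side.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' }

$report = foreach ($r in $rules) {
    $f   = $r | Get-NetFirewallPortFilter
    $why = Test-AllowedFilter $f
    [pscustomobject]@{
        Rule      = $r.DisplayName
        Protocol  = $f.Protocol
        LocalPort = (@($f.LocalPort) -join ',')
        IcmpType  = (@($f.IcmpType)  -join ',')
        Status    = if ($why) { "expected: $why" } else { 'UNEXPECTED on Internet-facing profile' }
    }
}
$report | Sort-Object Status, Rule | Format-Table -AutoSize

# An allow list is only meaningful if everything else is dropped by default.
$public = Get-NetFirewallProfile -Name Public
if ($public.DefaultInboundAction -ne 'Block') {
    Write-Warning "Public profile DefaultInboundAction is $($public.DefaultInboundAction), expected Block"
    if ($Enforce) { Set-NetFirewallProfile -Name Public -DefaultInboundAction Block }
}
```

Anything reported as UNEXPECTED (file sharing, remote management, "Core Networking" rules for DHCP or router advertisements, and so on) is something to either scope to the internal interface with -InterfaceAlias or disable for the Public profile; the Remote Access setup wizard creates the DirectAccess rules itself, so the script deliberately does not add rules, only reviews them.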

All replies

  • Hi Mark, I completely agree with Boudewijn; three is always better than one! Another slant is using a NAT0 rule (no inspection) on your external firewall.

    Kr


    John Davies

    Monday, September 22, 2014 10:57 AM