DA server within a DMZ - ports needed for internal network

  • Question

  • Hi,

     I'm planning on adding a domain joined DA server in my DMZ. The DA server will have 2 NICs, one for the internal network and the other for the external. I'll be using two consecutive public IPv4 addresses.

    On my external firewall I'll be opening the following ports for my DA server:

    - Port 443 inbound and outbound
    - UDP 3544 inbound and outbound.

    On my Juniper firewall between the internal network and DMZ I'll be opening the following bidirectional ports between my DC and DA server:

    - IP Protocol 41 inbound and outbound.
    - TCP/UDP 53, 88, 3389, 389, 443, 445, 636, 3268, 3269

    Am I right in thinking that in order for my DA clients to reach file shares (for example) I need to ensure that the required protocol and ports are open between my DA server and my file share (i.e. 443)? Doesn't this open a whole load of security holes?


    IT Support/Everything

    Friday, June 27, 2014 7:31 AM


  • Hi there - in a similar scenario on many customer sites I have done the following configurations on the internal firewalls:

    Internal IP of the DA Server ---> allow all traffic to selected VLANs

    The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that Direct Access requires full connectivity to your apps / infrastructure.

    john davies

    • Marked as answer by Aetius2012 Friday, July 4, 2014 6:34 AM
    Monday, June 30, 2014 6:49 AM
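
The two internal-firewall designs discussed in this thread, compared flow by flow. This is an added example, not code from either poster: it models the question's DA-to-DC port list and the answer's "allow all traffic to selected VLANs" rule as plain allow lists with an implicit deny. All IP addresses and VLAN ranges are constructed for illustration, and the rule model is generic rather than Juniper syntax.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addresses for illustration only; none come from the thread.
DA_INTERNAL = ip_network("10.10.0.5/32")   # DA server internal NIC
DC = ip_network("10.20.0.10/32")           # domain controller
SERVER_VLANS = [ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24")]

class Rule(NamedTuple):
    src: object                 # ip_network the source must fall in
    dst: object                 # ip_network the destination must fall in
    proto: str                  # "tcp", "udp", "41" or "any"
    ports: Optional[frozenset]  # None means any port (or no port concept)

DC_PORTS = frozenset({53, 88, 3389, 389, 443, 445, 636, 3268, 3269})

# Policy A: the question's port list, DA server <-> DC only.
POLICY_A = [Rule(DA_INTERNAL, DC, "tcp", DC_PORTS),
            Rule(DA_INTERNAL, DC, "udp", DC_PORTS),
            Rule(DA_INTERNAL, DC, "41", None)]

# Policy B: the answer's rule, DA internal IP -> all traffic to selected VLANs.
POLICY_B = [Rule(DA_INTERNAL, vlan, "any", None) for vlan in SERVER_VLANS]

def permitted(policy, src, dst, proto, port=None):
    """Any matching allow rule permits the flow; otherwise implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto not in ("any", proto):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return True
    return False

def compare(flows):
    """Return {flow: (allowed under policy A, allowed under policy B)}."""
    return {f: (permitted(POLICY_A, *f), permitted(POLICY_B, *f)) for f in flows}

FLOWS = [("10.10.0.5", "10.20.0.10", "tcp", 389),   # LDAP to the DC
         ("10.10.0.5", "10.30.0.20", "tcp", 445),   # SMB to a file server
         ("10.10.0.5", "10.40.0.7", "tcp", 445),    # SMB to an unselected VLAN
         ("10.10.0.99", "10.30.0.20", "tcp", 445)]  # a different DMZ host

if __name__ == "__main__":
    for flow, (a, b) in compare(FLOWS).items():
        print(flow, "A:", "allow" if a else "deny", "B:", "allow" if b else "deny")
```

The output shows the trade-off raised in the question: the DC-only port list blocks the file-share flow, while the VLAN-scoped rule permits it and still denies other DMZ hosts and unselected VLANs.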