MS Direct Access Public IP's, Hearsay and SP1

  • Question

  • Hi Chaps,

    I hope someone can clarify and maybe present a workaround.


    In regards to the requirement that two consecutive public IP addresses are required on the Internet-facing adapter of the DirectAccess server, this appears to vary from place to place.

    Eg: http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx

    The above infers that the DA server has to be behind a firewall.

    We deployed into a test scenario and this all worked very well, passing the traffic through the perimeter firewalls with a one-to-one translation inbound and outbound. Since updating to SP1, however, DA has stopped working and moans that we need public IPs.

    Changing the IPs on the interface of the DA server to non-private ranges, e.g. 1.1.1.1 and 1.1.1.2, it reports all is fine and can be configured, but then this is no good as the DMZs are all in 10.x.x.x subnets coupled back to the core. (Getting a server directly on the WAN network, bypassing the firewalls, is a non-starter.)

    So it appears DA with SP1 now no longer allows private IPs; can someone please confirm??

    The above issue aside, if it is the case, I know of quite a few corps where the wording of having the DA server directly on the internet, not sat behind the corp firewalls/IPS systems, means it is immediately dropped. Also, another customer looking to deploy has an MPLS on a 10.x.x.x network, whereby cross-company VPNs occur across the MPLS; DA's apparent refusal of the above means it can't be used... and more clunky "dial-up VPNs" are not being used..

    I can perhaps understand the requirements, as some firewalls don't pass through the correct traffic or tamper with it, and it makes configuration and support easier, but surely enforcing it seems commercially silly.

    Many thanks

    Neil


    Monday, December 20, 2010 11:49 AM

Answers

  • Like everyone else said, 2 consecutive IP's are required to get Teredo working.

    As for the firewalls, you can have UAG behind a firewall but you cannot do NAT. The UAG server must have two public IP addresses on the external NIC. This means your firewall can do what is sometimes called a "Static NAT", where the public IP on the external interface of the firewall maps to the same IP on its internal interface, but the truth of the matter is you cannot use a set of private IPs on the external NIC of UAG.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    • Edited by MrShannon Tuesday, December 21, 2010 10:58 PM clarification
    • Marked as answer by Erez Benari Wednesday, December 22, 2010 10:55 PM
    Tuesday, December 21, 2010 10:56 PM

All replies

  • Even pre-SP1 you needed two consecutive public IP addresses on your UAG external interfaces to support DA. Given your constraints, this means that you will need to create a public IP addressed DMZ (assuming you cannot connect directly as you mention).

    http://technet.microsoft.com/en-us/library/dd857262.aspx

    The public IP address requirement is needed to support the IPv6 transition technologies required by DA to function.

    I have used the above approach with a customer who wanted an MPLS only solution and you cannot get away with the public IP address requirement.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, December 20, 2010 1:29 PM
  • Tom's article mentions the edge firewalls for the purpose of filtering out "internet junk", as my colleague Richard Hicks puts it. It falls in line with Dr. Shinder's teachings that we should always have a firewall on the edge to handle the grunt work and let the native TMG firewall that comes with UAG handle the rest of the traffic.

    In the DA deployment scenarios the firewall should only be used for port blocking and not address translation. Regarding consecutive IPs, yep, that was always the case, with UAG or without UAG in a standard Server 2008 implementation of DirectAccess.

    Thanks!
    Dennis


    Monday, December 20, 2010 5:59 PM
  • Hi Neil,
    Two public consecutive IPv4 addresses were always required in UAG DirectAccess.
    The UAG activation will simply fail to configure the Teredo server if private IPs are used, and none of the DA configuration would have been activated.

    We did change one thing in UAG Update 1 (way before SP1): the UI allowed selecting private consecutive IPv4 addresses for the external leg. This configuration never actually worked, since the activation failed. In UP1 we changed the UI to not allow selecting private IPv4 addresses.

    Monday, December 20, 2010 7:38 PM
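    The replies above all come down to one rule: the external leg needs two consecutive, public IPv4 addresses, and RFC 1918 space (such as the 10.x.x.x DMZ in the question) is rejected at activation. As an added pre-deployment check, not code from the thread or from UAG itself, the Python function below applies that same rule to a candidate address pair so the problem is caught before activation rather than by a failed Teredo configuration. The function name and the "private range" list are assumptions of this example.

    ```python
    import ipaddress

    # Constructed for this example: the RFC 1918 ranges that the UAG UI refuses
    # for the external leg (the question's 10.x.x.x DMZ falls in the first one).
    PRIVATE_RANGES = [
        ipaddress.ip_network(n)
        for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    ]


    def check_teredo_addresses(first, second):
        """Return a list of problems with the pair; an empty list means it is
        acceptable as the external-leg pair for the Teredo server."""
        problems = []
        try:
            a = ipaddress.IPv4Address(first)
            b = ipaddress.IPv4Address(second)
        except ValueError as exc:
            # Teredo is an IPv4-carried transition technology, so IPv6 or
            # malformed input is rejected outright.
            return ["not a valid IPv4 address: %s" % exc]

        for label, addr in (("first", a), ("second", b)):
            if any(addr in net for net in PRIVATE_RANGES):
                problems.append(
                    "%s address %s is in an RFC 1918 private range" % (label, addr))
            elif not addr.is_global:
                # Loopback, link-local, shared address space, TEST-NET, etc. are
                # not reachable from the Internet either, so they cannot serve
                # Teredo clients.
                problems.append(
                    "%s address %s is not routable on the public Internet"
                    % (label, addr))

        # "Consecutive" means the second address immediately follows the first.
        if int(b) != int(a) + 1:
            problems.append("%s does not immediately follow %s" % (second, first))
        return problems


    if __name__ == "__main__":
        # The two pairs from the question: the private pair is rejected, the
        # 1.1.1.1/1.1.1.2 pair that UAG accepted passes.
        for pair in (("10.20.30.1", "10.20.30.2"), ("1.1.1.1", "1.1.1.2")):
            print(pair, check_teredo_addresses(*pair) or "OK")
    ```
    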