Segmented Internal Networks for Different Agencies-Customers with DirectAccess 2012

  • Question

  • We are planning for an Enterprise rollout of DirectAccess within our environment. We have multiple agencies, each needing to reach different backend resources once the DA connection is established. We are planning for a Server 2012 DirectAccess implementation acting as a DA gateway to a single AD environment. Once the connection is authenticated with AD, we need some way to route the connection to the specific backend resource for that particular agency user.

    Is it possible to install multiple internal interfaces on the DA gateway? Each interface would host specific internal networks specific to each agency's backend resources. Or would it be best to place a DA gateway at the edge for each agency? (We plan to use VMs for the DA servers.) Thanks for any help on this!


    Bill

    Friday, August 17, 2012 8:26 PM

Answers

  • Hi Bill,

    I would personally place one DA server per agency if you require that no one should ever be able to reach the backend systems of other agencies. That way you can control all the different aspects and simply use internal firewalls or routes to determine what each respective agency can reach.

    I actually had a short discussion the other week regarding the use of Authentication Assurance in combination with DirectAccess and internal IPsec tunnels limited to the different AA groups. Basically a way to differentiate between what different users can actually reach on the inside. But I haven't tried it myself yet, so I cannot say how well it would work in the real world or how to practically configure it for a production-like deployment.

    General information regarding Authentication Assurance: http://technet.microsoft.com/en-us/library/dd378897

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Marked as answer by Beachnut_ Monday, August 27, 2012 3:03 AM
    Monday, August 20, 2012 8:48 AM
  • Hi

    There is no problem with multiple DA servers in the same environment, as you use separate client-side GPOs. Authentication Assurance mixed with DirectAccess can be good, but note that you will have to modify the IPsec user tunnel each time you generate a new configuration to enforce authorization. Otherwise, you can have a single DirectAccess server (based on Windows Server 2012) and use the selected access mode that establishes IPsec transport tunnels to selected servers on your LAN. I've documented this approach on my blog with Windows 7 & Windows 2008 R2, but it should be fine with Windows Server 2012: http://danstoncloud.com/blogs/simplebydesign/archive/2012/08/01/directaccess-challenge-series.aspx.

    Cheers.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by Beachnut_ Monday, August 27, 2012 3:03 AM
    Monday, August 20, 2012 6:55 PM
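The two answers above describe the same design from two sides: limit which backend servers a DirectAccess client can build end-to-end IPsec to (BenoitS's "selected access mode"), and on those servers accept the user tunnel only from the right agency's user group (Jonas's idea of IPsec tunnels scoped to a group). The following PowerShell is an added example written for this page; it is not code from either poster's blog, and it is not the GPO-managed rules the Remote Access wizard generates. The domain name, group names and the convention that the DA application-server group contains the computer accounts of one agency's backend servers are assumptions. As BenoitS notes, a manually added connection security rule lives outside the DA-generated policy, so it must be re-applied (or kept in a per-agency GPO) after the DA configuration is regenerated.

```powershell
# Added example, not from the thread: per-agency isolation on one
# Windows Server 2012 DirectAccess gateway.
#   1. Selected server access: DA clients may only establish end-to-end IPsec
#      to servers in the DA application-server security groups.
#   2. On each agency backend server: accept the DirectAccess user tunnel only
#      from that agency's user group (group restriction via SDDL).
# Domain, group names and addresses below are assumptions.

$domain = 'CORP'

# --- 1. Run on the DirectAccess server (RemoteAccess module).
#        One application-server group per agency; each group is assumed to hold
#        the computer accounts of that agency's backend servers.
$agencyAppServerGroups = @(
    "$domain\DA-AppServers-AgencyA",
    "$domain\DA-AppServers-AgencyB"
)
Add-DAAppServer -SecurityGroupNameList $agencyAppServerGroups

# Require user authentication (not machine only) to those servers and drop
# DA traffic that is not part of an authenticated application-server session.
Set-DAAppServer -UserAuthentication 'UserAuth' `
                -TrafficProtection 'Authenticate' `
                -AllowAppServerTrafficOnly $true

# --- 2. Run on each agency backend server (or deploy via a per-agency GPO).
#        Inbound traffic must be protected by IPsec, and phase 2 must be
#        authenticated by a user that is a member of the agency's group.
function Add-AgencyIPsecRule {
    param(
        [Parameter(Mandatory)] [string] $Agency,      # label used in rule names
        [Parameter(Mandatory)] [string] $UserGroup    # e.g. 'CORP\AgencyA-Users'
    )

    # Resolve the group to a SID and build the SDDL form the firewall uses for
    # "authorized users": O:LSD:(A;;CC;;;<SID>)
    $account = New-Object System.Security.Principal.NTAccount($UserGroup)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sddl    = "O:LSD:(A;;CC;;;$sid)"

    # Phase 1: computer Kerberos (the machine/infrastructure tunnel).
    # Phase 2: user Kerberos (the DirectAccess user tunnel / end-to-end transport mode).
    $p1     = New-NetIPsecAuthProposal -Machine -Kerberos
    $p2     = New-NetIPsecAuthProposal -User -Kerberos
    $phase1 = New-NetIPsecPhase1AuthSet -DisplayName "DA-$Agency-Phase1" -Proposal $p1
    $phase2 = New-NetIPsecPhase2AuthSet -DisplayName "DA-$Agency-Phase2" -Proposal $p2

    # Require IPsec inbound, request it outbound, and restrict the remote user
    # to the agency group. A user from another agency authenticates but is
    # rejected by the user filter, so the server never sees their traffic.
    New-NetIPsecRule -DisplayName "DA $Agency users only" `
        -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
        -RemoteUser $sddl `
        -Profile Domain -Enabled True
}

Add-AgencyIPsecRule -Agency 'AgencyA' -UserGroup "$domain\AgencyA-Users"
```

Two checks worth doing after applying this: from a DA client in Agency A, `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` should show a quick-mode SA to an Agency A server and none to an Agency B server; and the Windows Firewall security log on the backend server (audit "Filtering Platform Connection" events) will show the rejected Agency B user rather than a silent timeout, which is what distinguishes a working group filter from a routing accident.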

All replies

  • Thank you both for those options. I like the idea of using modified connection security rules, as we have experience with that already. We will take a look at Authentication Assurance with 2012 to see how it compares. Both options look like increased administrative overhead to achieve our end goal, but they provide what we are looking for, so all is good. Thanks again!


    Bill

    Monday, August 27, 2012 3:02 AM