Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

  • Hi

    I'm in the process of creating a new Active Directory forest with a single domain, using AD.Contoso.com as the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split-horizon (split-brain) DNS. The requirements for our new domain are:

    • 2012 R2 AD
    • Direct Access & VPN
    • Exchange 2013 OWA, ActiveSync, Outlook Anywhere (possibly a hybrid configuration with some on-premises mailboxes and some Exchange Online / Office 365 mailboxes, etc.)
    • Lync 2013 ?
    • SharePoint ?
    • Microsoft Active Directory Certificate Services
    • System Center Configuration Manager 2012 R2
    • Two way trusts between old forest and new to enable Transition/Migration

    OK, so that's what I'm aiming for; now the question.

    They are allowing me to purchase a next-generation firewall, maybe a Barracuda NG Firewall or a Cisco ASA X-series, so I need some advice on what type of network topology I should configure. I've read that using the two-NIC configuration for the 2012 R2 DirectAccess server is preferable: one NIC on the internal network, one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter, bypassing the back-end firewall (see image).

    The other alternative is to dispense with the perimeter network, use the DirectAccess server with a single NIC, and set up the NG firewall in a three-legged configuration with the DA server on the DMZ.

    So, all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.

    Thanks

    Simon


    • Edited by Boris67 Wednesday, March 5, 2014 3:40 PM
    • Changed type Amy Wang_ Thursday, March 6, 2014 9:44 AM Direct Access related
    Wednesday, March 5, 2014 2:45 PM
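The dual-NIC design the poster is weighing makes the DirectAccess server a dual-homed host with one foot in the perimeter and one on the LAN, so the host's own network configuration becomes part of the security boundary. The script below is an added audit example, not code from the thread or from Microsoft; it assumes a Windows Server 2012 R2 DirectAccess server whose adapters are named "Internal" and "External" (both names are assumptions; adjust them to match Get-NetAdapter output). It checks the posture Microsoft's dual-NIC guidance calls for: the default gateway only on the perimeter-facing NIC (the LAN is reached through static routes), DNS registration and DNS servers only on the internal NIC, Windows Firewall enabled on every profile (the DirectAccess IPsec tunnels depend on it), and the external NIC sitting in the Public network category. It reports findings and changes nothing.

```powershell
# Added audit example for a dual-NIC DirectAccess server (not from the original thread).
# Assumption: the LAN-facing NIC is named 'Internal' and the perimeter-facing NIC
# 'External'. Run in an elevated PowerShell session on the DA server.

$internal = 'Internal'   # assumption: adapter name of the LAN-facing NIC
$external = 'External'   # assumption: adapter name of the perimeter-facing NIC

$findings = @()

# 1. Both adapters must exist and be up.
foreach ($name in @($internal, $external)) {
    $nic = Get-NetAdapter -Name $name -ErrorAction SilentlyContinue
    if (-not $nic) { $findings += "Adapter '$name' not found"; continue }
    if ($nic.Status -ne 'Up') { $findings += "Adapter '$name' is $($nic.Status)" }
}

# 2. The IPv4 default route (0.0.0.0/0) should be bound only to the external NIC.
#    The internal NIC reaches the LAN through static routes, so replies to internet
#    clients are never sent out through the LAN side.
$defaultRoutes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $defaultRoutes) {
    if ($r.InterfaceAlias -ne $external) {
        $findings += "Default gateway $($r.NextHop) is bound to '$($r.InterfaceAlias)', expected '$external' only"
    }
}
if (-not ($defaultRoutes | Where-Object InterfaceAlias -eq $external)) {
    $findings += "No default gateway on '$external'"
}

# 3. Only the internal NIC should register its address in AD-integrated DNS;
#    the perimeter address must not leak into the internal zone.
$extDns = Get-DnsClient -InterfaceAlias $external -ErrorAction SilentlyContinue
if ($extDns -and $extDns.RegisterThisConnectionsAddress) {
    $findings += "'$external' registers its address in DNS; fix with Set-DnsClient -InterfaceAlias '$external' -RegisterThisConnectionsAddress `$false"
}

# 4. The external NIC should have no DNS servers configured at all; name resolution
#    for the server itself goes through the internal NIC.
$extDnsServers = (Get-DnsClientServerAddress -InterfaceAlias $external -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses
if ($extDnsServers) {
    $findings += "'$external' has DNS servers configured: $($extDnsServers -join ', ') (expected none)"
}

# 5. Windows Firewall must be enabled for the Domain, Private and Public profiles.
#    DirectAccess IPsec tunnel rules live in Windows Firewall with Advanced Security.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings += "Windows Firewall profile '$($p.Name)' is disabled" }
}

# 6. The external NIC should be in the Public category so the public-profile
#    rule set governs internet-facing traffic.
$extProfile = Get-NetConnectionProfile -InterfaceAlias $external -ErrorAction SilentlyContinue
if ($extProfile -and $extProfile.NetworkCategory -ne 'Public') {
    $findings += "'$external' is in the $($extProfile.NetworkCategory) network category, expected Public"
}

if ($findings.Count -eq 0) {
    'No findings: dual-NIC posture looks as expected.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

None of these checks removes the underlying concern the poster raises: a compromised dual-homed host can still forward between its two interfaces, so the back-end firewall and the host's own rule set should be treated as the controls on that path, not the NIC layout alone.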

All replies

  • On Wed, 5 Mar 2014 14:45:44 +0000, Boris67 wrote:

    The other alternative is to dispense with the perimeter network, use the DirectAccess server with a single NIC, and set up the NG firewall in a three-legged configuration with the DA server on the DMZ.

    So, all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.

    DirectAccess has its own dedicated forum. You should repost your question
    here:

    http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=forefrontedgeiag


    Paul Adare - FIM CM MVP
    You are trapped in a maze of screens and ssh sessions all alike.
    It is dark, and you are likely to log off the wrong account. -- Nep

    Wednesday, March 5, 2014 4:13 PM
  • Thanks Paul

    I've moved it

    Wednesday, March 5, 2014 4:19 PM