DirectAccess server behind a router

  • Question

  • Hello,

    I've got 4 public IPV4 address available. My ISP can setup NAT rules for these addresses.

    MY DirectAccess server has 2 network cards, and is running as a VM with Hyper-V.

    Can I setup the 2 public address for DA server with "transparent" NAT rules ?

    Thanks.

    Xavier.



    Thursday, April 28, 2011 10:28 AM

Answers

  • It's an issue for the DirectAccess / UAG / Server. As far as I know, there is no support today for such a scenario. In some situations you may be able to get it to work, but you will have no guarantee that it will work in the future, because Microsoft does not test this scenario when validating service packs and hotfixes.

    If the scenario described by Jason is supported by Microsoft, that would be a great thing for DirectAccess adoption. But it is still a complicated scenario. DirectAccess is considered a complex solution because it's composed of multiple blocks. I'm not sure that would help DirectAccess.


    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:28 PM
    Thursday, April 28, 2011 12:48 PM

All replies

  • Hi,

    Definitely not. DirectAccess servers don't support being behind a NAT or PAT.


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Thursday, April 28, 2011 10:57 AM
  • Hi,

    As Lionel said, it is not possible to NAT or PAT the public IP addresses. It's a Teredo requirement. If you need more information about DirectAccess network requirements, have a look at the DirectAccess design guide:

    The Windows Guide: http://technet.microsoft.com/en-us/library/ee382297(WS.10).aspx

    The UAG Guide: http://technet.microsoft.com/en-us/library/dd857320.aspx

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Thursday, April 28, 2011 12:06 PM
  • ...even if I NAT the 2 public addresses with 2 other public addresses on the external network card?

    Because I can't see where NAT is banned:

    It must have at least two, consecutive public Internet Protocol version 4 (IPv4) addresses assigned to the interface that is connected to the perimeter network, or in the absence of an Internet firewall, it must be connected directly to the Internet. Addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.

    Two consecutive public IPv4 addresses are required so that the server can act as a Teredo server, and Windows-based Teredo clients can use the Forefront UAG DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind. For more information, see Teredo Overview (http://go.microsoft.com/fwlink/?LinkId=169486).

    Thanks.


    Thursday, April 28, 2011 12:35 PM
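    The design-guide text quoted above gives a checkable rule for the Internet-facing interface: two consecutive public IPv4 addresses, none from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. The following is an added example (not from this thread or from Microsoft's guides) that applies that rule to a pool of candidate addresses, such as the four the original poster has, and reports which consecutive pairs qualify; the addresses in it are constructed from the 203.0.113.0/24 documentation range.

```python
"""Check candidate addresses against the DirectAccess / Teredo server rule
quoted from the design guide: two consecutive public IPv4 addresses, and
none from the three private ranges (added example, not the guide's own code)."""
import ipaddress
from typing import List, Tuple

# The three ranges the design guide names as unusable on the Internet-facing interface.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_usable_public(addr: str) -> bool:
    """True if addr parses as IPv4 and lies outside the three private ranges.
    Malformed input is treated as unusable rather than raising."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return not any(ip in net for net in PRIVATE_RANGES)


def consecutive_public_pairs(addrs: List[str]) -> List[Tuple[str, str]]:
    """Return every (lower, upper) pair of usable addresses whose integer
    values differ by exactly one, independent of the order they were given in.
    Duplicates are collapsed first so a repeated address cannot pair with itself.
    Each pair is a candidate for the DirectAccess server's external interface."""
    usable = sorted({ipaddress.IPv4Address(a) for a in addrs if is_usable_public(a)})
    pairs = []
    for lo, hi in zip(usable, usable[1:]):
        if int(hi) - int(lo) == 1:
            pairs.append((str(lo), str(hi)))
    return pairs


# Constructed sample: four addresses from an ISP, given out of order, one of
# them private. Only two consecutive public pairs exist in this pool.
SAMPLE_POOL = ["203.0.113.12", "192.168.1.5", "203.0.113.10", "203.0.113.11"]

if __name__ == "__main__":
    for a in SAMPLE_POOL:
        print(f"{a:16} usable on external interface: {is_usable_public(a)}")
    print("consecutive public pairs:", consecutive_public_pairs(SAMPLE_POOL))
```

    Note that the check only covers the addressing rule; as the replies above say, whether the router in front of the server translates those addresses is a separate question that this check cannot see.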
  • Because NAT breaks the Teredo and IPsec protocols in the DirectAccess scenario.

    Take care: NAT is only supported for the DirectAccess client, not for the server.


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Thursday, April 28, 2011 12:38 PM
  • Is breaking Teredo and IPsec a filter issue on the router?

    Because it seems to have worked... http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/d29b4570-6513-4595-9458-9250af1f918b


    Thursday, April 28, 2011 12:42 PM