DirectAccess 2012

  • Question

  • Has anyone tried opening access for DirectAccess clients from the Internet through TMG, when that TMG already has access configured for Exchange 2013 and the Remote Desktop Gateway?

    How can this be done?

Answers

  • I did it following this article:

    Direct Access in Windows Server 2012 with Threat Management Gateway (TMG) 2010
    
    By: Peter Vogl
    Tuesday, 14 August 2012
    
    The basic link for Direct Access in Windows Server 2012 is http://technet.microsoft.com/en-us/library/hh831520 and provides ample documentation about configuring Direct Access. However, the discussion of edge firewall settings is rather vague and there is no mention of TMG 2010 or ISA.
    
    
    Before diving into any details about Direct Access, please keep in mind that the Client must have Windows 8 Enterprise installed, not Windows 8 Professional. The new direct access functionality in Windows Server 2012 is only available in the Enterprise version of Windows 8.
    
    We discuss the following simple topology:
    WAN       --     TMG      --    LAN
    Client                                Direct Access Server (DAS), DC,...
    
    The Direct Access Server (DAS) is configured single-homed with a private IPv4 address.
    
    DNS Settings:
    Assume the domain name is company.com. We consider a so-called split-brain zone configuration. There is an external (WAN-sided) DNS-Server that is authoritative for company.com and publishes the A record
    [public IPv4 address]  A  das.company.com.
    The internal (LAN-sided) DNS server on the DC is internally authoritative for company.com and publishes the A record
    [public IPv4 address]  A  das.company.com.
    Make sure the TMG uses the internal DNS server. The external client must listen to the public DNS.
    
    Configure TMG 2010:
    
    The standard web publishing rule does not work, since the IP-HTTPS connection is not handled by the IIS.
    
        In Tasks, select "Publish Non-Web Server Protocols" and start the wizard.
        Server publishing rule name: DirectAccess or something similar.
        Select Server: enter the LAN-sided IPv4 address of the DirectAccess Server.
        Select Protocol: choose HTTPS Server.
        Network Listener IP Addresses: check "External" and select the specific IP address you wish to use for the Direct Access server, or leave the default (listening on all IP addresses).
        Finish.
    
    
    Make sure this rule sits higher up than all Web Blocking rules.
    
    Set up the Direct Access Server:
    
    
    Make sure you have installed a valid public certificate on DAS with an internally and externally reachable CRL address. You do not need to install it on TMG.
    
    Install the Remote Access Role without Routing. This automatically installs the IIS.
    
    Start the Remote Access wizard. Note that the term "DNS server" in this wizard refers to the DAS, not the internal DNS server address (DC), since all DNS requests by the client are sent to the DAS, which forwards them to the real DNS server.
    

    It looks like I jumped to conclusions...


    • Marked as answer by G.Sattva, 19 May 2013 10:16
    • Edited by G.Sattva, 21 May 2013 18:47
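A verification script for the setup described in the quoted article, as an added example that is not part of the thread or of Peter Vogl's article: it checks that both halves of the split-brain zone return the same public address, completes the TLS handshake on 443 through TMG, and tests the CRL URLs in the DAS certificate. das.company.com is the article's name; the two resolver addresses are placeholders.

```powershell
# Added example, not code from the thread or from Peter Vogl's article.
# Assumes the article's name das.company.com; the resolver addresses are placeholders.
param(
    [string]$DasFqdn     = 'das.company.com',   # from the article
    [string]$InternalDns = '10.0.0.10',         # placeholder: DC / internal DNS server
    [string]$ExternalDns = '8.8.8.8'            # placeholder: any public resolver
)

# 1. Split-brain check: both zones must publish the SAME public IPv4 address,
#    otherwise TMG (which uses internal DNS) and the client disagree about the DAS.
$internal = @(Resolve-DnsName -Name $DasFqdn -Type A -Server $InternalDns -ErrorAction Stop |
              Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
$external = @(Resolve-DnsName -Name $DasFqdn -Type A -Server $ExternalDns -ErrorAction Stop |
              Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
if (-not $internal -or -not $external -or (Compare-Object $internal $external)) {
    Write-Warning "Split-brain mismatch: internal=$internal external=$external"
} else {
    Write-Host "DNS OK: $DasFqdn -> $external from both zones"
}

# 2. IP-HTTPS path: the non-web server publishing rule passes raw TLS on 443
#    through to the DAS, so the handshake must complete end to end and the
#    certificate presented must be the DAS's own, with a matching name.
$tcp = New-Object System.Net.Sockets.TcpClient($DasFqdn, 443)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # inspected manually below
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($DasFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
Write-Host "TLS OK: subject=$($cert.Subject) expires=$($cert.NotAfter)"

# 3. CRL reachability: the article requires a CRL URL reachable both internally
#    and externally, because a client that cannot fetch it rejects the IP-HTTPS
#    certificate. OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'Certificate has no CRL Distribution Points extension'; return }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Host "CRL reachable: $u (HTTP $($r.StatusCode))"
    } catch {
        Write-Warning "CRL NOT reachable from this host: $u ($($_.Exception.Message))"
    }
}
```

Run it once from an internal host and once from the external client: the CRL result is only meaningful for the network the script runs in.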

All answers

  • No problem, you just need a separate IP for DA: http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-configure-Forefront-TMG-DirectAccess-Server.html
    Answerer
  • My TMG sits behind the edge router, so if I had a separate IP it would be enough to forward port 443 from another external IP to the DirectAccess 2012 server (I actually ran that experiment on the existing external IP, and everything works) and nothing else would need to be done...

    But my task is different: on a single external IP, configure access for external clients to Exchange 2013, the Remote Desktop Gateway and DirectAccess 2012 through a TMG located behind the edge router (back firewall mode).
