locked
Server 2012 - Forwarding a port to internal network RRS feed

  • Вопрос

  • What are the steps to configure my Windows Server 2012 with two NIC's present (1 public 76.x.x.x) and 1 private (192.168.0.x)

    so that incoming traffic on port 443 will be re-routed to a machine on the internal network.

    I used to be able to accomplish this with Routing and Remote Access in 2008R2

    http://www.windowsnetworking.com/articles_tutorials/Using-Windows-Server-2008-R2-Publish-Internal-Resources.html

    I'd really like to do it cleanly, without installing IIS, DirectAccess, AD or certicates.


    Mike H

    29 ноября 2012 г. 17:12

Ответы

Все ответы

  • Hi,

    Thank you for the post.

    You may install RRAS role on windows server 2012 to publish internal resource: http://technet.microsoft.com/en-us/library/dd314183(v=ws.10).aspx, and more information about RRAS feature, please see the following links:

    http://technet.microsoft.com/en-us/library/hh831416.aspx

    http://technet.microsoft.com/en-US/network/bb545655.aspx

    Regards,


    Nick Gu - MSFT

    • Предложено в качестве ответа Mike Hilhorst 4 декабря 2012 г. 10:16
    • Помечено в качестве ответа Yan Li_ 6 декабря 2012 г. 8:57
    4 декабря 2012 г. 7:21
  • Thank you Nick,

    The 2nd document I hadn't read carefully enough says:

    http://technet.microsoft.com/en-us/library/hh831416.aspx

    To access internal resources over DirectAccess, protocol translation must be done between the DirectAccess server and the internal IPv4-only resources, with subsequent translation back to IPv6 for responses sent to DirectAccess clients. NAT64 receives IPv6 traffic from the client and converts it into IPv4 traffic to the intranet. NAT64 is used in combination with DNS64. DNS64 intercepts DNS queries from clients, and sends responses after converting IPv4 answers into associated IPv6 mappings on the NAT64.

    noteNote
    Prior to Windows Server 2012 DirectAccess, the only method available to provide protocol translation for DirectAccess is through deployment of Microsoft Forefront Unified Access Gateway DirectAccess.

    The DirectAccess setup wizard will seamlessly configure protocol translation components as a background operation, without any need for administrative interaction. There are no configuration options exposed to the administrator. The setup wizard will automatically enable NAT64 and DNS64 if the internal interface of the DirectAccess server has an IPv4 address assigned. To support this functionality, the setup wizard will configure an IPv6 network prefix for NAT64. The wizard assigns the NAT64 prefix automatically, and applies it to all IPv4 ranges in the enterprise.

    That answered the question, thanks for the pointer.

    'From the same doc :

    The Remote Access server must be a domain member. The server can be deployed at the edge of the internal network, or behind an edge firewall or other device. --------------

    Is it possible (and advisable) to deploy everything (AD,RRAS,DA,DHCP,Hyper-V) on 1 box?

    From a cost perspective, it's clear that it would be great to hookup 1 NIC to the public internet and 1 to internal network, where a virtualized (HyperV) backoffice and small VDI lives.

    The box can cope, it has 64GB RAM and 8 cores.

    If we can do this, can it be done secure enough without adding extra FW hardware?


    ..Location..is..Everything!

    4 декабря 2012 г. 10:16