Direct access and VPN (L2TP or SSTP?) on the same Windows 2012 R2 server possible?

I am in the process of planning to implement Direct Access on Windows Server 2012 R2.
I'm currently planning to use a single network adapter behind an edge firewall (NAT).

I see in the DA configuration wizard that you can also deploy VPN at the same time so I assume it is supported.

1. What I am unsure of is whether I can do this on my planned server configuration of one NIC behind a NAT firewall?
2. Can it use the same IP address as Direct Access or will a separate one be required?
3. PPTP is not recommended due to a security vulnerability, but which is the better choice in this case, L2TP or SSTP (clients are Windows 7)?
4. We will be creating an external DNS record (da.companyname.com) for our Direct Access. Will it conflict with the VPN, and will the VPN require its own external-facing DNS record and issued certificate?

Appreciate any advice. Thank you.


  • Edited by Barkley Bees Wednesday, February 04, 2015 11:12 PM
February 4th, 2015 11:31pm

Although this is possible you would not want to do it :)

If you have DA behind NAT it can only use IP-HTTPS, and because it's a TCP protocol the performance is terrible. This is because of TCP handshakes, and you suffer a double encryption penalty (which is apparently not an issue in 8/8.1).

http://directaccess.richardhicks.com/2014/06/24/directaccess-ip-https-null-encryption-and-sstp-vpn/

"However, null encryption for IP-HTTPS is no longer available in the scenario where client-based remote access VPN is configured on the same server as DirectAccess."

I have quoted this blog post from Richard Hicks many times; I unfortunately learned the hard way before there was a post available.

Ryan Betts

blog.ryanbetts.co.uk


February 5th, 2015 2:04pm
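An added example, not from either poster, that audits a Remote Access server for the combination the answer warns about (DirectAccess plus client VPN on a single-NIC/NAT deployment). It assumes the RemoteAccess PowerShell module that ships with the role, and that Get-RemoteAccess exposes DAStatus, VpnStatus, InternalInterface and InternetInterface as in its default output; those property names are an assumption to verify on your own server.

```powershell
# Added example (not from the thread). Assumes the RemoteAccess module is present and
# that Get-RemoteAccess returns DAStatus, VpnStatus, InternalInterface and
# InternetInterface (assumed property names; confirm with Get-RemoteAccess | Format-List *).
Import-Module RemoteAccess

function Test-DaVpnCoexistence {
    [CmdletBinding()]
    param()

    $ra = Get-RemoteAccess
    $daInstalled  = $ra.DAStatus  -eq 'Installed'
    $vpnInstalled = $ra.VpnStatus -eq 'Installed'
    # One adapter serving as both internal and internet interface is the single-NIC
    # behind-NAT layout, where DirectAccess clients can only reach the server over IP-HTTPS.
    $singleNic = $ra.InternalInterface -eq $ra.InternetInterface

    $findings = @()
    if ($daInstalled -and $singleNic) {
        $findings += 'Single NIC behind NAT: DirectAccess clients are limited to IP-HTTPS (TCP), so expect the TCP handshake overhead described in the thread.'
    }
    if ($daInstalled -and $vpnInstalled) {
        $findings += 'DirectAccess and client VPN on the same server: IP-HTTPS null encryption is no longer available, so IP-HTTPS traffic is encrypted twice (TLS plus IPsec) even for Windows 8/8.1 clients.'
    }
    if ($daInstalled -and $singleNic -and -not $vpnInstalled) {
        $findings += 'DirectAccess only: IP-HTTPS null encryption remains available to Windows 8/8.1 clients; Windows 7 clients still pay the double encryption cost.'
    }

    # Return an object so the result can be logged or compared across servers.
    [pscustomobject]@{
        DirectAccess = $ra.DAStatus
        ClientVpn    = $ra.VpnStatus
        SingleNic    = $singleNic
        Findings     = $findings
    }
}

Test-DaVpnCoexistence | Format-List
```

Run it on the DirectAccess server itself after the wizard completes; a non-empty Findings list is the signal to move client VPN to a separate host if IP-HTTPS performance matters.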
