IP-HTTPS DA Scenario with Only Port 443 possible?

I have a client that is wanting to use DA for their laptop users in the field but they have some fairly specific wants and they would like to know if they can get their cake and cookies while using ONLY port 443 open to the Internet.  I've been wading through a ton of info and some of it seems to contradict not only itself but what they are hearing from MS so I thought I'd post it up here and get a second opinion as to whether it's even possible.

The DA server(s) will be running Server 2012 R2 and will have 2 NICs, one in their private network (the "LAN" NIC) and one in their DMZ/perimeter network behind a 1:1 NAT.  The public IP that the NAT is set to does have a DNS entry that can be resolved from the Internet.  The private and DMZ networks are IPv4 only and their clients are expected to be on IPv4 only connections.  

Here's their want list:

  • Support Windows 7, Windows 8/8.1 Clients
  • Manage Out
  • Force Tunneling

They want to start with a single DA server but eventually if the thing goes to production they want to have 2 of them in an NLB cluster.

My real questions are a) can this be done using ONLY port 443 inbound and b) if not what items on the "want" list may need to be sacrificed in order to get it going.  Thanks in advance for any help!

  • Edited by Matt Br Friday, February 27, 2015 4:52 PM
February 27th, 2015 4:49pm

Hi,

Since Windows Server 2012, DirectAccess Gateway can be published behind any NAT device that can publish HTTPS. Even the old TMG can do that: http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx. It was not possible with UAG or Windows Server 2012. The only drawback is that IPHTTPS is the only protocol that your DirectAccess clients will be able to use. Just disable 6to4 and Teredo on the client side to avoid problems.

If you plan to upgrade to NLB, watch out. When you enable NLB, you change the network configuration of the DirectAccess gateways. Your DirectAccess clients will need to connect to the LAN to get the new GPO. If you want to avoid that, just start in NLB with one node.

March 1st, 2015 8:45am
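The reply above says to disable 6to4 and Teredo on the client so that IP-HTTPS over TCP 443 is the only transition technology left in play. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a domain-joined DirectAccess client, uses the NetworkTransition cmdlets where they exist (Windows 8/8.1) and falls back to netsh for Windows 7, and the strings it matches in netsh output are assumptions about the English output text. It disables the two legacy transitions and then verifies that only the IP-HTTPS interface is active, which is the state you want to confirm before telling the firewall team that 443 is all you need.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumed: Windows 8/8.1 client with the
# NetworkTransition module, or Windows 7 where only netsh is available.

function Disable-DaLegacyTransition {
    # Pin the client to IP-HTTPS by turning off 6to4 and Teredo, as the reply advises.
    if (Get-Command Set-Net6to4Configuration -ErrorAction SilentlyContinue) {
        Set-Net6to4Configuration -State Disabled
        Set-NetTeredoConfiguration -Type Disabled
    }
    else {
        # Windows 7 path: same effect through netsh.
        netsh interface 6to4 set state disabled   | Out-Null
        netsh interface teredo set state disabled | Out-Null
    }
}

function Test-DaIpHttpsOnly {
    # Returns an object showing whether 6to4/Teredo are off and IP-HTTPS is up.
    # The match strings below assume English netsh output; adjust on localized builds.
    $sixto4  = (netsh interface 6to4 show state) -join ' '
    $teredo  = (netsh interface teredo show state) -join ' '
    $iphttps = (netsh interface httpstunnel show interfaces) -join ' '

    $legacyOff = ($sixto4 -match 'disabled') -and ($teredo -match 'disabled')
    $tunnelUp  = $iphttps -match 'IPHTTPS interface active'

    [pscustomobject]@{
        SixToFourDisabled = ($sixto4 -match 'disabled')
        TeredoDisabled    = ($teredo -match 'disabled')
        IpHttpsActive     = $tunnelUp
        Ok                = $legacyOff -and $tunnelUp
    }
}

Disable-DaLegacyTransition
Test-DaIpHttpsOnly | Format-List
```

Run it on a client that is outside the corporate network; if `IpHttpsActive` stays false, `netsh interface httpstunnel show interfaces` also reports the last error code, which is the first thing to read when the 443 path is not coming up. Note that a later DirectAccess GPO refresh can change these settings again, so the check is worth repeating after any change on the gateway.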

Have you implemented this scenario before with Windows 7 Clients, Force Tunneling and Manage Out?
March 2nd, 2015 1:24pm

Yes for Windows 7, behind NAT and manage out. I always try to avoid Force tunneling.
March 2nd, 2015 1:26pm

They have some specific needs when it comes to controlling remote machines due to HIPAA so that's the reason they want to do the Force Tunneling thing.

An engineer at Microsoft said we would need other ports open inbound to the DA box (500 and 4500 as I recall.)  I'm really hoping that's not true but I am also curious why they would say that those ports are required.  Maybe this has something to do with us being all IPv4?

March 2nd, 2015 1:58pm
