Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)

Hello all,

We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server 2012 R2, so now we have a server directly connected to the outside world with public IPs assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect, we should have as well); however, we did not, and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get right).

So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,

April 13th, 2015 1:58pm

It's always good to have a firewall in front of a domain-joined machine, and of course the DA server is not an exception.

Server 2012 can work behind a firewall with NAT functionality enabled or disabled.

If you have a fully functional DA with the EDGE profile enabled, you can still configure any firewall (without NATing functionality) without changing the configuration settings in DA.

Also, you can have TMG protecting your existing DA setup. Below is the link for it.

http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html

Please let me know how it goes.


  • Edited by Vasu Deva Friday, April 17, 2015 11:30 AM
  • Proposed as answer by Vasu Deva Monday, April 20, 2015 9:55 AM
April 17th, 2015 11:28am
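
For the situation in the question (an edge DirectAccess server with only Windows Firewall in front of it), the following is an added example, not part of the thread, that audits what the host firewall currently allows inbound on the Public profile. It assumes the server has public IPv4 addresses, in which case the only transports clients need from the Internet are IP-HTTPS (TCP 443), Teredo (UDP 3544) and 6to4 (IP protocol 41); `Test-DirectAccessTransport` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run elevated on the DirectAccess server.
# Uses the NetSecurity / NetConnection cmdlets that ship with Server 2012 and later.

# 1. Show which firewall profile each NIC is in, so you know which profile the
#    Internet-facing adapter is actually using.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. Classify a rule's protocol/port filter as a DirectAccess transition transport.
#    Windows reports the built-in rules with keywords (IPHTTPSIn, Teredo) rather than
#    port numbers, so both forms are accepted.
function Test-DirectAccessTransport {
    param([string]$Protocol, [string[]]$LocalPort)
    switch ($Protocol) {
        'TCP'   { return ($LocalPort.Count -eq 1 -and $LocalPort[0] -in '443', 'IPHTTPSIn') }
        'UDP'   { return ($LocalPort.Count -eq 1 -and $LocalPort[0] -in '3544', 'Teredo') }
        '41'    { return $true }    # 6to4: IPv6 encapsulated in IPv4
        default { return $false }
    }
}

# 3. Collect every enabled inbound Allow rule that applies to the Public profile.
$report = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Any|Public' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule        = $_.DisplayName
            Protocol    = $port.Protocol
            LocalPort   = $port.LocalPort -join ','
            Program     = $app.Program
            DATransport = Test-DirectAccessTransport $port.Protocol $port.LocalPort
        }
    }

# 4. Rules with DATransport = False sort first; each one is a candidate for review
#    (scope it to the internal profile, restrict remote addresses, or disable it).
$report | Sort-Object DATransport, Protocol, LocalPort |
    Format-Table -AutoSize -Wrap
```

The same three transports are what a non-NAT perimeter firewall placed in front of the server, as the reply suggests, would need to pass to the server's public addresses.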


This topic is archived. No further replies will be accepted.
