Windows Server 2012 forum (Technical): Direct Access from behind a firewall
  1. #1 localzuk
    Direct Access from behind a firewall

    Anyone have any ideas which ports I should be opening to a DA server? I'm finding all sorts of ports listed all over the place, some with long lists, some just saying port 443 only?

  2. #2 Ergo
    I think that you need the following:

    Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.

    UDP destination port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.

    TCP destination port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.

    I have only copied the section relating to an IPv4 Internet connection - I assume your ISP has not provided you with IPv6 addresses

    This was taken from Tom Shinder's Blog - although this talks about being when you use a UAG server I believe the same is true if you have your DirectAccess server directly published.

    It is also worth noting that you cannot place a DirectAccess server behind a NAT translator, i.e. if your internet connection is provided by the LA and your servers are assigned a 10.x.x.x address you cannot use that to provide DirectAccess. The DirectAccess server (or UAG server if you have one of those) should have a valid Internet IP address.

    Regards,

    Dave
    Last edited by Ergo; 13th December 2012 at 10:10 AM.

  3. #3 localzuk
    So, as we'll be using IP-HTTPS to encapsulate the IPv6 packets, it does look like port 443 then!

    IPv6 is still far off in the distance down here as far as I know.

    We won't be using UAG, but there are other firewalls in between the net and the server.

    You can put DirectAccess in Server 2012 behind NAT, that's one of the main features of the new release.


  4. #4 Ergo
    Quote Originally Posted by localzuk View Post
    You can put DirectAccess in Server 2012 behind NAT, that's one of the main features of the new release.
    Sounds like I need to get some upgrading of my skills done!

    Thanks for the tip.

    Dave

  5. #5 localzuk
    Quote Originally Posted by Ergo View Post
    Sounds like I need to get some upgrading of my skills done!

    Thanks for the tip.

    Dave
    The new feature only allows the IP-HTTPS encapsulation from behind NAT though, Teredo or native IPv6 don't work from behind NAT natively (although there is someone who has posted on here saying they can do it, and they sell their services to do it).
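Added example, not posted by anyone in this thread: a small Python script that classifies captured IPv4 packets by the three DirectAccess transports listed in post #2 (IP protocol 41 for 6to4, UDP destination port 3544 for Teredo, TCP destination port 443 for IP-HTTPS), then derives the minimal inbound rules an upstream firewall needs for the transports actually in use. Following post #5, it flags 6to4 and Teredo as unsupported when the DA server sits behind NAT, leaving only the port 443 rule. The capture is constructed inline (addresses from the documentation ranges, rule strings in a generic pseudo-ACL syntax); the header layouts are the standard IPv4/TCP/UDP ones, and the outbound mirror rules from post #2 (protocol 41 out, UDP source 3544 out, TCP source 443 out) are left to the firewall's state tracking.

```python
"""Classify captured IPv4 packets by DirectAccess transport and derive
the minimal inbound edge-firewall rules. Example code for this thread,
not part of any poster's setup; sample packets are constructed below."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PROTO_IPV6_IN_IPV4 = 41   # 6to4: IPv6 carried directly in an IPv4 header
PROTO_TCP = 6
PROTO_UDP = 17
TEREDO_PORT = 3544        # UDP listener for Teredo clients on the DA server
IPHTTPS_PORT = 443        # TCP listener for IP-HTTPS clients on the DA server

# Per post #5: behind NAT (Server 2012) only IP-HTTPS works natively.
NEEDS_PUBLIC_IP = {"6to4", "Teredo"}

# Generic pseudo-ACL text; DA_PUBLIC_IP / DA_IP are placeholders (assumption).
RULE_TEXT = {
    "6to4": "permit ip-proto 41 from any to DA_PUBLIC_IP",
    "Teredo": "permit udp from any to DA_PUBLIC_IP dst-port 3544",
    "IP-HTTPS": "permit tcp from any to DA_IP dst-port 443",
}


def classify(packet: bytes) -> str:
    """Return '6to4', 'Teredo', 'IP-HTTPS' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:      # not an IPv4 header
        return "other"
    ihl = (packet[0] & 0x0F) * 4                       # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto = packet[9]                                  # IPv4 Protocol field
    payload = packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        # 6to4: payload must itself start with an IPv6 header (version nibble 6)
        return "6to4" if payload and payload[0] >> 4 == 6 else "other"
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        _sport, dport = struct.unpack("!HH", payload[:4])   # same offsets for TCP/UDP
        if proto == PROTO_UDP and dport == TEREDO_PORT:
            return "Teredo"
        if proto == PROTO_TCP and dport == IPHTTPS_PORT:
            return "IP-HTTPS"
    return "other"


def firewall_rules(transports, behind_nat):
    """Map observed transports to inbound rules. Returns (rules, unsupported):
    'unsupported' lists transports that cannot work when the DA server has
    a private, NATed address (they need a public IPv4 address on the box)."""
    rules, unsupported = [], []
    for t in sorted(set(transports)):
        if t not in RULE_TEXT:
            continue
        if behind_nat and t in NEEDS_PUBLIC_IP:
            unsupported.append(t)
            continue
        rules.append(RULE_TEXT[t])
    return rules, unsupported


def build_ipv4(proto, payload, src="198.51.100.10", dst="203.0.113.5"):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


# Constructed sample capture: one packet per transport plus two non-DA packets.
INNER_IPV6 = bytes([0x60]) + bytes(39)                 # bare 40-byte IPv6 header
SAMPLE_CAPTURE = {
    "6to4 client": build_ipv4(PROTO_IPV6_IN_IPV4, INNER_IPV6),
    "Teredo client": build_ipv4(PROTO_UDP,
                                struct.pack("!HHHH", 53011, 3544, 48, 0) + INNER_IPV6),
    "IP-HTTPS client": build_ipv4(PROTO_TCP,
                                  struct.pack("!HHIIBBHHH", 50123, 443, 1, 0,
                                              0x50, 0x02, 8192, 0, 0)),   # SYN
    "DNS query": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "Not IPv4": INNER_IPV6,
}


def summarize(capture, behind_nat):
    """Count transports seen in a capture and derive the rule set for them."""
    seen = Counter(classify(pkt) for pkt in capture.values())
    rules, unsupported = firewall_rules([t for t in seen if t != "other"], behind_nat)
    return {"seen": dict(seen), "rules": rules, "unsupported": unsupported}


if __name__ == "__main__":
    for nat in (False, True):
        print(f"DA server behind NAT: {nat}")
        for key, val in summarize(SAMPLE_CAPTURE, nat).items():
            print(f"  {key}: {val}")
```

Run it as-is to see the two rule sets; point `summarize` at real packets (e.g. raw frames from a pcap reader with the Ethernet header stripped) to confirm which transport your clients actually negotiate before opening anything beyond TCP 443.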

  6. #6 SYNACK
    Quote Originally Posted by localzuk View Post
    The new feature only allows the IP-HTTPS encapsulation from behind NAT though, Teredo or native IPv6 don't work from behind NAT natively (although there is someone who has posted on here saying they can do it, and they sell their services to do it).
    The limitation is from it needing to 'see' a couple of external addresses. Double NAT on the addresses from outside to inside should trick the machine into playing ball. I'm sure that sufficient hacking about with a Linux firewall dist would enable it or probably three or four lines on a decent Cisco router. With double 1 to 1 NAT enabled it should be completely transparent to the box so it should just work.
    Last edited by SYNACK; 13th December 2012 at 10:38 AM.

  7. #7 jamesfed
    Just to put some things straight about DA in 2012 (we have it setup here)-

    -You only need a single external IP and it can be v4
    -You can use NAT
    -Windows 7 clients are backwards compatible with Server 2012 after deploying an internal CA
    -You only need 443 open if using IP-HTTPS (which is easy!)
    -DA is the MOST AMAZING bit of tech out there, seamless remote connection without the need for a software client or even the need to push a button to make it work


  8. #8 localzuk
    Quote Originally Posted by jamesfed View Post
    Just to put some things straight about DA in 2012 (we have it setup here)-

    -You only need a single external IP and it can be v4
    -You can use NAT
    -Windows 7 clients are backwards compatible with Server 2012 after deploying an internal CA
    -You only need 443 open if using IP-HTTPS (which is easy!)
    -DA is the MOST AMAZING bit of tech out there, seamless remote connection without the need for a software client or even the need to push a button to make it work
    Agreed, it is easy to set up too, supposedly, so long as it doesn't randomly break like mine has!

    Configuring RemoteAccess (DirectAccess)
