Windows Server 2012 Thread, Direct Access from behind a firewall in Technical
13th December 2012, 10:02 AM #1
Direct Access from behind a firewall
Anyone have any ideas which ports I should be opening to a DA server? I'm finding all sorts of ports listed all over the place, some with long lists, some just saying port 443 only?
13th December 2012, 10:06 AM #2
I think that you need the following:
Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.
UDP destination port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.
TCP destination port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.
I have only copied the section relating to an IPv4 Internet connection - I assume your ISP has not provided you with IPv6 addresses
This was taken from Tom Shinder's Blog - although this talks about being when you use a UAG server I believe the same is true if you have your DirectAccess server directly published.
It is also worth noting that you cannot place a DirectAccess server behind a NAT translator, i.e. if your internet connection is provided by the LA and your servers are assigned a 10.x.x.x address you cannot use that to provide DirectAccess. The DirectAccess server (or UAG server if you have one of those) should have a valid Internet IP address.
Last edited by Ergo; 13th December 2012 at 10:10 AM.
13th December 2012, 10:13 AM #3
So, as we'll be using IP-HTTPS to encapsulate the IPv6 packets, it does look like port 443 then!
IPv6 is still far off in the distance down here as far as I know.
We won't be using UAG, but there are other firewalls in between the net and the server.
You can put DirectAccess in Server 2012 behind NAT, that's one of the main features of the new release.
13th December 2012, 10:14 AM #4
Sounds like I need to get some upgrading of my skills done!
Originally Posted by localzuk
Thanks for the tip.
13th December 2012, 10:19 AM #5
The new feature only allows the IP-HTTPS encapsulation from behind NAT though, Teredo or native IPv6 don't work from behind NAT natively (although there is someone who has posted on here saying they can do it, and they sell their services to do it).
Originally Posted by Ergo
13th December 2012, 10:22 AM #6
The limitation is from it needing to 'see' a couple of external addresses. Double NAT on the addresses from outside to inside should trick the machine into playing ball. I'm sure that sufficient hacking about with a Linux firewall dist would enable it or probably three or four lines on a decent Cisco router. With double 1 to 1 NAT enabled it should be completely transparent to the box so it should just work.
Originally Posted by localzuk
Last edited by SYNACK; 13th December 2012 at 10:38 AM.
13th December 2012, 11:51 AM #7
Just to put some things straight about DA in 2012 (we have it setup here)-
-You only need a single external IP and it can be v4
-You can use NAT
-Windows 7 clients are backwards compatible with Server 2012 after deploying an internal CA
-You only need 443 open if using IP-HTTPS (which is easy!)
-DA is the MOST AMAZING bit of tech out there, seamless remote connection without the need for a software client or even the need to push a button to make it work
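As an added illustration of the port lists in posts #2 and #7 (this is not code from the thread, from Microsoft or from any of the posters), the PowerShell 3.0 snippet below does two things from a Windows 8 / Server 2012 DirectAccess client: it prints which edge openings a given deployment actually needs (only TCP 443 when the server sits behind NAT, since only IP-HTTPS works there), and it checks that the firewall in front of the server really passes TCP 443 by completing a TLS handshake against the IP-HTTPS listener and reporting the certificate subject. The hostname da.example.com, the rule table and the function names are assumptions for illustration; the NetworkTransition cmdlets it calls at the end exist on Windows 8 / Server 2012 but not on an unpatched Windows 7 client.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0 (Windows 8 / Server 2012 client).
# Hostname and rule table below are placeholders for illustration.

# Edge firewall openings per transition technology, as listed in the thread.
$TransitionRules = @(
    @{ Technology = 'IP-HTTPS'; Protocol = 'TCP'; Port = 443;   WorksBehindNat = $true  }
    @{ Technology = 'Teredo';   Protocol = 'UDP'; Port = 3544;  WorksBehindNat = $false }
    @{ Technology = '6to4';     Protocol = '41';  Port = 'n/a'; WorksBehindNat = $false }
)

function Get-RequiredEdgeRules {
    param([bool]$ServerBehindNat)
    # Server 2012 behind NAT can only terminate IP-HTTPS, so Teredo and 6to4 rules are pointless there.
    $TransitionRules |
        Where-Object { -not $ServerBehindNat -or $_.WorksBehindNat } |
        ForEach-Object { New-Object PSObject -Property $_ }
}

function Test-IpHttpsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,   # public name on the IP-HTTPS certificate
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = @{ Fqdn = $Fqdn; Port = $Port; TcpOpen = $false; TlsOk = $false; CertSubject = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect first: a closed or filtered 443 fails here, before any TLS.
        $async = $client.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${Fqdn}:$Port timed out" }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Full TLS handshake with normal chain validation. A device intercepting 443 with its
        # own certificate, or a cert whose subject does not match the FQDN, fails here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $result.TlsOk = $true
        $result.CertSubject = $ssl.RemoteCertificate.Subject
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property $result
}

function Get-ClientTransitionState {
    # NetworkTransition module ships with Windows 8 / Server 2012; older clients do not have it.
    if (-not (Get-Command Get-NetIPHttpsState -ErrorAction SilentlyContinue)) {
        return 'NetworkTransition cmdlets not available on this client; use netsh interface httpstunnel show interfaces'
    }
    Get-NetIPHttpsState
    Get-NetTeredoState
}

# Usage (da.example.com is a placeholder, not a real DirectAccess server):
Get-RequiredEdgeRules -ServerBehindNat $true | Format-Table Technology, Protocol, Port -AutoSize
Test-IpHttpsEndpoint -Fqdn 'da.example.com' | Format-List
Get-ClientTransitionState
```

Run it from outside the network (a tethered phone will do) so the probe crosses the same edge firewall the clients will. TcpOpen true with TlsOk false usually means something between the client and the server is terminating or inspecting 443; both false means the port is simply not open or not forwarded to the DirectAccess server.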
13th December 2012, 12:00 PM #8
Agreed, it is easy to set up too, supposedly, so long as it doesn't randomly break like mine has!
Originally Posted by jamesfed