Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 2)

by Marc Grote [Published on 2 July 2013 / Last Updated on 2 July 2013]

In this second article the author explains how to create Firewall policy rules on Forefront TMG Server and how to configure Windows 8 clients as DirectAccess clients.

If you would like to read the first part of this article series, please go to Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 1).

Introduction

This is a two-part article series where I will show you how to configure Windows Server 2012 as a DirectAccess Server and how to configure Firewall policy rules on the Forefront TMG Server to allow DirectAccess clients to access the DirectAccess Server. In the first part I talked about some basic DirectAccess technologies and how to configure the DirectAccess feature of Windows Server 2012. This part of the article series explains how to configure Forefront TMG to allow DirectAccess clients to access the DirectAccess Server and how to connect DirectAccess clients.


Let's begin

To publish the Windows Server 2012 DirectAccess Server we must use a Non-Webserver Protocol publishing rule. A Webserver publishing rule with HTTPS-to-HTTPS bridging cannot be used, because the HTTPS channel between the DirectAccess client and the DirectAccess server must pass through the Forefront TMG Server unchanged; bridging would terminate the TLS session on the TMG Server and re-establish it towards the published server.

Create a publishing rule on the Forefront TMG Server

Start the new Non-Webserver Protocol Publishing Rule wizard. Name the publishing rule DirectAccess and specify the IP address of the Windows Server 2012 DirectAccess Server.

Figure 1: Select the Server to publish

Select the predefined protocol HTTPS-Server.

Figure 2: Protocol is HTTPS-Server

Forefront TMG must listen on the External network. If the Forefront TMG Server has only one IP address assigned on the external network adapter, select only the External network. If there are multiple IP addresses bound to the external interface, select the specific address reserved for DirectAccess.

Figure 3: Select the External network

If the Windows Server 2012 DirectAccess Server is not a SecureNAT client of the TMG Server (its default gateway does not point to the Forefront TMG Server), change the setting on the To tab of the publishing rule to "Requests appear to come from the Forefront TMG computer".

Figure 4: Change the requests for the published Server if the Server's Default Gateway doesn't point to the Forefront TMG Server

Additional ports

Depending on the configuration chosen in the DirectAccess wizard it may be necessary to create additional Firewall Policy rules on the Forefront TMG Server. A TechNet article explains which additional ports must be opened at the edge firewall for full DirectAccess connectivity if the Teredo or 6to4 transition technologies are to be used. For full DirectAccess connectivity you must open UDP port 3544 inbound and outbound for the Teredo protocol, and IP protocol 41 for 6to4.

Teredo Inbound

Figure 5: Additional ports for the Teredo protocol

Teredo Outbound

Figure 6: Additional ports for the Teredo protocol

IP Protocol 50 Inbound – Outbound

Figure 7: Additional ports for the IP level 41 protocol

With these new protocol definitions, create two new Firewall policy rules. The first Firewall policy rule allows IP protocol 41 and the Teredo protocol from EXTERNAL to the Windows Server 2012 DirectAccess Server.

Figure 8: Final Firewall Policy rules

The next required Firewall policy rule allows the Teredo protocol from the DirectAccess server to EXTERNAL.

Attention:
This setting requires that the network relationship on the Forefront TMG Server from the INTERNAL to EXTERNAL network is ROUTE instead of NAT (the default).
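The same protocol definitions (Figures 5 to 7) and the two access rules (Figure 8) can be created through the Forefront TMG administration COM object instead of the wizard. The following script is an added example and not the article's own; it assumes the DirectAccess server address and computer-object name shown, and the numeric values of the FpcXxx enumerations are taken from the TMG SDK reference because PowerShell cannot read those constants from the type library.

```powershell
# Added example, not the article's script: protocol definitions of Figures
# 5 to 7 and the two access rules of Figure 8 via the TMG COM API (FPC.Root).
# Run in an elevated PowerShell on the TMG server; review before applying.
$daServerIp   = "192.168.1.10"         # assumed lab address of the DA server
$daServerName = "DirectAccess Server"  # computer object created below

# Enumeration values assumed from the TMG SDK reference.
$fpcInbound = 0; $fpcOutbound = 1         # FpcConnectionDirection (raw IP)
$fpcReceiveSend = 2; $fpcSendReceive = 3  # FpcUDPConnectionDirection
$fpcInclude = 0                           # FpcIncludeStatus
$fpcSpecifiedProtocols = 1                # FpcProtocolSelectionType
$fpcPolicyRuleActionPermit = 1            # FpcPolicyRuleActions (Deny = 0)

$root     = New-Object -ComObject FPC.Root
$array    = $root.GetContainingArray()
$elements = $array.RuleElements

# Computer object for the published Windows Server 2012 DirectAccess server.
$elements.Computers.Add($daServerName, $daServerIp) | Out-Null

# Teredo is UDP 3544; one definition per direction, as in Figures 5 and 6.
$tIn = $elements.ProtocolDefinitions.Add("Teredo Inbound")
$tIn.PrimaryConnections.AddUDP($fpcReceiveSend, 3544, 3544) | Out-Null
$tOut = $elements.ProtocolDefinitions.Add("Teredo Outbound")
$tOut.PrimaryConnections.AddUDP($fpcSendReceive, 3544, 3544) | Out-Null

# 6to4 is raw IP protocol 41, needed in both directions (Figure 7).
$p41 = $elements.ProtocolDefinitions.Add("IP Protocol 41")
$p41.PrimaryConnections.AddRAW($fpcInbound, 41)  | Out-Null
$p41.PrimaryConnections.AddRAW($fpcOutbound, 41) | Out-Null

# Rule 1: Teredo and protocol 41 from EXTERNAL to the DirectAccess server.
$r1 = $array.ArrayPolicy.PolicyRules.AddAccessRule("DirectAccess Teredo/6to4 inbound")
$r1.Action = $fpcPolicyRuleActionPermit
$r1.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
foreach ($p in "Teredo Inbound", "IP Protocol 41") {
    $r1.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude) | Out-Null
}
$r1.SourceSelectionIPs.Networks.Add("External", $fpcInclude) | Out-Null
$r1.AccessProperties.DestinationSelectionIPs.Computers.Add($daServerName, $fpcInclude) | Out-Null

# Rule 2: Teredo from the DirectAccess server to EXTERNAL (needs the ROUTE
# relationship between INTERNAL and EXTERNAL described above).
$r2 = $array.ArrayPolicy.PolicyRules.AddAccessRule("DirectAccess Teredo outbound")
$r2.Action = $fpcPolicyRuleActionPermit
$r2.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$r2.AccessProperties.SpecifiedProtocols.Add("Teredo Outbound", $fpcInclude) | Out-Null
$r2.SourceSelectionIPs.Computers.Add($daServerName, $fpcInclude) | Out-Null
$r2.AccessProperties.DestinationSelectionIPs.Networks.Add("External", $fpcInclude) | Out-Null

$array.Save()
```

The script leaves the user set and the rule order at their defaults, so check both in the Firewall Policy view before you apply the configuration.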

Apply Group Policy to the client

After the Firewall policy rules and the publishing rule have been configured on the Forefront TMG Server, apply the group policy to the DirectAccess client. To do this, add the computer account of the client computer to the Windows security group for DirectAccess clients, reboot the client machine and check whether the group policy settings have been applied. If this is not the case, update the group policy manually (Gpupdate /force) and restart the client. After the reboot, verify that the group policy has been applied to the client (for example with Gpresult.exe /v | more).

If the group policy has been applied successfully, your client computer should now be a DirectAccess client. Check DirectAccess connectivity with a simple ping to one of your internal clients or servers; the reply should come back from an IPv6 address.

Figure 9: Check DirectAccess connectivity

Windows 8 has a built-in Network Connectivity Assistant (NCA) which gives you more information about the DirectAccess state, as shown in the following screenshot. Depending on your DirectAccess configuration on the Windows Server 2012 DirectAccess Server you will see a different name for the DirectAccess connection.
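The client-side checks above (group policy applied, IPv6 reply from an internal host, NCA state) can be run as one script from a Windows 8 client on the Internet side. This is an added example, not part of the article; it assumes the internal host name and the NRPT namespace shown, which you replace with the values of your deployment.

```powershell
# Added example (not from the article): checks on a Windows 8 client, from
# the Internet side, that the DirectAccess GPO settings arrived and that the
# IPv6 path into the intranet works, i.e. Figures 9 and 10 as a script.
$internalHost = "srv01.corp.example"   # assumed internal server to reach
$nrptSuffix   = ".corp.example"        # assumed DNS suffix in the NRPT rule

$results = @()
function Check([string]$what, [bool]$pass) {
    $script:results += [pscustomobject]@{
        Result = $(if ($pass) { "PASS" } else { "FAIL" }); Check = $what }
}

# 1. The DirectAccess GPO fills the Name Resolution Policy Table: a rule for
#    the intranet suffix shows the policy was applied (gpresult /v lists it too).
$nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue
Check "NRPT rule for $nrptSuffix (DirectAccess GPO applied)" `
      ([bool]($nrpt | Where-Object Namespace -eq $nrptSuffix))

# 2. The Network Connectivity Assistant settings come from the same GPO.
$nca = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
Check "NCA configured (connection name: $($nca.FriendlyName))" ($null -ne $nca)

# 3. Transition technology: for the Teredo path opened on TMG the client
#    adapter must reach the 'qualified' state.
$teredo = Get-NetTeredoState
Check "Teredo qualified (state: $($teredo.State))" ("$($teredo.State)" -eq "qualified")

# 4. The NCA's own verdict, as shown in Figure 10.
$da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
Check "DirectAccess ConnectedRemotely (status: $($da.Status))" `
      ("$($da.Status)" -eq "ConnectedRemotely")

# 5. The intranet host must resolve to an IPv6 address and answer a ping.
$aaaa = Resolve-DnsName -Name $internalHost -Type AAAA -ErrorAction SilentlyContinue |
        Where-Object Type -eq "AAAA"
Check "$internalHost resolves to IPv6 ($($aaaa.IPAddress -join ', '))" ([bool]$aaaa)
Check "$internalHost answers ping" `
      (Test-Connection -ComputerName $internalHost -Count 2 -Quiet)

$results | Format-Table -AutoSize
```

On the corporate network the NCA reports ConnectedLocally and Teredo stays offline, so checks 3 and 4 are expected to fail there; run the script from outside.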

Figure 10: Network Connectivity Assistant

Note:
This screenshot comes from my test environment where the client has no real Internet connectivity. So don't wonder why the status indicator tells us that there is no Internet connectivity.

For advanced troubleshooting, users can collect log files on the client, and if you specified an e-mail address in the DirectAccess configuration on the Windows Server 2012, users can send these log files to your support personnel.

The new DirectAccess component in Windows Server 2012 has a Remote Access Dashboard which gives you a quick overview of the state of every DirectAccess component.

Figure 11: A DirectAccess client is connected

The Remote Client Status dashboard gives you more details about connected clients. You can see the clients connected to the DirectAccess server, the communication protocol used and the amount of traffic used by the DirectAccess client.

Figure 12: Detailed connection information about the DirectAccess client

For detailed reports about DirectAccess connections you can configure enhanced reporting in the DirectAccess Management console.

Conclusion

In this second article I went through how to create Firewall policy rules on the Forefront TMG Server and how to configure Windows 8 clients as DirectAccess clients.

Related links

If you would like to read the first part of this article series, please go to Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 1).

The Author — Marc Grote

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts earned him recognition as a Microsoft MVP for ISA Server from 2004 until 2014. Since 2014 he has been awarded MVP for Hyper-V.