DirectAccess DMZ NIC Has Domain Profile
DirectAccess can use two types of network topology: single NIC, where the DirectAccess server sits on the domain network only, or dual NIC, where the DirectAccess server sits in a DMZ and also on the domain. Obviously these are two totally independent networks that you should not be able to route between. Ref below.
On a recent DirectAccess project I was involved in, the client required the DirectAccess server to use the dual NIC design, so during the build of the virtual machine it was allocated two network cards. Once built, each network card was allocated an IP address from its respective range.
The LAN connection picked up the domain suffix of the domain it was attached to, "Domain.com", as expected, but the DMZ NIC, which was on a completely different IP range, also picked up the domain suffix. This meant that the DMZ could obviously route to the domain subnet. To confirm this I used the command below.
ping -S 172.20.1.10 192.168.1.1
In the command above I ping from the source IP (the DMZ NIC) to the domain IP, and the ping was successful. As you know, during an install of DirectAccess the installer checks that the two NICs cannot route traffic to each other; if they can, you will see the following error, as I did, and the DirectAccess install will not let you continue.
The underlying issue you need to resolve is routing between your DMZ and the domain for this server; we can, however, create a workaround with the inbuilt firewall in Windows Server. Follow the step-by-step rule creation below.
- Run firewall.cpl
- Click Advanced settings
- Right click Outbound Rules and select New Rule
- Select Custom rule
- Select All programs
- Select Any protocol and all ports
- In local IP address enter the DMZ NIC IP address
- In remote IP address enter the IPs of ALL DOMAIN CONTROLLERS AND DNS SERVERS on the domain
- Select Block the connection
- Select all profiles: Domain, Private and Public
- Give it a sensible name so you can identify it later
Then go to network management and disable and re-enable both network cards. Once re-enabled you will see that your DMZ NIC no longer picks up the Domain profile, and you can continue the DirectAccess install.
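The same outbound block rule, adapter bounce and profile check as a PowerShell script, added here as an example and not part of the original post. The DMZ address 172.20.1.10 is taken from the ping test above; the domain controller / DNS server addresses and the adapter name "DMZ" are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Values below are placeholders
# except the DMZ IP, which is the one used in the post's ping test.
$DmzIp      = '172.20.1.10'
$DcAndDns   = @('192.168.1.10', '192.168.1.11')   # placeholder: EVERY DC and DNS server IP on the domain
$RuleName   = 'Block DMZ NIC to domain controllers and DNS'
$DmzAdapter = 'DMZ'                                # placeholder: adapter name shown in Network Connections

# Mirror the GUI steps: outbound, custom, all programs, any protocol/port (the
# defaults when -Protocol/-LocalPort/-RemotePort are omitted), local address =
# DMZ NIC, remote = DCs/DNS servers, block, all three profiles. All profiles
# matter because the DMZ NIC is still in the Domain profile when the rule is
# created and will drop to Public/Private after the adapter is bounced.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound `
        -Action Block `
        -Enabled True `
        -Profile Any `
        -Program Any `
        -LocalAddress $DmzIp `
        -RemoteAddress $DcAndDns `
        -Description 'Stops domain discovery from the DMZ NIC so NLA does not assign the Domain profile' |
        Out-Null
}

# Bounce the DMZ adapter so Network Location Awareness re-evaluates its profile
# (the post disables and re-enables both cards from the GUI).
Restart-NetAdapter -Name $DmzAdapter -Confirm:$false
Start-Sleep -Seconds 10

# Show the profile of every connected adapter; the DMZ one should no longer be DomainAuthenticated.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory |
    Format-Table -AutoSize

$dmzProfile = Get-NetConnectionProfile -InterfaceAlias $DmzAdapter -ErrorAction SilentlyContinue
if ($dmzProfile -and $dmzProfile.NetworkCategory -eq 'DomainAuthenticated') {
    Write-Warning 'DMZ NIC still has the Domain profile: check the rule and that the DC/DNS list is complete.'
}

# Repeat the post's source-bound ping test; it should now fail for every DC/DNS address.
foreach ($target in $DcAndDns) {
    ping.exe -S $DmzIp -n 2 $target
}
```

Keep in mind what this rule does and does not do: it stops the DMZ NIC from talking to the domain controllers and DNS servers, which is enough to keep Network Location Awareness from classifying that interface as domain-joined, but it does not fix the routing between the DMZ and the domain subnet that the DirectAccess prerequisite check is complaining about. Leave the rule in place after the install and treat the routing itself as the item to raise with the network team.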
Tags: directaccess