DirectAccess and Firewalls and NAT
It seems like we’ve run into a little confusion recently regarding how to deploy the UAG DA server in a firewalled environment.
If you look at our documentation for Packet Filtering for the Internet Firewall (https://technet.microsoft.com/en-us/library/ee809062.aspx) you’ll see that we fully support putting a firewall in front of the UAG DA server.
Discuss UAG DirectAccess issues on the TechNet Forums over at https://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag
To quote Packet Filtering for the Internet Firewall:
“Most organizations use an Internet firewall between the Internet and the computers on their perimeter network. The firewall is typically configured with packet filters that allow specific types of traffic to and from the perimeter network computers. When you add a Forefront UAG DirectAccess server to your perimeter network, you must configure additional packet filters, to allow the traffic to and from the Forefront UAG DirectAccess server for all the traffic that a DirectAccess client uses to obtain IPv6 connectivity to the Forefront UAG DirectAccess server.
The following describes the type of traffic you can configure on your Internet firewall depending on whether the Forefront UAG DirectAccess server is on an IPv4 or IPv6 Internet.
When the Forefront UAG DirectAccess server is on the IPv4 Internet
Configure packet filters on your Internet firewall to allow the following types of IPv4 traffic for the Forefront UAG DirectAccess server:
- Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.
- UDP destination port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.
- TCP destination port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.
When the Forefront UAG DirectAccess server is on the IPv6 Internet
Configure packet filters on your Internet firewall to allow the following types of IPv6 traffic for the Forefront UAG DirectAccess server:
- Protocol 50—Forefront UAG DirectAccess on the IPv6 Internet uses IPsec Encapsulating Security Payload (ESP) to protect the packets to and from the Forefront UAG DirectAccess server without the encapsulation headers required for IPv6 transition technologies. In the IPv6 header, the Protocol field is set to 50 to indicate an ESP-protected payload.
- UDP destination port 500 inbound and UDP source port 500 outbound—Forefront UAG DirectAccess on the IPv6 Internet uses the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) protocols to negotiate IPsec security settings. The Forefront UAG DirectAccess server is listening on UDP port 500 for incoming IKE and AuthIP traffic.
- All ICMPv6 traffic inbound and outbound.”
However, this documentation has caused some confusion, because some admins conflate firewalling with NAT. While it is true that most firewalls are deployed with NAT enabled, that doesn’t mean you must NAT connections coming through the firewall. In fact, the UAG Infrastructure and Planning Guide (https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=110b4c77-b411-4845-9b82-40a733b17003) states:
“Are you deploying Forefront UAG as a DirectAccess server? -A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device” [italics mine]
So to answer the question “can you put the UAG DA server behind a front-end firewall?”: the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess server.
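To make the two points above concrete (the packet filters quoted from the TechNet page, and the "firewall yes, NAT no" rule), here is an added example that is not part of the original post and not Microsoft's code. It models the Internet-firewall filters as a small Python checker you can run against constructed packet records, and it adds a 6to4 address calculation (RFC 3056 embeds the server's IPv4 address in the 2002::/16 prefix) to show why a NATed, private IPv4 address on the DA server breaks the transition technology. The Packet type, the rule functions and all sample addresses and packets are assumptions constructed for the example; the port and protocol numbers are the ones the quoted documentation lists.

```python
"""Model of the Internet-firewall packet filters for a Forefront UAG
DirectAccess server, plus a 6to4 check that shows why the server needs an
un-NATed public IPv4 address.

Added example: not Microsoft's code and not a firewall configuration.
Rules are transcribed from the TechNet text quoted in the post; the packet
records and IP addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

# IP protocol / next-header numbers used by the quoted rules
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41   # 6to4: IPv6 carried directly inside IPv4
PROTO_ESP = 50          # IPsec ESP on the native IPv6 Internet
PROTO_ICMPV6 = 58


@dataclass(frozen=True)
class Packet:
    version: int       # outer IP version, 4 or 6
    proto: int         # IP protocol (v4) or next header (v6)
    direction: str     # "in" = Internet -> DA server, "out" = DA server -> Internet
    sport: int = 0     # transport source port, 0 when not applicable
    dport: int = 0     # transport destination port, 0 when not applicable


def allowed_ipv4(pkt: Packet) -> bool:
    """Filters to apply when the DA server sits on the IPv4 Internet."""
    if pkt.version != 4:
        return False
    if pkt.proto == PROTO_IPV6_ENCAP:            # 6to4, inbound and outbound
        return True
    if pkt.proto == PROTO_UDP:                   # Teredo, server listens on 3544
        return (pkt.direction == "in" and pkt.dport == 3544) or \
               (pkt.direction == "out" and pkt.sport == 3544)
    if pkt.proto == PROTO_TCP:                   # IP-HTTPS, server listens on 443
        return (pkt.direction == "in" and pkt.dport == 443) or \
               (pkt.direction == "out" and pkt.sport == 443)
    return False                                  # everything else is dropped


def allowed_ipv6(pkt: Packet) -> bool:
    """Filters to apply when the DA server sits on the IPv6 Internet."""
    if pkt.version != 6:
        return False
    if pkt.proto in (PROTO_ESP, PROTO_ICMPV6):   # ESP and all ICMPv6
        return True
    if pkt.proto == PROTO_UDP:                   # IKE / AuthIP on UDP 500
        return (pkt.direction == "in" and pkt.dport == 500) or \
               (pkt.direction == "out" and pkt.sport == 500)
    return False


def filter_batch(packets, rule):
    """Apply one rule set to a batch; returns (packet, verdict) pairs."""
    return [(p, "ALLOW" if rule(p) else "DROP") for p in packets]


# --- why the DA server must not sit behind NAT ---------------------------
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def sixto4_address(ipv4: str) -> ipaddress.IPv6Address:
    """6to4 (RFC 3056): the IPv4 address occupies bits 16-47 of 2002::/16,
    so a host's 6to4 prefix is a function of the IPv4 address it holds."""
    packed = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (packed << 80))


def nat_breaks_6to4(server_local_ipv4: str, public_ipv4: str) -> bool:
    """True when the server's own address and the address clients reach it
    on yield different 6to4 prefixes (private local address behind NAT):
    6to4 peers extract the IPv4 tunnel endpoint from the 2002: address, so
    the two sides would disagree on where to send encapsulated packets."""
    return is_rfc1918(server_local_ipv4) or \
        sixto4_address(server_local_ipv4) != sixto4_address(public_ipv4)


if __name__ == "__main__":
    # Constructed sample traffic seen at the Internet firewall
    samples = [
        Packet(4, PROTO_UDP, "in", sport=51000, dport=3544),   # Teredo client
        Packet(4, PROTO_TCP, "in", sport=51001, dport=443),    # IP-HTTPS client
        Packet(4, PROTO_IPV6_ENCAP, "out"),                    # 6to4 reply
        Packet(4, PROTO_TCP, "in", sport=51002, dport=3389),   # RDP: dropped
    ]
    for pkt, verdict in filter_batch(samples, allowed_ipv4):
        print(f"{verdict:5} {pkt}")
    # Constructed addresses: 203.0.113.10 stands in for the public address
    print("NAT breaks 6to4:", nat_breaks_6to4("192.168.1.10", "203.0.113.10"))
    print("No NAT, 6to4 ok:", not nat_breaks_6to4("203.0.113.10", "203.0.113.10"))
```

The rule functions are deliberately direction-aware, matching the quoted text's pairing of "destination port inbound" with "source port outbound"; a filter that only matched the destination port in both directions would either block the server's replies or open more than the documentation calls for.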
HTH,
Tom
Tom Shinder
tomsh@microsoft.com
Microsoft ISDiX/SCDiX
UAG Direct Access/Anywhere Access Team
The “Edge Man” blog (DA all the time): https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder
Comments

Anonymous
January 01, 2003
The comment has been removed

Anonymous
January 01, 2003
Tom, if I have a customer that is doing some kind of fancy NAT on their ASA (still giving me a public IP address but having a NAT entry for the IP in their rules), will this likely give me some strange niggly issues? Thanks, Stephen

Anonymous
January 01, 2003
Hi Tom, is it so necessary to exclude NAT at all? I'm using a simple D-Link ADSL router to connect to the Internet. Isn't it sufficient to forward protocol 41 and UDP port 3544 in and out to the DirectAccess server behind the firewall? Really detailed info, but why is NAT so bad and how do I overcome this? Ilya

Anonymous
January 01, 2003
The comment has been removed

Anonymous
October 08, 2011
hypothesis, as the UAG server will require a public IP address you may have to change your simple D-Link ADSL router. NAT, in layman's terms, allows devices behind your firewall to utilize public IPs whilst having a non-public IP address.

Anonymous
April 16, 2012
Other commenters, please read the closing statement: "that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server."

Anonymous
November 23, 2015
I do not understand NAT