Microsoft makes the new DirectAccess in Server 8 work behind NATs, finally

Well, sort of…

Bits and pieces are popping up all over the Internet stating that the new DirectAccess in Server 8 supports putting the server behind a NAT. Yes, this is true, but with many limitations.

First, let's start with the setup page that is causing all this debate.

As you can see, we have 3 options for installing our DA server.

The Edge option is the standard we are all used to.

The other two will allow you to set up your DA server behind a NAT. That's great; I have been waiting for that for years. So I took a deeper look into it, found this page, and am quoting this section:

Support for DirectAccess Server behind a NAT Device

A Windows Server 2008 R2 DirectAccess server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. This is required so that it can act as a Teredo server. In order for clients behind a NAT to determine the Teredo server and the type of NAT device, the Teredo server requires two consecutive IPv4 addresses.

This requirement presents difficulty for small and medium organizations that do not have access to consecutive, public IPv4 addresses. In the future this has the potential to become a deployment blocker as the available IPv4 address space is exhausted. Windows Server “8” Beta DirectAccess provides the ability to deploy the DirectAccess server behind a NAT device, with support for a single network interface or multiple interfaces, and removes the public IPv4 address prerequisite.

When the Remote Access Services setup Getting Started Wizard or Remote Access Setup Wizard is run, it will check the status of network interfaces on the server to determine if the DirectAccess server is located behind a NAT device. In this configuration, only IP over HTTPS (IP-HTTPS) will be deployed. The IP-HTTPS protocol is an IPv6 transition technology that allows for a secure IP tunnel to be established using a secure HTTP connection.

Damn. Like I said, there are limitations: behind a NAT you can only have IP-HTTPS tunnels.
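To make the two conditions in the quoted section concrete, here is a small added check (my own example, not Microsoft's wizard code) that classifies the external interface's IPv4 addresses the way the quoted text describes: any private or carrier-grade NAT address means the server is behind a NAT and only IP-HTTPS is deployed, while Teredo additionally needs two consecutive public addresses. The sample addresses are constructed, and the 203.0.113.x documentation range stands in for public space.

```python
import ipaddress

# Ranges that mean a NAT device (or no public route) sits in front of the
# interface: RFC 1918 private space, RFC 6598 carrier-grade NAT, link-local
# and loopback. Anything else is treated as public for this check, which is
# why the 203.0.113.0/24 documentation range can stand in for public space.
NAT_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]


def is_behind_nat(addr: str) -> bool:
    """True when the address cannot be a public edge address."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in NAT_RANGES)


def has_consecutive_public_pair(addrs) -> bool:
    """Teredo server prerequisite from the quoted text: two consecutive
    public IPv4 addresses on the external interface."""
    public = sorted(int(ipaddress.IPv4Address(a)) for a in addrs
                    if not is_behind_nat(a))
    return any(b - a == 1 for a, b in zip(public, public[1:]))


def plan_transition_technologies(external_addrs):
    """Mirror the wizard's decision: behind a NAT (or no public address at
    all) -> IP-HTTPS only; on the edge -> Teredo too, given a consecutive pair."""
    addrs = list(external_addrs)
    if not addrs or any(is_behind_nat(a) for a in addrs):
        return {"topology": "behind NAT", "technologies": ["IP-HTTPS"]}
    technologies = ["IP-HTTPS"]
    if has_consecutive_public_pair(addrs):
        technologies.insert(0, "Teredo")
    return {"topology": "edge", "technologies": technologies}


if __name__ == "__main__":
    # Constructed sample interface configurations.
    samples = {
        "single NAT address": ["192.168.1.10"],
        "CGNAT address": ["100.64.3.4"],
        "one public address": ["203.0.113.10"],
        "consecutive public pair": ["203.0.113.10", "203.0.113.11"],
        "non-consecutive pair": ["203.0.113.10", "203.0.113.12"],
    }
    for name, addrs in samples.items():
        print(f"{name:25} -> {plan_transition_technologies(addrs)}")
```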

But that basically equals the speed of a traditional VPN, with the added security and transparency of DirectAccess. One thumb down and two thumbs up.

Well, it was a good job I worked out how to get Teredo to work behind NATs then, isn't it? By simply selecting the Edge option and talking to the guys at you too can have Teredo speeds when you are behind a NAT.

Don't settle for IP-HTTPS when, with a quick phone call, you too can smile all the way home, working faster than your fellow man.

Comments (3)

  1. Jakob Heidelberg wrote:

    I think it’s very interesting what you have done, enabling the use of DA servers behind NAT devices, while utilizing Teredo – before Microsoft had that solution. Cool stuff!

    However, DA in Windows Server 2012 does not only enable the use of NAT at the server site (which leads to the use of IP-HTTPS as you also state) – it ALSO optimizes performance of IP-HTTPS, which was previously encrypted twice (both IPSec and HTTPS).

    The question remains whether or not Teredo still performs better than the new version of IP-HTTPS. I would think the optimized protocol makes it more or less the same – have you tested it by any chance?

    Please read the section “IP-HTTPS Interoperability and Performance Improvements”:

    Thank you for now!

    Posted 04 Jun 2012 at 6:50 pm
  2. Scott Logan wrote:

    We have not speed tested the new Windows 8/2012 version, no. However, we are pretty sure that Teredo will always be faster due to it being UDP. If it wasn’t, there would be no need for Teredo. We are now working on getting 6To4 to work, which all our customers will get as a free upgrade when we finish testing it.

    Posted 04 Jun 2012 at 7:21 pm
  3. bondo wrote:

    How do the 4 DirectAccess transition technologies work?

    Posted 12 May 2015 at 12:31 pm
