Are you aware that direct access requires IPv6 on the server and the client ?

This might be a useful starting place for you

http://channel9.msdn.com/Shows/Edge/Edge-Show-35-DirectAccess-Deployment?format=html5

Thanks, but I just want to dive in.
What I do would like to know if directaccess can work with port redirection (for example from no-ip.com)? Reason:my provider blocks ports underneith 443, but most networks only allow 80 or 44.

443 I meant, can t edit previous post on mobile.

I don't know of a "port redirection" service, dynamic DNS is only for hostname resolution, not modifying the port an application can be accessed on.

If you are on a dynamic IPv4 address, what mechanism do you use for IPv6 ?

Yes it is, check no-ip.com

Are you planning to install DA on a Win2012 server? MS improved DA alot from Win2008R2 like simplified deployment, NAT64 and DNS64 (meaning you don't need a IPv6 internal network), you don't need a PKI in house.

For a complete list: http://technet.microsoft.com/nb-no/library/hh831416.aspx

If you are going to start setting up DA, I assume you have control of the FW and can allow IPSec, terredo, ip-https traffic. I doubt it will work with port redirection like you mentioned.

Windows 2012 indeed. Certs are still necessary for win 7, but not win 8 as far as I know.
Why would port fw not work? Do you have   Another suggestion for my situation then?

How about an SSTP VPN ?

You can configure SSTP to run on a different port to 443

SSTP traffic goes over NAT without any issues

SSTP does not require IPv6 on the client and server.

You mean ssl vpn? I have it running already. Great, but I need a clientless solution.

How is the IPv6 connectivity provided at the main site ?

How is the IPv6 connectivity provided at the remote location ?

Why not ask no-ip.com if they have any experience with DA?

I have only setup DA with use of UAG. You then need two sequential official IPv4 addresses. I'm not sure if that is the case with DA on Win2012.

The clients must be able to communicate with the DA server's external NIC over IPv6.

2012 is successor of uag, uag is not an option (for me).

=> http://blog.concurrency.com/infrastructure/10-reasons-why-you-should-not-use-uag-for-directaccess-anymore/

why not change ISP to one that doesn't block inbound traffic ?

can you please answer the following questions

How is the IPv6 connectivity provided at the main site ?
How is the IPv6 connectivity provided at the remote location ?

Because none of the ISP's allow it unless you start a business. I don't want to start a business just for that.
As far as I understood, IPV6 is routed over IPV4 so why is that important?
The main site is my home lab so no problem, I can configure whatever needed.
The remote site is office location, standard windows 7.

I think you misunderstand about IPv6

IPv6 can be provided in a 6in4 tunnel, or it can be provided natively.

You need routed IPv6 between the client and the Direct Connect server, and from what you have described you do not have this.

If you only have IPv4 connectivity, then you could use the IPv6 tunnel services from he.net or sixxs.net, but to use this you need to be able to run protocol 41 which might be blocked...

Alternatively, if this is just between two sites, why not simply run a site to site VPN ?

I’m looking at a clientless/”out of the box” vpn solution which works securely from anywhere to a lab environment which is privately hosted (meaning ports underneath port 1024 are blocked).

As far as I know only direct access can do this (openvpn needs client, ssl vpn of my firewall needs it), provided I’d find a port-forwarding solution (or other).

Why do you need a "clientless" solution ?

the no-ip "port forward" service is for HTTP traffic on port 80 which it will do with a HTTP  redirect, this will not work for your scenario.

How about running Direct Access server on a "managed server" with a site to site VPN to your LAB ?

or as I suggested, move to an ISP that allows inbound connectivity on ports below 1024.

Are you are aware that the windows client needs to be Windows 8 Enterprise ? http://en.wikipedia.org/wiki/DirectAccess#Requirements

Clientless = without client. Direct access only needs a certificate, nothing more.
Openvpn, ssl vpn Juniper etc need to install a client in order to function. I don't want this.
Why site to site? I'm not always managing the networks from which I connect, so why should I setup a site to site for only the demo pc's I need a connection for?

There is no provider which offers this for home users and I cannot start a business only for this.

Yes I know, therefore I will install certificates (Windows 7) which work with direct access 2008/2012.

you did not answer my question "Why do you need a "clientless" solution ?"

what country are you in ?

if you re-read my suggestion about the site to site tunnel, it is from the "hosted" Direct Access server to your home network, this could be over an OpenVPN connection on a "high port" any thus bypass your ISP restriction of ports under 1024

the other alternative I can think of would be to run PuTTY in portable mode (doesn;t require installation)  on your "client", connecting to an SSH server running on a high port on your home network and forwarding ports over SSH

PuTTY in portable mode can be run from a USB key

Why do you need a "clientless" solution

=> Because I work in different environments and don't want to install software on those different clients meaning people who work on the pc after me could see the software and configuration and try to connect theirselves.
Even a portable client I might forget and people would start playing around with it f.e. openvpn is clearly a way to connect to a remote openvpn-solution.

Putty sounds good, it is pretty harmless and available everywhere.

But then again, I’m stuck:
1.      I setup ssh on remote server
2.      I set portforward on my firewall, f.e. 1025
3.      I set putty to use proxy of connecting network

Now many proxies only support 80, 8080 or 443. 8080 is in use for my openvpn (use it all the time for my Iphone, Ipad, laptop).
So I’m totally stuck.

or you could just use PuTTY on the AWS instance to connect over an IPv4 OpenVPN tunnel to your home network.

Why would I need da when aws offers vpn?

How would you use the Amazon VPN ?

Why would I need da when aws offers vp? Don t know what aws is but vpn looks like ote connection to me where an extra da doesn t fit in.

Ah so Amazon it is. Don t understand your concept though.

what part of it do you not understand ?

Don't know anything about Amazon, what should I setup?

an AWS account and then a micro aws instance

configure an elastic IP address, so the public IP address remains static

install and configure OpenVPN and you're there

Thanks, but I'm lost again. I don't see any way to configure a micro aws or "elastic ip".
Is there a step-by-step guide to do this?

This is what I see:

Welcome

The AWS Management Console provides a graphical interface to Amazon Web Services. Learn more about how to use our services to meet your needs, or get started by selecting a service.
Getting started guides Reference architectures Free Usage Tier
Set Start Page
AWS re:Invent - November 27-29, 2012 Las Vegas - Register Now
Amazon Web Services
Compute & Networking
 
Direct Connect
Dedicated Network Connection to AWS
 
EC2
Virtual Servers in the Cloud
 
Elastic MapReduce
Managed Hadoop Framework
 
Route 53
Scalable Domain Name System
 
VPC
Isolated Cloud Resources
Storage & Content Delivery
 
CloudFront
Global Content Delivery Network
 
Glacier
Archive Storage in the Cloud
 
S3
Scalable Storage in the Cloud
 
Storage Gateway
Integrates on-premises IT environments with Cloud storage
Database
 
DynamoDB
Predictable and Scalable NoSQL Data Store
 
ElastiCache
In-Memory Cache
 
RDS
Managed Relational Database Service
 
Deployment & Management
 
CloudFormation
Templated AWS Resource Creation
 
CloudWatch
Resource & Application Monitoring
 
Elastic Beanstalk
AWS Application Container
 
IAM
Secure AWS Access Control
App Services
 
CloudSearch
Managed Search Service
 
SES
Email Sending Service
 
SNS
Push Notification Service
 
SQS
Message Queue Service
 
SWF
Workflow Service for Coordinating Application Components

an EC2 micro instance

when you instantiate the micro instance, you can then allocate an Elastic IP

Ok, thanks but again I don't get the full concept. Appreciate your input but it's like I would give you a rocket and tell you: ok, now fly to space.

I created a server and started it, then I have a rdp-shortcut. Why the rdp-shortcut only, rdp won't work in a firewall/proxy environment. Anyhow, then there is the elastic ip, never heard of the concept, created one but then, what does it do, why do I need it. Then all the other options, not sure if to configure or how.
And then again: how much will I be charged for this setup. Don't like to have a server running without using it for months then suddenly receive a bill. Stopped the server. Not sure if this is a solution for me.

Yes, I know, don't give people fish but a fishing line, but there has to be water in the first palce.

did you try to setup a Linux or Windows AMI ?

Elastic IP address http://aws.amazon.com/articles/Amazon-EC2/1346

from http://aws.amazon.com/ec2/ 

AWS Free Tier includes 750 hours of Linux or Windows Micro Instances each month for one year. To stay within the Free Tier, use only EC2 Micro instances

I installed the Windows version.
Thanks for the explanation but I was hoping for a quick alternative setup. The Amazon is to much trouble and new features/terminology. Just need a quick way to connect from anywhere to a remote lab, not using Teamviewer, Logmein etc.
Don't have the ability to dive into the Amazon thing now. Might do it later however though.

if you used Linux, you might find it a little quicker...

I want to run an openvpn-client, since it was Windows, running Linux then ssh via putty .... That's time I don't have right now to setup/troubleshoot. But thanks anyway.

Probably good solution, but still looking for a step-by-step guide for configuring it correctly (Amazon).