
Hardware Firewall Configuration for Direct Access ( Teredo Tunneling)

I am attempting to set up a DirectAccess server. However, I don't seem to be able to find any info on what ports and services are required for the DirectAccess server to be accessible from the internet through my hardware firewall. The only info I can find from Microsoft is that I need to allow ping responses on the software firewall of the DA server for both IPv6 and IPv4.
Does anyone know what ports I need to open on my hardware firewall for DirectAccess to function?

Thanks

Top Expert 2010

Commented:

Author

Commented:
Sorry for the slow response. How would one go about forwarding protocol 41 on a NAT-based firewall?

I attached a screenshot of the service I created for protocol 41 so I can forward it. Does this look correct?
I have never made a custom protocol before.

Top Expert 2010

Commented:
I've attached screenshots for the service objects of both TCP and UDP. I don't know if you need to specify that it's IPv6, though. Just specify what the service is for. Then, when you've created the two service objects, create a service group to include both the TCP and UDP service objects. It makes it easier to set up firewall/NAT rules.

Author

Commented:
That is what I have done.
I assume the examples you posted are not the real port ranges, as they aren't the same ranges as the link you provided says I need to open.
Top Expert 2010

Commented:
My apologies. I answered generally, as in creating services, but after re-reading the article I realized I answered incorrectly. You are correct in how you are creating it. You want to create the service as you've shown. I'm sorry for the confusion.

What I've come to realize in my research is that there are many differences between IPv4 and IPv6, but one worth noting is that Internet Protocol Security (IPsec) is built into IPv6, while it is added to IPv4 by specifying protocol 41 in the packet headers.

So, to recap, you've created the proper UDP/TCP ports specified and the protocol 41, right?

Author

Commented:
Yes, I created:
UDP port 3544 inbound and outbound
TCP port 443 inbound and outbound
and
Protocol 41 inbound and outbound
Top Expert 2010

Commented:
I'm concerned about this section of the link I sent you:

However, there has been a cause for confusion in this documentation because some admins confuse firewalling with NAT. While it is true that most firewalls are deployed with NAT enabled, that doesn’t mean you must NAT connections coming through the firewall. In fact, the UAG Infrastructure and Planning Guide (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=110b4c77-b411-4845-9b82-40a733b17003) states:

“Are you deploying Forefront UAG as a DirectAccess server?-A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device” [italics mine]

So to answer the question - “can you put the UAG DA server” behind a front-end firewall, the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server.


It appears that you might need to create a DMZ, put it in transparent mode, and hang your DirectAccess server off of that. What do you think?

Author

Commented:
I have already created a DMZ for my server and I have 2 consecutive public IP addresses, but I'm not sure what you mean by transparent mode?
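The port list given earlier in the thread (UDP 3544, TCP 443, IP protocol 41, ICMP echo for IPv4 and IPv6) and the no-NAT / two-consecutive-public-IPv4 requirement quoted from the UAG guide can be checked mechanically. The following is an added example, not code from the thread or from Microsoft; the rule dictionary schema and the sample rule set are constructed for illustration and do not correspond to any vendor's export format.

```python
import ipaddress

# Edge flows DirectAccess needs, as listed in the thread: Teredo, IP-HTTPS,
# 6to4 as raw IP protocol 41 (no port), and ICMP echo for IPv4 and IPv6.
REQUIRED = [
    ("Teredo", "udp", 3544),
    ("IP-HTTPS", "tcp", 443),
    ("6to4", 41, None),
    ("ICMPv4 echo", "icmp", None),
    ("ICMPv6 echo", "icmpv6", None),
]

def rule_covers(rule, proto, port):
    """True if the protocol matches and, for TCP/UDP, the port is in the rule's range."""
    if rule["proto"] != proto:
        return False
    if port is None:
        return True
    low, high = rule.get("ports", (None, None))
    return low is not None and low <= port <= high

def audit_da_edge(rules, external_ips):
    """Return a list of findings; an empty list means the edge config is compliant."""
    findings = []
    for name, proto, port in REQUIRED:
        for direction in ("inbound", "outbound"):
            hits = [r for r in rules
                    if r["direction"] == direction and rule_covers(r, proto, port)]
            if not hits:
                findings.append(f"missing {direction} rule for {name}")
            elif any(r.get("nat") for r in hits):
                findings.append(f"{name} {direction} rule is NATed; the DA server must not sit behind NAT")
    # Teredo needs two consecutive, globally routable IPv4 addresses on the server.
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in external_ips)
    if len(addrs) != 2 or int(addrs[1]) - int(addrs[0]) != 1:
        findings.append("need exactly two consecutive public IPv4 addresses")
    findings += [f"{a} is not a public IPv4 address (NAT in the path?)"
                 for a in addrs if not a.is_global]
    return findings

# Constructed sample (hypothetical schema): ICMPv6 is missing, the outbound
# protocol-41 rule is NATed, and the server addresses are RFC 1918.
SAMPLE_RULES = [
    {"direction": "inbound",  "proto": "udp", "ports": (3544, 3544)},
    {"direction": "outbound", "proto": "udp", "ports": (3544, 3544)},
    {"direction": "inbound",  "proto": "tcp", "ports": (443, 443)},
    {"direction": "outbound", "proto": "tcp", "ports": (443, 443)},
    {"direction": "inbound",  "proto": 41},
    {"direction": "outbound", "proto": 41, "nat": True},
    {"direction": "inbound",  "proto": "icmp"},
    {"direction": "outbound", "proto": "icmp"},
]
SAMPLE_IPS = ["192.168.1.10", "192.168.1.11"]
```

Running `audit_da_edge(SAMPLE_RULES, SAMPLE_IPS)` reports the two missing ICMPv6 rules, the NATed protocol-41 rule and both private addresses.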

Author

Commented:
Worked like a charm once I realized the Windows Firewall must be enabled on my Win7 client before DirectAccess will function.
Top Expert 2010

Commented:
Great!  I'm glad it's working and thanks for the points!