Direct Access Issues and Public IP Addresses on All Interfaces - Server 2008 R2

Greetings,

I have been tasked with exploring Direct Access as a VPN solution for a campus in a highly secured environment. We will not be using NAT, RFC 1918 addresses, or IPv6 addresses per the client's existing addressing and security requirements. All servers and clients will have publicly routable IPv4 addresses.

I have been banging my head against the wall trying to get a Server 2008 R2/Windows 7 Enterprise solution working in my test lab. Since the Internal resources ("Intranet") do not have IPv6 addressing, I have installed UAG/TMG SP1 on my DA server for the IPv4 to IPv6 translations. I have left IPv6 enabled on the clients and the DA server.

To make a long story short, the IPSEC tunnels will not come up. After researching the issue, I came across this: http://pcmusings.wordpress.com/2011/07/29/lessons-learnt-deploying-directaccess/. This article states that Direct Access does not support environments where Internal and External addresses are routable (i.e. non-RFC 1918). Can anyone confirm this is the case?

For background, my CRL is published on an internal server with a trunk on the UAG server and is accessible by any client from an IP address on the external subnet of the UAG server. DNS resolution on the "External" subnet resolves da, crl, and other critical names without issue. The PKI seems to be working, with Auto Enrollment of Computer certs including the CRL locations, and client machines can access the CRL both internally and externally.

This is a bit of an odd setup in that the client machines will not be leaving the campus, but need to be secured with VPN tunnels internally. It was suggested that Direct Access serve as an IPSEC tunnel solution between resources on the "inside" (servers, internal resources), and the client machines.

If anyone can tell me if this is a feasible solution, I would appreciate it. I have spent quite a bit of time working on the lab and would like to know if there is a way to make this work in production or if I should look at another solution.

Thank you in advance...
