SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Public IP addressed Server behind SRX

    Posted 08-22-2011 08:37

    Hi,

    I have been asked to test Microsoft Direct Access as a home / remote user working scenario.  This product requires 2 x public-facing IP addresses and must not be behind a NAT device.

    I am not too comfortable with just placing a Windows Server facing the internet, so I want to place it behind my SRX, ideally in a 2-arm DMZ.

    So for example my ISP range is xxx.xxx.xxx.82/29.  I want to use .84 and .85 for the public IPs of the server.

    So any idea how to configure this?  Can I have the server's NIC configured with these IPs and just 1:1 map connections coming in?

    Hopefully someone has seen a similar scenario!



  • 2.  RE: Public IP addressed Server behind SRX

    Posted 08-22-2011 18:35

    You are correct, I think, to want the public interface in a DMZ on the firewall.  You will still have a two-armed server.  The dual public interfaces, however, will be in your DMZ zone on the SRX.  This will be a private address range you choose for that purpose.  This will have two addresses assigned.

    Your second interface is then in the private address range of your internal resources.

    On the SRX you will configure static NAT for the two public IP addresses to your two DMZ addresses.  These instructions are in Tech Note 81 on page 13 of the PDF.

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81

    To secure the channel you need a policy that allows only the required ports and protocols.  These are listed in the MS TechNet manual linked below.  You will use this list instead of "any" as the protocol in the policy you create above for the static NAT.

    http://technet.microsoft.com/en-us/library/ee809062.aspx
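
The design described in the reply above, written out as an added worked example (this is not configuration from the thread, from Tech Note 81, or from Juniper's own documentation). It assumes RFC 5737 documentation addresses in place of the poster's masked ones: the ISP block is 203.0.113.80/29 with the ISP gateway at .81 and the SRX untrust address at .82, the two public server addresses are .84 and .85, and the private DMZ is 10.10.10.0/24 with the SRX at .1. The three DirectAccess applications listed (IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 as IP protocol 41) are the transports this example assumes; the authoritative port list is the TechNet document linked in the reply. Interface names, zone names, rule names and address-book names are all hypothetical.

```junos
## Added example, not from the thread. Assumed addressing (RFC 5737 documentation ranges):
##   ISP /29: 203.0.113.80/29, ISP gateway .81, SRX untrust address .82
##   Public addresses for the DirectAccess server: 203.0.113.84 and .85
##   Private DMZ segment: 10.10.10.0/24, SRX at .1, server external NICs at .84 and .85
## Lines beginning with # are annotations; strip them before "load set".

## Interfaces, default route and zones
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.82/29
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.81
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

## 1:1 static NAT, public -> DMZ. Static NAT is bidirectional, so traffic the
## server originates is also sourced from .84/.85 without a separate source-NAT rule.
set security nat static rule-set da-static from zone untrust
set security nat static rule-set da-static rule da-ext1 match destination-address 203.0.113.84/32
set security nat static rule-set da-static rule da-ext1 then static-nat prefix 10.10.10.84/32
set security nat static rule-set da-static rule da-ext2 match destination-address 203.0.113.85/32
set security nat static rule-set da-static rule da-ext2 then static-nat prefix 10.10.10.85/32

## .84 and .85 are not configured on any SRX interface, so the SRX has to answer
## ARP for them on the untrust segment or the ISP router never forwards the packets.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.84/32 to 203.0.113.85/32

## Only the DirectAccess transports instead of "any" (assumed list, see lead-in)
set applications application da-ip-https protocol tcp destination-port 443
set applications application da-teredo protocol udp destination-port 3544
set applications application da-6to4 protocol 41
set applications application-set directaccess application da-ip-https
set applications application-set directaccess application da-teredo
set applications application-set directaccess application da-6to4

## Policy lookup happens after static NAT, so the destination in the policy is
## the private (post-NAT) address, not the public one.
set security zones security-zone dmz address-book address da-srv1 10.10.10.84/32
set security zones security-zone dmz address-book address da-srv2 10.10.10.85/32
set security zones security-zone dmz address-book address-set da-srv address da-srv1
set security zones security-zone dmz address-book address-set da-srv address da-srv2
set security policies from-zone untrust to-zone dmz policy allow-da match source-address any
set security policies from-zone untrust to-zone dmz policy allow-da match destination-address da-srv
set security policies from-zone untrust to-zone dmz policy allow-da match application directaccess
set security policies from-zone untrust to-zone dmz policy allow-da then permit
set security policies from-zone untrust to-zone dmz policy allow-da then log session-init
```

To check the translation is in effect, `show security nat static rule all` should show hits on da-ext1/da-ext2 and `show security flow session destination-prefix 203.0.113.84` should show sessions whose outbound wing carries 10.10.10.84. Two caveats a practitioner should weigh before building this: the server's external NICs still hold private addresses, which is exactly the condition the later replies in this thread report DirectAccess rejecting, and Teredo and 6to4 embed the host's IPv4 address in the IPv6 addresses they derive, so those two transports do not survive 1:1 NAT even though the packets get through the firewall.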



  • 3.  RE: Public IP addressed Server behind SRX

    Posted 08-23-2011 01:26

    Hi there,

    Thanks for the reply.   From my research, it appears the external NICs of the Direct Access server MUST have public IP addresses or it will report an error if SP1 is installed:

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/ee25c32e-01f4-4781-8348-811027675c31/

    So can anyone confirm if it's OK to static NAT, for example, 213.111.222.333 to a server on an internal DMZ or VLAN with this same public IP?

    So again 213.111.222.333 -> 213.111.222.333



  • 4.  RE: Public IP addressed Server behind SRX

    Posted 08-23-2011 04:05

    So I am thinking of using a /30 of my ISP's /29 range to create a DMZ with public addresses for:

    Direct Access IP1 123.123.123.2

    Direct Access IP2 123.123.123.3

    Gateway IP 123.123.123.1

    This may work, I hope.  Anyone see anything wrong with this approach?



  • 5.  RE: Public IP addressed Server behind SRX

    Posted 08-23-2011 05:02

    Sorry, I'm not sure how you would do this.  Typically the DMZ where you NAT the public address to is not on a public segment.

    The requirement to put a Windows Server interface directly onto the internet does not seem like a good idea.  I did some brief reading on MS TechNet; I suppose this is why MS seems to push using Direct Access along with their Forefront software firewall product.  You will be relying on the Windows firewall alone to protect the server without this, meaning that hackers will have full access to any MS OS vulnerabilities to make their entrance to your server.

    You should probably find a full best-practice security white paper from MS TechNet to see how they suggest keeping this secure.  Unfortunately, I don't know anyone who has implemented the feature.



  • 6.  RE: Public IP addressed Server behind SRX

    Posted 08-23-2011 06:04

    MMcD, that will work fine. A public-IP'd DMZ is the right way to go when you wish to avoid NAT. Carving out a /29 from your public block works. I've done this many times.

    To those advocating NAT here: NAT is not a security feature. Repeat that until you believe it. Look at IPv6; that may help with that concept. From a security perspective, there is NO difference between a private-IP DMZ on a static NAT and a public-IP DMZ. In both cases, the server is secured by a) L3/4 firewall rules, b) any type of L7 inspection in play, and c) host security on those ports that are open.



  • 7.  RE: Public IP addressed Server behind SRX

    Posted 08-23-2011 06:31

    Hi,

    Thanks, I'm still a little confused as to the best way to do this, but I definitely want to avoid NAT.

    For example, I have a range from my ISP, 80.xxx.xxx.80/29, with .81 being the upstream ISP gateway.

    I have only one physical connection from my ISP, so say I use .84/30 for the DMZ, with the .85 and .86 IP addresses used on the Direct Access server and say .84 as the gateway for this VLAN / DMZ.

    On my external firewall interface should I have 80.xxx.xxx.80/29 as the address, and when a connection to .85 or .86 arrives on the external interface, the routing engine should just pass this through to the DMZ, right?

    Just want to be totally sure before I start making these changes.



  • 8.  RE: Public IP addressed Server behind SRX

    Posted 08-24-2011 01:24

    Will this scenario require proxy ARP configured on the external interface to answer any requests for the internal, public-IP VLAN DMZ also?

    As there is no NAT, xxx.xxx.xxx.80/29 is my range, so if I leave that set up on the external interface and configure proxy ARP to answer for .84/30 it should be OK, yeah?



  • 9.  RE: Public IP addressed Server behind SRX
    Best Answer

    Posted 08-24-2011 11:38

    If you want to use the same subnet on your external/untrust interface and in your DMZ zone, you're going to have to split that subnet and set up routes.

    Unfortunately, with a /29 subnet, if you split that into 2 /30s you only get 2 usable IPs per subnet.  You would need 3 IPs in your DMZ: one for the SRX interface, and 2 for your Direct Access server interfaces.

    If the SRX is in Layer 3 mode, then in order for any zone-based security policies to apply, routing decisions need to happen on the SRX.  Its security processing is based on routing decisions.  You may need to ask for some more address space from your ISP, so that you can split up your subnets and do the necessary routing at your SRX.

    Your other option would be to look into using the device in transparent mode.  For branch SRX, this was introduced in 11.2 software, I believe.



  • 10.  RE: Public IP addressed Server behind SRX

    Posted 08-24-2011 14:31

    Thanks Keith,

    Yeah, that makes sense, and to be honest maybe a waste of resources for just this.

    I may seek an alternate solution to this.  Direct Access seems a great solution and no trouble for end users; also, in my case, a free option!

    I have looked into the SA2500 VPN device, which also seems good and easy to set up, but at a cost.

    Any more input on this is appreciated, but maybe it's time to think about another solution.



  • 11.  RE: Public IP addressed Server behind SRX

    Posted 02-23-2016 13:59

    Assuming from your post, in order for this to work properly the address book entries need to be zone-specific?  I am currently trying to get this to work with the global address book to no avail.

    http://forums.juniper.net/t5/SRX-Services-Gateway/External-Users-Can-t-Reach-Public-Addressed-Devices-in-DMZ-from/m-p/287928/highlight/false#M40020