TMG can be a good friend of DirectAccess

Yes, even if today, Threat Management Gateway 2010 is not longer available from Microsoft product line, there still have in production, and some of them will remain online because they do the job. But why TMG can be a DirectAccess good friend?

As a matter of fact, it’s may be Unified Remote Access (URA) good friend because a new feature  was introduced to Windows Server 2012 that make DirectAccess so easy to deploy : Publishing DirectAccess behind an Edge device



And in my case, my Edge device is a Forefront Unified Access Gateway. Let’s have a look at this in a TMG Management console :


When you configure your URA Server to operate behind an edge device, Teredo protocol wont be available (No consecutives IPv4 public addresses), neither 6to4. Only IPHTTPS will be available. But it’s not a web site. Technically the only thing that IIS and IPHTTPS protocol share is the HTTP.SYS stack at kernel level. We wont be publishing a web site but a non-web protocol.



First required parameter, the private IPv4 interface of my Unified Remote Access server. In my case, my URA server is configured with a single Network card.



At TMG protocol definition level, IPHTTPS protocol will be recognized ad “HTTPS Server”.



That protocol will be published on the external Network card of my TMG server, but only on one IPv4 public address



In my case, this is



So IPHTTPS interface of my URA server will be available on Internet on this IP address.



Our TMG configuration is now terminated. It’s time to activate the new configuration and test that out.



A simple “Get-DARemoteAccessConnectionStatistics” PowerShell command will show to that my client is connected with IPHTTPS. In my case, this was a Windows 8 client, but this also work with Windows 7 if you enable the legacy client support feature.



So don’t underestimate the value of your existing TMG investment, it can be used with DirectAccess if you choose Unified Remote Access included in Windows Server 2012.

Final question : Is it possible to publish Unified Remote Access server on an alternate public port? Technically speaking yes but I won’t explain this in this blog post. This will be a subject for the DirectAccess Challenge series. Stay tuned and get an aspirin tube ready for that journey to DirectAccess in SDI scenario.

BenoîtS – Simple and Secure by Design but business compliant


Simple, yes, Secure Maybe, by design for sure, Business compliant always!

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.