Question: Hardware Firewall Configuration for Direct Access (Teredo Tunneling)

I am attempting to set up a Direct Access server. However, I don't seem to be able to find any info on what ports and services are required for the Direct Access server to be accessible from the internet through my hardware firewall. The only info I can find from Microsoft is that I need to allow ping responses on the software firewall of the DA server for both IPv6 and IPv4.
Does anyone know what ports I need to open on my hardware firewall for Direct Access to function?

Thanks

Answer: Hardware Firewall Configuration for Direct Access (Teredo Tunneling)

I'm concerned about this section of the link I sent you:

However, there has been a cause for confusion in this documentation because some admins confuse firewalling with NAT. While it is true that most firewalls are deployed with NAT enabled, that doesn’t mean you must NAT connections coming through the firewall. In fact, the UAG Infrastructure and Planning Guide (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=110b4c77-b411-4845-9b82-40a733b17003) states:

“Are you deploying Forefront UAG as a DirectAccess server? - A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device” [italics mine]

So to answer the question - “can you put the UAG DA server” behind a front-end firewall, the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server.


It appears that you might need to create a DMZ and put that in transparent mode, hanging your DirectAccess server off of that. What do you think?