All,
I'm not sure where to ask this question, but I have to believe that some of you here have some experience and opinions with DirectAccess, so I will ask here first, while I'm doing my STFW work. Please feel free to direct me elsewhere if you know somewhere better.

Does anyone have thoughts or concrete (referenceable?) recommendations on placement for a DA server?

We currently are using UAG 2010 SP1 for DirectAccess (and only for DA, nothing else).

We're looking to move to DirectAccess on 2012R2. One of the major design goals is to enable "manage out". I'll be doing a parallel install, and migrating current users to the new facility.

We have a choice to make regarding placement of the new DA server - I know my preference, but I'm getting pushed to implement in a way I'm not comfortable with.

The way we have it now: one NIC exterior, one NIC interior on its own VLAN - basically it straddles the perimeter, and bypasses our firewall. AFAICT, it was the best way to implement it at the time.

With DA 2012R2, I can do that, or I can do a 2 NIC setup behind the firewall, or I can do a single NIC behind the firewall. I'm not too concerned about that part of it.

What I'm unhappy about is being pushed to put the DA server on the same VMware cluster as the rest of our production servers. It seems like a fairly major sin to mix security domains like that. I don't care that it would have its own VLAN, etc. - it just seems wrong to be mixing a security device that's supposed to be at the perimeter in with the soft gooey production servers.
Kurt
Forum info: http://www.activedir.org

Somewhat OT: DirectAccess choices
- Last Post 07 March 2016
kurtbuff posted this 04 March 2016
gkirkpatrick posted this 04 March 2016
Not really my area of expertise, but a rough threat analysis would seem to come down to two questions: How much do you trust VMware to provide isolation between virtual networks and virtual machines, and how much do you trust your VMware administrators?
There have been several hypervisor vulnerabilities over the years. Reaching into your squishy bits would require an attacker to exploit vulnerabilities in the guest OS as well as the hypervisor. Not impossible, but seems pretty unlikely.
I'd be more concerned about your VMware admins and their standards of practice.
-gil