Hi All, I am new to Meraki and have deployed a new setup which consists of an MX68 gateway with 3 switches and a few WAPs. The client bought a new internet connection which is connected to the MX68. The client required a guest wireless connection, which I set up using NAT mode on the APs, which gives out random IPs in the range of 10.0.0.0/8 as expected.

The problem we are facing is that the clients want to use the Microsoft DirectAccess client on this network, just as they do at their home network, but the DirectAccess client gets stuck at "Connecting", hence the users are not able to connect to the corporate resources. There are currently no restrictions on the firewalls for outbound traffic; inbound, however, is deny, just as it would be out of the box.

My question is: do we need to put any specific IPv6 policy on either inbound or outbound, or is there any other option to allow these clients to connect? Can I find any logs of these connections through the MX68? (I don't have a syslog server collecting the logs.)

Regards,
-KN
>Microsoft Direct Access
Wow, I haven't seen that in a long time. They know this technology is deprecated and not supported by Microsoft anymore?
Are they connecting into the site with the MX68? If so, they would be way better getting onto supported technology like Cisco Secure Client (aka AnyConnect).
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
Failing that, you are going to have to experiment. You might find that if you create a VLAN for guest access on the MX68, and then change the guest SSID to use bridge mode, it might work. Hard to say.
Hi Philip,
Thanks for your reply. These clients are behind the MX68 with just a connection to the internet, like a SOHO setup. The Microsoft DA server is hosted at a DC location, reachable over the public internet. When these clients use their home internet, they connect to the Microsoft DA seamlessly.

I had the experiment in mind which you mentioned, but before trying on wireless, I tried over wired. I made a new VLAN in a 192.168.x.x space (just to mimic the same IP range that clients get at home) and assigned that to a port in the office where the client connected using a wired connection. They could get the internet through the MX68, but the Microsoft DA client on the workstation/laptop didn't connect; it stays in the connecting state. With Microsoft's DA 6to4 tunnel and IP-over-HTTPS requirements for clients, I was wondering if there are any inbound firewall policies which would need to get applied on the MX68 over the default deny?

On the other hand, as I understand it, it's a client-initiated connection to the DA server, so as a stateful connection, the firewall should allow the communication back... it's just that the 6to4 tunnel requirements are not making sense to me, whether they would need to be explicitly allowed in some form.
Regards,
-KN
According to https://social.technet.microsoft.com/wiki/contents/articles/901.directaccess-and-firewalls-and-nat.a..., you'll need to enable
when using MS' own "firewall" solution. My best guess would be that outbound rules will be sufficient, because as you say MX is a stateful firewall.
Thanks CptnCrnch,
I can't find a way to allow Protocol 41 inbound and outbound. I have allowed the remaining two (UDP and TCP) ports; let's see if it makes any difference.
Regards,
-Khurram
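The thread asks both "which firewall rules does DirectAccess need" and "can I see these connections on the MX68". The script below is an added example, not code from the thread, from Meraki or from Microsoft: it reads a classic libpcap file (for instance a capture taken on the MX) and tallies the three transport paths a DirectAccess client can use, which are IPv6-in-IPv4 (IP protocol 41, used by 6to4 and ISATAP), Teredo (UDP to port 3544) and IP-HTTPS (TCP to port 443). It also flags protocol 41 traffic coming from an RFC 1918 source, because 6to4 derives its IPv6 prefix from the client's IPv4 address and only works with a public one; a client behind the MX68's NAT (10/8 or 192.168/16 here) will have to fall back to Teredo or IP-HTTPS, so those are the flows the firewall must actually pass. The capture, the client address 192.168.20.15, the server address 203.0.113.10 and the `da_server` parameter are all constructed for the example.

```python
"""Tally DirectAccess transition-technology traffic in a pcap (added example)."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP, PROTO_IPV6_IN_IPV4 = 6, 17, 41
TEREDO_PORT, IPHTTPS_PORT = 3544, 443
LABEL_6TO4 = "6to4/ISATAP (protocol 41)"
LABEL_TEREDO = "Teredo (UDP 3544)"
LABEL_IPHTTPS = "IP-HTTPS (TCP 443)"


def classify_ipv4(ip: bytes):
    """Return (label, src, dst) for one IPv4 packet, or None if it is not IPv4."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    if proto == PROTO_IPV6_IN_IPV4:   # IPv6 carried directly in IPv4
        return (LABEL_6TO4, src, dst)
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if proto == PROTO_UDP and dport == TEREDO_PORT:
            return (LABEL_TEREDO, src, dst)
        if proto == PROTO_TCP and dport == IPHTTPS_PORT:
            return (LABEL_IPHTTPS, src, dst)
    return ("other", src, dst)


def summarize_pcap(data: bytes, da_server=None):
    """Count packets per transition technology and warn about 6to4 behind NAT.

    da_server (hypothetical parameter) restricts IP-HTTPS counting to the DA
    server's public IP, since any other HTTPS flow would look the same."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    counts, warnings, off = Counter(), [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        result = classify_ipv4(frame[14:])
        if result is None:
            continue
        label, src, dst = result
        if label == LABEL_IPHTTPS and da_server and dst != da_server:
            label = "other"
        counts[label] += 1
        if label == LABEL_6TO4 and ipaddress.IPv4Address(src).is_private:
            warnings.append(f"{src}: 6to4 needs a public IPv4 address; "
                            "behind NAT the client must use Teredo or IP-HTTPS")
    return counts, warnings


def _ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header (checksum left zero; the parser ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_sample_pcap():
    """Constructed capture: one packet per transition technology plus a DNS query."""
    client, server = "192.168.20.15", "203.0.113.10"   # constructed addresses
    pkts = [
        _ipv4(PROTO_IPV6_IN_IPV4, client, server, b"\x60" + b"\x00" * 39),  # IPv6 header stub
        _ipv4(PROTO_UDP, client, server, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
        _ipv4(PROTO_TCP, client, server,
              struct.pack("!HHIIBBHHH", 50001, IPHTTPS_PORT, 0, 0, 0x50, 0x02, 65535, 0, 0)),
        _ipv4(PROTO_UDP, client, "192.168.20.1", struct.pack("!HHHH", 50002, 53, 8, 0)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, ip in enumerate(pkts):
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    counts, warnings = summarize_pcap(build_sample_pcap(), da_server="203.0.113.10")
    for label, n in counts.items():
        print(f"{n:4d}  {label}")
    for w in warnings:
        print("WARN", w)
```

Run it against a real capture by replacing `build_sample_pcap()` with the file's bytes and passing the DA server's public address as `da_server`. If the only DirectAccess-related packets leaving the client are Teredo or IP-HTTPS, the outbound rules on the MX68 need to allow UDP 3544 and TCP 443 to that address, and the stateful return path covers the replies; a protocol 41 rule would not help a NATed client either way.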