Microsoft Direct access on MX68 Gateway Security Appliance

knoor
Conversationalist

Hi All,

I am new to Meraki and have deployed a new setup which consists of an MX68 gateway with 3 switches and a few WAPs. The client bought a new internet connection which is connected to the MX68. The client required a guest wireless connection, which I set up using NAT mode on the APs, which gives out random IPs in the range of 10.0.0.0/8 as expected.

The problem we are facing is that the clients want to use the Microsoft Direct Access client on this network, just as they do on their home network, but the Direct Access client gets stuck at "Connecting", hence the users are not able to connect to the corporate resources. There are currently no restrictions on the firewall for outbound traffic; inbound, however, is deny, just as it would be out of the box.

My question is: do we need to put any specific IPv6 policy on either inbound or outbound, or is there any other option to allow these clients to connect? Can I find any logs of these connections through the MX68? (I don't have a syslog server collecting the logs.)

Regards,

-KN

PhilipDAth
Kind of a big deal

>Microsoft Direct Access

Wow, I haven't seen that in a long time. Do they know this technology is deprecated and not supported by Microsoft anymore?

Are they connecting into the site with the MX68? If so, they would be way better off getting onto supported technology like Cisco Secure Client (aka AnyConnect).

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

Failing that, you are going to have to experiment. You might find that if you create a VLAN for guest access on the MX68, and then change the guest SSID to use bridge mode, it might work. Hard to say.

knoor
Conversationalist

Hi Philip,

Thanks for your reply. These clients are behind the MX68 with just a connection to the internet, like a SOHO setup. The Microsoft DA server is hosted at a DC location, reachable over the public internet. When these clients use their home internet, they connect to the Microsoft DA seamlessly.

I had the experiment in mind which you mentioned, but before trying on wireless, I tried over wired. I made a new VLAN in a 192.168.x.x space (just to mimic the same IP range that clients get at home) and assigned that to a port in the office where the client connected using a wired connection. They could get the internet through the MX68, but the Microsoft DA client on the workstation/laptop didn't connect; it stays in the connecting state. With Microsoft's DA 6to4 tunnel and IP-over-HTTPS requirements for clients, I was wondering if there are any inbound firewall policies which would need to be applied on the MX68 over the default deny?

On the other hand, as I understand it, it's a client-initiated connection to the DA server, so as a stateful connection the firewall should allow the communication back... it's just that the 6to4 tunnel requirements are not making sense to me as to whether they would need to be explicitly allowed in some form.

Regards,

-KN

CptnCrnch
Kind of a big deal

According to https://social.technet.microsoft.com/wiki/contents/articles/901.directaccess-and-firewalls-and-nat.a..., you'll need to enable

  • Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.
  • UDP destination port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.
  • TCP destination port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.

when using MS' own "firewall" solution. My best guess would be that outbound rules will be sufficient because, as you say, the MX is a stateful firewall.
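
Added illustration for this thread (not Meraki or Microsoft code): a small Python model of how a stateful, default-deny-inbound edge firewall treats the three transports in the list above when the client initiates the connection. The rule and flow formats, the client address 192.168.50.20 and the server address 203.0.113.10 are constructed for the example, and the model assumes the gateway tracks the port-less protocol 41 statefully on (protocol, source, destination), which the thread does not establish for the MX.

```python
"""Model of a stateful, default-deny-inbound edge firewall evaluating the three
DirectAccess transports (6to4 / protocol 41, Teredo / UDP 3544, IP-HTTPS / TCP 443).
Constructed illustration, not Meraki or Microsoft code: the Rule and Flow formats
and the addresses are invented for the example."""
from dataclasses import dataclass
from typing import Optional

# Protocol number and ports from the TechNet list quoted in the thread.
PROTO_6TO4 = "41"       # IPv6-in-IPv4; carries no transport-layer ports
TEREDO_PORT = 3544      # UDP
IPHTTPS_PORT = 443      # TCP


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "41"
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as 41
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "41" or "any"
    dport: Optional[int] = None  # None matches any destination port


class StatefulFirewall:
    """Outbound default allow, inbound default deny, replies admitted by state."""

    def __init__(self, outbound: list, inbound: list):
        self.outbound_rules = outbound
        self.inbound_rules = inbound
        self.state = set()   # keys of flows seen leaving the LAN

    @staticmethod
    def _key(f: Flow) -> tuple:
        # Assumption: port-less protocols are tracked on (proto, src, dst) alone,
        # which is what the None ports collapse to.
        return (f.proto, f.src, f.dst, f.sport, f.dport)

    @staticmethod
    def _reverse_key(f: Flow) -> tuple:
        return (f.proto, f.dst, f.src, f.dport, f.sport)

    @staticmethod
    def _match(rules: list, f: Flow, default: bool) -> bool:
        for r in rules:                      # first matching rule wins
            if r.proto != "any" and r.proto != f.proto:
                continue
            if r.dport is not None and r.dport != f.dport:
                continue
            return r.action == "allow"
        return default

    def outbound(self, f: Flow) -> bool:
        allowed = self._match(self.outbound_rules, f, default=True)
        if allowed:
            self.state.add(self._key(f))     # remember the LAN-initiated flow
        return allowed

    def inbound(self, f: Flow) -> bool:
        if self._reverse_key(f) in self.state:
            return True                      # reply to a flow the LAN started
        return self._match(self.inbound_rules, f, default=False)


def evaluate_transports(client="192.168.50.20", server="203.0.113.10"):
    """Simulate each DirectAccess transport as a client-initiated exchange and
    report whether the server's reply is admitted, plus one unsolicited probe."""
    fw = StatefulFirewall(outbound=[], inbound=[])   # out-of-the-box posture
    attempts = {
        "6to4": Flow(PROTO_6TO4, client, server),
        "teredo": Flow("udp", client, server, sport=50000, dport=TEREDO_PORT),
        "ip-https": Flow("tcp", client, server, sport=50001, dport=IPHTTPS_PORT),
    }
    results = {}
    for name, out in attempts.items():
        sent = fw.outbound(out)
        reply = Flow(out.proto, out.dst, out.src, sport=out.dport, dport=out.sport)
        results[name] = sent and fw.inbound(reply)
    # A server-initiated packet with no matching outbound state is still dropped.
    results["unsolicited-inbound-443"] = fw.inbound(
        Flow("tcp", server, client, sport=40000, dport=IPHTTPS_PORT))
    return results


if __name__ == "__main__":
    for transport, ok in evaluate_transports().items():
        print(f"{transport:24s} {'allowed' if ok else 'dropped'}")
```

Running it shows the replies for all three transports admitted on state alone, with no inbound rule, while an inbound TCP 443 packet that no LAN host asked for is still dropped; that is the reasoning behind expecting outbound rules to be sufficient. Two things the model deliberately leaves out: a NAT gateway that does not keep state for port-less protocol 41 has nothing to match the 6to4 reply against, and 6to4 derives the client's IPv6 prefix from a public IPv4 address, so a client on a private 192.168.x.x address would normally be expected to fall back to Teredo or IP-HTTPS rather than use 6to4 at all.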

knoor
Conversationalist

Thanks CptnCrnch,

I can't find a way to allow Protocol 41 inbound and outbound. I have allowed the rest, the two UDP and TCP ports; let's see if it makes any difference.

Regards,

-Khurram
