Network Interface Configuration for Multihomed Windows Server 2012 DirectAccess Servers

When preparing a Windows Server 2012 DirectAccess server with two network interfaces, proper configuration of those interfaces is vital to the operation and security of the remote access solution, especially in edge-facing scenarios. Configuring a server with two network interfaces might seem trivial, but there are some important and often overlooked settings that can cause trouble. In this post I’d like to outline the proper network interface configuration for a Windows Server 2012 DirectAccess server in an edge-facing deployment scenario. It is important to note that the network interfaces should be configured before DirectAccess is installed and configured.

The first step is to rename the network interfaces with intuitive names that identify their role. Typically I use Internal and External. This will make DirectAccess configuration much easier, as you will see when you are configuring DirectAccess using the deployment wizards. To rename the network interfaces, open the Networking and Sharing Center from the Control Panel and choose the option to Change adapter settings. Optionally you can simply highlight the network interface you wish to rename and hit F2. Assign new names to the network interfaces as appropriate.

[Screenshot: direct_access_multihome_01]

Next, right-click the Internal network interface and choose Properties. Enter an IPv4 address, subnet mask, and DNS servers as required. Notice that I have not entered a default gateway here. This is absolutely critical and one of the most common mistakes made when configuring a multihomed DirectAccess server: on a server with multiple network interfaces there can be only one default gateway, and it must reside on the External network interface.

[Screenshot: direct_access_multihome_02]

In the absence of a default gateway on the Internal network interface, static routes will be required to reach any remote internal subnets. To add a static route, open an elevated PowerShell command prompt and add any necessary routes using the following syntax:

New-NetRoute -InterfaceAlias <Interface_Name> -DestinationPrefix <SubnetID/Mask> -NextHop <Gateway_Address>

For example, my lab network has a remote subnet of 172.16.2.0/24 that is reachable through a router interface of 172.16.1.254.

New-NetRoute -InterfaceAlias Internal -DestinationPrefix 172.16.2.0/24 -NextHop 172.16.1.254

It’s also a good idea to unbind any protocols that are not required. For example, in my implementation I will not be leveraging QoS or NIC teaming, nor will I require the Link-Layer Topology Discovery services, so I’ve unchecked those boxes accordingly.

[Screenshot: direct_access_multihome_03]

Perform this same exercise for the External network interface. Enter an IPv4 address and subnet mask, and this time be sure to include the default gateway for the External network. Notice that I have not entered any DNS servers here. Resist the urge to enter the DNS servers provided by your ISP. They are not required here, and DNS servers on the External interface only interfere with name resolution on the DirectAccess server.

[Screenshot: direct_access_multihome_04]

Since this DirectAccess server will be edge-facing and connected directly to the public Internet, it is a good idea to unbind all protocols from the network interface with the exception of IPv4 and IPv6.

[Screenshot: direct_access_multihome_05]

In addition, uncheck the option to Enable LMHOSTS lookup and also choose Disable NetBIOS over TCP/IP.

[Screenshot: direct_access_multihome_08]

Important Note: Beginning with Windows Server 2016, making changes to the network interface binding order is no longer required, and this option has been removed from the UI.

One last change that needs to be made, and perhaps the most critical and often overlooked setting, is the network interface binding order. This change can be made by pressing the Alt key on the keyboard to display the drop-down menu and choosing Advanced Settings.

[Screenshot: direct_access_multihome_06]

Make certain that the Internal network interface is listed first in the list of connections.

[Screenshot: direct_access_multihome_07]
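The steps above, gathered into one PowerShell script as an added example (this is not code from the original post): it renames the interfaces, addresses them, adds the static routes, unbinds the unneeded protocols from External, disables NetBIOS over TCP/IP and LMHOSTS lookup, and then checks for the two mistakes the post warns about. Adapter names, addresses, DNS servers and the remote subnet are assumed lab values; the binding-order change is a UI step and is not scripted here.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows Server 2012, BEFORE installing the DirectAccess role.

# --- assumed lab values: replace with your own ---
$InternalAdapter = 'Ethernet'        # current name of the intranet-facing NIC
$ExternalAdapter = 'Ethernet 2'      # current name of the Internet-facing NIC
$InternalIP      = '172.16.1.10'
$InternalDns     = @('172.16.1.5', '172.16.1.6')   # internal DNS servers (assumed)
$ExternalIP      = '203.0.113.10'    # documentation range, stands in for a public IP
$ExternalGateway = '203.0.113.1'
$RemoteSubnets   = @{ '172.16.2.0/24' = '172.16.1.254' }   # prefix -> internal next hop

# 1. Rename the interfaces so their role is obvious in the DirectAccess wizard.
Rename-NetAdapter -Name $InternalAdapter -NewName 'Internal'
Rename-NetAdapter -Name $ExternalAdapter -NewName 'External'

# 2. Internal: address, mask and DNS servers, but deliberately NO default gateway.
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress $InternalIP -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Internal' -ServerAddresses $InternalDns

# 3. Static routes stand in for the missing gateway, one per remote internal subnet.
#    New-NetRoute writes to both the active and persistent stores by default.
foreach ($prefix in $RemoteSubnets.Keys) {
    New-NetRoute -InterfaceAlias 'Internal' -DestinationPrefix $prefix -NextHop $RemoteSubnets[$prefix]
}

# 4. External: address, mask and the ONE default gateway; no DNS servers at all.
New-NetIPAddress -InterfaceAlias 'External' -IPAddress $ExternalIP -PrefixLength 24 -DefaultGateway $ExternalGateway
Set-DnsClientServerAddress -InterfaceAlias 'External' -ResetServerAddresses

# 5. Unbind everything except IPv4/IPv6 from the Internet-facing interface:
#    Client for MS Networks, File/Printer Sharing, QoS, LLTD mapper/responder, NIC teaming.
$unneeded = 'ms_msclient', 'ms_server', 'ms_pacer', 'ms_lltdio', 'ms_rspndr', 'ms_implat'
Disable-NetAdapterBinding -Name 'External' -ComponentID $unneeded

# 6. Disable NetBIOS over TCP/IP on External (TcpipNetbiosOptions 2 = disable)
#    and LMHOSTS lookup (a machine-wide NetBT setting).
$ifIndex = (Get-NetAdapter -Name 'External').ifIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $ifIndex"
Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name EnableLMHOSTS -Value 0

# 7. Verify the two common mistakes: a default gateway on Internal (or a second
#    one anywhere), and DNS servers configured on External.
function Test-DaInterfaceConfig {
    $defaults    = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4)
    $externalDns = (Get-DnsClientServerAddress -InterfaceAlias 'External' -AddressFamily IPv4).ServerAddresses
    $ok = $true
    if ($defaults.Count -ne 1 -or $defaults[0].InterfaceAlias -ne 'External') {
        Write-Warning "Expected exactly one IPv4 default route, on External; found on: $($defaults.InterfaceAlias -join ', ')"
        $ok = $false
    }
    if ($externalDns) {
        Write-Warning "External must have no DNS servers; found: $($externalDns -join ', ')"
        $ok = $false
    }
    return $ok
}

Test-DaInterfaceConfig
```

Test-DaInterfaceConfig can be re-run on its own later, for example after a change to the interfaces, to confirm the gateway and DNS placement are still correct.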

So that’s it! You can now proceed with installing and configuring DirectAccess in full confidence that your network interfaces are configured properly!


51 Comments

  1. Good blog – are there any security considerations when standing up DA 2012 as an edge deployment? I want to think that it is hardened enough as is, but I need to actually know it and not just think it. Any links would be great. Thanks!

  2. Hi Jason,

    PowerShell is the wave of the future! Time to stop using those legacy commands and learn the new, modern way for configuring Windows. 😉 Seriously though, I understand why many continue to use “route add”. If it works, no need to fix it, right? 🙂 I’ll update the post soon with some commands and screen captures using route add.

    Thanks!

  3. mike0788 / September 10, 2013

    Excellent post. thanks Richard!

  4. dnelre / September 30, 2013

    Hey Richard, it would be nice if you updated the post with the routing pictures 🙂

  5. NEUR0 / January 22, 2015

    I know this is an old post but maybe you will see this. How do I add routes so that the DA server still has internet access? Also, the lack of the gateway seems to prevent me from being able to RDP to the DA server for administration, is this another route issue?

    Thanks for the awesome guide!

    • NEUR0 / January 22, 2015

      Sorry a follow up to the above. I noticed the EXTERNAL NIC seems to now have an “autoconfigure” IP on top of my static IP which I configured based on the guide above. Why would it have this if DHCP is turned off? After deploying DA I got an error on the IP-HTTPS interface. Would it be due to this extra IP? Thank You Again!

      • I apologize, but I’m not following you. If you could email me some screen shots I’d be happy to provide some feedback for you. 🙂

    • The DirectAccess server will have access to the Internet via the external network interface, where the default gateway is assigned. Static routes are required for any remote internal subnets. The issue you describe (no access to RDP) sounds to me like you are trying to connect to the DirectAccess server from a remote subnet for which it doesn’t have a route to. If you resolve that issue I’m sure you’ll have RDP access. 🙂

      • I can vouch for this setup. If you’re going to use the DA server(s) in an edge scenario then the default gateway must belong to the internet facing adapter and the internal NIC cannot have one defined. Static routes must be defined for anything internal. This can be a lot of work, but thankfully it’s only a one-time deal. If you cannot RDP into the server from inside with this configuration make sure RDP is enabled and verify the static route is present to where you are trying to RDP from.

  6. Craig / February 25, 2015

    If I want to use Teredo and I have two consecutive public IPs at my disposal I take it I just configure the external NIC with a second IP?

    • Correct. Teredo will automatically be configured during DirectAccess installation if you have two consecutive public IPv4 addresses assigned to the external network interface. If you configure DirectAccess with only a single address and add another one after the fact, there’s an additional step you have to take. I’ll post that procedure soon.

  7. Sohail Ahmed / April 12, 2015

    Hi Richard,

    I got everything working except without specifying default gateway IP as DNS server, I cannot access internet. Can you please enlighten me on this?

    • Not sure. If you have your routing configured correctly, everything should work. Double check that you can access all supporting infrastructure services (AD, DNS, PKI, etc.) from the DirectAccess server. If you can’t, you are probably missing a route.

  8. Aljosa Agoli / October 23, 2015

    Hi Richard,

    I have a working DA setup that is the same as you wrote. I can access all server resources that are inside subnet 192.168.16.x resolving to their IPv6 addresses. From the DA server I can ping and remote to the 128.1.0.x subnet and I have a static route set on DA (on 192.168.16.87) to go there through the 192.168.16.240 gateway. The problem is my DA clients can’t connect to the 128.1.0.x subnet. What am I missing? Is it possible to let clients also pass to this subnet?

    • Not sure, but it sure does sound like a routing issue. DA clients should be able to access anything that is accessible from the DA server though. I’d suggest double-checking your routing configuration to ensure that traffic is getting back to the DA server correctly.

      • Aljosa Agoli / October 24, 2015

        Hello,
        Thank you for your swift comment. It seems I’m not getting the routes on my DA client that I have on my DA server.
        I am a bit confused as the extra routes are not listed. It seems the hop goes to my home router and then to the Internet and not to the DA server that probably should be the gateway for these routes. I will have to recheck the configuration unless I’m not understanding something crucial.

      • Your client doesn’t need those routes. The client uses IPv6 exclusively to talk to the DirectAccess server. From there it is converted to IPv4 to get to the Intranet. The IPv4 routes only need to be in place on the DirectAccess server.

  9. Mark / November 17, 2015

    The problem with this set up is that with Windows, leaving off a default gateway will cause the network location to change to ‘Public’, which will place your internal network connection under the public profile settings of Windows firewall, which can cause problems (such as lack of remote administration) as the Windows Firewall public profile is much more restrictive – and if you attempt to block everything outbound on the Public profile except for specific rules, that will cause you major headaches and a lot more administration.

    • Hi Mark,

      That shouldn’t be the case. If you’ve configured static routes correctly on the internal interface, the DirectAccess server should be able to reach a domain controller without issue and also enable the Domain firewall profile. If that isn’t happening, something else is probably wrong.

  10. Jeff Singler / December 1, 2015

    I’m not following how the static routes work. Am I routing the internal nic subnet to the external nic gateway?

    • No. The purpose of the static routes is to ensure that the DirectAccess server can reach any and all remote internal subnets. For example, let’s say your internal network includes multiple subnets like 10.0.1.0/24, 10.0.2.0/24, etc. If the DirectAccess server is on the 10.0.1.0/24 network and has an IP address of 10.0.1.240, it could of course reach all hosts on that subnet without a gateway. However, to reach any other subnets internally it needs a route (because it lacks a default gateway – without a route it would be sent on the external interface, which isn’t where those networks are located!). The route to get to 10.0.2.0/24 would look something like this:

      New-NetRoute -DestinationPrefix 10.0.2.0/24 -NextHop 10.0.1.254 (or whatever the gateway is for this subnet!) -InterfaceAlias “Internal”

      Keep in mind you can summarize routes too. You could easily create a single static route for all of 10.0.0.0/8 if your entire internal network was in 10.0.0.0/8. Hopefully you get the picture. 🙂

      Let me know if that helps!

      • Jeff Singler / December 3, 2015

        That clears it up for me, thank you. I was not sure if this was something I was missing or not. I have my DA working fine, clients are connected outside of corp network. But….I need manage out capabilities for a few different reasons, ccleaner network management and then RDP if I need it. I have Kaspersky as well and mostly that is pull, but sometimes it needs to push something out to clients. This is my main issue, I have followed a couple different guides for creating extra GPO’s for isatap and client FW extra rules. But it’s still not working.

      • I’m happy to help. Drop me an email and we’ll talk in more detail. 🙂

  11. Aljosa Agoli / December 3, 2015

    Hello, I just want to confirm that following this article, and the replies Richard gave me, I have concluded that the problem was in the Cisco router. This led to a change of router to a newer (Fortigate) router, after which everything worked as written. I have tunnels connected through DirectAccess to over 15 subnets and everything works as expected. I just have to add the subnet on the DA server, use the local network gateway and (with a little help from the DNS server) have access to all servers for management. Thank you Richard.

  12. Courtney / January 28, 2016

    Richard – is this post valid for PPTP VPN setup with 2 NIC’s also? Thank you…

  13. Carl Lucas / March 16, 2016

    I have two NIC’s installed in the 2012 DA. I would like to have the VPN access be able to access the internet without the need of a proxy server. Is that possible?

    • Over VPN? Yes. Over DirectAccess, assuming you have force tunneling enabled, I’m not sure. I’ve only ever configured force tunneling with on-premises proxy servers.

      • Yes, this is possible. The RRAS routing configuration will be the trickiest part.

      • The experience isn’t likely to be without issue. If web pages load content using an IPv4 address as opposed to an FQDN, it will fail to connect over DirectAccess. Hopefully that doesn’t happen too often though.

  14. wafaa / June 7, 2016

    Excellent blog.
    I have 2 subnets and 3 network interfaces.
    First subnet 192.168.0.0/24 and the second 192.168.10.0/24.
    How do I configure my Windows Server 2012 R2 as a router with one DNS and DHCP for these 2 subnets?
    Thank you

    • The guidance in this post is pretty clear. Just create the static routes to your remote internal subnets using your network’s default gateway as the next hop. 🙂

  15. We have a native IPv6 Intranet and IPv6 Internet that tests perfectly, a whatismyip.com and a ping to google.com show IPv6 traffic only. There seems to be little documentation how to configure the NIC cards and DA in this rare setup. Can you point me to any docs on this? Thanks!

    • There is very little (if any) documentation for this deployment scenario. I did touch upon this topic in my upcoming book though – http://directaccessbook.com/. Ultimately it isn’t difficult to implement. If you have native IPv6 addressing you would assign those addresses to the DirectAccess server’s network interfaces accordingly. The real challenge is ensuring that traffic is routed back to connected DirectAccess clients correctly. If the DirectAccess client is using a transition technology, no problem. The prefixes for DirectAccess clients are unique and can be routed back to the DirectAccess server without much hassle. The real challenge is when your DirectAccess clients have a native IPv6 address. This typically results in asymmetric routing, where traffic from the DirectAccess client comes in through the DirectAccess server, but attempts to egress through the internal network’s default gateway. Commonly, a stateful firewall is inline and prevents this return traffic. There’s no good way to route this traffic back to the DirectAccess server because the client has a unique public IPv6 address (GUA). In this scenario, it is recommended that the DirectAccess server be deployed in a perimeter network behind the internal network’s border router/edge firewall. In some cases it might even be easier not to put a public IPv6 address on the DirectAccess server to ensure that all DirectAccess client traffic uses a transition technology. This will greatly simplify IPv6 routing and eliminate potential asymmetric routing issues.

      • That seemed to do the trick. I set the public NIC to automatic IPv6 so it only has the link-local address, and put it on the DMZ with only IPv4 443 open to it. I left the static IPv6 on the internal NIC, but no IPv6 default gateway. Since all our clients are Windows 10, it seems like IP-HTTPS is the way to go.

  16. C Osborne / October 17, 2016

    Hi Richard,

    I have found your site very informative and useful. However I have an issue with regards to our DirectAccess clients not being able to resolve the directaccess-webprobehost address (NCA). I thought this was a DNS issue so I created a Host A record for that address to the IP of our DA server but this made no difference. I have checked multiple internet website addresses and when I do an nslookup from the DA server they all fail.

    I was looking through this page and saw this: “One last change that needs to be made, and perhaps the most critical and often overlooked setting, is the network interface binding order.”

    I checked this on our server and the binding order is indeed wrong (DMZ above LAN), but all the clients are working. That said, I am seeing some odd errors, so in an effort to make sure everything is configured correctly I am checking the whole setup. To that end my question is, if the binding order was wrong (as ours is), do you know what errors I could expect to see? I ask this specifically as you have said this is critical.

    Thanks.

    • The only time I’ve ever seen incorrect network interface binding order cause an issue is when there are DNS servers configured on the external interface. DNS servers should only be configured on the internal network interface. If that’s the case for you, I’d say that this isn’t the issue. However, it is a good idea to fix it. You should be able to resolve the web probe host name to an IPv4 address on the DirectAccess server. If you can do that, verify the same on a DirectAccess client. Remember that nslookup won’t work unless you specify the DNS64 address. I recommend using the Resolve-DNSName PowerShell command as it works with the NRPT on the DirectAccess client.

  17. I have used these settings for a small test server using Windows 2012. My server is also my domain controller and I am running into tons of trouble with NLA placing my external NIC in the domain. I cannot run the configuration wizard for remote access as it says it can’t find a network adapter w IPv4 with external address and no domain profile. Any ideas on how I can overcome this? There are a few things posted on the Internet about blocking the card from seeing the domain controller which I have tried. Unless I’m doing that incorrectly I’m at a loss.

    • This is one of the reasons that installing the DirectAccess role on a domain controller is not recommended. That’s not to say it isn’t possible though. 😉 However, I have no experience with this configuration and don’t have anything useful in the way of guidance to offer you. :/

  18. Jan Nielsen / January 17, 2017

    Thanks for a good guide.
    Is it possible to make the changes to the NICs after you have installed DirectAccess without messing up the DirectAccess setup?

    /Jan-

    • No. Changing the NICs after DirectAccess is installed will result in a broken configuration. However, it is sometimes possible to simply select the new NICs in the Remote Access Management console again and everything will work. In my experience though that doesn’t always work. :/ DirectAccess is tightly coupled with the network interfaces and even changing IP addresses can break DirectAccess.

  19. lukaszc / January 29, 2017

    Hi Richard,
    Before our DirectAccess deployment I read your book. It’s great and helps a lot.
    However I’m confused what routes should be added and where.
    Internally we have a mixed deployment of IPv4/IPv6 where each host has both addresses set as static. I can establish a DirectAccess connection from an external client but I cannot access any internal resource until I add, on this resource’s IPv6 interface, an IPv6 internal address of my DirectAccess server as a gateway. Then I can access it, but only with the IPv6 address; IPv4 doesn’t work.
    May you elaborate what’s the best practice in such situation?

    BR,
    Lukasz

    • There are a number of issues and challenges associated with deploying DirectAccess with native IPv6. If you have IPv6 deployed internally, that’s usually fine. However, if your DirectAccess server has an IPv6 address on its external network interface and clients can connect without using an IPv6 transition technology, then it can be problematic. The only workaround I’m aware of currently is to configure the DirectAccess server as your internal network’s default gateway. If you can’t do that (and probably shouldn’t anyway) then it is suggested that you ensure the DirectAccess server is reachable from the public Internet via IPv4 only. After that, as long as the DirectAccess server has routes to any remote internal networks (IPv4 or IPv6) it should work.

  20. Warren Brown / February 3, 2017

    Just starting to build our test environment. Your site was so good, that we ordered your book.

    Server 2016 doesn’t seem to have the options to configure the NIC adapter order. I do not have a “Adapters and Bindings” tab shown at all. Apparently no components use the binding order any longer (https://blogs.technet.microsoft.com/networking/2015/08/14/adjusting-the-network-protocol-bindings-in-windows-10/). The new method of controlling flow is to set the route metrics, such as with Set-NetIPInterface –InterfaceIndex “xx”–InterfaceMetric “xxx”. Does this match up with your experience and understanding?

    Thanks for the great site, and really appreciate your great book on the topic.

    • Thanks for purchasing the book! If you would be so kind as to review it on Amazon.com I’d appreciate that tremendously. 🙂 When I was writing the book I was using Windows Server 2016 Technical Preview 4 (TP4). There was a bug in TP5 that prevented DirectAccess from working correctly, so I was stuck using TP4 for the duration of the book. When Windows Server 2016 was finally released, I did notice that they removed the option to change the network interface binding order (might have been removed in TP5, but I didn’t spend much time with that release). According to Microsoft, there is no longer any need to make this change, so I’m good with that. The real reason network interface binding order was even an issue previously had more to do with name resolution, but that’s no longer an issue now. I’ve not encountered any scenario in which I’ve had to make route metric changes. With that, I’d say that configuring network interfaces as outlined in the book will yield acceptable results. No need to make any other changes as far as I’m concerned.

      Hope that helps!

  21. Mukesh Kumar / June 11, 2017

    Hello Richard…
    Very easy way to understand, but please can you explain the IP scenario with a topology..

    • The IP addressing I used is just an example. You can use whatever IP addressing you desire, really. The important thing is that the internal and external interfaces have to be on different subnets, that’s all. 🙂

  22. Reggie / June 15, 2017

    Hi Richard,

    PLEASE HEEELP!!
    I am a total newbie and my host is Windows 10 with Hyper-V activated. I have only one NIC and I would like to set up a lab where I have a VM domain controller using its own AD DS, DNS and DHCP that includes Windows 10 and 7 clients. However, this VM LAN should exist on a separate IP subnet from my physical router. However, it should be able to access the internet.
    I would then like to add another 2012 R2 server with Windows 10 and 7 clients on yet another IP subnet (VM LAN2) with the ability to talk back and forth with VM LAN1. It should also have internet access.
    Is this set up the right one for me? How should I set this up? I am desperate and need help.
    Thanks!!
