I sent Tom an email several days ago after reading some articles on "The Edge Man" blog, but then I found these forums so I'll post my questions here too.
Question/issue 1: I'm in the process of putting together a DirectAccess solution for a small client of mine that needs the features of DirectAccess but can't lay down the cash for multiple physical servers or UAG. They don't need the additional complexities of access to IPv4 only resources as this is basically going to be a new network starting from scratch. I know this may not be ideal from a performance perspective because of the many shared roles and limited scalability, but this is not going to be a network with many users; rather it will be a network of a dozen or so kiosks that will always be remotely connected. I'm starting to experiment some but haven't found many resources for the absolute simplest implementation of DirectAccess.
I will certainly be going through the test lab documentation and other papers from Microsoft regarding the set up, but I thought I'd ask just in case anyone knows of some resources I haven't found yet (or just has some good tidbits of info themselves).
My concept is this:
1) A single physical server running Win2008 R2 as the domain controller (also DNS server, DHCP server, CA, NL server, File Server)
2) A virtual server within that physical server running Win2008 R2 as the DirectAccess server
3) The server will have the appropriate dedicated physical NICs (one internal facing for the domain controller, one internal facing for the DirectAccess server, one external facing for the DirectAccess server)
4) A firewall appliance will sit in between the external NIC of the DirectAccess server and the internet connection to provide basic protection (not NAT, just firewall)
5) The remote kiosk clients will, of course, be running Win7 Enterprise
What I'd ultimately really love is a "test lab" document similar to the one already out there from Microsoft but designed to interface with the real internet instead of a fake internet. The document makes several references to "problems" trying to adapt that test environment into a real world scenario, but it doesn't give a whole lot of information about what "problems" they are referring to.
Question 2: What are the advantages/disadvantages of using a native IPv6 infrastructure (with a tunnel broker like Hurricane Electric) vs just using ISATAP? Are there any compelling reasons to go ahead and go native (especially if the network is going to be new with no legacy devices)?
Question 3: What are the security implications with opening up inbound IPv6 traffic into your network? Since DirectAccess requires Protocol 41 traffic to be let through the firewall directly to the external NIC on the DirectAccess server, doesn't this open up some potential security issues without an IPv6 firewall in place? Maybe I am missing something, but since Protocol 41 is encapsulating ALL IPv6 traffic in IPv4 packets isn't letting Protocol 41 traffic through essentially the same thing as having a computer directly connected to the IPv6 internet with no firewall at all?
Sorry for the lengthy post, but I'd love some feedback.
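To illustrate the point behind Question 3, here is an added example (not code from the original post or from Microsoft): it decodes IPv4 protocol-41 packets and looks at the IPv6 header carried inside, showing that an IPv4-only rule "allow protocol 41 to the external NIC" says nothing about which IPv6 traffic actually arrives. The inner-header policy (only IPsec ESP/AH and ICMPv6 expected, since DirectAccess tunnels are IPsec) and all addresses are constructed assumptions for illustration.

```python
import struct
import ipaddress

IPPROTO_IPV6, IPPROTO_ESP, IPPROTO_AH, IPPROTO_ICMPV6 = 41, 50, 51, 58
# Assumed policy (illustration only): DirectAccess tunnels are IPsec, so only ESP/AH plus ICMPv6 is expected inside protocol 41.
ALLOWED_INNER = {IPPROTO_ESP, IPPROTO_AH, IPPROTO_ICMPV6}

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) for constructed test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(next_header, src, dst, payload):
    """Minimal 40-byte IPv6 header for constructed test packets."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload); honours IHL so IPv4 options are skipped."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), pkt[ihl:]

def parse_ipv6(pkt):
    """Return (next_header, src, dst, payload) from the fixed IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    return pkt[6], str(ipaddress.IPv6Address(pkt[8:24])), str(ipaddress.IPv6Address(pkt[24:40])), pkt[40:]

def inspect(pkt):
    """Decide on a packet the way an IPv6-aware filter would; an IPv4-only filter stops after parse_ipv4."""
    proto, src4, dst4, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPV6:
        return {"outer": proto, "verdict": "not-6in4"}
    nh, src6, dst6, _ = parse_ipv6(payload)
    verdict = "allow" if nh in ALLOWED_INNER else "drop"
    return {"outer": proto, "inner_next_header": nh, "inner_src": src6, "inner_dst": dst6, "verdict": verdict}

# Constructed samples: both are identical to an IPv4 firewall (protocol 41 to the DA server's external NIC).
DA_EXTERNAL_V4 = "203.0.113.10"  # documentation address, placeholder for the DA external NIC
esp_inside = build_ipv4(IPPROTO_IPV6, "198.51.100.7", DA_EXTERNAL_V4,
                        build_ipv6(IPPROTO_ESP, "2001:db8:1::7", "2001:db8:2::10", b"\x00" * 8))
tcp_inside = build_ipv4(IPPROTO_IPV6, "198.51.100.7", DA_EXTERNAL_V4,
                        build_ipv6(6, "2001:db8:1::7", "2001:db8:2::10", b"\x00" * 20))
```

Running `inspect` on the two samples shows the first (ESP inside) allowed and the second (plain TCP inside) dropped, even though both pass an outer-only "protocol 41" rule; the Windows Advanced Firewall on the DirectAccess server is what applies this kind of inner-header filtering in practice.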