Setting Up MS DirectAccess

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Setting Up MS DirectAccess

L3 Networker

Trying to configure DireectAccess (Windows Server) to work but I believe it is failing due to the Palo Alto. I created a custom application and application override for the ports needed but still failing. Per a Microsoft Document, "the firewall has to be configured to pass the traffic through transparently. you cannot NAT the traffic".  How do I do this?  Anyone else experience using DA (more so with DA is behind the PA firewall)? 

 

Thanks, 

3 REPLIES 3

Cyber Elite
Cyber Elite

I have not set up DirectAccess but few ideas.

Do you have dedicated public IP for DA?

If yes then can you set up bi-directional NAT with Service Any.

Permit all traffic from specific source IP you attempt to connect from to this DA IP.

Review logs. What applications do you see in use?

Disable app-overrides temporarily to see how Palo identifies this traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

DA does have a public IP. The PA is currently setup as a vwire, so NAT is handled by our Cisco ASA. I have all of the ports enabled correctly on the ASA).  As far as the PA, I created application overrides for all of the ports. One thing I noticed and I know this is the default since version 7 ( I believe); the policy for "Inbound Traffic" has application-Default as a service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)?

 

You mention premit all traffic from the source IP. Is that as in creating a new policy with that source IP and set any as service and allow?  

 

Sorry, still a newbie to PAN.  Thanks. 

Yes if you know public ip of client who tries to communicate then create policy where source zone is wan, source ip is client ip, application is any and service is any.

 

And share logs what you see Monitor > Traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 3048 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!