I want to deploy DirectAccess, but two requirements rule out a number of scenarios. In my environment I need to 1) maintain an internal and external firewall (i.e. not bridge the internal FW or open all IPv4 and IPv6 traffic), and 2) a domain-joined DirectAccess server cannot reside in the DMZ. Authentication in the DMZ is high on the list of desirable requirements, but is not mandatory like the previous two.
Much of the literature for this scenario revolves around TMG/UAG, but of course they are discontinued. Most of the TMG/UAG replacement recommendations point towards IIS ARR or Web Application Proxy, with some recommending an alternative firewall/load balancer - we have Citrix NetScaler in mind here.
I have concerns that IIS ARR is the least secure of the three options, in that it simply acts as a reverse proxy and offers no authentication. I may be misunderstanding there, however - does the client connection get passed through to the DirectAccess server in the server farm, or do the connections get terminated at the reverse proxy? This appears to be the easiest solution if we can get over the lack of authentication.
Web Application Proxy with AD FS appears to be the most difficult to implement but seems to be the most secure. I just don't see much information out there to suggest whether this would work with DirectAccess. For example, is DA claims-aware, or does it require Integrated Authentication (a no-go, as we cannot domain-join the WAP server in the DMZ)? Or we could use forms-based authentication... if DirectAccess supports it.
Lastly, there is the option of placing a load balancer such as a NetScaler in the DMZ, which can terminate and authenticate connections before relaying them to the internal DA server. I have less knowledge of how this works, but I think it's feasible - I don't yet have my head round how it authenticates.
Does anyone have any familiarity with any of these deployment scenarios, or can perhaps suggest another that I haven't considered? I'm also concerned about the termination of connections, particularly SSL, and how that will break/interact with DirectAccess. We are going to be NATing, so IP-HTTPS is the only transition protocol available to us.