I installed 2012 DirectAccess in Edge configuration, first interface connected to intranet and second interface connected to internet.
When I did port scanning from the internet, to my surprise there are about 1000 ports open to the internet. 85% are high ports, and the rest are well-known ports.
Ports like tcp 3389, tcp 135, tcp 445 are open to everybody by default.
Isn't this an enormous security issue? At least it should be mentioned somewhere?
So the options are: you manually configure Windows Firewall rules, or you put your DirectAccess server behind an edge firewall, or you build your DirectAccess with NAT.
With UAG DirectAccess you really did not have this problem, you opened to the internet only the few ports that were needed for DirectAccess. UAG DirectAccess was easily built without an edge firewall.
Thanks,
-oraat
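The first of the three options in the post above, manually configuring Windows Firewall on the internet-facing interface, as an added example that is not part of the original post and not Microsoft's DirectAccess setup code. It assumes Windows Server 2012 with the NetSecurity PowerShell module, that the internet-facing adapter is named "External" (check with `Get-NetAdapter` and adjust `$ExternalIf`), that the server is an IPv4 edge with the standard transition technologies (IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 as IP protocol 41, ICMPv6 echo for Teredo), and that it runs in an elevated session on the DirectAccess server itself.

```powershell
# Added example (not from the original post): restrict the internet-facing
# interface of a Windows Server 2012 DirectAccess edge server so that only
# the transports DirectAccess needs are reachable, and explicitly block the
# management ports the port scan found (TCP 135, 139, 445, 3389).
#
# Assumptions: the external NIC is called "External" (adjust), the DA server
# uses IP-HTTPS, Teredo and 6to4, and you run this elevated on the DA server.

$ExternalIf = "External"   # assumed interface alias; verify with Get-NetAdapter

# 1. Audit first: list the inbound allow rules that apply to the Public profile
#    (or all profiles). These are the rules that expose services on the edge.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# 2. Allow on the external interface only what the DirectAccess transition
#    technologies need. Rules are scoped to the interface, so the intranet
#    side is not affected.
New-NetFirewallRule -DisplayName "DA Edge: IP-HTTPS (TCP 443)" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
    -InterfaceAlias $ExternalIf -Profile Any

New-NetFirewallRule -DisplayName "DA Edge: Teredo (UDP 3544)" `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 3544 `
    -InterfaceAlias $ExternalIf -Profile Any

New-NetFirewallRule -DisplayName "DA Edge: 6to4 (IP protocol 41)" `
    -Direction Inbound -Action Allow -Protocol 41 `
    -InterfaceAlias $ExternalIf -Profile Any

New-NetFirewallRule -DisplayName "DA Edge: ICMPv6 echo request (Teredo)" `
    -Direction Inbound -Action Allow -Protocol ICMPv6 -IcmpType 128 `
    -InterfaceAlias $ExternalIf -Profile Any

# 3. Explicitly block the RPC/SMB/RDP ports from the Internet side. In Windows
#    Firewall a Block rule takes precedence over any Allow rule, so this
#    overrides the built-in "Remote Desktop" / "File and Printer Sharing" /
#    RPC endpoint mapper allow rules on this interface only. Client traffic
#    inside the IPsec tunnels arrives on the IP-HTTPS/Teredo/6to4 tunnel
#    interfaces, not on the physical external interface, so it is unaffected.
foreach ($port in 135, 139, 445, 3389) {
    New-NetFirewallRule -DisplayName "DA Edge: block TCP $port from Internet" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $port `
        -InterfaceAlias $ExternalIf -Profile Any
}

# 4. Make sure anything not explicitly allowed is dropped on the Public profile
#    (Block is the default inbound action, but confirm it was not changed).
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# 5. Re-check what the edge exposes now: rules scoped to the external interface.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object {
        ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -contains $ExternalIf
    } |
    Select-Object DisplayName, Action |
    Format-Table -AutoSize
```

Re-run the external port scan afterwards; with these rules only TCP 443 (and UDP 3544 if Teredo is enabled) should answer from the Internet. The audit list from step 1 is the basis for going further: every remaining built-in allow rule that the DirectAccess server does not need on the edge can be re-scoped to the intranet adapter with `Set-NetFirewallRule -InterfaceAlias "Internal"` (assumed adapter name) rather than blocked port by port, which also covers the dynamic high ports the scan reported.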