A few questions on Direct Access 2012

    Question

  • Hi guys,

    I implemented DirectAccess in our company and everything seems to work fine, but I have a few things that are not clear to me at the moment.
    Scenario: DirectAccess with a single NIC behind an edge device. External DNS entry DA.company.de with port forwarding 443 to the DirectAccess server.
    We only use Windows 8 clients. No high availability, no multisite. Windows Firewall is enabled for all profiles on the server and clients.

    Questions:

    • As soon as my clients have an Internet connection, the DirectAccess connection shows as connecting, but it always takes about 25-30 seconds until it shows as connected. Is this normal behaviour? I always heard that DirectAccess will only take 3-5 seconds to connect?!? As we use a single-NIC configuration behind an edge device, only IP-HTTPS is working for us. Might this be the reason? (Would a connection over Teredo/6to4 be faster?)

    • As I stated before, our connection is working fine and all clients can access internal resources without problems, but if I collect the client logs, it shows that the DTE list is failing. The probes list is marked as successful.
      That's what it looks like right now:

    Probes List
    HTTP: http://directaccess-WebProbeHost.test.corp.int (Pass)
    PING: dc1.test.corp.int (Pass)
    PING: dc2.test.corp.int (Pass)
    PING: dc3.test.corp.int (Pass)

    --------------------------------------------------------------------------------
    DTE List
    PING: fd45:c113:c3bd:1000::1 (Fail)
    PING: fd45:c113:c3bd:1000::2 (Fail)

    EDIT// OK, this one is solved now; I had to enable the ICMPv4/ICMPv6 inbound rules on the DirectAccess server.

    • In the DirectAccess configuration I set our SCCM server as a management server; what consequences does this have exactly? Right now I can receive applications, policies etc. offered by SCCM when I am connected using DirectAccess, but what I cannot do is, for example, remote control DirectAccess clients. Also, I cannot ping the DirectAccess clients from the SCCM server. I can only ping them from the DirectAccess server (IPv6 response).

    • When I am connected through DirectAccess, I can RDP into any server without problems except the DirectAccess server itself. Is this normal? Is there anything I need to configure to get that working? Or is this caused by our one-NIC-only setup?

    OK, I think that's enough for now :)
    I would really appreciate it if you guys can help me get these issues worked out.

    Cheers

    Stefan

    Tuesday, May 07, 2013 5:53 AM
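    The probe and DTE results in the client log above can be reproduced by hand, and the fix from the EDIT (inbound ICMP on the DirectAccess server) can be checked and applied from PowerShell. The following block is an added example, not code from the original post: part 1 reads the NCA probe list and IPsec tunnel endpoints from the client's DirectAccess policy and tests each entry the way the log reports them; part 2 enables the inbound echo-request rules on the DA server. The host names and fd45: addresses come from the question; the property names CorporateResources and IPsecTunnelEndpoints are those of the DirectAccessClientComponents module's Get-DAClientExperienceConfiguration output, the matched rule names are the English built-in "File and Printer Sharing (Echo Request ...)" rules, and the display name of the fallback rule is an assumption.

```powershell
# Added example, not from the original post. Part 1 runs on a Windows 8
# DirectAccess client, part 2 on the DirectAccess server; both elevated.

# --- 1. Client: replay the NCA probe and DTE checks from the client log --------
# Get-DAClientExperienceConfiguration (DirectAccessClientComponents module) returns
# the NCA settings from the DirectAccess client GPO. CorporateResources is the
# "Probes List" (HTTP:<url> / PING:<host>); IPsecTunnelEndpoints is the "DTE List"
# (PING:<IPv6 address of the DA server>).
$nca = Get-DAClientExperienceConfiguration

function Test-DAProbe {
    param([Parameter(Mandatory)][string]$Entry)   # e.g. "PING:dc1.test.corp.int"
    # split on the first ':' only, so IPv6 literals such as fd45:c113:... stay intact
    $kind, $target = $Entry -split ':', 2
    switch ($kind.ToUpperInvariant()) {
        'PING' { $ok = Test-Connection -ComputerName $target -Count 2 -Quiet }
        'HTTP' {
            try { $null = Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec 10; $ok = $true }
            catch { $ok = $false }
        }
        default { $ok = $false }
    }
    $result = if ($ok) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{ Kind = $kind; Target = $target; Result = $result }
}

'Probes List'
$nca.CorporateResources   | ForEach-Object { Test-DAProbe $_ }
'DTE List'
$nca.IPsecTunnelEndpoints | ForEach-Object { Test-DAProbe $_ }

# --- 2. DA server: the ICMP inbound rules the EDIT refers to ---------------------
# The DTE entries are the DA server's own IPv6 tunnel endpoint addresses, so the
# client's echo requests terminate on the DA server and need an inbound allow there.
# The built-in "File and Printer Sharing (Echo Request - ICMPvX-In)" rules cover
# this; the names below are the English display names.
$icmpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -match 'Echo Request.*ICMPv[46]-In' }
$icmpRules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# Enable them on every profile (this is the change that turned the DTE list to Pass)
$icmpRules | Set-NetFirewallRule -Enabled True -Profile Any

# If no ICMPv6 echo rule exists at all, add one (assumed display name, not from the post)
if (-not ($icmpRules | Where-Object { $_.DisplayName -like '*ICMPv6-In*' })) {
    New-NetFirewallRule -DisplayName 'DirectAccess DTE probes (ICMPv6 Echo Request-In)' `
        -Direction Inbound -Protocol ICMPv6 -IcmpType 8 -Action Allow -Profile Any
}
```

    Part 1 is only worth running from outside the corporate network (the NCA does not probe while the client is inside); a DTE "Fail" with a passing probes list is the signature of the DA server dropping ICMPv6 echo requests on its tunnel addresses, which is exactly the symptom the EDIT describes.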

All replies

  • Quoting the question:

      • As soon as my clients have an Internet connection, the DirectAccess connection shows as connecting, but it always takes about 25-30 seconds until it shows as connected. Is this normal behaviour? I always heard that DirectAccess will only take 3-5 seconds to connect?!? As we use a single-NIC configuration behind an edge device, only IP-HTTPS is working for us. Might this be the reason? (Would a connection over Teredo/6to4 be faster?)

    Hello,

    Normally, yes, it will be faster with Teredo/6to4.

      • In the DirectAccess configuration I set our SCCM server as a management server; what consequences does this have exactly? Right now I can receive applications, policies etc. offered by SCCM when I am connected using DirectAccess, but what I cannot do is, for example, remote control DirectAccess clients. Also, I cannot ping the DirectAccess clients from the SCCM server. I can only ping them from the DirectAccess server (IPv6 response).

    SCCM could push client deployments, or you could use the SCCM server to make a remote connection to your client, for a support scenario for example.

      • When I am connected through DirectAccess, I can RDP into any server without problems except the DirectAccess server itself. Is this normal? Is there anything I need to configure to get that working? Or is this caused by our one-NIC-only setup?

    If I remember correctly, you could RDP to your DA server; try to check whether RDP is enabled on the server and check the Windows Firewall rules.

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/


    Tuesday, May 07, 2013 8:54 AM
  • The delay in establishing DirectAccess is not normal; it usually is quicker than that. It could be the performance of the DirectAccess server itself, but more likely whatever device you are sending the NAT through is causing the delay. I always recommend installing DirectAccess in the dual-IP edge scenario, giving it two actual public IP addresses, because then you don't have the potential for the NAT to cause any trouble, and that way you have Teredo available in addition to IP-HTTPS; Teredo is a more efficient protocol.

    Any servers that you add to the Management Servers list are available to be accessed from the DirectAccess computer over the "infrastructure" IPsec tunnel, which is established even prior to user authentication. The Management Servers list is for any server that might need to be contacted by the machine itself instead of being accessed by the user. The two most common types of servers in this list are going to be domain controllers (and all of your DCs are added to this list automatically in the background) and SCCM servers. This way the DirectAccess computers can talk to SCCM and get updates even when the user is sitting at the login screen.

    Simply adding the SCCM servers to the Management Servers list DOES NOT mean that you will be able to do pushes from SCCM to the client or to do remote control from the SCCM server to the client. The process to get that working is more involved. For this to happen, not only do you need the SCCM servers added to the Management Servers list, but you also need to give the SCCM servers IPv6 connectivity inside the network, whether via a native IPv6 network or with the use of ISATAP. Only then, once the SCCM servers have IPv6 routability to the DA client computers, will you be able to do these things.

    Friday, May 24, 2013 7:46 PM
  • Stefan,

    • In the DirectAccess configuration I set our SCCM server as a management server; what consequences does this have exactly? Right now I can receive applications, policies etc. offered by SCCM when I am connected using DirectAccess, but what I cannot do is, for example, remote control DirectAccess clients. Also, I cannot ping the DirectAccess clients from the SCCM server. I can only ping them from the DirectAccess server (IPv6 response).

    • When I am connected through DirectAccess, I can RDP into any server without problems except the DirectAccess server itself. Is this normal? Is there anything I need to configure to get that working? Or is this caused by our one-NIC-only setup?

    For your first question: does SCCM try to connect to the IP address of the DA client (target system) when trying to remote control? Are you running IPv6 internally?

    The second question is easy... you cannot connect to the DA server via DNS name resolution, as DA has added da.yourdomain.com and servername.yourdomain.com to the DNS exclusion list for clients that are connected via DA. And you will not be able to connect to it via IP address either. So just add a DNS entry internally that points to the internal IP of the DA server for RDP connections... for example admin_da.yourdomain.com points to x.x.x.x. Then point your RDP client to that DNS name and you should be able to RDP to the DA server while connected remotely via DA.

    Tuesday, September 03, 2013 8:08 PM
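    The NRPT behaviour this reply describes can be inspected from a connected client, and the suggested workaround scripted on the internal DNS server. The block below is an added example, not part of the reply. The zone name test.corp.int is taken from the client log in the question; the record name admin-da (a hyphen rather than the underscore in the reply, since "_" is not a valid host-name character under RFC 1123) and the internal address 10.0.0.5 are assumptions.

```powershell
# Added example, not from the reply. Part 1 on a connected DirectAccess client,
# part 2 on the internal DNS server (DnsServer module), part 3 on the client again.

# --- 1. Client: show the NRPT rules the DirectAccess GPO pushed ------------------
# Rules with DirectAccessDnsServers set are resolved by the DNS64 service on the DA
# server (through the tunnel). Rules with no DNS servers are exemptions, resolved
# by the normal local/ISP resolver. The DA server's own FQDN and its public name
# (DA.company.de) are such exemptions, which is why RDP to the DA server's own
# name never goes through the tunnel.
Get-DnsClientNrptPolicy |
    Select-Object Namespace, DirectAccessEnabled, DirectAccessDnsServers |
    Format-Table -AutoSize

# Exemptions only
Get-DnsClientNrptPolicy | Where-Object { -not $_.DirectAccessDnsServers } |
    Select-Object -ExpandProperty Namespace

# --- 2. Internal DNS server: a second name for the DA server's internal address ---
# This name falls under the corp suffix rule and is not in the exemption list, so
# the client resolves it via the DA server's DNS64 and reaches it through the tunnel.
$zone           = 'test.corp.int'
$name           = 'admin-da'    # assumed; '_' as in the reply's admin_da is not a valid host-name character
$daInternalIPv4 = '10.0.0.5'    # assumed internal IPv4 address of the DA server
Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $daInternalIPv4

# --- 3. Client: confirm the name resolves through DA (DNS64 synthesizes an AAAA
#        answer from the A record) and connect
Resolve-DnsName -Name "$name.$zone" -Type AAAA
mstsc.exe /v:"$name.$zone"
```

    If part 3 returns an A record and no AAAA, the name is being resolved outside the tunnel; check that the suffix rule for the zone exists in part 1 and that the new name is not caught by an exemption.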
  • Hi Stefan,

    If you follow this guide for manage-out (from my colleague Jason Jones), which negates the need for enabling ISATAP across the board, it will help with the first issue of manage-out from the SCCM servers (I am currently using this on a large deployment right now and it works very well):

    http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx

    Secondly (and I am also doing this right now), enable the firewall rules in Windows Firewall as per these links; note the "edge traversal" amendment:

    http://blog.concurrency.com/infrastructure/system-center/firewall-exceptions-to-allow-sccm-remote-control-for-directaccess-clients/ and

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx

    These I have working in production along with a few other things. One thing to note: Remote Assistance does not work with DirectAccess currently and is undergoing a fix at MS, or so I was last led to believe. Also, to manage out I use the servers listed in the ManageIsatap GPO; for example, if you apply the GPO mentioned to the SCCM01 server, then that's where to establish the RDP / remote event log etc. sessions from.

    KR, John


    john davies

    Wednesday, September 04, 2013 10:59 AM
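    The two manage-out replies above (the Management Servers list plus IPv6 routability for the SCCM server, and the edge-traversal firewall rules on the clients) describe one procedure. The block below is an added example, not code from any post in this thread or from the linked guides: it checks the Management Servers list on the DA server, enables ISATAP on the SCCM server only (pointed at a router name rather than a global ISATAP DNS record, the idea of the Jason Jones guide), sets the client inbound rules to allow edge traversal, and finally probes a client over IPv6 from the SCCM server. The names sccm01, da-isatap.test.corp.int and client01.test.corp.int, the SCCM remote-control rule display name, and the choice of TCP 2701 for that rule are assumptions.

```powershell
# Added example, not from this thread. Run each part where the comment says.

# --- 1. DA server (RemoteAccess module): what is in the Management Servers list ----
# Entries here are reachable from clients over the infrastructure tunnel before
# user logon, but this alone gives the SCCM server no IPv6 route back to clients.
Get-DAMgmtServer -Type All

# --- 2. SCCM server (manage-out host): ISATAP towards the DA server only ----------
# Pointing the ISATAP client at a dedicated router name (assumed) instead of the
# forest-wide 'ISATAP' record limits ISATAP to the hosts that need manage-out.
Set-NetIsatapConfiguration -State Enabled -Router 'da-isatap.test.corp.int'
# ISATAP addresses embed the IPv4 address after ...:0:5efe: (or :200:5efe: for public IPv4)
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -match '5efe:' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

# --- 3. DA clients (normally through GPO): inbound rules with edge traversal --------
# Traffic from the SCCM server reaches the client on the IP-HTTPS tunnel adapter,
# which Windows Firewall treats as an edge-traversed path, so the inbound rules
# must be enabled on all profiles AND have EdgeTraversalPolicy = Allow.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Profile Any -EdgeTraversalPolicy Allow

# The Configuration Manager client normally creates its own remote-control rule;
# if a client lacks one, add an equivalent (assumed name and port).
$rcName = 'Configuration Manager Remote Control (TCP 2701-In)'
if (-not (Get-NetFirewallRule -DisplayName $rcName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rcName -Direction Inbound -Protocol TCP -LocalPort 2701 `
        -Action Allow -Profile Any -EdgeTraversalPolicy Allow
}

# --- 4. SCCM server: verify manage-out reachability over IPv6 -----------------------
# DA clients register their tunnel (IPv6) addresses in AD-integrated DNS, so resolve
# the AAAA record and attempt TCP connects to the RDP and remote-control ports.
function Test-DAClientManageOut {
    param([Parameter(Mandatory)][string]$ClientFqdn, [int[]]$Ports = @(3389, 2701))
    $aaaa = Resolve-DnsName -Name $ClientFqdn -Type AAAA -ErrorAction Stop |
            Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
    $ip = [System.Net.IPAddress]::Parse($aaaa.IPAddress)
    foreach ($p in $Ports) {
        $c = New-Object System.Net.Sockets.TcpClient([System.Net.Sockets.AddressFamily]::InterNetworkV6)
        try {
            $ar   = $c.BeginConnect($ip, $p, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne(3000) -and $c.Connected   # 3 s timeout
        } catch { $open = $false }
        finally { $c.Close() }
        [pscustomobject]@{ Client = $ClientFqdn; IPv6 = $ip.ToString(); Port = $p; Open = $open }
    }
}
Test-DAClientManageOut -ClientFqdn 'client01.test.corp.int'
```

    If part 4 resolves an AAAA address but every port shows Open = False while the DA server itself can ping the client, the missing piece is usually part 2 (the SCCM server has no IPv6 path into the tunnel prefix) or part 3 (the rule exists but edge traversal is still blocked); an IPv4-only answer from Resolve-DnsName means the client's tunnel address was never registered in DNS.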