Direct Access vs SCCM 2007

  • Question

  • I have Direct Access on Server 2012 and my clients are Teredo Clients.

    I want to manage SCCM clients from SCCM console. What I want to know is, what IPv6 address do I need on my SCCM server and do I need it? Also I get "IPv6 addressing is required to enable additional end-to-end authentication" on DA server. I want to use SCCM "Remote Desktop Client" from SCCM Console.

    Tnx for the help.


    Thursday, September 27, 2012 5:04 PM

All replies

  • I managed this, but Remote Desktop is not working. I can PING client outside.
    Thursday, September 27, 2012 5:33 PM
  • Hi,

    Check that the firewall rule for RDP on your clients allow NAT traversal.

    A good source for information regarding SCCM and DA can be found at http://www.isaserver.org/tutorials/Configuring-SCCM-UAG-DirectAccess-Part2.html



    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, September 27, 2012 6:51 PM
  • Hi Jonas,

    I checked out the rule regarding NAT traversal and it's ok. I can ping my client if I use IP-HTTPS connection but if I use Teredo, nothing happens. I have set the IPv6 address on my SCCM server and I have configured DA IPv6 NLB address as default gateway.

    Do I need to put Teredo IPv6 address on my SCCM, so I can see Teredo IPv6 clients? Very confusing...

    Friday, September 28, 2012 8:58 AM
  • I somehow managed to ping my Teredo clients. Didn't change anything, it just started to work.

    Anyway, now I only have a problem doing remote desktop to my clients from SCCM. I configured ports 2701-2702 and of course 3389.

    When I try Start > Remote Desktop Client it won't work. If I try Remote Desktop connection from clients I can connect anywhere. When I try Remote Desktop from DA servers it works.

    Any suggestions? 

    Friday, September 28, 2012 11:17 AM
  • Hi again,

    To summarize your comments.

    * You can now reach clients with ICMP when they are connected with both Teredo and IPHTTPS?
    * You can NOT RDP to your clients if they are connected with Teredo or IPHTTPS

    My suggestion is that you do the following:
    Verify that the RDP firewall rule on the client firewall is configured to allow traffic from your internal IPv6 range and that the firewall rule is enabled for the Public and Private firewall profile.

    Enable logging of allowed AND dropped packets on the windows firewall on the DA client that you try to connect to?
    This way you can see if/that the traffic reaches the client.
    (Ie, if the problem is in the routing or on the clients firewall)



    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, September 28, 2012 6:21 PM
  • Hi,

    1. Yes I can reach my clients with ICMP, both Teredo and IPHTTPS

    2. No, I can not connect if they are connected with Teredo or IPHTTPS

    I can see packets with wireshark.

    Tnx for the effort

    Monday, October 1, 2012 8:25 AM
  • For #2:

    When you see packets in Wireshark, do you actually see that there's an established TCP session for RDP? If not (e.g. the client doesn't respond), then I'd say you have a client firewall issue. If yes, then you have an application issue on the client where RDP is not accepting the traffic.

    Btw, have you set allow edge traversal for the client side rule for RDP?

    Where do you see the traffic? On the client?


    Hth, Anders Janson Enfo Zipper

    Monday, October 1, 2012 9:01 AM
  • I see "TPKT: Typically, RDP uses TPKT as its transport protocol. TPKT runs atop TCP; when used to transport RDP, the well known TCP port is 3389" (taken from Wireshark Wiki).

    Also, when my client is in the corporate network, packets are very similar.

    Can you just tell me what are your firewall rules, so I can try that way? I think it would be easier. The thing is, this is my test environment and firewall rules are basically allow all. What I don't understand is, how I can establish RDP from Direct Access servers and not from SCCM? I must tell again, I have DA servers in NLB, but I don't see that as problem.

    EDIT:

    I can ping client from SCCM.

    • Edited by Vuk Kadija Monday, October 1, 2012 10:06 AM
    Monday, October 1, 2012 9:50 AM
  • Finally my colleague figured it out.

    You need to add IPv6 suffixes on firewall gpo. We added Teredo and IP-HTTPS IPv6 suffixes to the Remote IP addresses and now it works.

    Tnx for all of your help.

    Monday, October 1, 2012 12:16 PM
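The client-side pieces discussed in this thread, written out as an added PowerShell example that is not from the thread or from any of the posters: an inbound RDP rule whose Remote IP scope includes the Teredo and IP-HTTPS prefixes with edge traversal allowed, allow-and-drop logging on the Windows Firewall, and a parser for pfirewall.log that shows whether TCP/3389 from the management server reaches the DA client. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012; the prefixes, function names and log lines are placeholders or constructed.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module (Windows 8 / Server 2012+).
# Prefixes below are placeholders (2001:db8::/32 is documentation space); substitute your own.
$TeredoPrefix  = '2001:0::/32'       # well-known Teredo prefix
$IpHttpsPrefix = '2001:db8:1::/64'   # placeholder: IP-HTTPS prefix from your DA configuration
$ManagementNet = '2001:db8:2::/64'   # placeholder: internal IPv6 range of SCCM / management servers
function New-DaRdpRule {
    # Inbound RDP rule on the DA client: the remote scope must cover every address the SCCM
    # server can appear from; EdgeTraversalPolicy Allow is what admits Teredo-tunnelled traffic.
    param([string[]]$RemoteAddress = @($ManagementNet, $TeredoPrefix, $IpHttpsPrefix))
    New-NetFirewallRule -DisplayName 'RDP in (DirectAccess manage-out)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteAddress -Profile Domain,Private,Public `
        -EdgeTraversalPolicy Allow -Enabled True
}

function Enable-DaFirewallLogging {
    # Log both allowed and dropped packets: no TCP/3389 entry at all points at routing,
    # a DROP entry points at the client firewall rule.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 4096
}

function Get-RdpLogSummary {
    # Counts inbound TCP/3389 entries in W3C-style pfirewall.log lines, by action and source.
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # fields: date time action protocol src-ip dst-ip src-port dst-port ... path
            if ($f.Count -ge 17 -and $f[3] -eq 'TCP' -and $f[7] -eq '3389' -and $f[16] -eq 'RECEIVE') {
                [pscustomobject]@{ Action = $f[2]; Source = $f[4] }
            }
        } |
        Group-Object Action, Source |
        ForEach-Object {
            [pscustomobject]@{ Action = $_.Group[0].Action; Source = $_.Group[0].Source; Count = $_.Count }
        }
}

# Constructed sample log (not captured traffic): a SYN from the management range is dropped,
# one from another internal host is allowed, and an ICMPv6 echo is ignored by the filter.
$sampleLog = @(
  '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
  '2012-10-03 08:40:01 DROP TCP 2001:db8:2::10 2001:0:1234::1 49152 3389 52 S 1 0 8192 - - - RECEIVE',
  '2012-10-03 08:40:05 ALLOW TCP 2001:db8:3::5 2001:0:1234::1 49160 3389 52 S 1 0 8192 - - - RECEIVE',
  '2012-10-03 08:40:07 ALLOW ICMPv6 2001:db8:2::10 2001:0:1234::1 - - 104 - - - - 128 0 - RECEIVE'
)
Get-RdpLogSummary -Lines $sampleLog | Format-Table -AutoSize
```

Run Get-RdpLogSummary against the real log (Get-Content of the path set above) on the client while attempting the RDP session from the SCCM console: a DROP from the SCCM server's address means the rule scope or edge traversal is wrong, no entry at all means the packets never reached the client.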
  • Glad to hear you solved it.
    If your client has an ISATAP address internally you should only have to add that range, or are you connecting from one DA client to another DA client?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, October 1, 2012 12:33 PM
  • Yeah, we want that also, but tnx for the advice. 
    Monday, October 1, 2012 12:36 PM
  • It still does not work :)

    I was wrong, my colleague put it on internal network. hehehe.

    So, the problem still remains. :)

    Monday, October 1, 2012 1:28 PM
  • Hi again,

    To summarize again,
    You see dropped packets at clientA when clientA is connected over DirectAccess?

    What does the Windows Firewall log say, are the packets dropped?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, October 1, 2012 2:53 PM
  • Hi Jonas,

    I enabled firewall logging on client and I don't have anything in log. Nothing, zero... I've enabled it on all profiles and even when client is in local network, I have nothing in log.

    edit: this is really frustrating, everything seems to be ok, I triple checked my firewall rules the way everyone says it works (but I really doubt), I can ping DA clients from servers and servers from DA clients, I can RDP on client from DA server(s). Just can't figure out what's wrong.
    • Edited by Vuk Kadija Tuesday, October 2, 2012 1:54 PM
    Tuesday, October 2, 2012 11:06 AM
  • The fact that you cannot see anything at all in the logs is really strange.
    If you have enabled logging of both successful and dropped packets you should see a lot of traffic.

    What happens if you add an extra firewall rule that is attached to all profiles and allow all incoming TCP traffic to any port and then try to use Telnet or something similar to initiate a connection to a random port?

    There is no chance that you have some kind of antivirus software that has an additional firewall enabled or something like that?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Tuesday, October 2, 2012 7:17 PM
  • No, we don't have any antivirus software, because it's lab environment, to avoid any possible problems.

    Yes I have many things in log. I can see that NO 3389 (RDP) are coming from my servers inside my corp network to external DA client. When I try the same thing from DA server, I see 3389. Also, we added firewall rule that allows any kind of traffic = Allow all and Allow traversal. I also read some articles and deployment guides from Schindler, but no help.

    I configured on my SCCM 2007 server IPv6 address and as a gateway I configured DA server's IPv6 address. I can ping that IPv6 address from my client. So, I don't think I have some routing issues. 

    EDIT:

    Received ICMP packets are in the log.

    • Edited by Vuk Kadija Wednesday, October 3, 2012 9:43 AM
    Wednesday, October 3, 2012 8:42 AM
  • Ok, good to know that you see things in your logs.
    I interpreted "Nothing, zero" in the way that the logs were completely empty of everything.

    One thing, do you have a logged on user on your client so it has enabled both Infrastructure and Intranet tunnels?
    Otherwise your SCCM server has to be added to the list of Infrastructure/Management servers in your DA setup.
    ICMP traffic is exempt from the IPSec tunnels but the RDP traffic will need to go through one of the tunnels.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Wednesday, October 3, 2012 9:43 AM
  • From the start SCCM is added to the list of Infrastructure/Management servers in my DA setup.

    I am always logged on and I tried to do Remote Desktop when the user is logged off, but still the same problem. I can see RDP in the log when I'm trying from DA server. 

    Wednesday, October 3, 2012 10:18 AM
  • All of a sudden I can RDP from Domain Controller to DA client.

    Incredible. From any other server, nothing happens. 

    Thursday, October 4, 2012 10:30 AM
  • Hi again,

    The domain controllers are normally added to the list of Infrastructure servers.
    It sounds like the Infrastructure tunnel works but that the Intranet tunnel does not allow outgoing traffic.

    Do you have Native IPv6 deployed internally?
    If so, do your DCs have statically assigned IPs or dynamically assigned?

    If RDPing did not work before from the same DC, could the list of IPs have been updated due to a refresh of the DirectAccess settings?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, October 4, 2012 10:45 AM
  • Could this relate to your other thread on the same/similar issue where your clients do not register in DNS?

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/a1afd60b-98ea-44e8-8ea0-b87f7cf90bcb/


    Hth, Anders Janson Enfo Zipper

    Thursday, October 4, 2012 10:54 AM
  • My DC has a statically assigned IP, also SCCM has a statically assigned IP. I read somewhere that without IPv6 on SCCM, you can not Manage Out clients. Their records are registered in DNS. "If RDPing did not work before from the same DC, could the list of IPs have been updated due to a refresh of the DirectAccess settings?" - Sorry but I don't understand this. I could ping client from the start from any server in my environment (Application Servers).
    Thursday, October 4, 2012 11:33 AM
  • We have reinstalled DA server and now everything works.

    I just don't understand what was the problem. Finally, can anyone give me advice, do I need to configure IPv6 before I configure DA servers? As Jonas and Anders suggested maybe this was DNS problem.


    • Edited by Vuk Kadija Thursday, October 4, 2012 2:12 PM
    Thursday, October 4, 2012 2:08 PM
  • Hi,

    If the IPv6 configuration on the internal nodes was configured after you did your DirectAccess configuration the IPSec rules would only contain the NAT64 addresses so yes, that could be a valid reason for the connection to fail when you try to connect when only the Infrastructure tunnel was established.
    But it should not be required when there was a logged on user on the client.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, October 5, 2012 1:10 PM
  • Recycling electrons:

    Have you configured ISATAP? That is needed in order for the management machines to know where to find the client and how to get there.

    Jason Jones has written an excellent blog entry on implementing a limited version of ISATAP without turning your entire internal network into an ISATAP based IPv6 network.

    http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html

    This applies to DirectAccess configurations in both UAG and Server 2012 where you are using NAT64.


    Hth, Anders Janson Enfo Zipper

    Friday, October 5, 2012 6:16 PM
  • First sorry for not replying for some time.

    Tnx for all the help Jonas and Anders, I managed this with your help.

    Cheers

    Tuesday, October 16, 2012 12:25 PM