How to enable/use remote assistance from one DirectAccess client to another in F5 load balanced DA environment RRS feed

  • Question

  • Hi,

    We have setup a DirectAccess production environment with two DirectAccess servers load balanced using a single F5 ELB. The DA clients can connect to DA server using IPHTTPS connection and access corporate resources.

    However Remote Assistance is not working from computers in corporate network to DA clients as Isatap is disabled on DA servers due to External Load Balancing.

    Remote assistance from DirectAccess server to DirectAccess Client machine is working using the RemoteAssistance Invitation file however not using Offer Remote Assistance.

    Group policy is not configured for Offer Remote Assistance or any other method. Inbound and Outbound firewell rules have been created to allow Remote Assistance Traffic on DA client machines.

    Is it possible to enable remote assistance from one DirectAccess client machine to another?

    Any assistance will be highly appreciated.


    Wednesday, June 18, 2014 10:03 AM

All replies

  • I'm struggling with the same issue. There is an article here https://devcentral.f5.com/articles/direct-access-on-windows-2012-r2-manage-out-with-a-hardware-load-balancer which describes a workaround.
    Wednesday, July 2, 2014 12:16 AM
  • Hi Matt,

    We have gone through that article earlier. That article assumes that the environment is capable of supporting Manage Out (IPv6, or ISATAP, internally). However in our environment both are not applicable. Native IPv6 network connectivity is also not present.

    Wednesday, July 2, 2014 2:28 PM
  • Hi,

    If you can't have ISATAP/IPv6 on LAN it's time to consider the problem from another point of view. You just need end-to end connectivity in IPv6/ Why not using another DirectAccess client to perform remote assistance. You just have to secure network flow and it will work.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, July 2, 2014 7:23 PM
  • Hi BenoitS,

    That is my original question, how to use remote assistance to connect to one directaccess client from another. Could you provide me the steps or any documentation which describes the steps to secure network flow between the two directaccess client machines.

    Thursday, July 3, 2014 10:19 AM
  • Hi,

    Its simple and complex at the same time. First you need to have DNS resolution for IPv6 addresses (Records AAAA) in internal DNS. For This, have a look at this blog post : http://danstoncloud.com/blogs/simplebydesign/archive/2013/01/12/dns64-behavior-change-in-windows-server-2012.aspx

    Once you have name resolution you should be able to ping (if not, NAT-Transversal or protocol is not enabled in the firewall). Next move is to enable incoming network flow for remote assistance and enable NAT-Transversal. At this stage, Remote assistance should work but network flow between directaccess clients will not be protected by IPSEC tunnels of DirectAccess. We will need to build our own IPSEC transport rules for that.

    Thats a subject I'm trying to finalize in a blog post, but i'm short in time these days.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, July 3, 2014 11:29 AM
  • Hi,

    We have allow edge traversal setting already enabled on the firewall rules. Does the Set-NetDNSTransitionConfiguration –OnlySendAQuery command make any changes to the functionality of DirectAccess other than changing DNS64 configuration on DirectAccess server? Does this cause any issues with existing functionality of DirectAccess?

    We are waiting for the approval to make this change, as this powershell command does not work on the UAG DA server in our test environment.

    Also please provide us the link to the IPSEC transport rules that need to be created for communication from one DirectAccess client to another once you have published it.

    Thank you. 

    Monday, July 7, 2014 10:14 AM
  • Hi,

    Microsoft does not provide guidances for the additional IPSEC transport. You can do without it but this network flow will be unencrypted between two DirectAccess clients. And I missed one important thing for Windows Remote assistance with DirectAccess since Windows Server 2012 : You need a hotfix for Windows 7 and Update 1 of Windows 8.1 : http://danstoncloud.com/blogs/simplebydesign/archive/2014/05/10/why-update-1-of-windows-8-1-windows-2012-r2-is-important-for-directaccess.aspx and http://danstoncloud.com/blogs/simplebydesign/archive/2014/01/15/directaccess-and-windows-remote-assistance.aspx

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, July 8, 2014 8:25 PM