DirectAccess - Remote Management

  • Question

  • Hi,

    I'm building a DirectAccess solution using a UAG array with 2 nodes. Everything works as expected, except for one thing: remote management.

    A remote support machine is connected to the LAN. I am able to resolve the IPv6 address of a DA client that is connected to the internet, but I receive request timeouts instead of replies.

    As a test, on the DA client's local firewall I enabled logging of blocked packets, and ICMPv6 echo requests are blocked. When the DA client is pinged from the support machine, I see the machine's name successfully resolve to an IPv6 address and get "request timeout" as expected. When I look in the DA client firewall log I find the blocked packets. That tells me that the packets travel from the LAN to the DA client. This exact same behaviour goes for remote desktop connection attempts as well.

    However, when I allow ICMPv6 echo request and remote desktop (TCP 3389) it still doesn't work.

    When I connect the DA client to the LAN, remote desktop works fine. The local firewall policy has ICMPv6 and Remote Desktop rules, and they are identical for all firewall profiles. Also, the ICMPv6 and Remote Desktop rules both have "allow edge traversal" configured.

    Does anyone have an idea what I could try to find out what's going wrong?

    Thanks in advance,

    Sander

    Thursday, October 6, 2011 4:25 PM

All replies

  • Do you still see the dropped packets after the firewall option is put in?


    Are you using a GPO to set the firewall settings or just using the firewall interface from the client?


    http://geekcroft.wordpress.com
    Thursday, October 6, 2011 6:51 PM
  • Thanks for replying,

    When I allow ICMPv6 and remote desktop, I don't get anything in the logs.

    I tried both policy and manual GUI firewall settings, same result.

    Thursday, October 6, 2011 7:15 PM
  • Actually, it sounds similar to what I have atm :(

    What kind of tunnel are you using? Are both the infrastructure and intranet parts up?


    http://geekcroft.wordpress.com
    Thursday, October 6, 2011 7:16 PM
  • It works as expected. I am able to ping a LAN server from the DA client through a Teredo tunnel.

    I'll try other tunneling techniques this weekend.

    Thursday, October 6, 2011 7:32 PM
  • I recently had a customer with a similar problem that ended up being caused by conflicting WFAS policies that were being applied by tattooed group policies on the DA client. This was causing legitimate packets to get dropped by the firewall service, even though the rules looked correct...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, October 6, 2011 9:04 PM
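The original question says the ICMPv6 and Remote Desktop rules look correct and have edge traversal allowed, and the reply above points at WFAS rules delivered by (tattooed) group policy conflicting with them. Added example, not from the thread or from Microsoft: it reads the effective firewall policy (ActiveStore) on the DA client, picks out the inbound rules that govern manage-out traffic (ICMPv6 echo and TCP 3389), and shows each rule's action, profiles, edge traversal setting and the policy store or GPO it came from, plus the per-profile settings that can override rules. It assumes Windows 8 / Server 2012 or later (the NetSecurity module is not available on the Windows 7 clients of the era), run from an elevated prompt.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# with the NetSecurity module; run elevated on the DirectAccess client.

function Get-ManageOutRuleReport {
    # ActiveStore is the merged, effective policy: local rules plus every GPO that applies.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        # RDP: TCP rules that cover port 3389 (or all ports).
        $isRdp = ($port.Protocol -eq 'TCP') -and
                 (($port.LocalPort -contains '3389') -or ($port.LocalPort -eq 'Any'))
        # ICMPv6 echo request is type 128; a rule for all ICMPv6 types also covers it.
        $isEcho6 = ($port.Protocol -eq 'ICMPv6') -and
                   (($port.IcmpType -eq 'Any') -or ($port.IcmpType -like '128*'))
        if (-not ($isRdp -or $isEcho6)) { continue }
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Traffic       = if ($isRdp) { 'RDP/3389' } else { 'ICMPv6 echo' }
            Enabled       = $rule.Enabled
            Action        = $rule.Action               # an enabled Block rule wins over any Allow
            Profiles      = $rule.Profile
            EdgeTraversal = $rule.EdgeTraversalPolicy  # must be Allow for traffic arriving over the DA tunnel
            Source        = $rule.PolicyStoreSource    # GPO name, or PersistentStore for a local rule
            SourceType    = $rule.PolicyStoreSourceType
        }
    }
}

function Get-ProfileSummary {
    # A default inbound Block is normal; AllowInboundRules = False ("block all inbound
    # connections") makes the profile ignore every allow rule, however correct it looks.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules, LogBlocked, LogFileName
}

Get-ManageOutRuleReport | Sort-Object Action, Traffic | Format-Table -AutoSize
Get-ProfileSummary | Format-Table -AutoSize
```

Compare the Source column across rules with the same Traffic value: an enabled Block rule, or an Allow rule whose EdgeTraversal is not Allow, delivered by a different GPO than the DirectAccess policy is the conflict the reply describes.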
    Wouldn't WFAS log the dropped packets though?
    http://geekcroft.wordpress.com
    Friday, October 7, 2011 7:04 AM

    Thanks Jason for replying, your suggestion could well be the case. They have several policies in place that define WFAS (Windows Firewall with Advanced Security) settings. I'll start investigating it by building a machine with only DA policies applied. If remote management works, then I can search for which WFAS setting conflicts with remote management functionality.

    I'll report my findings here.

    Thanks again.

    Friday, October 7, 2011 7:52 AM
    No, I thought so too, but you could only see the dropped packets at a lower level (apparently, as I wasn't fully involved in the troubleshooting).
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, October 7, 2011 8:30 AM
    That is strange. Would a network packet capture show the packets?

    I hate to thread hijack, but I have a similar issue (there is a thread open for it) where I can ping (when the relevant firewall rules are in); however, the moment I try to "manage out" I get nothing.

    Rules are in, and I've even relaxed them to be less stringent, but I get nothing :(


    http://geekcroft.wordpress.com
    Friday, October 7, 2011 11:22 AM
  • Not sure, I know MS was involved and it was handled by the Windows guys, not the UAG guys...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, October 7, 2011 11:24 AM