Trying to connect to DA Clients using SCCM Server through IPHTTPS DA Connections

  • Question

  • Hello,

    I have been working on this for some time now. I opened up a ticket with Microsoft to help us set up our DA Server, and they were able to get it set up. However, SCCM server tools (Remote Control) would not connect to the Client. We found a few articles stating that this was a firewall issue on the clients and we needed to open a few ports with Edge Traversal. We did so. I am able to RDP into clients, but only from the DA server. My SCCM server still cannot connect.

    I think the overall issue is not firewall related, however. I think it has to do with IPv6. DA uses IPv6 for clients. My internal network is IPv4. Do I have to erect an IPv6 DHCP scope in my environment for my internal SCCM Server to see the DA Clients?

    Monday, September 22, 2014 2:27 PM


All replies

  • Hi There - better option is to stand up a RDS Box as a Jump Server, assign a static IPv6 on the Jump Server and install the SCCM Tools on the Jump Host. Then use all remote assistance tools from the Jump Host. This is how it is used in many other environments. Easiest way to obtain the IPv6 is to use the IPv6 Address from the DA Server, copy and paste to the RDS Jump Box - assign the address changing the last digits to be the same as the IPv4 Address for consistency. Then set the default gateway of the RDS Jump Box to the DA Server IPv6 Address.


    John Davies

    Monday, September 22, 2014 6:29 PM
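The jump-host approach John describes, written out as an added PowerShell example (not from any poster in this thread). It assumes the jump host's internal adapter is named `Ethernet`, that the DA server's internal IPv6 address and the jump host's chosen address are in the same /64 (the `2001:db8:…` values are documentation-prefix placeholders), that a DA client named `laptop01.corp.example` exists, and that ConfigMgr Remote Control listens on its default TCP port 2701 (change it if your site uses another port):

```powershell
# Added example: give a dedicated RDS jump host a static IPv6 address from the same prefix the
# DirectAccess server uses on its internal interface, with the DA server as the IPv6 default
# gateway, then verify one DA client is reachable over IPv6. All names/addresses are placeholders.

$Adapter    = 'Ethernet'               # internal NIC of the jump host (assumed)
$DaServerV6 = '2001:db8:1:10::1'       # DA server internal IPv6 address (placeholder, documentation prefix)
$JumpHostV6 = '2001:db8:1:10::25'      # same /64; last group chosen to match the host's IPv4 last octet
$DaClient   = 'laptop01.corp.example'  # a DirectAccess client to test against (assumed)
$RemoteCtrlPort = 2701                 # ConfigMgr Remote Control default port (adjust to your site)

# Bind the address and point the IPv6 default route at the DA server. Only this host gets
# IPv6; the rest of the LAN stays IPv4, which is the appeal of the jump-host design.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $JumpHostV6 -PrefixLength 64 -DefaultGateway $DaServerV6

# Sanity check 1: the IPv6 default route really points at the DA server.
$route = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue
if (-not $route -or $route.NextHop -notcontains $DaServerV6) {
    throw "IPv6 default route is missing or does not point at $DaServerV6"
}

# Sanity check 2: the DA client must have an AAAA record; an A-only answer means the console
# will try IPv4, which cannot reach a client that only exists on the IPv6 tunnel.
$v6 = (Resolve-DnsName -Name $DaClient -Type AAAA -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'AAAA' }).IPAddress
if (-not $v6) { throw "$DaClient has no AAAA record in DNS" }

# Sanity check 3: probe the remote control port. Ping OK but TCP failing usually means the
# client's inbound firewall rule lacks the Edge Traversal option mentioned earlier in the thread.
Test-NetConnection -ComputerName $v6[0] -Port $RemoteCtrlPort |
    Select-Object RemoteAddress, PingSucceeded, TcpTestSucceeded
```

Run it in an elevated PowerShell session on the jump host; `New-NetIPAddress` and `Get-NetRoute` come from the NetTCPIP module that ships with Windows Server 2012 and later.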
  • Hi,

    If you want a host located on your internal network to communicate with a DirectAccess client, IPv6 will be required from end to end. If your SCCM server is not an ISATAP client, you must set up a jumpbox configured as an ISATAP client of the ISATAP server (your DA gateway's internal network card). Have a look at these blog posts:




    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, September 22, 2014 7:09 PM
  • Hi There - @Benoit thanks for posting the links to help the user and confirming what we both see as the correct way to go about the SCCM and DA.


    John Davies

    Monday, September 22, 2014 7:20 PM
  • Hello Benoit and John. Thanks for the replies. Yes, after thoroughly reading some articles yesterday, I got the fact that in order for me to see those DA clients on prem, I have to have some sort of IPv6 on prem. I actually read those articles yesterday that you posted and got a GPO created in my environment that turns on ISATAP capabilities on my SCCM server. Our SCCM Server that is sitting on prem is receiving an ISATAP Address from our DA Server. Jason Jones actually details how to setup your "Manage Out" Client. It's in his article "Limiting ISATAP Services to DirectAccess Manage Out Clients." Google for that anyone who reads this.

    Thanks for your help guys. I will mark this as Closed!!!

    Tuesday, September 23, 2014 3:39 PM
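The ISATAP "manage out" configuration that Benoit recommends and the original poster applied via GPO, as an added PowerShell example (not from any poster or from the linked articles). It does the same thing the GPO does but per host, which is the scoping the "Limiting ISATAP Services to DirectAccess Manage Out Clients" approach is after, and then verifies the result end to end. The ISATAP router name `isatap.corp.example`, the DA client name `laptop01.corp.example` and the default Remote Control port 2701 are assumptions:

```powershell
# Added example: make one internal host (e.g. the SCCM server) an ISATAP client of the DirectAccess
# server's internal interface, confirm it received a global ISATAP address, then check that a DA
# client resolves to and answers on IPv6. Names below are placeholders, not values from the thread.

$IsatapRouter   = 'isatap.corp.example'   # DNS name (or IPv4 address) of the DA server's internal NIC (assumed)
$DaClient       = 'laptop01.corp.example' # a DirectAccess client to test against (assumed)
$RemoteCtrlPort = 2701                    # ConfigMgr Remote Control default port (adjust to your site)

# 1. Enable ISATAP on this host only, pointed at the DA server. This is the per-host equivalent of
#    the "IPv6 Transition Technologies" ISATAP state/router name GPO settings the OP used; scoping it
#    to the manage-out hosts keeps every other LAN machine off the ISATAP subnet.
Set-NetIsatapConfiguration -State Enabled -Router $IsatapRouter

# 2. Confirm the ISATAP interface came up with a global (non-link-local) address from the DA prefix.
$isatap = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like '*isatap*' -and $_.IPAddress -notlike 'fe80:*' }
if (-not $isatap) {
    throw "No global ISATAP address on this host. Check that '$IsatapRouter' resolves (ISATAP is in the DNS global query block list by default) and that the DA server advertises a prefix."
}
$isatap | Format-Table InterfaceAlias, IPAddress, PrefixLength -AutoSize

# 3. The DA client must publish an AAAA record; without it the console falls back to IPv4 and fails,
#    because the client only exists on the IPv6 side of the IP-HTTPS tunnel.
$aaaa = Resolve-DnsName -Name $DaClient -Type AAAA -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'AAAA' }
if (-not $aaaa) { throw "$DaClient has no AAAA record; the DA client is not registering its IPv6 address in DNS." }

# 4. Probe the remote control port over IPv6. Ping succeeding while TCP fails points at the client's
#    inbound firewall rule (needs the Edge Traversal option, as discussed above), not at routing.
$probe = Test-NetConnection -ComputerName $aaaa[0].IPAddress -Port $RemoteCtrlPort
if ($probe.TcpTestSucceeded) {
    "OK: $DaClient ($($aaaa[0].IPAddress)) answers on TCP $RemoteCtrlPort via ISATAP."
} else {
    "FAIL: ping=$($probe.PingSucceeded) tcp=$($probe.TcpTestSucceeded). Review the client's inbound rule (Edge Traversal) and IPv6 routing on the DA server."
}
```

`Set-NetIsatapConfiguration` and `Get-NetIsatapConfiguration` are in the NetworkTransition module on Windows Server 2012 and later; on older hosts the same two settings are `netsh interface isatap set state enabled` and `netsh interface isatap set router <name>`. Note in step 2 that a name beginning with "isatap" is blocked by the DNS server's global query block list by default, so the router name either has to be removed from that list or, as Benoit's follow-up article suggests, a different name used.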
  • Hi

    The only important post I forgot to provide. "Limiting ISATAP Services to DirectAccess Manage Out Clients". Now you can even move to a more secure version with an IPSEC transport from end to end with my approach: http://danstoncloud.com/blogs/simplebydesign/archive/2014/03/12/directaccess-remote-management-from-padawan-to-jedi.aspx

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, September 23, 2014 5:12 PM
  • Hi There - although JJ's and Benoit's articles are a good approach to the issue and were an acceptable workaround to blanket ISATAP for UAG and resolved the Manage Out issues for DA 2012 - Premier Support prefer that Native IPv6 is used from an official supportability point of view (according to my sources at Microsoft). So whilst the approach works, the naturally supported way is to use IPv6, however, there is no real right or wrong answer.

    I guess we are both glad the issue is resolved and we are both glad to help.


    John Davies

    Wednesday, September 24, 2014 7:10 AM
  • Microsoft's position changed from UAG to Windows Server 2012 about ISATAP. If we enable ISATAP at large scale, a single ISATAP prefix will be shared by all ISATAP clients. So all these clients will be located on the same ISATAP subnet. From an Active Directory point of view, it can be a problem because it's a big change of AD Topology. From a LAN point of view, an IPv6 capable client will use IPv6 to communicate with another host if the DNS response provides an IPv6 address. So yes, Native IPv6 is a better approach, especially with high-availability scenarios.

    Moving to native IPv6 is not so easy.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, September 24, 2014 7:25 AM