Connecting to DA clients from internal network

  • Question

  • Hi,

    We are running Direct Access and for the end users it runs fine, but I'm facing an issue in managing the DA clients.

    When using DA, the clients can connect to all servers and services over IPv6; pinging a server FQDN returns an IPv6 address.

    But when internal servers (SCCM / AV), other than the DA servers, want to connect to these clients, they can't make a connection.

    I don't have any IPv6 DHCP scopes, but all servers have a link-local address.
    When doing an NSLOOKUP for a client name, it returns 3 IPv6 addresses (FD00 / 2001 / 2A02).
    Doing a ping from the DA servers is successful; when doing a ping from the AV or SCCM server it just can't resolve the client's IP address.

    Since I don't want to break the DA-environment I need some help in fixing this issue.

    Anyone knows where to start?

    Thanks, Dennis 

    Friday, May 25, 2018 5:57 PM

All replies

  • If you want to be able to connect to your DA clients when they are outside the company network, you need to implement the Manage-Out configuration.
    This kind of configuration is only supported if you are using a single DirectAccess server.

    What type of installation are you using?


    Sunday, May 27, 2018 8:48 PM
  • Hi,

    I'm using two servers for load balancing.
    Does this mean that we are unable to manage the clients? Is it because the client is only accessible via the DA server it is connected with?

    Tuesday, May 29, 2018 5:05 AM
  • Yes...

    ISATAP is disabled by a firewall rule on all servers when the servers are added in a cluster.

    You can have a look at this article from Richard Hicks (MVP), but it is not supported by Microsoft:

    DirectAccess Manage Out with ISATAP and NLB Clustering
    Wednesday, May 30, 2018 12:56 PM
  • Just a small correction on this one (if you're still looking into it Dennis) - ISATAP gets disabled as soon as you enable Multi-Site DirectAccess, but not when doing a two-node NLB cluster.

    If running a single-site two-node NLB cluster, you can still use ISATAP to do manage-out, it simply requires two additional DNS host records to make it work. However, if your two DA servers are in separate sites and configured with Multi-Site, that is when ISATAP can't figure out the routing and it disables itself.

    This article will help to explain what is necessary in setting up ISATAP-based manage-out: https://hub.packtpub.com/configuring-manage-out-directaccess-clients/

    Monday, July 30, 2018 5:59 PM
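The thread narrows the problem down to ISATAP on the internal management servers: the SCCM and AV servers can only reach DA clients if they themselves get an ISATAP IPv6 address and can resolve the clients' AAAA records. The following PowerShell script is an added diagnostic example, not code from any poster in the thread; it is meant to be run on the management server that fails to reach clients. The client name `DACLIENT01` is a placeholder, and it assumes the ISATAP router is published under the default host name `isatap`, which Windows hosts query automatically.

```powershell
# Added example (not from the thread): diagnose ISATAP-based manage-out from an
# internal management server (e.g. the SCCM or AV server) that cannot reach DA clients.
# Assumptions: 'DACLIENT01' is a placeholder client name; the ISATAP router is
# published under the default DNS host name 'isatap'.
param(
    [string]$ClientName = 'DACLIENT01',   # placeholder DA client name
    [string]$IsatapHost = 'isatap'        # default ISATAP router name resolved by Windows
)

# 1. Is ISATAP enabled on this server, and did it get an ISATAP address?
#    Without an ISATAP address the server has no route to the clients' IPv6 prefixes.
Get-NetIsatapConfiguration | Format-List State, Router, ResolutionState
$isatapAddrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like '*ISATAP*' }
if (-not $isatapAddrs) {
    Write-Warning 'No ISATAP interface/address found on this server'
} else {
    $isatapAddrs | Format-Table InterfaceAlias, IPAddress, PrefixLength
}

# 2. Does the ISATAP router name resolve? By default the DNS server's global query
#    block list suppresses 'isatap' and 'wpad', so a missing answer is a common cause.
$router = Resolve-DnsName -Name $IsatapHost -Type A -ErrorAction SilentlyContinue
if (-not $router) {
    Write-Warning "'$IsatapHost' does not resolve; check the DNS global query block list (Get-DnsServerGlobalQueryBlockList on the DNS server)"
}

# 3. Which IPv6 addresses does DNS return for the client, and is any of them reachable?
#    In the thread the client resolves to three AAAA records (FD00 / 2001 / 2A02 prefixes).
$aaaa = Resolve-DnsName -Name $ClientName -Type AAAA -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'AAAA' }
if (-not $aaaa) {
    Write-Warning "No AAAA record for $ClientName; the client is not currently registered in DNS"
    return
}
foreach ($rec in $aaaa) {
    $reachable = Test-Connection -ComputerName $rec.IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue
    '{0,-40} reachable: {1}' -f $rec.IPAddress, $reachable
}
```

If step 1 shows no ISATAP address while the same check on a DA server succeeds, the management server is simply not an ISATAP host yet, which matches the symptom in the question (pings work from the DA servers but not from SCCM/AV). If step 2 fails, the router name is the first thing to fix; steps 1 and 3 will not succeed until it resolves.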