Connecting to DA clients from internal network

    Question

  • Hi,

    We are running Direct Access and for the end users it runs fine, but I'm facing an issue in managing the DA clients.

    When using DA, the clients can connect to all servers and services over IPv6; pinging a server FQDN will return an IPv6 address.

    But when internal servers (SCCM / AV), other than the DA servers, want to connect to these clients, they can't make a connection.

    I don't have any IPv6 DHCP scopes, but all servers have a link-local address.
    When doing a NSLOOKUP for a client name, it returns 3 IPv6 addresses (FD00 / 2001 / 2A02).
    Doing a ping from the DA servers is successful, but when doing a ping from the AV or SCCM server it just can't resolve the client's IP address.

    Since I don't want to break the DA-environment I need some help in fixing this issue.

    Anyone knows where to start?

    Thanks, Dennis 

    Friday, May 25, 2018 5:57 PM

All replies

  • If you want to be able to connect to your DA clients when they are outside the company network, you need to implement the Manage-Out configuration.
    This kind of configuration is only supported if you are using a single DirectAccess server.

    What type of installation are you using?

    Gérald

    Sunday, May 27, 2018 8:48 PM
  • Hi,

    I'm using two servers for load balancing.
    Does this mean that we are unable to manage the clients? Is it because the client is only accessible via the DA server it is connected with?

    Tuesday, May 29, 2018 5:05 AM
  • Yes...

    ISATAP is disabled by a firewall rule on all servers when the servers are added in a cluster.

    You can have a look at this article from Richard Hicks (MVP), but it is not supported by Microsoft:

    DirectAccess Manage Out with ISATAP and NLB Clustering

    Gérald

    Wednesday, May 30, 2018 12:56 PM
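The thread boils down to a routing question: the management server resolves the client to ULA (FD00::/8) and global (2000::/3) addresses, but if that server only holds link-local IPv6 addresses and ISATAP is blocked, it has no usable source address or path to them. The following PowerShell diagnostic is an added example, not code from the thread or from Microsoft; it is meant to be run on the SCCM or AV server and uses only built-in cmdlets from the DnsClient, NetTCPIP, NetworkTransition and NetSecurity modules (Windows Server 2012 or later). The client name in the usage line is a hypothetical placeholder.

```powershell
# Added diagnostic (not from the thread): run on a management server such as the
# SCCM or AV host to see why it cannot reach a DirectAccess client that the DA
# servers can reach. Assumes Windows Server 2012+ and a resolvable client name.

function Get-IPv6Scope {
    param([Parameter(Mandatory)][string]$Address)
    # Classify an IPv6 address by its leading bits (RFC 4291 / RFC 4193 ranges).
    switch -Regex ($Address.ToLower()) {
        '^fe80:'              { return 'link-local' }
        '^f[cd][0-9a-f]{2}:'  { return 'unique-local (ULA)' }
        '^[23][0-9a-f]{3}:'   { return 'global (2000::/3)' }
        default               { return 'other' }
    }
}

function Test-DaManageOutPath {
    param([Parameter(Mandatory)][string]$ClientName)

    # 1. What does DNS hand back for the client? Manage-out relies on AAAA records.
    $aaaa = Resolve-DnsName -Name $ClientName -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' }
    if (-not $aaaa) {
        Write-Warning "No AAAA record for $ClientName; without one nothing here will route."
        return
    }
    'AAAA records for {0}:' -f $ClientName
    foreach ($r in $aaaa) {
        '  {0,-40} {1}' -f $r.IPAddress, (Get-IPv6Scope $r.IPAddress)
    }

    # 2. Does this host have any IPv6 source address that is not link-local?
    #    A server with only fe80:: addresses has no route to a ULA or global client address.
    $routable = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                Where-Object { (Get-IPv6Scope $_.IPAddress) -ne 'link-local' }
    if (-not $routable) {
        Write-Warning 'This host has only link-local IPv6 addresses; it cannot reach the client prefixes above.'
    } else {
        'Routable IPv6 addresses on this host:'
        $routable | ForEach-Object { '  {0} ({1})' -f $_.IPAddress, $_.InterfaceAlias }
    }

    # 3. ISATAP state: the transition technology manage-out normally depends on.
    $isatap = Get-NetIsatapConfiguration -ErrorAction SilentlyContinue
    if ($isatap) { 'ISATAP state: {0}, router: {1}' -f $isatap.State, $isatap.Router }

    # 4. Enabled firewall rules that block IP protocol 41 (IPv6-in-IPv4, used by ISATAP).
    $blocks = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
              Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq '41' }
    if ($blocks) {
        'Enabled firewall rules blocking protocol 41:'
        $blocks | ForEach-Object { '  {0} [{1}]' -f $_.DisplayName, $_.Direction }
    }

    # 5. Per-address reachability, so you can see which of the returned records actually answers.
    foreach ($r in $aaaa) {
        $ok = Test-Connection -ComputerName $r.IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue
        '  {0,-40} reachable: {1}' -f $r.IPAddress, $ok
    }
}

# Usage (hypothetical client name):
# Test-DaManageOutPath -ClientName 'client01.corp.example'
```

Step 2 is the one that usually explains the symptom in this thread: the DA servers carry a ULA or global address on the DA tunnel interface and can reach the client, while a plain internal server sees the same AAAA records but has only a link-local source address, so the ping never leaves the host. Steps 3 and 4 show the ISATAP/firewall condition the last reply refers to.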