Configuring "Manage Out" Server 2012 DirectAccess IP-HTTPS

  • Question

  • Hoping someone with hands on experience configuring Manage Out functionality can answer a few questions for me?

    We have built a Server 2012 VM and deployed DirectAccess successfully.  Have tested with both Win7 and Win8 clients successfully.  After some initial issues with DNS were addressed with a Microsoft hotfix, it seems to be running stable.

    I want to configure Manage Out capabilities, so that I can remotely help the DA clients with software installs and similar.  I've read up on as many blog entries as I can find, but still finding it a bit mystifying. 

    We are using IP-HTTPS connectivity.  As best I can tell, we are not using Teredo or ISATAP.  The DA server is dual-NIC and is configured behind an Edge device (NIC #1 is DMZ and receives NAT'd traffic from the external IPv4 address on the firewall; NIC #2 is internal LAN).  Our internal networks are IPv4 only (no IPv6 at all; therefore DNSv4 and DHCPv4 internally).

    Am hoping that somewhere there might be a step-by-step configuration guide to match our scenario.  Alternatively, if someone can recommend a Local (i.e. Melbourne, Australia) consultant who knows this stuff backwards, I'd consider paying for that.



    • Edited by 0499FROSTY Monday, September 23, 2013 1:07 AM
    Monday, September 23, 2013 1:05 AM

All replies

  • I have made contact with a good technical resource, so it looks like this is under control now ...
    Wednesday, September 25, 2013 4:34 AM
  • Would you be so kind as to share the acquired knowledge about the solution?

    Thanx in advance

    Charles

    Friday, September 27, 2013 9:24 AM
  • Can you please share your contact or what was done. Thank You
    Wednesday, March 12, 2014 1:10 PM
  • Okay, so finally I am in a position to share some information ... it has taken me about 6 months of off-and-on (mostly "off") activity to get things working.

    We engaged a third-party company to do the initial installation of Direct Access.  This got us 90% of the way to where we needed to go.

    The configuration of Manage Out was eventually achieved, but we did take some further expert advice, because I didn't want to change anything without first understanding What was being changed and Why it needed to be changed.  So I had to be educated quite a bit about IPv6, IP-HTTPS and ISATAP.

    We ended up disabling all IPv6 on the clients EXCEPT for the IP-HTTPS protocol.  This was done via a GPO.

    I ran into some problems with IPv6 and ISATAP initially when configuring our IT PCs to be able to "manage out" to the DA clients.  We went with a non-standard name for the ISATAP Router (we called ours ISATAP-DirectAccess) and pointed this in DNS to the internal IPv4 address of the DA server.  This was enforced via a GPO.  However our PCs did not get IPv6 addresses on their ISATAP adapters.  This was eventually resolved by changing some settings on the ISATAP adapter for the Internal NIC on the DA server.  The settings were:  Forwarding=Enabled and also Advertising=Enabled

    After that the IT PCs were getting ISATAP addresses fine, but some of the DA Clients were not registering themselves with an IPv6 address in our Internal DNS.  This was eventually resolved when we discovered that some of the DA Clients' DNS records had 'bad' security permissions on them.  Once we fixed those permissions we found the DA Clients would register an IPv6 address when operating in Direct Access mode (and would remove their old IPv4 address) and would register an IPv6 address when connected internally (and would remove their unwanted IPv6 address).

    There was also a hitch with getting Windows Remote Assistance working with the DA clients.  This required a Hotfix from Microsoft to get it working properly.

    Setting the Firewall rules for the DA clients with Edge Traversal enabled was the easiest part of the process frankly.  The most difficult part was troubleshooting the problems with DNS registration and the problems with getting selected internal PCs to get a valid ISATAP adapter address from the DA server.

    Monday, May 5, 2014 5:24 AM
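The settings the post above lists (Forwarding and Advertising enabled on the DA server's ISATAP interface, the ISATAP router name in DNS pointing at the DA server's internal IPv4 address, and inbound firewall rules on the DA clients with edge traversal allowed) can be audited with the built-in NetTCPIP, NetworkTransition and NetSecurity cmdlets. The script below is an added example written for this thread, not something the original poster or Microsoft published; it assumes the DNS suffix `corp.example.com` for the ISATAP router name used in the post and uses the placeholder `192.0.2.10` for the DA server's internal IPv4 address. The same edge-traversal check applies to the RDP question later in the thread.

```powershell
# Added example (not from the thread): audit the Manage Out settings described
# in the post above. Run in an elevated PowerShell prompt on the machine whose
# role you pass in. Without -Fix the script only reports; with -Fix it applies
# the settings the post identifies. In production the client firewall rules and
# the ISATAP router name belong in GPO, as the post says; -Fix changes the local
# policy store only.
param(
    [Parameter(Mandatory)] [ValidateSet('Server','ManagementPC','Client')] [string] $Role,
    [string] $IsatapRouter   = 'ISATAP-DirectAccess.corp.example.com',  # name from the thread; suffix assumed
    [string] $DaInternalIPv4 = '192.0.2.10',                            # placeholder, replace with the DA server's LAN address
    [string] $IsatapAlias    = 'isatap*',                                # narrow this to the internal NIC's ISATAP interface if there are several
    [switch] $Fix
)

function Test-DaServerIsatap {
    # The post's fix: Forwarding=Enabled and Advertising=Enabled on the ISATAP
    # interface bound to the internal NIC, so the DA server answers as an ISATAP
    # router and advertises a prefix to the management PCs.
    $ifaces = Get-NetIPInterface -AddressFamily IPv6 | Where-Object { $_.InterfaceAlias -like $IsatapAlias }
    if (-not $ifaces) { Write-Warning 'No ISATAP interface found on this server'; return $false }
    $ok = $true
    foreach ($i in $ifaces) {
        '{0}: Forwarding={1} Advertising={2}' -f $i.InterfaceAlias, $i.Forwarding, $i.Advertising
        if ($i.Forwarding -ne 'Enabled' -or $i.Advertising -ne 'Enabled') {
            $ok = $false
            if ($Fix) {
                Set-NetIPInterface -InterfaceIndex $i.ifIndex -AddressFamily IPv6 -Forwarding Enabled -Advertising Enabled
            }
        }
    }
    return $ok
}

function Test-ManagementPcIsatap {
    # The IT PCs must resolve the ISATAP router name to the DA server's internal
    # IPv4 address and must have received a non-link-local ISATAP address from it.
    $ok  = $true
    $cfg = Get-NetIsatapConfiguration
    'ISATAP state={0} router={1}' -f $cfg.State, $cfg.Router
    $a = Resolve-DnsName -Name $IsatapRouter -Type A -ErrorAction SilentlyContinue
    if (-not $a -or ($a.IPAddress -notcontains $DaInternalIPv4)) {
        Write-Warning "$IsatapRouter does not resolve to $DaInternalIPv4 (got: $($a.IPAddress -join ','))"
        $ok = $false
    }
    if ($cfg.State -ne 'Enabled' -or $cfg.Router -ne $IsatapRouter) {
        $ok = $false
        if ($Fix) { Set-NetIsatapConfiguration -State Enabled -Router $IsatapRouter }
    }
    # ISATAP addresses embed the IPv4 address after ':5efe:'; the link-local fe80::5efe:...
    # address always exists, so only a global one proves the router advertisement arrived.
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like $IsatapAlias -and $_.IPAddress -match ':5efe:' -and $_.IPAddress -notlike 'fe80:*' }
    if ($addr) { 'ISATAP address: {0}' -f ($addr.IPAddress -join ', ') }
    else { Write-Warning 'No global ISATAP address; check Forwarding/Advertising on the DA server'; $ok = $false }
    return $ok
}

function Test-ClientEdgeTraversal {
    # Management traffic reaches a DA client through the IP-HTTPS tunnel, so the
    # inbound rules for Remote Desktop and Remote Assistance need EdgeTraversalPolicy=Allow.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayGroup -in @('Remote Desktop', 'Remote Assistance') }
    if (-not $rules) { Write-Warning 'No enabled inbound Remote Desktop / Remote Assistance rules'; return $false }
    $ok = $true
    foreach ($r in $rules) {
        '{0}: EdgeTraversal={1} Profile={2}' -f $r.DisplayName, $r.EdgeTraversalPolicy, $r.Profile
        if ($r.EdgeTraversalPolicy -ne 'Allow') {
            $ok = $false
            if ($Fix) { Set-NetFirewallRule -Name $r.Name -EdgeTraversalPolicy Allow }
        }
    }
    return $ok
}

switch ($Role) {
    'Server'       { $result = Test-DaServerIsatap }
    'ManagementPC' { $result = Test-ManagementPcIsatap }
    'Client'       { $result = Test-ClientEdgeTraversal }
}
if ($result) { "$Role checks passed" } else { Write-Warning "$Role checks failed (re-run with -Fix to apply the settings from the post)" }
```

Run it as `.\Test-ManageOut.ps1 -Role Server` on the DA server, `-Role ManagementPC` on an IT workstation and `-Role Client` on a DA client. The script deliberately leaves DNS record permissions alone: the post's DNS registration problem was fixed by correcting ACLs on individual client records, which is a per-record repair in DNS Manager rather than something to automate blindly.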
  •  The most difficult part was troubleshooting the problems with DNS registration and the problems with getting selected internal PCs to get a valid ISATAP adapter address from the DA server.

    I know it's a 6-year-old topic, but could you please give me a hint about how you resolved your DNS problem :) It seems like I have a similar problem.
    Tuesday, April 7, 2020 7:11 PM
  • I've just stumbled across this thread too. I've literally got the same problem with Server 2016 and Win 10 1909.

    Wonder if there are any similarities in your setup to mine?

    IP-HTTPS Clients, works just fine

    Computer in the office with ISATAP enabled, pointed at the DA server, can ping a client connected on DA. Can tracert, pathping etc. etc., everything works as expected, apart from RDP! Firewall rules are enabled to allow, edge traversal is also on.

    Tuesday, April 7, 2020 8:50 PM