Able to Manage Out to DA clients regardless of Management Servers

  • Question

  • I have come across an interesting situation with my UAG/DA testing. I currently have one UAG server that appears to be working fine, all my DA clients are connecting with no issues over Teredo and IPHTTPS and I am able to manage out to these computers.

    However I have noticed now that any computer that is getting an ISATAP address (controlling this through the Host file) is able to RDP to the DA clients when no one is logged on, even though they are not listed in the Management Servers within the UAG configuration.

    For instance I have a laptop at a remote location with no one logged in and it is showing that an IP-HTTPS infrastructure tunnel is active. I then am able to RDP to the DA client from a workstation on the corporate network that is not listed in the Management Servers, and suddenly it connects and an Intranet tunnel is created.

    I thought that only clients that were listed as a management server could communicate with DA clients when there was only an infrastructure tunnel.

    I am a little bit confused... any help you could provide as to why this could be happening would be appreciated.

    Friday, November 18, 2011 9:51 PM

All replies


    Hi,

    No, this is by design and expected behaviour.

    The management servers that you define during DA setup are specifically used to control which servers are available via the first (infrastructure) tunnel before the client has established the second (intranet) tunnel. This has no bearing on remote management of DA clients from the corporate network.

    Any IPv6 capable devices will be able to manage DA clients, assuming they have a default IPv6 route that passes traffic via UAG.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 29, 2011 9:30 AM
    Moderator
  • It helps to think of a DirectAccess connection as an extension of your network rather than a remote user coming in. It really is very similar to those computers being directly connected to your network (in IPv6 fashion).

    The reason that any ISATAP computer is allowed to RDP in is probably because when you established the Windows Firewall rules on the client machines to allow RDP access you specified your organization's whole ISATAP prefix. So you could limit who has this access by modifying the client-side firewall rules if you wanted.
    Wednesday, November 30, 2011 3:53 PM
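The reply above suggests tightening the client-side RDP firewall rule from the whole ISATAP prefix to just the hosts that should manage out. As an added example (not code from the thread), this is how that scope can be inspected and narrowed with the NetSecurity cmdlets; it assumes Windows 8 / Server 2012 or later on the DA client (the Windows 7 clients of the original thread would use netsh advfirewall), and the IPv6 addresses are placeholders.

```powershell
# Added example, not part of the original thread.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later).
# The addresses are placeholders: replace them with the IPv6 addresses
# of the internal hosts that are allowed to manage out to DA clients.
$ManagementHosts = @(
    '2001:db8:1:1::10',   # placeholder: management server
    '2001:db8:1:1::11'    # placeholder: admin workstation
)

# Inbound Remote Desktop rules that are currently enabled on this client.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True

# Show the remote scope of each rule. A whole ISATAP prefix here is why
# every ISATAP-addressed host on the corporate network can reach RDP.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    '{0}: RemoteAddress = {1}' -f $rule.DisplayName, ($filter.RemoteAddress -join ', ')
}

# Narrow the remote scope from the prefix to the listed management hosts.
$rdpRules | Set-NetFirewallRule -RemoteAddress $ManagementHosts

# Verify the new scope took effect.
$rdpRules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
```

If the rule was delivered by Group Policy, as is usual for DirectAccess clients, change it in the GPO (for example with `-PolicyStore` pointing at the domain GPO) rather than on the individual client, or the local change will be overwritten at the next policy refresh.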
  • Ok I think that makes sense. My understanding was that when a DA client was connected just by the infrastructure tunnel (nobody logged on) that you need to have your computer listed in the management servers to make a connection through the tunnel.

    I thought the intranet tunnel was only created when a user logs onto the DA client at which time it is treated like it is just on the corporate network.

    Are the management servers then just listing what is available to the DA client when it is tunneling into the corporate network over the infrastructure tunnel?

    Thursday, December 1, 2011 9:51 PM
    >>Ok I think that makes sense. My understanding was that when a DA client was connected just by the infrastructure tunnel (nobody logged on) that you need to have your computer listed in the management servers to make a connection through the tunnel.

    No, not the case. The management servers list simply defines what is accessible via the infra tunnel before the user has fully authenticated. Any IPv6 capable device that has an IPv6 route via UAG will be able to connect to DA clients.

    >>I thought the intranet tunnel was only created when a user logs onto the DA client at which time it is treated like it is just on the corporate network.

    Correct, but as management uses the infrastructure tunnel, this is not relevant.

    >>Are the management servers then just listing what is available to the DA client when it is tunneling into the corporate network over the infrastructure tunnel?

    Yes, think of them a little bit like a quarantine network that is accessible before the client is "fully" trusted.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, December 2, 2011 9:45 AM
    Moderator
  • Can an intranet tunnel be created with no user logged on and by only using the computer certificate?

    I think this is what is happening in my situation. It appears that it is using the Computer Certificate for the first authentication but then using the computer account as the second authentication as well.

    Is this what is expected?

    Thursday, December 15, 2011 7:46 PM
  • No, I wouldn't expect that... maybe a service account which runs under a specific user context could do this though...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, December 15, 2011 11:22 PM
    Moderator
  • Hi,

    You're seeing this behavior because both the infrastructure tunnel and the intranet tunnel can be established when no user is logged in.

    In your case, the intranet tunnel is being established using the computer account's credential.

    When you try to manage out to a DirectAccess client using an internal server which isn't listed as a management server, IPsec needs to establish the intranet tunnel with the DA client. The DirectAccess client needs to authenticate using the credentials of the process that is receiving the traffic, in our case that's the RDP service on your DA client. Since the RDP service runs under your Network Service account, it is using your computer credentials for Kerberos authentication of the tunnel.

    The reason it is recommended to list the internal servers you want to manage out from as management servers is that when Two Factor Authentication is enabled there is authorization configured on the infrastructure tunnel, and this makes it impossible for the computer account to establish the intranet tunnel without the user logging in and doing the 2nd factor auth. So manage out becomes unreliable in this case when the internal server is not listed as a management server.

    Tuesday, December 27, 2011 11:26 PM