remote DirectAccess clients from internal network

  • Question

  • Hello,

    We have set up DirectAccess and all is working fine; however, I'm just wondering if it's possible to access a client on DirectAccess, e.g. via RDP, from my internal network?

    Wednesday, May 22, 2013 8:41 AM

All replies

  • Hello,

    1. Add the laptop on your internal network as an infrastructure server in the DirectAccess gateway configuration
    2. On your DirectAccess client, allow edge traversal on the inbound firewall rule for RDP

    Regards,


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Wednesday, May 22, 2013 11:33 AM
  • I can ping the IPv6 address; however, I can't RDP to the machine even though I have enabled edge traversal on the local firewall.

    Why do I need to add the laptop to the internal network as an infrastructure server?

    Monday, May 27, 2013 2:24 PM
  • Hi,

    Remote management requires IPv6 connectivity from your internal host. Your host must have a native IPv6 address or an ISATAP address. It's normal: you cannot start a communication in IPv4 and end it in IPv6. Edge traversal must be enabled for the RDP incoming firewall rule. Yes, but was Remote Desktop enabled on the client computer? At last, including the computer in the internal infrastructure server group allows you to communicate with DirectAccess clients even if no user is logged on.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, May 27, 2013 7:12 PM
  • Okay! Now I got your point, thanks. However, I didn't enable ISATAP in our internal network because I'm not sure yet if it would affect our internal servers.

    So, any idea how to enable access to the DirectAccess client without having ISATAP enabled internally?

    Tuesday, May 28, 2013 10:45 AM
  • Hi

    You can configure ISATAP with the NETSH.EXE INTERFACE ISATAP Set Router <Hostname> Enabled command. This allows you to configure ISATAP at computer level and not network level. From a network point of view, ISATAP is just IP41 and ICMP network traffic.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, May 28, 2013 10:48 AM
  • Thanks. Do I have to do this on the UAG server, or on any client or server that I'm trying to RDP from to the DirectAccess client?

    Tuesday, May 28, 2013 1:16 PM
  • The operation must be performed on the computer initiating the RDP connection. Your UAG box is your ISATAP router. No additional configuration is required on your UAG box, except adding your computer as a member of the infrastructure tunnel group. This will allow you to initiate Remote Desktop through the infrastructure tunnel without a user logged on to the DirectAccess clients.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, May 28, 2013 1:23 PM
  • OK, thanks a lot.

    So far I've done netsh interface isatap set router "mymachine fqdn" enabled

    However, I still can't ping or RDP to the IPv6 address of the client who is connected on DirectAccess.

    I have added my computer on UAG to the infrastructure group and activated the policies.

    Did gpupdate on UAG and on my computer.

    I have IPv6 checked in my network settings.

    Sorry, I'm totally new to IPv6. Do I need to configure some more routes on my machine? Maybe I need to route the IPv6 traffic manually to the UAG IP?

    Wednesday, May 29, 2013 12:56 PM
  • The NETSH must be completed with another command: SC CONTROL IPHLPSVC, or simply restart the IPHLPSVC service. When done, you should see an ISATAP interface in the IPCONFIG results with an IP starting with 2002 and ending with your IPv4 address.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, May 29, 2013 1:23 PM
  • I have done that and restarted the IP Helper service, and saw that I got the ISATAP IPs.

    However, I still can't ping any IPv6 IP from my machine; I even tried the 6to4 IP of the UAG and it's failing:

    Pinging 2002:d47d:e6c2:8100:f9fe:68bb:2b5:e951 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.

    Friday, May 31, 2013 10:18 AM
  • And one more thing: I can't ping the Teredo IPs of the clients from my UAG server.

    When I check the monitoring on UAG I can see that clients are connected through Teredo; however, I'm not able to ping these IPs. Any reason why?

    Friday, May 31, 2013 10:46 AM
  • Did you enable ICMPv4 and ICMPv6 echo request rules on your UAG?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, May 31, 2013 12:08 PM
  • I have done this and am still not able to ping, getting "General failure" on UAG and on the client machine. Internally I tried to ping the UAG IP-HTTPS address; that is not working either,

    and gives the "General failure" error.

    Wednesday, June 5, 2013 11:45 AM
  • You must be able to ping the ISATAP interface of your UAG box from your internal client having an ISATAP interface. Are you sure you have an operational ISATAP interface on your UAG box?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, June 5, 2013 7:54 PM
  • I believe that the ISATAP interface will be created once I enable DirectAccess on UAG, right?

    I have done ipconfig /all:


    Tunnel adapter isatap.mydomain.com:

       Connection-specific DNS Suffix  . : mydomain.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:d47d:e6c2:8000:0:5efe:172.16.9.222(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:172.16.9.222%18(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 172.16.9.25
                                           172.16.10.45
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{0D78FF66-AD5A-49D8-B4E7-FA8334D1BB30}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    And I'm trying to ping this IP address: 2002:d47d:e6c2:8000:0:5efe:172.16.9.222 from my internal network client, which has IPv6 enabled.

    Anything wrong here?

    Friday, June 7, 2013 7:32 AM
  • Hi

    Your ISATAP interface on your UAG box seems to be OK. Next point:

    Did you enable ICMPv4 and ICMPv6 incoming rules on your internal client (the ISATAP client)?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, June 7, 2013 7:38 AM
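    An added example, not from the thread or from BenoitS: a PowerShell script that carries out the client-side steps the replies above describe (ISATAP router setting, IP Helper restart, ISATAP address check, ICMPv6 echo rule, ping of the UAG ISATAP interface). It assumes Windows 8 / Server 2012 or later for the NetTCPIP and NetSecurity cmdlets; the router host name is a placeholder and the UAG ISATAP address defaults to the one shown in the ipconfig output earlier in the thread.

```powershell
# Added example (not from the thread): verify an internal ISATAP client against a UAG
# DirectAccess server. Run as Administrator in Windows PowerShell on the RDP-initiating host.
param(
    # Placeholder: host name of the UAG box acting as ISATAP router (replace with yours)
    [string]$IsatapRouter = 'uag.mydomain.com',
    # UAG ISATAP interface address as posted in the thread's ipconfig output
    [string]$UagIsatapAddress = '2002:d47d:e6c2:8000:0:5efe:172.16.9.222'
)

# Step 1: point this computer at the ISATAP router (computer-level, not network-level)
netsh interface isatap set router $IsatapRouter enabled | Out-Null

# Step 2: the IP Helper service must re-read the setting before the interface comes up
Restart-Service -Name iphlpsvc -Force

# Step 3: an ISATAP address embeds the host IPv4 address after '5efe'; behind UAG it
# carries the 2002: 6to4 prefix, so match on both before trusting the interface
$isatap = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPAddress -match '^2002:.*:5efe:' }
if (-not $isatap) {
    Write-Warning 'No global ISATAP address found; check that the router name resolves in DNS'
    netsh interface isatap show state
    netsh interface isatap show router
    return
}
Write-Host "ISATAP address: $($isatap.IPAddress) on $($isatap.InterfaceAlias)"

# Step 4: allow ICMPv6 echo requests in, so the UAG side can reach back to this host
# (built-in rule name on Windows; scope it to the domain profile if your policy requires)
Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv6-In)'

# Step 5: the UAG ISATAP interface is the first hop that must answer before RDP over the
# infrastructure tunnel can work; 'General failure' on ping means the local stack has
# no route or interface for the destination rather than a remote refusal
if (Test-Connection -ComputerName $UagIsatapAddress -Count 2 -Quiet) {
    Write-Host 'ICMPv6 echo to the UAG ISATAP address succeeded'
} else {
    Write-Warning "UAG ISATAP address unreachable; review 'netsh interface ipv6 show route'"
}
```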
  • Yes, I have enabled all inbound traffic to the client.

    However, it is still not pinging.

    Do you know how to check on the TMG that is built into UAG with the live monitor?

    Tuesday, June 11, 2013 7:13 AM