UAG DirectAccess how to clear Active Session

  • Question

  • I want to clear the Active session while we are testing, so it acts just like the first time the client has logged on.

    Any help would be great. Thanks

    Wednesday, March 2, 2011 4:07 PM

All replies

  • Hi

    Good question. One idea may be to restart the "IKE and AuthIP IPsec Keying Modules" service on UAG. This would terminate active sessions.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:37 PM
    Thursday, March 3, 2011 6:54 AM
  • Thanks for answering both my questions. Got another: we are unable to remote desktop to the client, but we are able to remote in.
    Friday, March 4, 2011 4:18 PM
  • Hi,

    Initiating a remote desktop session from an internal client to a DirectAccess client will work if the session is initiated from an IPv6-capable client (Windows XP + IPv6 stack, Vista, Seven, ...). On the client side, the RDP protocol must be allowed on the firewall for the Public and/or Home profiles. That's the general case.

    Now the Teredo case: when your DirectAccess client is located on a private network, it will be using the Teredo transition protocol (unless you select the Force tunneling option). By default Teredo does not allow edge traversal. Have a look at this for detailed information: http://msdn.microsoft.com/en-us/library/aa965911%28VS.85%29.aspx.

    In your case, you should not be able to ping the DirectAccess client while outside the network. You should enable the "Allow edge traversal" checkbox on the Advanced tab of the incoming RDP rule to solve your problem.

    Have a nice day

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:37 PM
    Saturday, March 5, 2011 10:21 AM
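    A scripted form of the two steps BenoitS describes above (dropping active sessions on the UAG server by restarting the keying service, and allowing edge traversal on the client's inbound RDP rule), as an added PowerShell example that is not part of this thread. It assumes netsh advfirewall (Windows 7 / Server 2008 R2 era), that IKEEXT is the service behind the quoted display name, and a rule named "Remote Desktop (TCP-In)"; the two functions run on different machines.

```powershell
# Added lab helper, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: netsh advfirewall is available (no NetSecurity cmdlets needed),
# and the inbound RDP rule is named "Remote Desktop (TCP-In)" (adjust if not).

# 1. On the UAG server: tear down active DirectAccess IPsec sessions so the next
#    client connection behaves like a first logon. 'IKEEXT' is the service name
#    behind the display name "IKE and AuthIP IPsec Keying Modules".
function Reset-DirectAccessSessions {
    $svc = Get-Service -Name IKEEXT -ErrorAction Stop
    Write-Host ("IKEEXT state before restart: {0}" -f $svc.Status)
    Restart-Service -Name IKEEXT -Force
    # Wait until the service is back so clients can re-establish their SAs.
    (Get-Service -Name IKEEXT).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Write-Host "IKEEXT restarted; existing IPsec security associations were dropped."
}

# 2. On the DirectAccess client: a Teredo client behind NAT only accepts inbound
#    RDP when the firewall rule permits edge traversal. Apply it to the Public and
#    Private (Home) profiles, as the answer suggests, then verify the setting.
function Enable-RdpEdgeTraversal {
    param([string]$RuleName = 'Remote Desktop (TCP-In)')   # assumed rule name
    $out = netsh advfirewall firewall set rule name="$RuleName" profile=public,private new edge=yes
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not update rule '$RuleName': $out"
    }
    # Print only the lines that matter; expect 'Edge traversal: Yes' per profile.
    netsh advfirewall firewall show rule name="$RuleName" verbose |
        Select-String -Pattern 'Rule Name|Profiles|Edge traversal'
}

# Usage: on UAG    -> Reset-DirectAccessSessions
#        on client -> Enable-RdpEdgeTraversal -RuleName 'Remote Desktop (TCP-In)'
```

    Pushing the same rule change through the existing DirectAccess client GPO (as suggested later in the thread) keeps it consistent across laptops instead of touching each client by hand.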
  • So if we put it into Force tunneling, all will work without doing firewall rules?
    Wednesday, March 9, 2011 2:55 PM
  • Hi,

    Yes, it will work, but force tunneling limits you to the IP-HTTPS transition technology. The firewall rule can be added to an existing group policy. From my point of view this is a better approach.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:37 PM
    Thursday, March 10, 2011 8:06 AM
  • Ok, I have to see how to use DirectAccess\UAG without the Microsoft firewall, as they bought McAfee Host Intrusion Prevention and I don't want to manage two firewall policies.

    The major reason we want to use DA is that a large number of laptops never VPN into the network, and we want to start managing them better with SCCM, patches and updates.

    You got any advice on how to achieve this?

    Thursday, March 10, 2011 3:00 PM
  • Hi,

    Using an alternate firewall for DirectAccess is a big challenge. I'm also working on the same subject at the present time. I will be building a lab in a few days.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:37 PM
    Thursday, March 10, 2011 4:23 PM