Direct Access 2012 Manage Out - Problems!

  • Question

  • Hi everyone,

    I have implemented DA 2012 "by the book": first disabled ISATAP, an IPv6 address is added to the application server and the IPv6 address of my DA 2012 server is also added as its default gateway, installed Remote Management (DA only), certificates issued to server and clients, two consecutive IPv4 addresses for Teredo.

    Clients connect successfully via IP-HTTPS, Teredo or 6to4, I can ping/access servers on the internal network, but I have a problem with Manage Out clients. At first I could access (RDP) Manage Out clients from the DA server and the Application servers group, but I could not access (RDP) Manage Out clients when they are Teredo clients. Then I checked the firewall on the clients; "Enable NAT Traversal" was enabled on the rule regarding RDP.

    I looked up some problems with Teredo and did this:

    C:\Users\administrator.OBLAK>netsh int ipv6 sh int 16

    Interface Teredo Tunneling Pseudo-Interface Parameters
    IfLuid                             : tunnel_7
    IfIndex                            : 16
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1472 bytes
    Reachable Time                     : 25500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : enabled <- this was disabled
    Advertising                        : enabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled <- this was disabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : enabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    but this did not help. Then I reinstalled everything and clients connect, but now my Manage Out clients don't work via IP-HTTPS or Teredo.

    I don't know what to do anymore. Still I think it is something regarding the firewall.

    So, can anyone share info from their implementation, or look at the firewall rules, maybe I'm missing something. Also, I can ping internal servers, but the application server group cannot ping the Manage Out client.

    I will list the firewall rules that I found:

    DirectAccess Client Settings

    inbound rules: NONE
    outbound rules: Core Networking - IPHTTPS (TCP-Out)...........Private & Public......Any Any (Scope)......All ports IPHTTPS (protocols and ports)

    Connection Security Rules:

    DirectAccess Policy - ClienttoAppServer......Private & Public.....Computer (Kerberos V5) User (Kerberos V5) (Auth)....Any Any (protocols)
    DirectAccess Policy - ClienttotoCorp.......any 2002:XXXXXX:1::/64 fdc3:XXXXXXXX:7777::/96 (remote comp)....Private & Public....Comp Cert User (Kerberos V5)
    DirectAccess Policy - ClienttoDNS64NAT64Prefix......Private & Public.....Do not (Auth)....AllPorts All Ports (protocols)
    DirectAccess Policy - ClienttoInfra.......any 2002:XXXXXX:1::/64 fdc3:XXXXXXXX:7777::/96 (remote comp)....Private & Public....Comp Cert User (NTLMv2)
    DirectAccess Policy - ClienttoNlaExempt.......2002:XXXXXXX:1::/64 - ISATAP address of my DA server, fdc3:XXXXXXXX:7777::/96 (remote comp)....Private & Public....Comp Cert User (Kerberos V5) (authentication)

    DirectAccess Application Server Settings

    inbound rules: NONE
    outbound rules: NONE

    Connection Security Rules: 

    DirectAccess Policy - AppServertoClient...........Domain (profile)....Computer (Kerberos V5) User (Kerberos V5) (authentication).....Any ALL ALL (protocols).... ANY ::-2002:XXXXX:1::, 2002:XXXXXXXXX:1:ffffffffffffff-feff:XXXXXXXX:fffffff

    Do I need any kind of certificate on APP servers group?

    Tnx in advance :)

    Thursday, December 20, 2012 9:54 AM

All replies

  • Just want to add some update info.

    I added firewall rules like in this article http://blogs.technet.com/b/tomshinder/archive/2010/12/01/uag-directaccess-and-the-windows-firewall-with-advanced-security-things-you-should-know.aspx and ICMPv6 started to work. I can ping outside clients, but I still cannot RDP to the client.

    In Network Monitor on the DA server I can see ICMPv6 packets from the App server going through the DA server to the client, and I see ICMPv6 on the client (Network Monitor). Also I can see TLS between the IPv4 public addresses. But when I try RDP I can see packets going through the DA server and nothing on the client.

    Thursday, December 20, 2012 3:12 PM
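A read-only diagnostic for the two things this thread turns on, added here as an example and not code from the poster or from Microsoft: on a manage-out client it lists the enabled inbound Remote Desktop rules with their edge traversal policy (the "Enable NAT Traversal" setting, which must be Allow before a Teredo client accepts unsolicited inbound traffic such as the RDP that reaches the DA server but never the client in the update) and the Teredo interface's Forwarding and Router Discovery state that the poster toggled by hand. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity, NetTCPIP and NetworkTransition modules; the rule group name "Remote Desktop" is the default one and would need changing for a custom RDP rule.

```powershell
# Added diagnostic (not from the original post). Run in an elevated prompt on a
# manage-out client. Assumes Windows 8 / Server 2012 or later.

# 1. Enabled inbound RDP rules and their edge traversal policy.
#    Edge traversal only matters for Teredo clients (traffic arriving through a
#    NAT); IP-HTTPS clients do not need it. Only 'Allow' is the "Enable NAT
#    Traversal" state; 'Block', 'DeferToUser' and 'DeferToApp' are not.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Where-Object { $_.Enabled -eq 'True' }

$report = foreach ($rule in $rdpRules) {
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        EdgeTraversal = $rule.EdgeTraversalPolicy
        TeredoOk      = ($rule.EdgeTraversalPolicy -eq 'Allow')
    }
}
$report | Format-Table -AutoSize

if (-not $rdpRules) {
    Write-Warning "No enabled inbound rule in the 'Remote Desktop' group; RDP is not reachable at all."
}
elseif ($report | Where-Object { -not $_.TeredoOk }) {
    Write-Warning "At least one RDP rule lacks edge traversal = Allow; Teredo manage-out will be dropped silently."
}

# 2. Teredo tunnel interface: Forwarding and RouterDiscovery are the two values
#    the poster changed with netsh. Checking them here confirms whether the change
#    survived a reboot or a Group Policy refresh.
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like '*Teredo*' } |
    Select-Object InterfaceAlias, ifIndex, ConnectionState, Forwarding, RouterDiscovery, NlMtu |
    Format-Table -AutoSize

# 3. Teredo client state: a usable tunnel reports State 'qualified'; anything else
#    means the client has no Teredo address for the DA server to reach.
Get-NetTeredoState | Format-List
```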