DirectAccess and ManageOut - I'm missing something! RRS feed

  • Question

  • I have read many forum posts and web pages trying to get DirectAccess Manage-Out to work and I think I'm missing something with my configuration.

    I have:

    • 1 x DirectAccess server (Win2012 R2)
    • 2 x Manage-Out servers (Win2012 R2)

    From the DirectAccess server I can connect to clients that are currently connected through that DirectAccess server no problem (eg RDP, admin share, remote assistance etc). However from the Manage-Out server I am unable to do so.

    I have tried to setup ISATAP however I can't seem to get it to work.

    From reading on forums the DirectAccess servers are automatically configured as ISATAP routers. On one Manage-Out server I've set the ISATAP router using 

    netsh interface isatap set router

    The Manage-Out ISATAP interface gets a link-local IPv6 address, however in the articles I've read online it also gets a "proper" IPv6 address. Do I need to do any other configuration on the DirectAccess server itself?

    I have also tried setting up another server as the ISATAP router using the article here and I get the same result - client only receives a link local IPv6 address on the ISATAP interface.

    Any ideas what I'm missing?

    Tuesday, July 1, 2014 6:44 AM

All replies

  • One of the chapters in this DA book spells out the steps for creating a manage-out environment based on ISATAP. Part of that chapter is published on Packt's website:

    Wednesday, July 2, 2014 1:20 PM
  • ISATAP is  no longer recommended in DirectAccess 2012 - see this link - and the manage out scenario using GPO is not supported by Microsoft as I understand.

    Therefore the resolution to the issue is to use Native IPv6 on a Jump Host Server (RDS Server) or on your Management Servers. This can be done by applying a static IPv6 Address in the same range as your DirectAccess server and using the DirectAccess Server as the default gateway for this static address or adding an IPv6 Route to the Servers with the DFG as the DirectAccess Server.

    john davies

    Wednesday, July 9, 2014 11:36 AM