Problem connecting with RDP to DA clients in internet

  • Question

  • Hi

    I have a problem connecting to computers in a DirectAccess connection with Remote Desktop and ping.

    Clients that are using DA use Teredo to connect to the company network. I have also made a firewall rule that allows RDP connections from the DA server to computers in the DA tunnel. Also, I can't ping computers that are in the DA tunnel.

    Connections from a computer in the DA tunnel to the intranet work fine, and I can ping and get RDP connections.

    Can anyone help me?


    • Edited by A.A Club Friday, March 23, 2012 1:10 PM
    Friday, March 23, 2012 10:56 AM

All replies

  • There are two things that need to be accomplished before you can initiate outbound connections from your corporate network to your DA client computers:

    1. The machines inside your network that are trying to reach out must be IPv6 enabled. For example, when a helpdesk PC tries to RDP into a DA laptop, the helpdesk PC is going to ask DNS for an IP address. DNS will have the DA laptop's IPv6 address and will respond with that. The helpdesk PC must be IPv6 connected to be able to make that request happen successfully. If you do not have native IPv6 inside your network (most companies don't) then you can use ISATAP to give yourself a "virtual IPv6 environment".

    2. Once you have IPv6 connectivity established in #1, you must also define what ports need to be allowed from the corporate network to these DA client machines. The Windows Firewall on the DA machine by default blocks these incoming requests. You should create a GPO that contains the rules you need to allow. Here is a post describing that: http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx

    Friday, March 23, 2012 6:28 PM
  • Hi

    All computers that use DirectAccess have been forced to use Teredo to connect to the corporate network.

    I try to make RDP connections to computers that are in the DA tunnel from the DA server, and I think IPv6 is enabled by default?

    Also, we have made the firewall policy like in the link above.

    Here is information from ipconfig /all on the DA server's NIC that is connected to the corporate network:

       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-0C-*********

       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::dd3e:1de0:***********(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.****(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 234884137
       DHCPv6 Client DUID. . . . . . . . : ********************************

       DNS Servers . . . . . . . . . . . : 192.168*****
                                           192.168*****
       NetBIOS over Tcpip. . . . . . . . : Enabled

    I think that the problem is in DNS and IPv6, because when I ping a client that is in the DA tunnel with its short or long name, I always get an answer with an IPv4 address.

    So, what should I do?

    Wednesday, March 28, 2012 6:09 AM
  • Are the clients configured to automatically update DNS?

    Steve Angell - IAM Practice Director (http://www.InfraScience.com)

    Wednesday, March 28, 2012 12:22 PM
  • Yes, I think so, because when I look in DNS I can see those machines and IPv6 addresses for them.
    Wednesday, March 28, 2012 12:28 PM
  • Have you configured #1 in my post above? Do you have any native IPv6 or ISATAP running inside your network? Without establishing some form of IPv6 connectivity for your internal machines that need to accomplish this RDP to the DA clients, it's never going to work.
    Wednesday, March 28, 2012 12:57 PM
  • Hi

    I try to connect to clients that are in the DA tunnel from the UAG DirectAccess server. So are you saying that the UAG DirectAccess server doesn't know how to connect to clients that are in the DA tunnel if native IPv6 or ISATAP isn't running in my network?

    Is it enough that ISATAP is enabled on the UAG DirectAccess server? Or do I have to do something else?

    Thursday, March 29, 2012 9:24 AM
  • Testing RDP from the UAG server is not the same as testing from an ISATAP host because when you defined your firewall rules on the DA client you probably defined your ISATAP prefix as being allowed to connect, right? That is the most common way to do it, and no that does not allow the UAG server itself to connect. I have that exact scenario right now in my lab where I have a client-side firewall rule allowing RDP from the whole ISATAP prefix. I can RDP into a client from a file server that is an ISATAP host, but I cannot RDP into a client from the UAG server itself. If you follow both of the steps I outlined in my first post and try to RDP into a client from an ISATAP host, it should work.

    Thursday, March 29, 2012 1:07 PM
  • I actually made that firewall rule from your blog post. But now I have read it really carefully and found the problem: the lack of an ISATAP router. I also found an article on how to set up an ISATAP router: http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html

    Can that ISATAP router be something other than the DNS server, because my DNS server is 2008, not 2008 R2? I will make some 2008 R2 server the ISATAP router and do the "Configuring the ISATAP Router" part from that article. Do I also need to do "Publishing Specific Routes"?

    Friday, March 30, 2012 6:34 AM
  • The UAG server (as long as it is not plugged into a native IPv6 environment) is an ISATAP router. All you need to do is point your internal clients that you want to be ISATAP clients at the internal NIC of the UAG server and then they will grab ISATAP information from the UAG server.

    If you want to do a simple test with one internal server, you can use the hosts file on that particular server to point "ISATAP" at the internal IP address of the UAG box. If you want to create a better, easier to manage on a larger scale ISATAP environment, follow Jason's post: http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html

    Friday, March 30, 2012 2:36 PM
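The two steps from the first reply (IPv6 connectivity for the internal host, then a scoped inbound rule on the DA clients) and the "point ISATAP at the UAG internal NIC" test from the last reply, as an added example that is not part of the thread or of any Microsoft documentation. Every address, host name and prefix in it is a constructed placeholder; the ISATAP prefix, UAG internal IP and DA client FQDN are assumptions you must replace with your own values.

```powershell
# Added example (not from the thread): make one internal host an ISATAP client of the
# UAG server and verify the IPv6 path to a DA client before touching any GPO.
# Run elevated on the internal helper host (Windows 7 / 2008 R2 era, so netsh is used).
# All addresses and names below are constructed placeholders.

$UagInternalIPv4 = '192.168.0.10'             # assumption: UAG internal NIC IPv4 address
$DaClientName    = 'laptop01.company.local'   # assumption: FQDN of a DA-connected client
$IsatapPrefix    = '2002:836b:1:1::/64'       # assumption: ISATAP prefix advertised by UAG

# --- Step 1: IPv6 connectivity for this host, with the UAG box as ISATAP router --------
# Same effect as the hosts-file "ISATAP -> UAG internal IP" trick, but explicit and auditable.
netsh interface isatap set state enabled | Out-Null
netsh interface isatap set router $UagInternalIPv4 | Out-Null
netsh interface isatap show router                  # expect the UAG address, not "default"

# An ISATAP address embeds the IPv4 address behind a 0:5efe: or 200:5efe: interface ID.
$haveIsatap = [bool](ipconfig | Select-String -Pattern '5efe')
if (-not $haveIsatap) { Write-Warning 'No ISATAP address assigned; check the router setting.' }

# --- Step 1 check: DNS must return an AAAA record and RDP must be tried over IPv6 -------
function Test-DaClientRdp {
    param([string]$Name, [int]$Port = 3389)
    # Use only the IPv6 address: the thread's symptom was ping falling back to the A record.
    $v6 = [System.Net.Dns]::GetHostAddresses($Name) |
          Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 } |
          Select-Object -First 1
    if (-not $v6) { return New-Object PSObject -Property @{ Name=$Name; IPv6=$null; RdpOpen=$false } }
    $tcp = New-Object System.Net.Sockets.TcpClient([System.Net.Sockets.AddressFamily]::InterNetworkV6)
    try     { $tcp.Connect($v6, $Port); $open = $tcp.Connected }
    catch   { $open = $false }
    finally { $tcp.Close() }
    New-Object PSObject -Property @{ Name=$Name; IPv6=$v6.IPAddressToString; RdpOpen=$open }
}
Test-DaClientRdp -Name $DaClientName

# --- Step 2: the inbound rule the DA clients need (deploy it via GPO; netsh form shown) --
# Scope the remote address to the ISATAP prefix rather than 'any', and allow edge traversal
# because the clients sit behind Teredo. As the thread notes, a rule scoped this way admits
# ISATAP hosts only, so a test run from the UAG server itself is expected to fail.
netsh advfirewall firewall add rule name="DirectAccess manage-out: RDP from ISATAP hosts" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=$IsatapPrefix edge=yes profile=any
```

Run the Step 2 command on a DA client (or put the equivalent rule in the client GPO), then rerun Test-DaClientRdp from the ISATAP host; RdpOpen should flip to True once both the AAAA record and the rule are in place.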