Manage out is a feature of DirectAccess that allows you to connect to DirectAccess clients from management servers on the network. However, if the DA client is using IP-HTTPS or Teredo to connect to the DA server, you won't be able to automatically initiate a connection from a management server on your network to the DA client.
The reason for this is that you need to create Windows Firewall Rules that allow inbound connections to the DA clients when they're behind a NAT device. You create the inbound firewall rule for the protocol you want to allow, and then you need to get into the Advanced Properties of the inbound firewall rule and enable "Edge Traversal" for the rule. You can do this on a per-client basis, but that's not very scalable. Take advantage of the Windows Firewall with Advanced Security snap-in to scale your DA client firewall rules.
Warning! Do NOT make the changes in the DA clients' GPO, since when you update this GPO it will be overwritten. Instead, create an OU for the DA clients, assign a new GPO to that OU, and populate the OU with your DA clients.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Absolutely! You do have the option to establish only the first, or infrastructure, tunnel. This will allow organizations to manage their remote clients without granting them access to the corporate network. If these clients require network access, legacy VPN connectivity such as PPTP, L2TP/IPsec, or SSTP (for Windows 7 and Vista SP1 clients) can be leveraged.
However, keep in mind that after you establish the VPN connection, the client will be able to detect the network location server and will disable its DA components, so it will no longer be a DA client. After you disconnect the VPN, the system will detect a change in network state and try to detect the network location server again, and when it can't, it will turn on the DA components again.
Pretty sly, huh? I have no idea what the ramifications would be of having a DA client infrastructure tunnel established while at the same time the client has a legacy VPN connection established back to corp, but hey, I think it is possible.
Once the infrastructure connection is established, before the client has logged in, what tool(s) can be used to manage the client hardware? How would one connect to the hardware?
I can see the IPv6 addresses in the TMG log viewer but have no idea how to connect to the client.
In general, most "manage out" scenarios are triggered by agents on the client systems that make calls to the management servers on the corpnet, using the infrastructure tunnel. So while this is technically "manage out", the initial call is made by the client.
However, there are times when you want to initiate a connection from the corpnet to the DA client. In order to do this, the IP address mapping for the DA client must be in DNS. This is enabled by default when the DA client connects to the DA server. Next, you need to make sure there is a Windows Firewall with Advanced Security Firewall Rule on the DA client that allows inbound access to the protocol you want to use for "manage out" when initiating the call from the corpnet management server.
The key thing to remember when you create the rule is that the rule applies to the public and private profiles and that "edge traversal" is enabled on the rule. You might also want to limit the source IP addresses on the rule as well.
These WFAS rules can be configured using the WFAS plug-in in Group Policy. That's really the best way to do it, because you don't want to be in a situation of manually configuring all the clients to support "manage out".
I wrote the 2nd edition of the UAG DA step by step guide and if you'd like a pre-release version, please write to me and let me know what you think of it. All suggestions and recommendations warmly accepted!
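As an added example that is not part of this thread, the same inbound rules (public and private profiles, edge traversal enabled, source limited to the management servers) can be written into a dedicated DA-clients GPO with the NetSecurity PowerShell cmdlets instead of the WFAS snap-in; this assumes Windows 8 / Server 2012 or later tooling, and the domain name, GPO name and management subnet below are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: 'corp.example' (domain),
# 'DA Clients - Manage Out' (GPO linked to the DA clients OU) and the management prefix.
$policyStore = 'corp.example\DA Clients - Manage Out'
$mgmtSubnet  = '2001:db8:1::/64'   # constructed: IPv6 prefix of the corpnet management servers

# Open the GPO once so both rules are written in a single save.
$gpo = Open-NetGPO -PolicyStore $policyStore

# Rule 1: inbound Remote Desktop, only from the management servers.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName 'DA Manage Out - Remote Desktop (TCP 3389)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 `
    -Profile Public, Private `
    -EdgeTraversalPolicy Allow `
    -RemoteAddress $mgmtSubnet

# Rule 2: inbound ICMPv6 Echo Request (type 128) so management servers can ping DA clients.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName 'DA Manage Out - ICMPv6 Echo Request' `
    -Direction Inbound -Action Allow `
    -Protocol ICMPv6 -IcmpType 128 `
    -Profile Public, Private `
    -EdgeTraversalPolicy Allow `
    -RemoteAddress $mgmtSubnet

Save-NetGPO -GPOSession $gpo

# Verification on a DA client after the GPO has applied: every manage-out rule must show
# EdgeTraversalPolicy = Allow and a RemoteAddress other than 'Any'; a rule without edge
# traversal is still silently dropped while the client sits behind NAT (Teredo/IP-HTTPS).
Get-NetFirewallRule -DisplayName 'DA Manage Out*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        EdgeTraversal = $_.EdgeTraversalPolicy
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Run the first part from a machine with the Group Policy tools and the second part on a DA client after gpupdate; because the rules live in a separate GPO linked to the DA clients OU, re-running the DirectAccess wizard does not overwrite them.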