Welcome to ISAserver.org
What about manage out?
What about manage out? - 12.Mar.2010 8:04:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Manage out is a feature of DirectAccess that allows you to connect to DirectAccess clients from management servers on the network. However, if the DA client is using IP-HTTP or Teredo to connect to the DA server, you won't be able to automatically initiate a connection from a management server on your network to the DA client.

The reason for this is that you need to create Windows Firewall Rules that allow inbound connections to the DA clients when they're behind a NAT device. You create the inbound firewall rule for the protocol you want to allow, and then you need to get into the Advanced Properties of the inbound firewall rule and enable "Edge Traversal" for the rule. You can do this on a per-client basis, but that's not very scalable. Take advantage of the Windows Firewall with Advanced Security snap-in to scale your DA client firewall rules.

Warning! Do NOT make the changes in the DA clients' GPO, since when you update this GPO it will be overwritten. Instead, create an OU for the DA clients, assign a new GPO to that OU, and populate the OU with your DA clients.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: What about manage out? - 13.Mar.2010 10:13:32 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Wow! That "manage out" feature is really cool!

Can I setup DirectAccess so that I *only* have "manage out" and no inbound connections from the DA clients?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tshinder)
Post #: 2
RE: What about manage out? - 13.Mar.2010 12:27:23 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Absolutely! You do have the option to establish only the first, or infrastructure, tunnel. This will allow organizations to manage their remote clients without granting them access to the corporate network. If these clients require network access, legacy VPN connectivity such as PPTP, L2TP/IPsec, or SSTP (for Windows 7 and Vista SP1 clients) can be leveraged.



_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to tshinder)
Post #: 3
RE: What about manage out? - 17.Mar.2010 8:54:12 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Richard,

However, keep in mind that after you establish the VPN connection, the client will be able to detect the network location server and will disable its DA components, so it will no longer be a DA client. After you disconnect the VPN, the system will detect a change in network state and try to detect the network location server again, and when it can't, it will turn on the DA components again.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to richardhicks)
Post #: 4
RE: What about manage out? - 17.Mar.2010 11:09:15 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
So what happens if I create an access rule denying traffic from the VPN clients network to the Network Location Server (NLS)?

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to tshinder)
Post #: 5
RE: What about manage out? - 18.Mar.2010 4:45:56 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What a cheeky monkey!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to richardhicks)
Post #: 6
RE: What about manage out? - 18.Mar.2010 12:29:18 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Pretty sly, huh? I have no idea what the ramification would be of having a DA client infrastructure tunnel established while at the same time the client has a legacy VPN connection established back to corp, but hey, I think it is possible.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to Jason Jones)
Post #: 7
RE: What about manage out? - 27.Mar.2010 10:08:55 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I suspect that the DA connection would stay up.

However, there would be a preferred route, which I suspect will be the VPN connection - but we'd have to test that to know for sure.

:)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to richardhicks)
Post #: 8
RE: What about manage out? - 27.Mar.2010 3:32:00 PM   
BigDon86

 

Posts: 7
Joined: 8.May2003
Status: offline
Hi All;

Using DA with UAG ....

Once the infrastructure connection is established, before the client has logged in, what tool(s) can be used to manage the client hardware? How would one connect to the hardware?

I can see the IPv6 addresses in the TMG log viewer but have no idea how to connect to the client.

Thoughts?

Don Adams
USEast Technologies

(in reply to richardhicks)
Post #: 9
RE: What about manage out? - 30.Mar.2010 8:09:50 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Don,
Good question.

In general, most "manage out" scenarios are triggered by agents on the client systems that make calls to the management servers on the corpnet, using the infrastructure tunnel. So while this is technically "manage out", the initial call is made by the client.

However, there are times when you want to initiate a connection from the corpnet to the DA client. In order to do this, the IP address mapping for the DA client must be in DNS. This is enabled by default when the DA client connects to the DA server. Next, you need to make sure there is a Windows Firewall with Advanced Security Firewall Rule on the DA client that allows inbound access to the protocol you want to use for "manage out" when initiating the call from the corpnet management server.

The key thing to remember when you create the rule is that the rule applies to the public and private profiles and that "edge traversal" is enabled on the rule. You might also want to limit the source IP addresses on the rule as well.

These WFAS rules can be configured using the WFAS plug-in in Group Policy. That's really the best way to do it, because you don't want to be in a situation of manually configuring all the clients to support "manage out".

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to BigDon86)
Post #: 10
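The rule Tom describes in post #1 and post #10 (inbound, public and private profiles only, edge traversal on, source addresses restricted to the management hosts), written out as an added PowerShell example. This is not code from the thread or from Microsoft; it uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later (the Windows 7-era clients discussed here only had `netsh advfirewall`, and the equivalent command is given in a comment). The management prefix `2001:db8:beef:1::/64`, the rule name and the client host name are constructed placeholders, and `Test-NetConnection` (Windows 8.1 / 2012 R2 and later) is assumed to be present on the management server.

```powershell
# Added example, not from the original thread.
# Creates and verifies one "manage out" inbound rule on a DirectAccess client.

# ASSUMPTION (placeholder): IPv6 prefix of the management servers on the corpnet.
$ManagementPrefix = '2001:db8:beef:1::/64'
$RuleName         = 'DA Manage-Out: Remote Desktop (inbound)'

function New-ManageOutRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $RemotePrefix,
        [Parameter(Mandatory)] [int]    $Port
    )

    # Drop any stale copy so re-running the function is idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $params = @{
        DisplayName         = $Name
        Direction           = 'Inbound'
        Action              = 'Allow'
        Protocol            = 'TCP'
        LocalPort           = $Port
        Profile             = 'Public', 'Private'  # client is off-corpnet when manage out matters
        RemoteAddress       = $RemotePrefix        # only management hosts may initiate
        EdgeTraversalPolicy = 'Allow'              # needed when the client sits behind NAT (Teredo / IP-HTTPS)
    }
    New-NetFirewallRule @params
}

function Test-ManageOutRule {
    # Reads the rule back and returns the properties that decide whether
    # a corpnet-initiated connection can actually reach the client.
    param([Parameter(Mandatory)] [string] $Name)

    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $addr = $rule | Get-NetFirewallAddressFilter

    [pscustomobject]@{
        Enabled       = $rule.Enabled
        Profiles      = $rule.Profile
        EdgeTraversal = $rule.EdgeTraversalPolicy
        RemoteAddress = $addr.RemoteAddress
    }
}

function Test-ManageOutReach {
    # Run this on a management server: confirms the client's AAAA record is
    # registered (post #10) and that the port answers over the infrastructure tunnel.
    param(
        [Parameter(Mandatory)] [string] $ClientName,
        [Parameter(Mandatory)] [int]    $Port
    )

    $aaaa = Resolve-DnsName -Name $ClientName -Type AAAA -ErrorAction SilentlyContinue
    if (-not $aaaa) {
        return [pscustomobject]@{ Client = $ClientName; Registered = $false; Reachable = $false }
    }
    $tnc = Test-NetConnection -ComputerName $ClientName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Client     = $ClientName
        Registered = $true
        Address    = ($aaaa | Select-Object -First 1).IPAddress
        Reachable  = $tnc.TcpTestSucceeded
    }
}

# --- usage (on the DA client, elevated) ---
New-ManageOutRule -Name $RuleName -RemotePrefix $ManagementPrefix -Port 3389 | Out-Null
Test-ManageOutRule -Name $RuleName | Format-List

# --- usage (on a management server) ---
# Test-ManageOutReach -ClientName 'da-client01' -Port 3389   # 'da-client01' is a placeholder

# Windows 7 / netsh equivalent of New-ManageOutRule (edge=yes is the "Edge Traversal" checkbox):
# netsh advfirewall firewall add rule name="DA Manage-Out: Remote Desktop (inbound)" dir=in action=allow protocol=TCP localport=3389 profile=public,private remoteip=2001:db8:beef:1::/64 edge=yes
```

Running the cmdlet locally is only useful for a lab or for checking a single client; for production the same rule should be authored once in the Windows Firewall with Advanced Security node of a GPO linked to the dedicated DA-clients OU, as the warning in post #1 says, and `Test-ManageOutRule` then becomes the check that the GPO actually landed with edge traversal and the address restriction intact.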
RE: What about manage out? - 30.Mar.2010 8:26:47 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
This covers it well: http://technet.microsoft.com/en-us/library/ee809076.aspx

I hope to cover this in my DirectAccess "lessons learnt" blog article, if I ever get time to create it :(

Cheers

JJ

< Message edited by Jason Jones -- 30.Mar.2010 8:30:34 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 11
RE: What about manage out? - 30.Mar.2010 8:48:51 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

Thanks! Good link.

Looking forward to your lessons learned post - and hope you get a break some time so that you can actually write it!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 12
RE: What about manage out? - 31.Mar.2010 11:32:45 PM   
BigDon86

 

Posts: 7
Joined: 8.May2003
Status: offline
Thanks .... I'll give this a try.

_____________________________

Don Adams
USEast Technologies

(in reply to Jason Jones)
Post #: 13
RE: What about manage out? - 2.Apr.2010 6:07:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Don,

I wrote the 2nd edition of the UAG DA step by step guide and if you'd like a pre-release version, please write to me and let me know what you think of it. All suggestions and recommendations warmly accepted!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to BigDon86)
Post #: 14