What about manage out? (Full Version)

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess





tshinder -> What about manage out? (12.Mar.2010 8:04:59 PM)

Manage out is a feature of DirectAccess that allows you to connect to DirectAccess clients from management servers on the network. However, if the DA client is using IP-HTTP or Teredo to connect to the DA server, you won't be able to automatically initiate a connection from a management server on your network to the DA client.

The reason for this is that you need to create Windows Firewall Rules that allow inbound connections to the DA clients when they're behind a NAT device. You create the inbound firewall rule for the protocol you want to allow, and then you need to get into the Advanced Properties of the inbound firewall rule and enable "Edge Traversal" for the rule. You can do this on a per-client basis, but that's not very scalable. Take advantage of the Windows Firewall with Advanced Security snap-in to scale your DA client firewall rules.

Warning! Do NOT make the changes in the DA clients' GPO, since when you update this GPO it will be overwritten. Instead, create an OU for the DA clients, assign a new GPO to that OU, and populate the OU with your DA clients.

HTH,
Tom




tshinder -> RE: What about manage out? (13.Mar.2010 10:13:32 AM)

Wow! That "manage out" feature is really cool!

Can I setup DirectAccess so that I *only* have "manage out" and no inbound connections from the DA clients?

Thanks!
Tom




richardhicks -> RE: What about manage out? (13.Mar.2010 12:27:23 PM)

Absolutely! You do have the option to establish only the first, or infrastructure, tunnel. This will allow organizations to manage their remote clients without granting them access to the corporate network. If these clients require network access, legacy VPN connectivity such as PPTP, L2TP/IPsec, or SSTP (for Windows 7 and Vista SP1 clients) can be leveraged.

[:)]




tshinder -> RE: What about manage out? (17.Mar.2010 8:54:12 PM)

Hi Richard,

However, keep in mind that after you establish the VPN connection, the client will be able to detect the network location server and will disable its DA components, so it will no longer be a DA client. After you disconnect the VPN, the system will detect a change in network state and try to detect the network location server again, and when it can't, it will turn on the DA components again.

HTH,
Tom




richardhicks -> RE: What about manage out? (17.Mar.2010 11:09:15 PM)

So what happens if I create an access rule denying traffic from the VPN clients network to the Network Location Server (NLS)? [;)]




Jason Jones -> RE: What about manage out? (18.Mar.2010 4:45:56 AM)

What a cheeky monkey! [:D]




richardhicks -> RE: What about manage out? (18.Mar.2010 12:29:18 PM)

Pretty sly, huh? I have no idea what the ramification would be of having a DA client infrastructure tunnel established while at the same time the client has a legacy VPN connection established back to corp, but hey, I think it is possible. [:)]




tshinder -> RE: What about manage out? (27.Mar.2010 10:08:55 AM)

I suspect that the DA connection would stay up.

However, there would be a preferred route, which I suspect will be the VPN connection - but we'd have to test that to know for sure.

:)

Thanks!
Tom




BigDon86 -> RE: What about manage out? (27.Mar.2010 3:32:00 PM)

Hi All;

Using DA with UAG ....

Once the infrastructure connection is established, before the client has logged in, what tool(s) can be used to manage the client hardware? How would one connect to the hardware?

I can see the IPv6 addresses in the TMG log viewer but have no idea how to connect to the client.

Thoughts?

Don Adams
USEast Technologies




tshinder -> RE: What about manage out? (30.Mar.2010 8:09:50 AM)

Hi Don,
Good question.

In general, most "manage out" scenarios are triggered by agents on the client systems that make calls to the management servers on the corpnet, using the infrastructure tunnel. So while this is technically "manage out", the initial call is made by the client.

However, there are times when you want to initiate a connection from the corpnet to the DA client. In order to do this, the IP address mapping for the DA client must be in DNS. This is enabled by default when the DA client connects to the DA server. Next, you need to make sure there is a Windows Firewall with Advanced Security Firewall Rule on the DA client that allows inbound access to the protocol you want to use for "manage out" when initiating the call from the corpnet management server.

The key thing to remember when you create the rule is that the rule applies to the public and private profiles and that "edge traversal" is enabled on the rule. You might also want to limit the source IP addresses on the rule as well.

These WFAS rules can be configured using the WFAS plug-in in Group Policy. That's really the best way to do it because you don't want to be in a situation of manually configuring all the clients to support "manage out".

HTH,
Tom
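
The rule Tom describes in the first post and again above (inbound, Private and Public profiles only, edge traversal enabled, source restricted to the management servers, delivered through a separate GPO), written out as an added example that is not from this thread. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012 or later on the admin host, an existing GPO named "DA Clients - Manage Out" linked to the DA client OU, and placeholder domain and IPv6 addresses.

```powershell
# Added example (not from the thread). Assumes the NetSecurity module
# (Windows 8 / Server 2012+ admin host) and that the GPO below already exists
# and is linked to the DA client OU. Domain name and addresses are placeholders.

$Gpo         = 'corp.example\DA Clients - Manage Out'   # assumed, format Domain\GPOName
$MgmtServers = @('2001:db8:1::10', '2001:db8:1::11')    # assumed IPv6 of management hosts
$RuleName    = 'DA-ManageOut-RDP-In'

# Inbound RDP from the management servers only. Without -EdgeTraversalPolicy Allow
# this rule is silently ineffective for Teredo / IP-HTTPS clients behind NAT,
# which is the failure the thread describes. The Domain profile is deliberately
# left out: on the corpnet the machine is not acting as a DA client.
New-NetFirewallRule -Name $RuleName `
    -DisplayName 'DirectAccess manage-out: RDP (edge traversal)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 `
    -Profile Private, Public `
    -RemoteAddress $MgmtServers `
    -EdgeTraversalPolicy Allow `
    -PolicyStore $Gpo

# Verification: read the rule back from the GPO and flag anything that would
# make it useless or overly broad for a NAT-ed DA client.
$rule = Get-NetFirewallRule -Name $RuleName -PolicyStore $Gpo
$addr = $rule | Get-NetFirewallAddressFilter
$port = $rule | Get-NetFirewallPortFilter

$problems = @()
if ($rule.EdgeTraversalPolicy -ne 'Allow')      { $problems += 'edge traversal not enabled' }
if ($rule.Profile.ToString() -match 'Domain')   { $problems += 'rule also applies to Domain profile' }
if ($addr.RemoteAddress -contains 'Any')        { $problems += 'source addresses not restricted' }
if ($rule.Enabled -ne 'True')                   { $problems += 'rule is disabled' }

if ($problems) {
    Write-Warning ("{0}: {1}" -f $RuleName, ($problems -join '; '))
} else {
    Write-Output ("{0}: {1}/{2} from {3}, edge traversal on, profiles {4}" -f `
        $RuleName, $port.Protocol, $port.LocalPort, ($addr.RemoteAddress -join ', '), $rule.Profile)
}
```

Run `gpupdate /force` on a test DA client and confirm the rule shows up under the Private/Public profiles before relying on it.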




Jason Jones -> RE: What about manage out? (30.Mar.2010 8:26:47 AM)

This covers it well: http://technet.microsoft.com/en-us/library/ee809076.aspx

I hope to cover this in my DirectAccess "lessons learnt" blog article, if I ever get time to create it :(

Cheers

JJ




tshinder -> RE: What about manage out? (30.Mar.2010 8:48:51 AM)

Hi Jason,

Thanks! Good link.

Looking forward to your lessons learned post - and hope you get a break some time so that you can actually write it!

Thanks!
Tom




BigDon86 -> RE: What about manage out? (31.Mar.2010 11:32:45 PM)

Thanks .... I'll give this a try.




tshinder -> RE: What about manage out? (2.Apr.2010 6:07:41 AM)

Hi Don,

I wrote the 2nd edition of the UAG DA step by step guide and if you'd like a pre-release version, please write to me and let me know what you think of it. All suggestions and recommendations warmly accepted!

Thanks!
Tom



