Often, when thinking about management functions, we think of them as software or settings that are being pushed out to the client computers. In many cases this is actually not true. A lot of management tools are initiated on the client side, so their method of distributing settings and patches is actually a client pull.

A pull is a request that has been initiated by the client; the server is simply responding to that request. In the DirectAccess (DA) world, this kind of request is handled very differently from an actual push, which is any case where the internal server or resource creates the initial outbound communication with the client, a true outbound initiation of packets. Pulls typically work just fine over DirectAccess. For example, Group Policy processing is initiated by the client. When a laptop decides that it’s time for a Group Policy refresh, it reaches out to Active Directory and says “Hey AD, give me my latest stuff”. The Domain Controller then replies to that request, and the settings are pulled down successfully. This works all day, every day over DirectAccess.

Pushes, on the other hand, require some special considerations. This scenario is what we commonly refer to as DirectAccess Manage Out, and it does not work by default in a stock DirectAccess implementation.

Historically, SCCM manage-out capabilities were only available if you set up Internet Based Client Management (IBCM), used an alternate VPN solution, or ran a truly native IPv6 network. However, after extended research the following method was discovered to enable SCCM manage-out by leveraging the ISATAP router capabilities of the DirectAccess servers.

Configuring the IPv6 ISATAP Router on the DirectAccess Server

The first step is to run the following commands on each DirectAccess server in your environment. This will set up the DirectAccess server(s) as ISATAP router(s).

  1. Run the command “netsh interface ipv6 show interface” and find the index of the adapter named isatap.domain.com or isatap.{GUID}. The index (Idx) number is the column to the left of the name; in the screenshot below it is 12.

https://jeffreymaxan.files.wordpress.com/2014/10/1.png

  2. Run “netsh int ipv6 sh int 12” (12 being the index number of the ISATAP adapter) and verify the following:
    1. advertise=enabled
    2. forwarding=enabled
    3. advertisedefaultroute=enabled

https://jeffreymaxan.files.wordpress.com/2014/10/2.png

  3. If any of the above are not enabled, run the corresponding command(s) below to enable the feature on the adapter:
    1. Netsh int ipv6 SET int 12 advertise=enabled
    2. Netsh int ipv6 SET int 12 forwarding=enabled
    3. Netsh int ipv6 SET int 12 advertisedefaultroute=enabled

Your adapter is now configured as needed for manage out.
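As an added example (not code from the original post), the same three-step check scripted in PowerShell around the netsh commands above. It assumes the ISATAP adapter's name begins with “isatap.” as in the screenshots, runs from an elevated prompt on the DirectAccess server, and only changes a setting when invoked with -Fix:

```powershell
# Added example, not from the original post: audit (and with -Fix, enable) the three ISATAP
# router settings the post sets by hand, on every adapter whose name starts with "isatap.".
# Run from an elevated PowerShell prompt on each DirectAccess server.
param([switch]$Fix)   # without -Fix the script only reports, it changes nothing

# Property label in "netsh ... show interface <idx>" output -> parameter used to set it
$settings = [ordered]@{
    'Forwarding'              = 'forwarding'
    'Advertising'             = 'advertise'
    'Advertise Default Route' = 'advertisedefaultroute'
}

# Step 1: find the ISATAP adapter index (Idx column) in "netsh interface ipv6 show interface"
$adapters = foreach ($line in (netsh interface ipv6 show interface)) {
    if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(isatap\.\S+)') {
        [pscustomobject]@{ Index = [int]$Matches[1]; Name = $Matches[2] }
    }
}
if (-not $adapters) { throw 'No isatap.* adapter found; ISATAP is not enabled on this server.' }

foreach ($adapter in $adapters) {
    Write-Host "Checking $($adapter.Name) (index $($adapter.Index))"
    # Step 2: read the per-interface parameters the post says to verify
    $detail = netsh interface ipv6 show interface $adapter.Index
    foreach ($label in $settings.Keys) {
        $m = $detail | Select-String -Pattern "^$label\s*:\s*(\w+)" | Select-Object -First 1
        $state = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
        if ($state -eq 'enabled') {
            Write-Host "  $label : enabled"
            continue
        }
        Write-Warning "  $label : $state"
        # Step 3: the "netsh int ipv6 set int <idx> <param>=enabled" command, only on request
        if ($Fix) {
            netsh interface ipv6 set interface $adapter.Index "$($settings[$label])=enabled" | Out-Null
            Write-Host "  $label : set to enabled"
        }
    }
}
```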

DNS Entries

To continue the configuration there needs to be one or more DNS entries pointing to the DirectAccess server being used as the ISATAP router in your environment.


If you are running a clustered array of DirectAccess servers that are configured for load balancing, then you will need multiple DNS records. All of the records have the same name, for example MyCompany_ISATAP, and you point them at each internal IP address being used by the cluster.

For example, one gets pointed at the internal Virtual IP (VIP), and one gets pointed at each of the internal Dedicated IPs (DIP). In a two-node cluster, you will have three DNS records for MyCompany_ISATAP.

DNS name                      IP
MyCompany_ISATAP.domain.com   VIP: x.x.x.x
MyCompany_ISATAP.domain.com   DIP: x.x.x.x
MyCompany_ISATAP.domain.com   DIP: x.x.x.x

Group Policy Objects

To fully implement the solution you will need to push out a GPO to all DA manage out machines.

  1. Create a new Windows security group called UAG DirectAccess Manage Out Clients
  2. Open the Group Policy Management Console (GPMC)
  3. Create a new group policy object called DirectAccess: Manage Out Clients (Enable ISATAP)
  4. Configure the following properties:
    1. Under the Scope tab, remove Authenticated Users from the Security Filtering section and add the Windows security group created above (UAG DirectAccess Manage Out Clients in our example).

https://jeffreymaxan.files.wordpress.com/2014/10/3.png

    2. Under the Details tab, set the GPO Status to User configuration settings disabled
  5. Right-click the newly created GPO, choose Edit, and define the following settings:
    1. In Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies, open ISATAP Router Name:
      1. Select Enabled
      2. Enter a router or relay name: MyCompany_ISATAP.domain.com (this should be the DNS name created above that points to the IP address(es) of the DirectAccess server.)
      3. Choose OK
    2. Choose OK.
  6. Once completed, this should result in the following output in the Settings tab:

More information: Limiting ISATAP Services to DirectAccess Manage Out Clients

Deploying Manage Out

To deploy the manage out capability, the DirectAccess manage out machines must be added to the DirectAccess Manage Out Clients Windows security group. The clients must be rebooted before the group membership becomes active. The Group Policy should apply after the reboot, and the specific manage out machines that you have defined by group membership should receive ISATAP addressing and prefix information, making them IPv6 capable.

Validation

To validate the configuration, there should be an IPv6 address in ISATAP format (2002:WWXX:YYZZ:8000:5efe:w.x.y.z) on the ISATAP adapter.

  1. From a command prompt, type IPCONFIG /ALL
  2. Verify that the ISATAP adapter has an IPv6 address and not only a link-local IPv6 address, as illustrated in the figure below
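An added validation script (not code from the original post) that performs the ipconfig check above and the DNS registration check from the troubleshooting section below in PowerShell. MyCompany_ISATAP.domain.com is the router name used in the post; da1.domain.com is an assumed host name for one DirectAccess server:

```powershell
# Added example, not from the original post. Validates ISATAP on a manage-out client or managed
# server: routable address on the isatap.* adapter, router name resolving, this host's AAAA record
# registered, and the address sharing the /64 of a DA server's ISATAP address. $DaServer is assumed.
param(
    [string]$RouterName = 'MyCompany_ISATAP.domain.com',   # DNS name created in the post
    [string]$DaServer   = 'da1.domain.com'                  # assumed: host name of one DA server
)

# Canonical .NET rendering of an IPv6 address, zone index (%12) stripped, so strings compare equal
function ConvertTo-CanonicalIPv6([string]$Address) {
    [System.Net.IPAddress]::Parse(($Address -split '%')[0]).ToString()
}

# First four 16-bit groups (the /64, e.g. 2002:836b:1:8000) of an IPv6 address
function Get-Prefix64([string]$Address) {
    $b = [System.Net.IPAddress]::Parse(($Address -split '%')[0]).GetAddressBytes()
    (0..3 | ForEach-Object { '{0:x}' -f (($b[2 * $_] -shl 8) + $b[2 * $_ + 1]) }) -join ':'
}

# 1. The isatap.* adapter needs more than the link-local fe80::5efe:w.x.y.z address
$routable = @(Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap.*' -and $_.IPAddress -notlike 'fe80:*' })
if ($routable.Count -eq 0) {
    throw 'ISATAP adapter has no routable address; check that the GPO applied (gpresult /r) and reboot.'
}
$mine = ConvertTo-CanonicalIPv6 $routable[0].IPAddress
Write-Host "Local ISATAP address : $mine"

# 2. The router name should resolve to the DA server's internal IPv4 address(es): VIP plus each DIP
$routers = Resolve-DnsName -Name $RouterName -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
Write-Host "$RouterName resolves to : $($routers.IPAddress -join ', ')"

# 3. This host's AAAA record should be registered in DNS (what sorting the zone by data shows)
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$myAaaa = @(Resolve-DnsName -Name $fqdn -Type AAAA -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'AAAA' | ForEach-Object { ConvertTo-CanonicalIPv6 "$($_.IPAddress)" })
if ($mine -in $myAaaa) { Write-Host "$fqdn AAAA record is registered" }
else { Write-Warning "$fqdn has no AAAA record for $mine yet (try ipconfig /registerdns)" }

# 4. The address should sit in the same /64 as the DA server's ISATAP (::5efe:) address
$daPrefixes = @(Resolve-DnsName -Name $DaServer -Type AAAA -ErrorAction Stop |
    Where-Object { $_.Type -eq 'AAAA' -and "$($_.IPAddress)" -like '*:5efe:*' } |
    ForEach-Object { Get-Prefix64 "$($_.IPAddress)" })
$myPrefix = Get-Prefix64 $mine
if ($myPrefix -in $daPrefixes) { Write-Host "Prefix $myPrefix matches $DaServer" }
else { Write-Warning "Prefix $myPrefix does not match $DaServer ($($daPrefixes -join ', '))" }
```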


Troubleshooting

If the ISATAP adapter address assignment is not successful, it may be necessary to use the following commands to refresh the adapter state:

  1. From an administrator Command Prompt run:
    1. sc control iphlpsvc paramchange
  2. Add the server you want to manage out to through DirectAccess to the security group created above.
  3. Reboot the server.
  4. Run IPCONFIG once the server is up and verify that you now receive an IPv6 address close to the DirectAccess server's IPv6 address (found on the server or in DNS).
    1. Logging on to DNS will easily show whether the server you added actually registered its IPv6 address in DNS; if you sort by data you will see that they are in the same IPv6 address range, with the first several groups matching.
  5. Once all items have been confirmed, try to connect to the machine via UNC.
    1. This will only work if you have configured firewall settings to allow such a connection; if not, create a firewall rule for RDP and then test.
    2. If you cannot connect, follow the steps below for each protocol to allow connections.
  6. Setting up client-side firewall rules:
    1. It is a common mistake to modify the existing DirectAccess Client Settings GPO that DirectAccess creates and uses, and to plug these new rules into that GPO rather than create another new GPO. Please don’t do this. The DA GPOs should be left alone, because they are automatically adjusted by the wizards, so your changes may get thrown out at some point.
    2. Use a separate GPO for these WFAS settings.
      1. Perhaps the same one you created for the Teredo and 6to4 best practice settings, because these are also settings that need to be applied only to the DirectAccess client computers.
  7. Inside the GPO that you have chosen for this task, add WFAS rules using the following configuration:
    1. In Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules:
      1. Right-click and choose New Rule…
      2. Choose Port rule and click Next
      3. Specify which port you would like to allow (either include multiple ports in one rule, or create multiple rules, one for each port).
      4. Choose Allow the connection
      5. Choose the Domain, Public and Private firewall profiles for application
      6. Finish the wizard by naming the rule