For DirectAccess manage out scenarios, it is necessary to configure the Windows firewall on the DirectAccess client to allow any required inbound communication from the corporate network. For example, if management hosts on the internal network need to initiate Remote Desktop sessions with remote connected DirectAccess clients, the Remote Desktop - User Mode (TCP-In) Windows firewall rule will need to be enabled for the Public and Private profiles.
While enabling this rule will allow remote desktop connections to be made from the corporate network, its default configuration will also accept remote desktop connections from any network. From a security perspective this is not desirable.
A better solution is to restrict access to connections originating only from the corporate network. To do this it will be necessary to identify the ISATAP prefix used internally. To determine the corporate ISATAP prefix, run the ipconfig command on a management workstation that is configured for ISATAP. The ISATAP prefix will be the first 96 bits of the IPv6 address assigned to the ISATAP tunnel adapter (essentially everything with the exception of the embedded IPv4 address).
On the DirectAccess client, right-click the firewall rule and choose Properties. Choose the Scope tab and then select These IP addresses. Click Add and then enter the ISATAP prefix as shown here.
Once the firewall rule is configured to restrict access to the ISATAP prefix, only corporate management workstations on the internal network will have access to remote DirectAccess clients.
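As an added example that is not part of the original post, the following PowerShell performs the two steps described above: it derives the corporate ISATAP /96 prefix from the ISATAP adapter on a management workstation (skipping the link-local fe80::5efe: address, which cannot be used for manage out), and then scopes the Remote Desktop inbound rule on the DirectAccess client to that prefix and verifies the result. The rule display name is the one given in the post; the adapter-alias pattern (`isatap*`) and the sample prefix value are assumptions.

```powershell
# Added example, not from the original post. Part 1 runs on an ISATAP-configured
# management workstation; Part 2 runs in an elevated PowerShell on the
# DirectAccess client. Assumes the ISATAP adapter alias starts with "isatap"
# (the Windows default) and the rule display name used in the post.

# --- Part 1: determine the corporate ISATAP prefix (management workstation) ---
# Pick the global unicast IPv6 address on the ISATAP adapter. A link-local
# address (fe80::5efe:...) is excluded because it cannot be used for manage out.
$isatapAddress = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPAddress -notlike 'fe80*' } |
    Select-Object -First 1

if (-not $isatapAddress) {
    throw 'No global unicast IPv6 address on the ISATAP adapter; manage out will not work from this host.'
}

# The ISATAP prefix is the first 96 bits (12 bytes) of the address. The last
# 32 bits are the embedded IPv4 address, which differs for every host.
$bytes   = ([System.Net.IPAddress]::Parse($isatapAddress.IPAddress)).GetAddressBytes()
$hextets = for ($i = 0; $i -lt 12; $i += 2) {
    '{0:x}' -f ((([int]$bytes[$i]) -shl 8) -bor [int]$bytes[$i + 1])
}
$isatapPrefix = ($hextets -join ':') + '::/96'
Write-Output "Corporate ISATAP prefix: $isatapPrefix"
# Constructed sample: 2002:836b:1:1:0:5efe:10.0.0.1 -> 2002:836b:1:1:0:5efe::/96

# --- Part 2: scope the firewall rule (DirectAccess client, elevated) ---
# Replace with the value printed by Part 1; this is a constructed sample.
$isatapPrefix = '2002:836b:1:1:0:5efe::/96'
$ruleName     = 'Remote Desktop - User Mode (TCP-In)'

# Enable the rule and restrict its remote address scope to the ISATAP prefix,
# so Remote Desktop connections from any other network remain blocked.
Get-NetFirewallRule -DisplayName $ruleName |
    Set-NetFirewallRule -Enabled True -RemoteAddress $isatapPrefix

# Verify: the rule's address filter should list only the ISATAP prefix.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The verification step at the end is worth keeping in any change script: a rule whose RemoteAddress still reads `Any` is the open-to-every-network configuration the post warns about, and it is easy to miss when the rule is enabled through the GUI on the wrong profile.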
Erlend / March 19, 2016
Is it possible to have traffic flowing between directaccess clients as well?
Richard M. Hicks / March 20, 2016
Yes, as long as they are connected to the same server and client Windows firewall rules allow it. 🙂
Roman / April 30, 2020
My isatap prefix is fe80::5efe:
How I can change it?
Richard M. Hicks / April 30, 2020
That is a link-local IPv6 prefix, and there’s no way to change it.
Richard M. Hicks / April 30, 2020
Also, just for clarification, the link-local IPv6 address cannot be used for manage out. You must have a global unicast IPv6 address to manage out.
Kyle / May 5, 2020
Thanks for your guides! I’ve been able to get DA working except for Manage Out. My ISATAP connection does not get the IPv6 address, only the local (which we know doesn’t help). I get the other 2 needed connections (IP-HTTPS/Teredo). I can RDP/Ping any DA client from the DA server but that is it; I cannot do the same for any other internal client. Which makes SCCM pretty much useless for RDP/RemoteAssist. SCCM software center does work, where we can install software.
Richard M. Hicks / May 6, 2020
That’s a common issue. Download and run the following script on your DirectAccess server and let me know if that helps. 🙂
https://github.com/richardhicks/directaccess/blob/master/Reset-DaIsatapConfiguration.ps1
Kyle / May 6, 2020
Thanks for the reply! I did run it...
Set-NetIPInterface : Cannot validate argument on parameter ‘InterfaceIndex’. The argument is null. Provide a valid
value for the argument, and then try running the command again.
Richard M. Hicks / May 14, 2020
Not sure what’s up there. I’ve tested on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Not had any issues thus far.
Timo / May 8, 2020
Hi Richard,
we currently have the same issue as Kyle described earlier. Unfortunately using your PS script didn’t help. We also can RDP/ping every DA Client from the DA server but from no other internal client using ISATAP. All have been newly set up based on Windows Server 2019 and Windows 10 1909 following your Direct Access book. We recognized the internal machines won’t get a DNS suffix or default gateway configured on their ISATAP adapter. Also there is no IPv6 route to the DA clients present. Do you have any suggestions on this?
Thanks in advance
Timo
Richard M. Hicks / May 14, 2020
Does the DirectAccess server now have a global unicast IPv6 address on the ISATAP interface after running the script? Also, does your client have a global unicast IPv6 address on its ISATAP interface as well?
Kyle / May 14, 2020
Mine does have a global unicast IPv6 address on ISATAP (server), client does not. Only link-local.
Richard M. Hicks / May 14, 2020
It will need that for sure. Make sure the DirectAccess server is configured to advertise on the ISATAP interface. My script should do that for you. If you run my script and then restart your client, does it not work then?
Richard M. Hicks / May 14, 2020
BTW, you would run my script on the server, not the client... just for clarification. 🙂
Kyle / May 14, 2020
I did run it on our server, it errored out, I commented out the section that sets the advertising (it’s already enabled, verified via PowerShell).
Richard M. Hicks / May 14, 2020
If you’re willing to provide more detailed information, reach out to me directly via email and I’ll see what I can do. I’d like to understand why the script is failing specifically, and hopefully provide you with some guidance for getting it to work.