DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

For DirectAccess manage out scenarios, it is necessary to configure the Windows firewall on the DirectAccess client to allow any required inbound communication from the corporate network. For example, if management hosts on the internal network need to initiate Remote Desktop sessions with remote connected DirectAccess clients, the Remote Desktop – User Mode (TCP-In) Windows firewall rule will need to be enabled for the Public and Private profiles.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

While enabling this rule will allow remote desktop connections to be made from the corporate network, its default configuration will also accept remote desktop connections from any network. From a security perspective this is not desirable.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

A better solution is to restrict access to connections originating only from the corporate network. To do this it will be necessary to identify the ISATAP prefix used internally. To determine the corporate ISATAP prefix, run the ipconfig command on a management workstation that is configured for ISATAP. The ISATAP prefix will be the first 96 bits of the IPv6 address assigned to the ISATAP tunnel adapter (essentially everything with the exception of the embedded IPv4 address).

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

On the DirectAccess client, right-click the firewall rule and choose Properties. Choose the Scope tab and then select These IP addresses . Click Add and then enter the ISATAP prefix as shown here.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

Once the firewall rule is configured to restrict access to the ISATAP prefix, only corporate management workstations on the internal network will have access to remote DirectAccess clients.

Leave a comment

21 Comments

  1. Erlend

     /  March 19, 2016

    Is it possible to have traffic flowing between directaccess clients as well?

    Reply
  2. Roman

     /  April 30, 2020

    My isatap prefix is fe80::5efe:
    How I can change it?

    Reply
  3. Kyle

     /  May 5, 2020

    Thanks for your guides! I’ve been able to get DA working except for Manage Out. My ISATAP connection does not get the ipv6 address, only the local(which we know doesn’t help). I get the other 2 needed connections(IP-HTTPS/Teredo). I can RDP/Ping any DA client from the DA server but that is it, I cannot do the same for any other internal client. Which makes SCCM pretty much useless for RDP/RemoteAssist. SCCM software center does work, where we can install software.

    Reply
    • That’s a common issue. Download and run the following script on your DirectAccess server and let me know if that helps. 🙂

      https://github.com/richardhicks/directaccess/blob/master/Reset-DaIsatapConfiguration.ps1

      Reply
      • Kyle

         /  May 6, 2020

        Thanks for the reply! I did run it..

        Set-NetIPInterface : Cannot validate argument on parameter ‘InterfaceIndex’. The argument is null. Provide a valid
        value for the argument, and then try running the command again.

      • Not sure what’s up there. I’ve tested on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Not had any issues thus far.

      • Timo

         /  May 8, 2020

        Hi Richard,

        we currently have the same issue as Kyle described earlier. Unfortunately using your PS script didn’t help. We also can RDP/ping every DA Client from the DA server but from no other internal client using ISATAP. All have been newly setup based on Windows Server 2019 and Windows 10 1909 following your Direct Access book. We recognized the internal machines won’t get a DNS sufiix or default gateway configured on their ISATAP adapter. Also there is no IPV6 route to the DA clients present. Do you have any suggestions on this?

        Thanks in advance
        Timo

      • Does the DirectAccess server now have a global unicast IPv6 address on the ISATAP interface after running the script? Also, does your client have a global unicast IPv6 address on its ISATAP interface as well?

  4. Kyle

     /  May 14, 2020

    Mine does have global unicast ipv6 address on ISTaP(server), client does not. Only local link

    Reply
    • It will need that for sure. Make sure the DirectAccess server is configured to advertise on the ISATAP interface. My script should do that for you. If you run my script and then restart your client, does it not work then?

      Reply
    • BTW, you would run my script on the server, not the client…just for clarification. 🙂

      Reply
      • Kyle

         /  May 14, 2020

        I did run it on our server, it errored out, I commented out the section that sets the advertising(its already enabled, verified via powershell).

      • If you’re willing to provide more detailed information, reach out to me directly via email and I’ll see what I can do. I’d like to understand why the script is failing specifically, and hopefully provide you with some guidance for getting it to work.

  1. DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016 | Richard Hicks' DirectAccess Blog
  2. DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016 | Richard M. Hicks Consulting, Inc.
  3. DirectAccess Manage Out and System Center Configuration Manager (SCCM) | Richard M. Hicks Consulting, Inc.
  4. ISATAP Recommendations for DirectAccess Deployments | Richard M. Hicks Consulting, Inc.
  5. DirectAccess Manage Out with ISATAP and NLB Clustering | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: