DirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.
ISATAP Supportability
According to Microsoft’s support guidelines for DirectAccess, using ISATAP for manage out is only supported for single server deployments. ISATAP is not supported when deployed in a multisite or load-balanced environment.
“Not supported” is not the same as “doesn’t work” though. For example, ISATAP can easily be deployed in single site DirectAccess deployments where load balancing is provided using Network Load Balancing (NLB).
ISATAP Configuration
To do this, you must first create DNS A resource records for the internal IPv4 address for each DirectAccess server as well as the internal virtual IP address (VIP) assigned to the cluster.
Note: Do NOT use the name ISATAP. This name is included in the DNS query block list on most DNS servers and will not resolve unless it is removed. Removing it is not recommended either, as it will result in ALL IPv6-enabled hosts on the network configuring an ISATAP tunnel adapter.
Once the DNS records have been added, you can configure a single computer for manage out by opening an elevated PowerShell command window and running the following command:
Set-NetIsatapConfiguration -State Enabled -Router [ISATAP FQDN] -PassThru
Once complete, an ISATAP tunnel adapter network interface with a unicast IPv6 address will appear in the output of ipconfig.exe, as shown here.
Running the Get-NetRoute -AddressFamily IPv6 PowerShell command will show routes to the client IPv6 prefixes assigned to each DirectAccess server.
Finally, verify network connectivity from the manage out host to the remote DirectAccess client.
Note: There is a known issue with some versions of Windows 10 and Windows Server 2016 that may prevent manage out using ISATAP from working correctly. There’s a simple workaround, however. More details can be found here.
Group Policy Deployment
If you have more than a few systems on which to enable ISATAP manage out, using Active Directory Group Policy Objects (GPOs) to distribute these settings is a much better idea. You can find guidance for creating GPOs for ISATAP manage out here.
DirectAccess Client Firewall Configuration
Simply enabling ISATAP on a server or workstation isn’t all that’s required to perform remote management on DirectAccess clients. The Windows firewall running on the DirectAccess client computer must also be configured to securely allow remote administration traffic from the internal network. Guidance for configuring the Windows firewall on DirectAccess clients for ISATAP manage out can be found here.
ISATAP Manage Out for Multisite and ELB
The configuration guidance in this post will not work if DirectAccess multisite is enabled or external load balancers (ELB) are used. However, ISATAP can still be used. For more information about enabling ISATAP manage out with external load balancers and/or multisite deployments, fill out the form below and I’ll provide you with more details.
Summary
Once ISATAP is enabled for manage out, administrators on the internal network can remotely manage DirectAccess clients wherever they happen to be. Native Windows remote administration tools such as Remote Desktop, Windows Remote Assistance, and the Computer Management MMC can be used to manage remote DirectAccess clients. In addition, enterprise administration tools such as PowerShell remoting and System Center Configuration Manger (SCCM) Remote Control can also be used. Further, third-party remote administration tools such as VNC, TeamViewer, LogMeIn, GoToMyPC, Bomgar, and many others will also work with DirectAccess ISATAP manage out.
Additional Information
ISATAP Recommendations for DirectAccess Deployments
DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016
DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out
DirectAccess Manage Out and System Center Configuration Manager (SCCM)
Contact Me
Interested in learning more about ISATAP manage out for multisite and external load balancer deployments? Fill out the form below and I’ll get in touch with you.
Justin
/ July 31, 2022First, I doubt it gets said enough. The only reason I have DA working at all is because of your articles, so a huge thanks to you Mr. Hicks!
Ran into some very strange issues. Been running DA for years now with zero issues. Then all of a sudden I had problems managing out. Two very specific issues popped up.
1) Every time I reboot the DA server I lose my IPv6 routing. Sometimes the index changes (not sure if that’s normal?). So I start with getting the index again. Then when I check the settings I see advertise, forwarding and advertisedefaultroute are disabled. Re-enable them and setup the route again then my management machines can manage out again (ping, browse file system, WSUS can update…) with one exception:
2) None of my management machines can RDP into a DA Client. Sort of. It connects, accepts the password and I can see the connection (Username -> Machine Name) in Remote Client Status but all I get is a black screen. I can RDP fine into the DA clients from the DA Server.
Reboot the DA Server and all the IPv6 routing table settings go to pot again. Not the end of the world, but very annoying. The RDP issue is more annoying.
Richard M. Hicks
/ August 1, 2022Thanks for the kind words, Justin! Much appreciated. 🙂
The issue with the ISATAP interface losing its configuration is a known issue. Needless to say, Microsoft isn’t going to fix it as ISATAP is deprecated. However, I created a script you can run at system startup that will restore the ISATAP interface configuration. I have many customers using it.
https://github.com/richardhicks/directaccess/blob/master/Reset-DaIsatapConfiguration.ps1
Not sure what’s up with the RDP issue, though. Let me know if running the script on your DirectAccess server at startup helps!
Justin
/ August 1, 2022Very nice, thank you! I’ll get that implemented right away.