DirectAccess and Windows 10 in Action

DirectAccess and Windows 10 in ActionRecently I recorded a short video to outline some of the benefits of using Windows 10 and DirectAccess. The video highlights common uses cases and includes a working demonstration of DirectAccess and Windows 10, both from the user’s and the administrator’s perspective.

The video shows how users transparently connect to the network and seamlessly access corporate resources over the DirectAccess connection. It also shows how administrators can leverage existing system management tools such as the Computer Management MMC, PowerShell remoting, and the Remote Desktop Protocol (RDP) to manage remote connected Windows 10 DirectAccess clients.

If you have any questions about implementing DirectAccess, integrating Windows 10 clients, or enabling outbound management, click here.

DirectAccess Manage Out from Windows 10 Does Not Work

For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.

DirectAccess Manage Out from Windows 10 Does Not Work

As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableServerUnreachability -PropertyType dword -Value 1 –Force

Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Introduction

DirectAccess and Windows 10 - Better Together

The Microsoft Surface Pro 4 was made available for sale to the public on October 26, 2015. The latest in a line of powerful and flexible tablets from Microsoft, the Surface Pro 4 features a full version of the Windows 10 desktop client operating system and includes more available power, memory, and storage than previous editions. Significant improvements were also made to the keyboard and pen. The Surface Pro 4 is designed to be an all-in-one laptop replacement, enabling users to carry a single device for all of their needs.

Surface Pro 4 and the Enterprise

Microsoft is pushing the Surface Pro 4 heavily to large enterprise organizations by expanding the resale business channel and offering the device through companies like Dell and HP. In fact, Microsoft has made the Surface Pro 4 available through more than 5000 business resellers in 30 global markets. This new enterprise sales initiative strives to deliver world class service and support for enterprise customers adopting the new Surface Pro 4, and includes a new warranty offer and a business device trade-in program designed to promote the adoption of Surface and Windows 10 in the enterprise.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

In addition, Microsoft will have a training program for IT management and support professionals as well as new Windows users that will help streamline the deployment of the Surface Pro 4 and Windows 10. Organizations are rapidly adopting the Surface Pro 4 and Windows 10, as Microsoft has already signed on a number of high-profile companies in the retail, financial services, education, and public sector verticals. Today, Microsoft has deployed Windows 10 to over 110 million devices since it was released in late October 2015, making it the most rapidly adopted operating system in their history.

Enterprise Requirements

One of the primary motivating factors for enterprise organizations migrating to the Surface Pro 4 is cost reduction. The Surface Pro 4 functions as both a full PC and a tablet, eliminating the need for users to carry two devices. More importantly, it eliminates the need for IT to procure, manage, and support two different hardware and software platforms (for example a Windows-based laptop and an iPad). Additionally, IT organizations can leverage their existing Windows systems management infrastructure and expertise to deploy and maintain their Surface devices.

DirectAccess and the Surface Pro 4

For organizations seeking to maximize their investment in the Surface Pro 4 with Windows 10, implementing a secure remote access solution using Windows Server 2012 R2 DirectAccess is essential. DirectAccess provides seamless and transparent, always on secure remote corporate network connectivity for managed (domain-joined) Windows clients. DirectAccess enables streamlined access to on-premises application and data, improving end user productivity and reducing help desk costs. DirectAccess connectivity is bi-directional, making possible new and compelling management scenarios for field-based assets. DirectAccess clients can be managed the same way, regardless if they are inside or outside of the corporate network. DirectAccess ensures that clients are better managed, consistently maintained, and fully monitored.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Windows 10 and DirectAccess

The Surface Pro 4 with Windows 10 provides full support for all enterprise features of DirectAccess in Windows Server 2012 R2, including automatic site selection and transparent fail over for multisite deployments, as well as scalability and performance improvements. In addition, supportability for Windows 10 clients is much improved with DirectAccess GUI integration and full PowerShell support. Additional information about how DirectAccess and Windows 10 are better together, click here.

Additional Cost Savings

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

DirectAccess does not require any additional software to be installed on the client, and does not incur per user licensing to implement. Another benefit is that DirectAccess can easily be deployed on most popular hypervisors such as Hyper-V and VMware, eliminating the need for expensive proprietary hardware-based remote access solutions and taking full advantage of current investments in virtual infrastructure. Additionally, existing Windows systems management skill sets can be leveraged to support a DirectAccess implementation, eliminating the need for expensive dedicated administrators.

Note: Windows 10 Enterprise edition is required to support DirectAccess, and it is assumed that large organizations will be deploying Surface Pro 4 with Windows 10 Enterprise.

Summary

The Surface Pro 4 is the thinnest, lightest, and most powerful Surface tablet ever. It features Windows 10, and it can run the full version of Office and any other applications you need. The Surface Pro 4 is aimed squarely at large enterprises, governments, and schools. Not coincidentally, these verticals are also excellent uses cases for DirectAccess. DirectAccess is the perfect complement to the Surface Pro 4 and Windows 10 in the enterprise, as it helps organizations address the unique pain points of large scale enterprise adoption of Windows devices. DirectAccess allows the Surface Pro 4 to be much more effectively managed, while at the same time significantly improving the end user experience.

To realize the full potential of your Windows 10 and Surface Pro 4 deployment, consider a DirectAccess consulting engagement. By leveraging our experience you’ll have the peace of mind knowing that you have deployed DirectAccess in the most optimal, flexible, secure, and highly available manner possible. For more information about a DirectAccess consulting engagement, click here.

DirectAccess and Surface Pro for the Enterprise

DirectAccess, Windows 10, and Surface ProToday Microsoft announced a new partnership with Dell to deliver the Surface Pro and Windows 10 to enterprise customers around the world. This new initiative addressees the specific needs of large enterprises, whose increasingly mobile workforce places unique demands on IT to provide high levels of security and consistent platform management. This partnership will ensure that Dell’s enterprise customers have access to the Microsoft Surface Pro along with Dell’s enterprise-class service and support offerings.

Of course DirectAccess on Windows Server 2012 R2 complements this initiative quite nicely. Using DirectAccess with it’s always on functionality ensures that remote Windows devices like the Surface Pro are always managed and consistently updated, providing IT administrators greater control and visibility for their field-based assets than traditional VPN is capable of providing. In addition, DirectAccess connectivity is bi-directional, allowing administrators to “manage out” to their connected DirectAccess devices. This opens up compelling use cases such as initiating remote desktop sessions for the purposes of troubleshooting or conducting vulnerability scans to determine the client’s security posture.

In addition, Windows 10 now supports the full enterprise feature set of DirectAccess on Windows Server 2012 R2, including geographic redundancy and transparent site failover, along with significant performance improvements over Windows 7 for perimeter/DMZ deployments. DirectAccess with Windows 10 is also easier to manage and support.

For more information about the Microsoft/Dell partnership, watch Microsoft CEO Satya Nadella’s message here. For assistance with the planning, design, and implementation of a DirectAccess solution, click here.

DirectAccess Consulting Services Now Available

Microsoft Certified Solutions Associate (MCSA)For the last five years I’ve been helping organizations large and small deploy DirectAccess. During that time I have amassed a wealth of knowledge and experience with this unique technology. DirectAccess is not trivial to install, configure, or troubleshoot. Also, it’s easy to make mistakes in the planning and design phase that can turn in to serious issues later in the deployment. To make matters worse, many organizations are deploying DirectAccess for the first time, and without essential guidance they are prone to making common mistakes or choosing configuration options that are less than optimal both in terms of supportability and performance.

Having deployed DirectAccess for some of the largest companies in the world, there isn’t much I haven’t already encountered. If you are looking for the best chance of success for your DirectAccess deployment, consider a consulting engagement with me. I can provide assistance with all facets of DirectAccess implementation including planning and design, installation, configuration, and troubleshooting. Consulting services at reasonable rates are available for all types of DirectAccess work including:

  • New DirectAccess installations
  • Migration from previous versions of DirectAccess
  • Upgrade or expansion of existing DirectAccess deployment
  • Enterprise planning and design for large-scale, multisite DirectAccess deployments
  • DirectAccess high availability (local and geographic)
  • Manage-out for DirectAccess with external hardware load balancers and/or multisite configuration
  • Multisite DirectAccess with geographic redundancy for Windows 7 clients
  • Existing DirectAccess design review and security assessment
  • Windows Server 2012 R2 client-based VPN configuration
  • DirectAccess client connectivity troubleshooting
  • DirectAccess training

Additionally, consulting services are available for a variety of security solutions as well as on-premises and cloud networking technologies such as:

  • Azure networking and infrastructure
  • Cross-premises connectivity to Azure
  • Certificate services (PKI)
  • IP address management
  • ISA Server and Forefront Threat Management Gateway (TMG) migration

All services can be performed on-site or remotely. If you are interested in obtaining my services, drop me a note at rich@richardhicks.com for more details.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

For DirectAccess manage out scenarios, it is necessary to configure the Windows firewall on the DirectAccess client to allow any required inbound communication from the corporate network. For example, if management hosts on the internal network need to initiate Remote Desktop sessions with remote connected DirectAccess clients, the Remote Desktop – User Mode (TCP-In) Windows firewall rule will need to be enabled for the Public and Private profiles.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

While enabling this rule will allow remote desktop connections to be made from the corporate network, its default configuration will also accept remote desktop connections from any network. From a security perspective this is not desirable.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

A better solution is to restrict access to connections originating only from the corporate network. To do this it will be necessary to identify the ISATAP prefix used internally. To determine the corporate ISATAP prefix, run the ipconfig command on a management workstation that is configured for ISATAP. The ISATAP prefix will be the first 96 bits of the IPv6 address assigned to the ISATAP tunnel adapter (essentially everything with the exception of the embedded IPv4 address).

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

On the DirectAccess client, right-click the firewall rule and choose Properties. Choose the Scope tab and then select These IP addresses . Click Add and then enter the ISATAP prefix as shown here.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

Once the firewall rule is configured to restrict access to the ISATAP prefix, only corporate management workstations on the internal network will have access to remote DirectAccess clients.

Active Directory IP Subnets for DirectAccess Clients

Introduction

When deploying Windows Server 2012 R2 DirectAccess I’m often asked which Active Directory (AD) site a client is associated with when it establishes DirectAccess connectivity. The answer depends on the client’s operating system. Windows 8.x and later clients automatically associate themselves with the site to which the DirectAccess server they are connected to belongs. Windows 7 clients lack this capability, and depending on current AD configuration, Windows 7 clients may associate with an incorrect site. This can lead to potential problems such as slow logon times and mapped drive failures. To address this issue it is important to configure IP subnets in AD for DirectAccess clients to eliminate any potential problems. In this article I’ll demonstrate how to create IP subnets in AD and how to identify IPv6 subnets used by DirectAccess clients.

Active Directory IP Subnets

Configuring IP subnets in AD is relatively straightforward. In the Active Directory Sites and Services management console, right-click Subnets and choose New Subnet. Enter the IP subnet prefix and select the AD site where the DirectAccess server for this subnet resides.

Active Directory IP Subnets for DirectAccess Clients

IPv6 Subnets for DirectAccess Clients

To configure AD IP subnets for DirectAccess clients, it will be necessary to identify all potential IP subnets that may be in use. IP subnets used by DirectAccess clients depend on the IPv6 transition protocols supported by the DirectAccess configuration. DirectAccess supports 6to4, Teredo, and IP-HTTPS for client to server communication, and the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) for manage-out connectivity. Any or all of these protocols may be used for a particular DirectAccess configuration.

  • 6to4 – Supported if the DirectAccess server is edge-facing with a public IPv4 address assigned to its external network interface.
  • Teredo – Supported if the DirectAccess server is edge-facing with two consecutive public IPv4 addresses assigned to its external network interface.
  • IP-HTTPS – Supported in all deployment scenarios, and is used exclusively if the DirectAccess server is located behind a NAT device in a perimeter or DMZ network.
  • ISATAP – Optionally used when manage out is enabled and configured.

IP subnets should be configured in AD for all IPv6 transition protocols supported for the DirectAccess deployment.

Identify the 6to4 IPv6 Subnet

Note: Information for the 6to4 protocol is provided here for completeness. However, it is generally recommended that 6to4 be disabled for DirectAccess deployments, making this configuration unnecessary. More information about disabling 6to4 can be found here.

The 6to4 IPv6 transition protocol is only supported when the DirectAccess server is edge-facing with a public IPv4 address assigned to its external network interface. 6to4 IPv6 addresses are assigned using the 2002::/16 prefix. For single site DirectAccess deployments, an administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides. If public IPv4 addressing is used internally and the 6to4 transition protocol has not been disabled, it is essential that more specific IP subnets for internal 6to4 clients also be configured.

6to4 and DirectAccess Multisite Challenges

The 6to4 IPv6 transition protocol presents a challenge for multisite DirectAccess deployments. When a client creates a 6to4 IPv6 address, it appends the 2002::/16 prefix with its public IPv4 address represented in hexadecimal using the form WWXX:YYZZ::WWXX:YYZZ. For example, if the DirectAccess client’s public IPv4 address is 198.51.100.83, its 6to4 address would be 2002:c633:6453::c633:6453. Since this IPv6 address is created using only the client’s IPv4 address, there is no way to associate the client to a specific entry point. This is one of the reasons why 6to4 is not recommended for use in DirectAccess deployments. If you must support the 6to4 IPv6 transition protocol in a multisite configuration, assign the 2002::/16 IP subnet to the most centrally located AD site.

Identify the Teredo IPv6 Subnet

The Teredo IPv6 transition protocol is only supported when the DirectAccess server is edge facing with two consecutive public IPv4 addresses assigned to its external network interface. Teredo IPv6 addresses begin with 2001: followed by the primary public IPv4 address (represented in hexadecimal) of the DirectAccess server. For example, if the DirectAccess server’s primary public IPv4 address is 203.0.113.240, the DirectAccess client will be assigned a Teredo IPv6 address using the 2001:cb00:71f0::/48 prefix. An administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides. For multisite deployments, repeat these steps for each DirectAccess entry point.

Identify the IP-HTTPS IPv6 Subnet

The IP-HTTPS IPv6 transition protocol is supported in all DirectAccess configurations and its IPv6 subnet should always be assigned to an AD site. The IP-HTTPS IPv6 prefix assignment differs between single site and multisite deployments.

Single Site Deployment

For single site deployments, a /64 IPv6 prefix is assigned for DirectAccess clients. To identify this subnet, run the Get-RemoteAccess PowerShell command on the DirectAccess server and locate the value of ClientIPv6Prefix

Active Directory IP Subnets for DirectAccess Clients

Multisite Deployment

For multisite deployments, a unique /64  IPv6 subnet is assigned to single node entry points. If load balancing is enabled, a /59 IPv6 subnet is assigned to the entry point, and each server within the entry point is assigned a /64 prefix for DirectAccess clients. To identify the IPv6 prefixes for each entry point, highlight DirectAccess and VPN below the Configuration node in the Remote Access Management console, and then select the DirectAccess entry point.

Active Directory IP Subnets for DirectAccess Clients

For edge facing deployments with a public IPv4 address assigned to the external network interface, the IPv6 prefix assigned to DirectAccess clients is from the 2002::/16 globally unique address (GUA) range. If the DirectAccess server is configured using a private IPv4 address with a single network interface or with two network interfaces behind a NAT, the IPv6 prefix assigned to DirectAccess clients will be from the fd00::/8 unique local address (ULA) range. An administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides.

Note: Uninstalling and reinstalling DirectAccess will result in a new IP-HTTPS network ID being created. If these changes are made, be sure to update AD IP subnets accordingly.

Identify the ISATAP IPv6 Subnet

Although this article focuses primarily on the IPv6 subnets used by remote DirectAccess clients, it is also important not to overlook AD IP subnet configuration for internal clients if ISATAP is configured for manage out. IP subnets used by ISATAP clients vary depending on the network configuration of the DirectAccess server.

Edge Deployment

For edge deployments, ISATAP addresses are assigned from the 2002::/16 GUA range. This is appended with the public IPv4 address of the DirectAccess server in hexadecimal using the form WWXX:YYZZ:1:0:5efe and the IPv4 address of the ISTAP client in familiar dotted-decimal notation. For example, if the DirectAccess server’s primary public IPv4 address is 203.0.113.240 and the client’s IP address is 172.16.1.77, the DirectAccess client will be assigned the ISATAP address 2002:cb00:71f0:1:0:5efe:172.16.1.77. The subnet to be created by the administrator in AD will then be 2002:cb00:71f0:1:0:5efe::/96 plus the IPv4 network prefix. For example, if the client’s IP address uses a /24 prefix, the AD IP subnet would be configured using 2002:cb00:71f0:1:0:5efe:172.16.1.0/120. This IP subnet should be assigned to the same site where the corresponding IPv4 subnet is assigned.

Perimeter/DMZ Deployment

For perimeter/DMZ deployments, ISATAP addresses are assigned randomly from the fd00::/8 ULA range and begin with fdXX:XXXX:XXXX:1:0:5efe followed by the IPv4 address of the ISTAP client in dotted-decimal notation. For example, if the DirectAccess client’s IP address is 172.16.1.77, its ISATAP address might look like fdca:3ce5:b0a:1:0:5efe:172.16.1.77. The subnet to be created by the administrator in AD will then be fdca:3ce5:b0a:1:0:5efe::/96 plus the IPv4 network prefix. If the clients’ IP address uses a /24 prefix, the AD IP subnet would be configured using fdca:3ce5:b0a:1:0:5efe:172.16.1.0/120. This IP subnet should be assigned to the same site where the corresponding IPv4 subnet is assigned.

Summary

The configuration of Active Directory IP subnets for DirectAccess clients is an often overlooked aspect of DirectAccess deployments. Proper IP subnet mapping to AD sites is critical, especially for large enterprise deployments with complex networks spanning multiple physical locations. It ensures that Windows 7 DirectAccess clients communicate with the closest AD domain controller when they establish a DirectAccess connection, which can eliminate potential issues. In addition, it is recommended to disable 6to4 for DirectAccess clients to avoid the pitfalls that come with the use of this IPv6 transition protocol. Also, don’t forget to configure IP subnets for any internal clients that use ISATAP for manage out.

Remote Assistance to Windows 7 SP1 DirectAccess Client Fails

Microsoft recently made available a hotfix to address an issue where Remote Assistance connections to remote DirectAccess clients fails. The issue occurs specifically when Windows 7 clients connect to a Windows Server 2012 DirectAccess server using the IP-HTTPS IPv6 transition protocol. In this scenario, DirectAccess clients are assigned a Unique Local IPv6 Address (ULA) using the prefix FD00::/8 for which Remote Assistance service would not listen on. If you are planning to support Windows 7 clients on your Windows Server 2012/R2 DirectAccess server and you need Remote Assistance functionality, you’ll definitely want to ensure that this hotfix is applied to all of your Windows 7 DirectAccess clients.

For more information and to download the hotfix, please refer to Microsoft Knowledge Base article KB2912883.

ISATAP Recommendations for DirectAccess Deployments

From a client perspective, DirectAccess is an IPv6 only solution. The client communicates with the DirectAccess server and intranet resources using IPv6 exclusively. To enable communication between DirectAccess clients and IPv4 only resources on the Intranet, Windows Server 2012 DirectAccess (as well as Forefront UAG/DirectAccess) includes two important protocol translatorsDNS64 and NAT64. Unfortunately DNS64 and NAT64 provide only inbound protocol translation, so another measure is required for communication initiated outbound to connected DirectAccess clients. To support outbound communication originating from the Intranet to connect DirectAccess clients, the DirectAccess server is configured as an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router. ISATAP is an IPv6 transition protocol that allows hosts on the intranet to initiate outbound communication to DirectAccess clients on the Internet by tunneling IPv6 communication over the internal IPv4 network. ISTAP is enabled by populating internal DNS with a host record called ISATAP that resolves to the IPv4 address assigned to the Internal network adapter on the ISATAP router, in this case the DirectAccess server (don’t forget to remove ISATAP from the DNS global query block list!). When a client resolves ISATAP to an IP address successfully, it enables an ISATAP tunnel adapter and assigns itself an ISATAP IPv6 address. Once enabled, any host with an ISATAP tunnel adapter configured can initiate outbound communication to DirectAccess clients on the Internet.

When configured and enabled, ISATAP opens up new and interesting network communication scenarios. For example, a helpdesk engineer can proactively initiate a remote desktop session to a remote client connected via DirectAccess to troubleshoot an application. Systems management engineers can push software out to DirectAccess clients without requiring an agent on the remote client to “phone home” to receive software updates. This model is often referred to as “manage out”.

In the early days of DirectAccess with Windows Server 2008 R2 and Forefront UAG, configuring and enabling ISTAP as described above was standard operating procedure. However, we soon learned that there are some serious drawbacks to deploying ISATAP. While the DirectAccess manage out scenario is an important and frequently requested feature of a DirectAccess implementation, it often causes more trouble than it solves. In its default configuration, ISATAP is a global change that affects all hosts that can resolve the hostname ISATAP to an IP address. The challenge here is that this change can break or impair normal network communication for some hosts on the Intranet. For example, if an Intranet host is able to resolve a public hostname to an IPv6 address, it may attempt to connect to the site via ISATAP. Unfortunately, in this scenario ISATAP does not lead to the public Internet. Rather, ISATAP is used to provide network connectivity exclusively for our DirectAccess clients. Since IPv6 is preferred in most modern operating system’s networking stacks, it can lead to failed or seriously delayed communication to Internet resources. In addition, once ISATAP is enabled globally there will be a lot of IPv6 communication taking place on the network, which in large enterprise networks can be a source of confusion for those individuals with the responsibility for monitoring the network.

ISATAP also suffers from a lack of robust monitoring tools for this very essential service. Additionally, ISTAP turns the OSI model upside down. ISATAP relies on upper-layer protocols (DNS) to provide its service. If there are issues with DNS that prevent proper name resolution, ISTAP routing will cease to function, which is fundamentally backward.

As I mentioned earlier, by default, ISATAP is a global setting. However, in most environments there will only be a few systems that will require the ability to initiate outbound communication from the Intranet to DirectAccess clients. Typically these will be helpdesk administrators’ workstations or management systems. Today we are recommending that you deploy IPv6 on any internal systems that will participate in any DirectAccess manage out scenarios. Unfortunately this will not be possible in many cases, as additional network changes are often required to support IPv6 on the Intranet. In these cases we recommend that instead of configuring ISATAP in DNS globally, you target individual systems for ISATAP configuration as required. This can be accomplished in a number of ways.

Group Policy – This is best way to deploy ISATAP settings to systems that require DirectAccess manage out functionality. It is the easiest to manage and the most scalable as well. It involves creating a unique ISATAP hostname and assigning it to individual systems via group policy. Thankfully my buddy Jason Jones has already documented that process here, saving me the time and effort of doing it myself. Why reinvent the wheel, right? : )

PowerShell – Using PowerShell is an alternative method of configuring an individual system to use ISATAP. Although not as scalable as the group policy method, it is still very effective. On the system that requires network connectivity to DirectAccess clients, from an elevated PowerShell prompt execute the following command:

Set-NetISATAPConfiguration -Router <NameOrIPAddress>

Netsh – Another command line method for configuring the ISATAP is to use netsh.exe. From an elevated command prompt execute the following command:

netsh interface isatap set router <NameOrIPAddress>

HOSTS file – This is the least desirable way to configure ISATAP, but I’ll mention it here because it is quick and simple and does work. On any system that requires ISATAP for DirectAccess manage out, simply edit the HOSTS file in C:\Windows\System32\Drivers\Etc and add a host record for ISTAP that resolves to the IPv4 address assigned to the internal network interface of the DirectAccess server. Obviously this is the least scalable alternative and should only be used in test environments or very small production networks.

As you can see there are numerous drawbacks to configuring ISATAP on a global scale. Fortunately there are simple and effective workarounds that allow you to target specific systems for ISTAP configuration. Choose the one that works best for you and have fun managing your DirectAccess clients!

Manage Out Fails for Non-ICMP Traffic with UAG DirectAccess

You may encounter a scenario in which the ability to manage out fails for DirectAccess clients using Forefront UAG 2010. You may also receive the following error:

4984 “An IPsec extended mode negotiation failed”

This can happen when custom security policies are applied to the DirectAccess client, specifically altering the settings for “Access this computer from the network“.

For more information regarding this error and how to resolve it, please refer to Microsoft Knowledge Base article 2663354.

%d bloggers like this: