DirectAccess Manage Out with ISATAP and NLB Clustering

DirectAccess Manage Out with ISATAP and NLB ClusteringDirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.

ISATAP Supportability

According to Microsoft’s support guidelines for DirectAccess, using ISATAP for manage out is only supported for single server deployments. ISATAP is not supported when deployed in a multisite or load-balanced environment.

Not supported” is not the same as “doesn’t work” though. For example, ISATAP can easily be deployed in single site DirectAccess deployments where load balancing is provided using Network Load Balancing (NLB).

ISATAP Configuration

To do this, you must first create DNS A resource records for the internal IPv4 address for each DirectAccess server as well as the internal virtual IP address (VIP) assigned to the cluster.

DirectAccess Manage Out with ISATAP and NLB Clustering

Note: Do NOT use the name ISATAP. This name is included in the DNS query block list on most DNS servers and will not resolve unless it is removed. Removing it is not recommended either, as it will result in ALL IPv6-enabled hosts on the network configuring an ISATAP tunnel adapter.

Once the DNS records have been added, you can configure a single computer for manage out by opening an elevated PowerShell command window and running the following command:

Set-NetIsatapConfiguration -State Enabled -Router [ISATAP FQDN] -PassThru

DirectAccess Manage Out with ISATAP and NLB Clustering

Once complete, an ISATAP tunnel adapter network interface with a unicast IPv6 address will appear in the output of ipconfig.exe, as shown here.

DirectAccess Manage Out with ISATAP and NLB Clustering

Running the Get-NetRoute -AddressFamily IPv6 PowerShell command will show routes to the client IPv6 prefixes assigned to each DirectAccess server.

DirectAccess Manage Out with ISATAP and NLB Clustering

Finally, verify network connectivity from the manage out host to the remote DirectAccess client.

Note: There is a known issue with some versions of Windows 10 and Windows Server 2016 that may prevent manage out using ISATAP from working correctly. There’s a simple workaround, however. More details can be found here.

Group Policy Deployment

If you have more than a few systems on which to enable ISATAP manage out, using Active Directory Group Policy Objects (GPOs) to distribute these settings is a much better idea. You can find guidance for creating GPOs for ISATAP manage out here.

DirectAccess Client Firewall Configuration

Simply enabling ISATAP on a server or workstation isn’t all that’s required to perform remote management on DirectAccess clients. The Windows firewall running on the DirectAccess client computer must also be configured to securely allow remote administration traffic from the internal network. Guidance for configuring the Windows firewall on DirectAccess clients for ISATAP manage out can be found here.

ISATAP Manage Out for Multisite and ELB

The configuration guidance in this post will not work if DirectAccess multisite is enabled or external load balancers (ELB) are used. However, ISATAP can still be used. For more information about enabling ISATAP manage out with external load balancers and/or multisite deployments, fill out the form below and I’ll provide you with more details.

Summary

Once ISATAP is enabled for manage out, administrators on the internal network can remotely manage DirectAccess clients wherever they happen to be. Native Windows remote administration tools such as Remote Desktop, Windows Remote Assistance, and the Computer Management MMC can be used to manage remote DirectAccess clients. In addition, enterprise administration tools such as PowerShell remoting and System Center Configuration Manger (SCCM) Remote Control can also be used. Further, third-party remote administration tools such as VNC, TeamViewer, LogMeIn, GoToMyPC, Bomgar, and many others will also work with DirectAccess ISATAP manage out.

Additional Information

ISATAP Recommendations for DirectAccess Deployments

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016 

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

Contact Me

Interested in learning more about ISATAP manage out for multisite and external load balancer deployments? Fill out the form below and I’ll get in touch with you.

Always On VPN Device Tunnel Configuration Guidance Now Available

Always On VPN Device Tunnel Configuration Guidance Now AvailableWhen Always On VPN is configured for Windows 10, the VPN connection is established automatically when the user logs on to their device. This differs fundamentally from DirectAccess, where the connection is established by the machine, before the user logs on. This subtle but important difference has some important ramifications. For example, it means that a user cannot use Always On VPN until they’ve logged on to their device at least once while connected to the corporate network. DirectAccess doesn’t have this limitation, as a connection to an on-premises domain controller is available to authenticate a new user upon first logon.

Device Tunnel Support

To address this shortcoming with Always On VPN, and to provide better feature parity with DirectAccess, Microsoft introduced an update to Windows 10 in the recent Fall Creators update (v1709) that allows for the configuration of a device tunnel for Windows 10 Always On VPN. Once enabled, the device itself can automatically establish a secure remote connection before the user logs on. This enables scenarios such as device provisioning for new remote users without cached credentials. It also enables support for password reset using CTRL+ALT+DEL.

Manage Out

Device tunnel for Windows 10 Always On VPN also enables important manage out scenarios that DirectAccess administrators have come to rely upon. With a device tunnel configured, administrators can initiate connections to remote connected Always On VPN clients to provide remote management and support, without requiring a user to be logged on at the time.

Requirements

To support an Always On VPN device tunnel, the client must be running Windows 10 Enterprise or Education v1709 or later. The computer must be domain-joined and have a machine certificate installed. Device tunnel can only be configured using the built-in Windows 10 VPN client (no support for third-party clients) and the IKEv2 protocol must be used.

Caveat

When configuring a device tunnel, traffic filters can be implemented to restrict communication to only those internal resources required, such as domain controllers, Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) servers. However, when traffic filters are used, no inbound traffic to the client is allowed. If manage out is required over the device tunnel, traffic filters cannot be configured. Microsoft expects to remove this limitation in a future update.

Provisioning and Documentation

Configuring and provisioning a Windows 10 Always On VPN device tunnel is similar to the process for the Always On VPN connection itself. A VPN profileXML file is created and then deployed via a Mobile Device Management (MDM) solution such as Microsoft Intune. Optionally, the VPN profileXML can be deployed using SCCM or PowerShell. Additional information about Windows 10 Always On VPN device tunnel configuration, including a sample profileXML and PowerShell script, can be found here.

Additional Resources

Configure a VPN Device Tunnel in Windows 10

Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

The seamless and transparent nature of DirectAccess makes it wonderfully easy to use. In most cases, it requires no user interaction at all to access internal corporate resources while away from the office. This enables users to be more productive. At the same time, it offers important connectivity benefits for IT administrators and systems management engineers as well.

Always Managed

DirectAccess Manage Out and System Center Configuration Manager (SCCM)DirectAccess clients are automatically connected to the corporate network any time they have a working Internet connection. Having consistent corporate network connectivity means they receive Active Directory group policy updates on a regular basis, just as on-premises systems do. Importantly, they check in with internal management systems such as System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) servers, enabling them to receive updates in a timely manner. Thus, DirectAccess clients are better managed, allowing administrators to more effectively maintain the configuration state and security posture for all their managed systems, including those that are predominantly field-based. This is especially crucial considering the prevalence WannaCry, Cryptolocker, and a variety of other types of ransomware.

DirectAccess Manage Out

DirectAccess Manage Out and System Center Configuration Manager (SCCM)When manage out is configured with DirectAccess, hosts on the internal network can initiate connections outbound to remote connected DirectAccess clients. SCCM Remote Control and Remote Desktop Connection (RDC) are commonly used to remotely connect to systems for troubleshooting and support. With DirectAccess manage out enabled, these and other popular administrative tools such as VNC, Windows Remote Assistance, and PowerShell remoting can also be used to manage remote DirectAccess clients in the field. In addition, enabling manage out allows for the proactive installation of agents and other software on remote clients, such as the SCCM and System Center Operation Manager (SCOM) agents, third-party management agents, antivirus and antimalware software, and more. A user does not have to be logged on to their machine for manage out to work.

IPv6

DirectAccess manage out requires that connections initiated by machines on the internal network to remote-connected DirectAccess clients must be made using IPv6. This is because DirectAccess clients use IPv6 exclusively to connect to the DirectAccess server. To enable connectivity over the public IPv4 Internet, clients use IPv6 transition technologies (6to4, Teredo, IP-HTTPS), and IPv6 translation components on the server (DNS64 and NAT64) enable clients to communicate with internal IPv4 resources. However, DNS64 and NAT64 only translate IPv6 to IPv4 inbound. They do not work in reverse.

Native or Transition?

It is recommended that IPv6 be deployed on the internal network to enable DirectAccess manage out. This is not a trivial task, and many organizations can’t justify the deployment for just this one specific use case. As an alternative, IPv6 can be configured with an IPv6 transition technology, specifically the Intrasite Automatic Tunnel Addressing Protocol (ISATAP). ISATAP functions as an IPv6 overlay network, allowing internal hosts to obtain IPv6 addresses and routing information from an ISATAP router to support manage out for DirectAccess clients.

ISATAP

When DirectAccess is installed, the server is automatically configured as an ISATAP router. Guidance for configuring ISATAP clients can be found here. Using ISATAP can be an effective approach to enabling DirectAccess manage out for SCCM when native IPv6 is not available, but it is not without its drawbacks.

• Using the DirectAccess server for ISATAP is only supported with single server DirectAccess deployments.
• Using the DirectAccess server for ISATAP does work when using Network Load Balancing (NLB) with some additional configuration, but it is not supported.
• Using the DirectAccess server for ISATAP does not work when an external load balancer is used, or if multisite is enabled.

ISATAP with Load Balancing and Multisite

It is technically possible to enable DirectAccess manage out for SCCM using ISATAP in load-balanced and multisite DirectAccess deployments, however. It involves deploying a separate ISATAP router and some custom configuration, but once in place it works perfectly. I offer this service to my customers as part of a consulting engagement. If you’re interested in restoring DirectAccess manage out functionality to support SCCM remote control, RDC, or VNC in load-balanced or multisite DirectAccess deployments, fill out the form below and I’ll provide you with more information.

Additional Resources

ISATAP Recommendations for DirectAccess Deployments
DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016
DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out
Video: Windows 10 DirectAccess in action (includes manage out demonstration)

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Planning and Implementing DirectAccess with Windows Server 2016I’m pleased to announce my newest video training course, Managing and Supporting DirectAccess with Windows Server 2016, is now available on Pluralsight! This new course is a follow-up to my previous course, Planning and Implementing DirectAccess with Windows Server 2016. This latest course builds upon the first one and covers advanced configuration such as enabling load balancing, configuring geographic redundancy, and enforcing strong user authentication using one-time passwords (OTP) and smart cards.

In addition, monitoring and reporting is covered, as well as implementing manage out for DirectAccess clients in supported scenarios. The course also includes a full hour of in-depth DirectAccess configuration and connectivity troubleshooting that will be valuable for all DirectAccess administrators.

The course includes the following training modules:

Configuring High Availability
Enabling Strong User Authentication
DirectAccess Monitoring and Reporting
Implementing Outbound Management for DirectAccess Clients
DirectAccess Troubleshooting

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my latest DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 book

DirectAccess and Windows 10 in Action

DirectAccess and Windows 10 in ActionRecently I recorded a short video to outline some of the benefits of using Windows 10 and DirectAccess. The video highlights common uses cases and includes a working demonstration of DirectAccess and Windows 10, both from the user’s and the administrator’s perspective.

The video shows how users transparently connect to the network and seamlessly access corporate resources over the DirectAccess connection. It also shows how administrators can leverage existing system management tools such as the Computer Management MMC, PowerShell remoting, and the Remote Desktop Protocol (RDP) to manage remote connected Windows 10 DirectAccess clients.

If you have any questions about implementing DirectAccess, integrating Windows 10 clients, or enabling outbound management, click here.

DirectAccess Manage Out from Windows 10 Does Not Work

Note: The issue described in this article has been resolved in Windows 10 version 1703 (Creators Update). Making these changes is no longer required after installing the Creators Update release of Windows 10.

For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.

DirectAccess Manage Out from Windows 10 Does Not Work

As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\” -Name DisableServerUnreachability -PropertyType dword -Value 1 –Force

Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Introduction

DirectAccess and Windows 10 - Better Together

The Microsoft Surface Pro 4 was made available for sale to the public on October 26, 2015. The latest in a line of powerful and flexible tablets from Microsoft, the Surface Pro 4 features a full version of the Windows 10 desktop client operating system and includes more available power, memory, and storage than previous editions. Significant improvements were also made to the keyboard and pen. The Surface Pro 4 is designed to be an all-in-one laptop replacement, enabling users to carry a single device for all of their needs.

Surface Pro 4 and the Enterprise

Microsoft is pushing the Surface Pro 4 heavily to large enterprise organizations by expanding the resale business channel and offering the device through companies like Dell and HP. In fact, Microsoft has made the Surface Pro 4 available through more than 5000 business resellers in 30 global markets. This new enterprise sales initiative strives to deliver world class service and support for enterprise customers adopting the new Surface Pro 4, and includes a new warranty offer and a business device trade-in program designed to promote the adoption of Surface and Windows 10 in the enterprise.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

In addition, Microsoft will have a training program for IT management and support professionals as well as new Windows users that will help streamline the deployment of the Surface Pro 4 and Windows 10. Organizations are rapidly adopting the Surface Pro 4 and Windows 10, as Microsoft has already signed on a number of high-profile companies in the retail, financial services, education, and public sector verticals. Today, Microsoft has deployed Windows 10 to over 110 million devices since it was released in late October 2015, making it the most rapidly adopted operating system in their history.

Enterprise Requirements

One of the primary motivating factors for enterprise organizations migrating to the Surface Pro 4 is cost reduction. The Surface Pro 4 functions as both a full PC and a tablet, eliminating the need for users to carry two devices. More importantly, it eliminates the need for IT to procure, manage, and support two different hardware and software platforms (for example a Windows-based laptop and an iPad). Additionally, IT organizations can leverage their existing Windows systems management infrastructure and expertise to deploy and maintain their Surface devices.

DirectAccess and the Surface Pro 4

For organizations seeking to maximize their investment in the Surface Pro 4 with Windows 10, implementing a secure remote access solution using Windows Server 2012 R2 DirectAccess is essential. DirectAccess provides seamless and transparent, always on secure remote corporate network connectivity for managed (domain-joined) Windows clients. DirectAccess enables streamlined access to on-premises application and data, improving end user productivity and reducing help desk costs. DirectAccess connectivity is bi-directional, making possible new and compelling management scenarios for field-based assets. DirectAccess clients can be managed the same way, regardless if they are inside or outside of the corporate network. DirectAccess ensures that clients are better managed, consistently maintained, and fully monitored.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Windows 10 and DirectAccess

The Surface Pro 4 with Windows 10 provides full support for all enterprise features of DirectAccess in Windows Server 2012 R2, including automatic site selection and transparent fail over for multisite deployments, as well as scalability and performance improvements. In addition, supportability for Windows 10 clients is much improved with DirectAccess GUI integration and full PowerShell support. Additional information about how DirectAccess and Windows 10 are better together, click here.

Additional Cost Savings

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

DirectAccess does not require any additional software to be installed on the client, and does not incur per user licensing to implement. Another benefit is that DirectAccess can easily be deployed on most popular hypervisors such as Hyper-V and VMware, eliminating the need for expensive proprietary hardware-based remote access solutions and taking full advantage of current investments in virtual infrastructure. Additionally, existing Windows systems management skill sets can be leveraged to support a DirectAccess implementation, eliminating the need for expensive dedicated administrators.

Note: Windows 10 Enterprise edition is required to support DirectAccess, and it is assumed that large organizations will be deploying Surface Pro 4 with Windows 10 Enterprise.

Summary

The Surface Pro 4 is the thinnest, lightest, and most powerful Surface tablet ever. It features Windows 10, and it can run the full version of Office and any other applications you need. The Surface Pro 4 is aimed squarely at large enterprises, governments, and schools. Not coincidentally, these verticals are also excellent uses cases for DirectAccess. DirectAccess is the perfect complement to the Surface Pro 4 and Windows 10 in the enterprise, as it helps organizations address the unique pain points of large scale enterprise adoption of Windows devices. DirectAccess allows the Surface Pro 4 to be much more effectively managed, while at the same time significantly improving the end user experience.

To realize the full potential of your Windows 10 and Surface Pro 4 deployment, consider a DirectAccess consulting engagement. By leveraging our experience you’ll have the peace of mind knowing that you have deployed DirectAccess in the most optimal, flexible, secure, and highly available manner possible. For more information about a DirectAccess consulting engagement, click here.

DirectAccess and Surface Pro for the Enterprise

DirectAccess, Windows 10, and Surface ProToday Microsoft announced a new partnership with Dell to deliver the Surface Pro and Windows 10 to enterprise customers around the world. This new initiative addressees the specific needs of large enterprises, whose increasingly mobile workforce places unique demands on IT to provide high levels of security and consistent platform management. This partnership will ensure that Dell’s enterprise customers have access to the Microsoft Surface Pro along with Dell’s enterprise-class service and support offerings.

Of course DirectAccess on Windows Server 2012 R2 complements this initiative quite nicely. Using DirectAccess with it’s always on functionality ensures that remote Windows devices like the Surface Pro are always managed and consistently updated, providing IT administrators greater control and visibility for their field-based assets than traditional VPN is capable of providing. In addition, DirectAccess connectivity is bi-directional, allowing administrators to “manage out” to their connected DirectAccess devices. This opens up compelling use cases such as initiating remote desktop sessions for the purposes of troubleshooting or conducting vulnerability scans to determine the client’s security posture.

In addition, Windows 10 now supports the full enterprise feature set of DirectAccess on Windows Server 2012 R2, including geographic redundancy and transparent site failover, along with significant performance improvements over Windows 7 for perimeter/DMZ deployments. DirectAccess with Windows 10 is also easier to manage and support.

For more information about the Microsoft/Dell partnership, watch Microsoft CEO Satya Nadella’s message here. For assistance with the planning, design, and implementation of a DirectAccess solution, click here.

DirectAccess Consulting Services Now Available

Microsoft Certified Solutions Associate (MCSA)For the last five years I’ve been helping organizations large and small deploy DirectAccess. During that time I have amassed a wealth of knowledge and experience with this unique technology. DirectAccess is not trivial to install, configure, or troubleshoot. Also, it’s easy to make mistakes in the planning and design phase that can turn in to serious issues later in the deployment. To make matters worse, many organizations are deploying DirectAccess for the first time, and without essential guidance they are prone to making common mistakes or choosing configuration options that are less than optimal both in terms of supportability and performance.

Having deployed DirectAccess for some of the largest companies in the world, there isn’t much I haven’t already encountered. If you are looking for the best chance of success for your DirectAccess deployment, consider a consulting engagement with me. I can provide assistance with all facets of DirectAccess implementation including planning and design, installation, configuration, and troubleshooting. Consulting services at reasonable rates are available for all types of DirectAccess work including:

  • New DirectAccess installations
  • Migration from previous versions of DirectAccess
  • Upgrade or expansion of existing DirectAccess deployment
  • Enterprise planning and design for large-scale, multisite DirectAccess deployments
  • DirectAccess high availability (local and geographic)
  • Manage-out for DirectAccess with external hardware load balancers and/or multisite configuration
  • Multisite DirectAccess with geographic redundancy for Windows 7 clients
  • Existing DirectAccess design review and security assessment
  • Windows Server 2012 R2 client-based VPN configuration
  • DirectAccess client connectivity troubleshooting
  • DirectAccess training

Additionally, consulting services are available for a variety of security solutions as well as on-premises and cloud networking technologies such as:

  • Azure networking and infrastructure
  • Cross-premises connectivity to Azure
  • Certificate services (PKI)
  • IP address management
  • ISA Server and Forefront Threat Management Gateway (TMG) migration

All services can be performed on-site or remotely. If you are interested in obtaining my services, fill out the form below and I’ll contact you.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

For DirectAccess manage out scenarios, it is necessary to configure the Windows firewall on the DirectAccess client to allow any required inbound communication from the corporate network. For example, if management hosts on the internal network need to initiate Remote Desktop sessions with remote connected DirectAccess clients, the Remote Desktop – User Mode (TCP-In) Windows firewall rule will need to be enabled for the Public and Private profiles.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

While enabling this rule will allow remote desktop connections to be made from the corporate network, its default configuration will also accept remote desktop connections from any network. From a security perspective this is not desirable.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

A better solution is to restrict access to connections originating only from the corporate network. To do this it will be necessary to identify the ISATAP prefix used internally. To determine the corporate ISATAP prefix, run the ipconfig command on a management workstation that is configured for ISATAP. The ISATAP prefix will be the first 96 bits of the IPv6 address assigned to the ISATAP tunnel adapter (essentially everything with the exception of the embedded IPv4 address).

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

On the DirectAccess client, right-click the firewall rule and choose Properties. Choose the Scope tab and then select These IP addresses . Click Add and then enter the ISATAP prefix as shown here.

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

Once the firewall rule is configured to restrict access to the ISATAP prefix, only corporate management workstations on the internal network will have access to remote DirectAccess clients.

%d bloggers like this: