DirectAccess Manage Out and System Center Configuration Manager (SCCM)

The seamless and transparent nature of DirectAccess makes it wonderfully easy to use. In most cases, it requires no user interaction at all to access internal corporate resources while away from the office. This enables users to be more productive. At the same time, it offers important connectivity benefits for IT administrators and systems management engineers as well.

Always Managed

DirectAccess clients are automatically connected to the corporate network any time they have a working Internet connection. Having consistent corporate network connectivity means they receive Active Directory group policy updates on a regular basis, just as on-premises systems do. Importantly, they check in with internal management systems such as System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) servers, enabling them to receive updates in a timely manner. Thus, DirectAccess clients are better managed, allowing administrators to more effectively maintain the configuration state and security posture for all their managed systems, including those that are predominantly field-based. This is especially crucial considering the prevalence of WannaCry, Cryptolocker, and a variety of other types of ransomware.

DirectAccess Manage Out

When manage out is configured with DirectAccess, hosts on the internal network can initiate connections outbound to remote connected DirectAccess clients. SCCM Remote Control and Remote Desktop Connection (RDC) are commonly used to remotely connect to systems for troubleshooting and support. With DirectAccess manage out enabled, these and other popular administrative tools such as VNC, Windows Remote Assistance, and PowerShell remoting can also be used to manage remote DirectAccess clients in the field. In addition, enabling manage out allows for the proactive installation of agents and other software on remote clients, such as the SCCM and System Center Operation Manager (SCOM) agents, third-party management agents, antivirus and antimalware software, and more. A user does not have to be logged on to their machine for manage out to work.

IPv6

DirectAccess manage out requires that connections initiated by machines on the internal network to remote-connected DirectAccess clients must be made using IPv6. This is because DirectAccess clients use IPv6 exclusively to connect to the DirectAccess server. To enable connectivity over the public IPv4 Internet, clients use IPv6 transition technologies (6to4, Teredo, IP-HTTPS), and IPv6 translation components on the server (DNS64 and NAT64) enable clients to communicate with internal IPv4 resources. However, DNS64 and NAT64 only translate IPv6 to IPv4 inbound. They do not work in reverse.

Native or Transition?

It is recommended that IPv6 be deployed on the internal network to enable DirectAccess manage out. This is not a trivial task, and many organizations can’t justify the deployment for just this one specific use case. As an alternative, IPv6 can be configured with an IPv6 transition technology, specifically the Intrasite Automatic Tunnel Addressing Protocol (ISATAP). ISATAP functions as an IPv6 overlay network, allowing internal hosts to obtain IPv6 addresses and routing information from an ISATAP router to support manage out for DirectAccess clients.

ISATAP

When DirectAccess is installed, the server is automatically configured as an ISATAP router. Guidance for configuring ISATAP clients can be found here. Using ISATAP can be an effective approach to enabling DirectAccess manage out for SCCM when native IPv6 is not available, but it is not without its drawbacks.

• Using the DirectAccess server for ISATAP is only supported with single server DirectAccess deployments.
• Using the DirectAccess server for ISATAP does work when using Network Load Balancing (NLB) with some additional configuration, but it is not supported.
• Using the DirectAccess server for ISATAP does not work when an external load balancer is used, or if multisite is enabled.
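The following PowerShell is an added example, not part of the original post, that puts the IPv6 and ISATAP sections above into practice on an internal management host: it enables ISATAP against a router, confirms the host obtained a non-link-local IPv6 address, resolves the DirectAccess client's AAAA record (manage out cannot go through DNS64/NAT64, so the client must be reachable directly over IPv6), and probes the management port. The router name, client name and port are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): prepare an internal management
# host for DirectAccess manage out over ISATAP and verify IPv6 reachability to
# a remote DirectAccess client. Run in an elevated session on the management
# host (Windows 8 / Server 2012 or later for the Net* cmdlets).
#
# Assumed placeholder values; substitute your own:
#   $IsatapRouter - DNS name or IPv4 address of the ISATAP router. In a single
#                   server DirectAccess deployment this is the DA server itself.
#   $ClientName   - FQDN of a DirectAccess client to test against.
#   $Port         - TCP port of the manage out tool (3389 = Remote Desktop).
$IsatapRouter = 'isatap.corp.example.com'
$ClientName   = 'client01.corp.example.com'
$Port         = 3389

# 1. Point this host at the ISATAP router and enable the ISATAP interface.
Set-NetIsatapConfiguration -State Enabled -Router $IsatapRouter
# Router discovery runs in the background; give it a moment to complete.
Start-Sleep -Seconds 5

# 2. Confirm an ISATAP address was obtained (a link-local fe80:: address alone
#    is not enough to reach DirectAccess clients).
$isatap = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPAddress -notlike 'fe80*' }
if (-not $isatap) {
    throw 'No ISATAP address obtained. Check that the router name resolves ' +
          '(the Windows DNS global query block list blocks "isatap" by default) ' +
          'and that ISATAP is enabled on the router.'
}
$isatap | Select-Object InterfaceAlias, IPAddress, PrefixLength

# 3. Manage out must use IPv6 end to end: DNS64/NAT64 only translate inbound
#    client-to-intranet traffic, so the client must have an AAAA record in
#    internal DNS (registered by the client itself) that this host can resolve.
$aaaa = Resolve-DnsName -Name $ClientName -Type AAAA -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'AAAA' }
if (-not $aaaa) {
    throw "$ClientName has no AAAA record; it cannot be reached for manage out."
}

# 4. Probe the management port on each IPv6 address of the client. A failure
#    here despite a valid address usually points at the client-side firewall
#    rule for the manage out tool rather than at ISATAP itself.
foreach ($addr in $aaaa.IPAddress) {
    Test-NetConnection -ComputerName $addr -Port $Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Step 2 is where load-balanced and multisite deployments fail when the DirectAccess server is used as the ISATAP router, which is why those topologies need a separate ISATAP router as described in the next section; step 4 separates an IPv6 routing problem from a client firewall problem, since the two present the same symptom to the administrator.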

ISATAP with Load Balancing and Multisite

It is technically possible to enable DirectAccess manage out for SCCM using ISATAP in load-balanced and multisite DirectAccess deployments, however. It involves deploying a separate ISATAP router and some custom configuration, but once in place it works perfectly. I offer this service to my customers as part of a consulting engagement. If you’re interested in restoring DirectAccess manage out functionality to support SCCM remote control, RDC, or VNC in load-balanced or multisite DirectAccess deployments, fill out the form below and I’ll provide you with more information.

Additional Resources

ISATAP Recommendations for DirectAccess Deployments
DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016
DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out
Video: Windows 10 DirectAccess in action (includes manage out demonstration)

IPv6 Recommended Reading for DirectAccess Administrators

DirectAccess uses IPv6 exclusively for communication between the DirectAccess client and server. The DNS64 and NAT64 services running on the DirectAccess server allow the client to connect to IPv4-only resources on the corporate network. Although no IPv6 knowledge is necessary to implement DirectAccess, it is most certainly required to support it going forward. A fundamental understanding of IPv6 is vital when it comes to troubleshooting DirectAccess connectivity issues, so learning IPv6 is critically important for the DirectAccess administrator.

To help you learn more about IPv6, here are three essential resources I think you will find helpful!

Understanding IPv6 (Joe Davies) – This is an excellent reference for the IPv6 protocol and should be on every DirectAccess administrator’s desk. This book provides detailed documentation and explanations for the IPv6 protocol including IPv6 transition protocols, which are commonly used with DirectAccess.

Practical IPv6 for Windows Administrators (Ed Horley) – Another essential title for learning IPv6. This book focuses on the use of IPv6 for a variety of popular Windows workloads, including DirectAccess.

IPv6 Address Planning (Tom Coffeen) – This book is an optional read for DirectAccess administrators, but a recommended one still. There is no IPv6 address planning required to implement DirectAccess, as most commonly IPv6 addressing happens automatically. However, this book will help you understand IPv6 subnetting, which can be helpful for fully understanding DirectAccess.

If you prefer video training, be sure to check out this great course on Pluralsight from Ed Horley. Don’t be afraid of IPv6. Embrace it! Start learning IPv6 today!

Understanding IPv6 Third Edition

Joseph Davies’ latest book Understanding IPv6: Your Essential Guide to IPv6 on Windows Networks is now available. Now in its third edition, this book is an excellent reference for systems administrators and network engineers wanting to learn the fundamentals of IPv6, and specifically how IPv6 is deployed on Microsoft networks. The book explains in detail the inner workings of the IPv6 protocol, including addressing, IPv6 headers, ICMPv6, and neighbor discovery. In addition, the book also covers IPv6 name resolution, routing, and transition technologies such as ISATAP, 6to4, Teredo, IP-HTTPS, DNS64, and NAT64. New in this edition is a chapter covering DirectAccess in Windows Server 2008 R2 and Windows Server 2012. Get your copy today!