One of the major advantages that DirectAccess has over traditional remote access solutions is that it keeps IT always connected to its managed clients. This lets you make sure your managed clients are always up to date and meet your desired configuration requirements. This is a far cry from the VPN client, which might never connect to the corpnet, then finally connect months later when its user visits the home office and share all the worms and viruses it collected during its sojourn away from the corpnet.
There are actually two types of management connections to think about when working with DirectAccess:
- Connections established by the client, such as by a client agent, to a management server on the intranet
- Connections established by a management server on the intranet to the DirectAccess client on the Internet
The second type of connection is often referred to as the “manage out” connection, because the management server is establishing an outbound connection to a DirectAccess client.
The challenge with manage out connections is that the DirectAccess client must have firewall rules that allow the inbound connections from the management servers whenever the client sits behind a NAT device. You don’t need to do anything special to enable manage out connections to DirectAccess clients when they are acting as 6to4 clients (6to4 is used when the DirectAccess client is assigned a public IP address), but you will need such rules when the DirectAccess client is using either the Teredo or IP-HTTPS IPv6 transition technology to connect to the UAG DirectAccess server.
However, the situation isn’t limited to manage out connections. Some protocols that the DirectAccess client uses to connect to an intranet server require “callbacks” to the DirectAccess client, and those callbacks look to the client like unsolicited inbound connection attempts. To fix this, create a firewall rule in Windows Firewall with Advanced Security that allows the incoming connection, and enable Edge Traversal on that rule.
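Here is an added example (mine, not code from this article or from Jim Harrison’s piece) of creating such a rule with PowerShell on the DirectAccess client: it allows inbound RDP from the intranet management servers and enables Edge Traversal so that a Teredo or IP-HTTPS client behind NAT will accept the connection. The rule name, the port (3389) and the IPv6 prefix 2001:db8:1::/64 are placeholders you must adjust; New-NetFirewallRule exists on Windows 8 / Server 2012 and later, and the netsh branch covers Windows 7 clients of the UAG era.

```powershell
# Added example, not from the original article: create a manage-out inbound rule
# on a DirectAccess client with Edge Traversal enabled, so that a Teredo or
# IP-HTTPS client behind NAT accepts the connection. Name, port and the IPv6
# prefix of the intranet management servers are placeholders.

$RuleName   = 'DA-ManageOut-RDP'        # assumed rule name
$LocalPort  = 3389                      # assumed: RDP from the help desk
$MgmtPrefix = '2001:db8:1::/64'         # placeholder: your intranet IPv6 prefix

function Add-ManageOutRule {
    param([string]$Name, [int]$Port, [string]$RemotePrefix)

    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later (NetSecurity module).
        # -EdgeTraversalPolicy Allow is the "Edge Traversal" setting the article
        # refers to; without it the rule does not apply to tunneled inbound traffic.
        New-NetFirewallRule -Name $Name -DisplayName $Name `
            -Direction Inbound -Protocol TCP -LocalPort $Port `
            -RemoteAddress $RemotePrefix -Action Allow `
            -EdgeTraversalPolicy Allow -Profile Any -Enabled True | Out-Null
    }
    else {
        # Windows 7 has no NetSecurity cmdlets; netsh exposes the same flag as edge=yes.
        netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
            protocol=TCP localport=$Port remoteip=$RemotePrefix edge=yes | Out-Null
    }
}

function Test-ManageOutRule {
    param([string]$Name)
    # True only if the rule exists, is enabled, and has Edge Traversal allowed.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue
        return ($null -ne $rule -and $rule.Enabled -eq 'True' -and
                $rule.EdgeTraversalPolicy -eq 'Allow')
    }
    $out = netsh advfirewall firewall show rule name="$Name" verbose
    return ($out -match 'Enabled:\s+Yes') -and ($out -match 'Edge traversal:\s+Yes')
}

Add-ManageOutRule -Name $RuleName -Port $LocalPort -RemotePrefix $MgmtPrefix
if (-not (Test-ManageOutRule -Name $RuleName)) {
    throw "Rule $RuleName is missing or lacks Edge Traversal; manage out will fail behind NAT."
}
```

Run it from an elevated prompt on the client. Scoping the rule with -RemoteAddress to the prefix your management servers actually use is my recommendation rather than something the article requires: it keeps the hole limited to the corpnet instead of opening the port to any IPv6 peer that can reach the client’s tunnel interface. In a real deployment you would push the same rule through Group Policy to the DirectAccess clients rather than creating it by hand on each machine.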
Jim Harrison shows a great example of this scenario in his article on enabling the Hyper-V console on the DirectAccess client. Check it out at:
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)