Over the last 6 months I have been part of quite a few Direct Access installations, some have been single server and some have been larger clustered Direct Access deployments. After a few weeks I always here that a support call has been logged similar to the following.
I cant ping my direct access clients…I cant send updates to my direct access clients..I cant RDP to my direct access clients etc.
The reason people log these calls is because they do not understand the technology behind Direct Access. Direct access uses IPV6 to connect to your Direct Access server, if you do not have a native IPV6 network then you will use 6to4 conversion when the direct access client connects into the network, once in the network it uses standard DNS. So an external client can talk to anything internally, however there is no such thing as 4to6 conversion…so any internal servers or clients CANNOT initiate communications back to the Direct Access endpoint, all connectivity is started externally.
Here are a few scenarios that explain this situation further:
- Direct Access clients can pull down Anti Virus Updates from your Anti Virus update server such as Mcafee but if you need to quickly deploy an update the Anti Virus server cannot speak to the Direct Access Clients.
- Your Direct Access clients can RDP into your network to use resources but you cannot offer remote assistance to the same endpoint as your cannot RDP to the IPV6 address that the endpoint has.
To put it in one line, you cannot initiate contact with Direct Access clients unless your network is native IPV6. However there is a workaround, we can configure ISATAP to enable servers to “manage out”/ connect to our Direct Access clients, in the steps below we configure a “selective ISATAP” environment that will allow specific servers in a group to manage out.
Direct Access – Configuring a Selective ISATAP Environment
- We first need to create a new A record that points to our Direct Access server. Replace domain.com with your own domain and replace techieshelpisatap with your domainnameIASTAP, for example;
- We now need to create a security group, we make any server that we want to “manage out” a member of this group, call the group DAManageOUT.
- Now in Group Policy Management create a new GPO and call it Direct Access ISATAP, under the scope settings remove Authenticated Users and add the DAManageOUT group, set the GPO settings to User Configuration Settings Disabled.
- Now browse to Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies. Enable the following:
ISATAP Router Name: Enabled
Enter the router name to be the A record we created earlier, in my case it was TechieshelpISATAP.domain.com.
ISATAP State: Enabled
- Finally reboot any server you added to your security group and also any client you you require to use this server, make sure that the GPO has propagated.