DirectAccess 2012 and manage out capabilities without native IPv6 for SCCM 2012

Setting up DirectAccess 2012 for SCCM Manage Out


Often when we think about management functions, we think of them as software or settings being pushed out to client computers. In many cases that is not actually true: a lot of management tools are initiated from the client side, so their method of distributing settings and patches is really a client pull.


A pull is a request that has been initiated by the client; the server is simply responding to that request. In the DirectAccess (DA) world this kind of request is handled very differently from an actual push, which is any case where an internal server or resource creates the initial outbound communication with the client, a true outbound initiation of packets. Pulls typically work just fine over DirectAccess. For example, Group Policy processing is initiated by the client: when a laptop decides that it is time for a Group Policy refresh, it reaches out to Active Directory and says “Hey AD, give me my latest stuff”. The Domain Controller then replies to that request, and the settings are pulled down successfully. This works all day, every day over DirectAccess.


Pushes, on the other hand, require some special considerations. This scenario is what we commonly refer to as DirectAccess Manage Out, and this does not work by default in a stock DirectAccess implementation.


Historically, SCCM manage-out capabilities were only available if you set up Internet Based Client Management (IBCM), used an alternate VPN solution, or ran a real, native IPv6 internal network. However, after extended research the following method was found to enable SCCM manage out by leveraging the ISATAP router capabilities of the DirectAccess servers.


Configuring the IPv6 ISATAP Router on the DirectAccess Server

The first step is to run the following commands on each DirectAccess server in your environment. This sets the DirectAccess server(s) up as ISATAP router(s). Be aware of what that means: with advertising and forwarding enabled, the DirectAccess server hands an IPv6 prefix to every internal host that has ISATAP enabled and resolves its name, and routes that host's traffic to the DirectAccess clients. That is why the GPO later in this article limits ISATAP to a security group of manage out hosts rather than enabling it domain-wide.


  1. Run “netsh interface ipv6 show interface” and find the adapter named isatap.{GUID}. Its index (the Idx number) is the column to the left of the name; in the example used here it is 12.


  2. Run “netsh int ipv6 sh int 12” (12 being the index number of the ISATAP adapter) and:
    1. verify advertise=enabled
    2. verify forwarding=enabled
    3. verify advertisedefaultroute=enabled


  3. If any of the above are not enabled, run the corresponding command(s) to enable the feature on the adapter:
    1. netsh int ipv6 set int 12 advertise=enabled
    2. netsh int ipv6 set int 12 forwarding=enabled
    3. netsh int ipv6 set int 12 advertisedefaultroute=enabled

Your adapter is now configured as needed for manage out.
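The same check and enablement as a script, added here as an example and not part of the original post. It is the PowerShell equivalent of the netsh show/set commands above, run against every DirectAccess server at once; it assumes Windows Server 2012 or later (NetTCPIP module) with PowerShell remoting, and the server names in $DaServers are placeholders.

```powershell
# Added example: enable the ISATAP router settings on every DirectAccess server.
# Assumes Server 2012+ and PowerShell remoting; $DaServers holds placeholder names.
$DaServers = 'DA01', 'DA02'

$enableIsatapRouter = {
    # The ISATAP tunnel adapter is named isatap.{GUID}; find it by alias rather than
    # by a hard-coded index, since the index differs from server to server.
    $ifaces = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'isatap.*' }
    if (-not $ifaces) { throw "$env:COMPUTERNAME has no ISATAP interface" }

    foreach ($if in $ifaces) {
        # Build the Set-NetIPInterface call from only the settings that are not yet
        # Enabled (advertise, forwarding, advertisedefaultroute in netsh terms).
        $change = @{}
        if ($if.Advertising           -ne 'Enabled') { $change.Advertising           = 'Enabled' }
        if ($if.Forwarding            -ne 'Enabled') { $change.Forwarding            = 'Enabled' }
        if ($if.AdvertiseDefaultRoute -ne 'Enabled') { $change.AdvertiseDefaultRoute = 'Enabled' }
        if ($change.Count -gt 0) {
            Set-NetIPInterface -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv6 @change
        }
        # Re-read so the report shows the state after the change
        Get-NetIPInterface -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv6 |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          InterfaceIndex, InterfaceAlias, Advertising, Forwarding, AdvertiseDefaultRoute
    }
}

# One row per ISATAP interface per server; all three flag columns must read
# Enabled before moving on to the DNS and GPO steps.
Invoke-Command -ComputerName $DaServers -ScriptBlock $enableIsatapRouter |
    Format-Table Computer, InterfaceIndex, InterfaceAlias, Advertising, Forwarding, AdvertiseDefaultRoute -AutoSize
```

Run it from a management host with an account that is an administrator on the DirectAccess servers. Because it only sets what is not already Enabled, it is safe to re-run as a periodic check that nobody has turned forwarding back off.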

DNS Entries

To continue the configuration, one or more DNS entries are needed that point to the DirectAccess server(s) acting as the ISATAP router in your environment.

If you are running a clustered array of DirectAccess servers configured for load balancing, you will need multiple DNS records. All of the records have the same name (for example MyCompany_ISATAP) and each one points at one of the internal IP addresses used by the cluster. Do not use the literal name isatap: Windows DNS servers carry a global query block list that by default refuses to answer queries for the names isatap and wpad in any zone, so a record by that name would never resolve unless you removed it from the block list.


For example, one record points at the internal Virtual IP (VIP), and one at each internal Dedicated IP (DIP). In a two-node cluster, you will have three DNS records for MyCompany_ISATAP.


MyCompany_ISATAP  A  VIP: x.x.x.x
MyCompany_ISATAP  A  DIP: x.x.x.x
MyCompany_ISATAP  A  DIP: x.x.x.x
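Creating those records with the DnsServer module, added as an example that is not from the original post. It assumes Windows Server 2012 or later DNS, and the zone name and the three IP addresses are placeholders for your VIP and DIPs. It also checks the global query block list first, since a record name on that list is silently unanswerable.

```powershell
# Added example: register the ISATAP router name in DNS, one A record per cluster IP.
# Zone, record name and addresses are placeholders for your environment.
Import-Module DnsServer

$Zone       = 'corp.example.com'
$RecordName = 'MyCompany_ISATAP'
$RouterIPs  = '10.0.0.10',   # internal VIP of the DA cluster
              '10.0.0.11',   # DIP of node 1
              '10.0.0.12'    # DIP of node 2

# Windows DNS refuses to answer for names on the global query block list ('isatap' and
# 'wpad' by default). A router name on that list would never resolve, so check it here.
$blocked = (Get-DnsServerGlobalQueryBlockList).List
if ($blocked -contains $RecordName.ToLower()) {
    Write-Warning "'$RecordName' is on the global query block list; remove it with Set-DnsServerGlobalQueryBlockList or choose another name"
}

foreach ($ip in $RouterIPs) {
    # Idempotent: only add the record if that name/address pair is not already present
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $RecordName -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $RecordName -IPv4Address $ip
    }
}

# Verify: the one name should return the VIP and both DIPs
Resolve-DnsName -Name "$RecordName.$Zone" -Type A | Select-Object Name, IPAddress
```

Run on a DNS server (or with the DNS RSAT tools against one using -ComputerName). The resolve step at the end is the same check a client will make when the ISATAP Router Name policy points it at this name.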

Group Policy Objects

To fully implement the solution you will need to push a GPO to all DA manage out machines.


  1. Create a new Windows security group called UAG DirectAccess Manage Out Clients
  2. Open the Group Policy Management Console (GPMC)
  3. Create a new group policy object called DirectAccess: Manage Out Clients (Enable ISATAP)
  4. Configure the following properties:
    1. Under the Scope tab, remove Authenticated Users from the Security Filtering section and add the Windows security group created above (UAG DirectAccess Manage Out Clients in our example). Since MS16-072 (KB3163622) Microsoft recommends that every GPO keep Authenticated Users or Domain Computers with Read permission, so rather than removing the group outright, remove only its Apply Group Policy right on the Delegation tab; security filtering then still limits which computers apply the GPO.
    2. Under the Details tab, set the GPO Status to User configuration settings disabled
  5. Right-click the newly created GPO, choose Edit and define the following settings:
    1. In Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies:
      1. Open ISATAP Router Name:
        1. Enabled
        2. Enter a router or relay name: the DNS name created above that points to the IP address(es) of the DirectAccess server(s)
        3. Choose OK
      2. Open ISATAP State:
        1. Enabled
        2. Select from the following states: Enabled State
        3. Choose OK
  6. Once completed, this should result in both ISATAP settings showing with the values above in the Settings tab:
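The whole GPO procedure as a script, added as an example and not part of the original post. It uses the GroupPolicy and ActiveDirectory modules (RSAT on Windows 8 / Server 2012 or later); the group and GPO names follow the post, while the OU to link to and the router DNS name are placeholders. The two registry values are the ones the ISATAP Router Name and ISATAP State administrative template settings write under TCPIP\v6Transition.

```powershell
# Added example: create the group and the ISATAP manage-out GPO, filter it to the group,
# set the two ISATAP policies and link it. OU path and router name are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GroupName  = 'UAG DirectAccess Manage Out Clients'
$GpoName    = 'DirectAccess: Manage Out Clients (Enable ISATAP)'
$RouterName = 'MyCompany_ISATAP.corp.example.com'          # the DNS name created earlier
$LinkTarget = 'OU=Workstations,DC=corp,DC=example,DC=com'  # where the client computers live

# 1. Security group that will hold the manage-out client computers
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. GPO with user settings disabled (only computer settings are used)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$gpo.GpoStatus = 'UserSettingsDisabled'

# 3. Security filtering: Authenticated Users keeps Read (the MS16-072 recommendation)
#    but loses Apply; only members of the group apply the GPO.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Computer Configuration > Administrative Templates > Network > TCPIP Settings >
#    IPv6 Transition Technologies: ISATAP Router Name = <DNS name>, ISATAP State = Enabled
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'ISATAP_RouterName' -Type String -Value $RouterName | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'ISATAP_State'      -Type String -Value 'Enabled'     | Out-Null

# 5. Link it; the security filtering above limits it to group members
$linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $LinkTarget -LinkEnabled Yes | Out-Null
}

# Review: the same two values the GPMC Settings tab will display
Get-GPRegistryValue -Guid $gpo.Id -Key $key | Select-Object ValueName, Value
```

Keeping the filtering on a dedicated group is the control that matters here: any computer that applies this GPO becomes an ISATAP host with a route to every DirectAccess client, so membership should be reviewed like any other privileged group.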



More information: Limiting ISATAP Services to DirectAccess Manage Out Clients


Deploying Manage Out

To deploy the manage out capability, add the machines that need it to the UAG DirectAccess Manage Out Clients security group created above. The clients must be rebooted before the new group membership takes effect, since a computer account's group memberships are evaluated when it logs on at boot. After the reboot the GPO applies, and the specific manage out machines you defined by group membership receive ISATAP addressing and prefix information, making them IPv6 capable.



To validate the configuration there should be an ISATAP-format IPv6 address on the ISATAP adapter, for example 2002:WWXX:YYZZ:8000:0:5efe:w.x.y.z: the prefix advertised by the DirectAccess server (2002:WWXX:YYZZ is a 6to4 prefix derived from the server's public IPv4 address WW.XX.YY.ZZ) followed by the ISATAP interface identifier 0:5efe:w.x.y.z, where w.x.y.z is the host's own IPv4 address.


  1. From a command prompt type ipconfig /all
  2. Verify that the ISATAP adapter has a global IPv6 address and not only a link-local (fe80::) IPv6 address, as illustrated in the figure below
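The same validation done mechanically, added as an example that is not part of the original post. It runs on a manage-out client (Windows 8 / Server 2012 or later) and checks what ipconfig /all shows by eye: that a global ISATAP address exists, that its interface identifier has the ISATAP form 0:5efe:<IPv4>, that the embedded IPv4 address is one of the host's own, and that the address was registered in DNS. If no address is present it nudges the IP Helper service the same way the sc control iphlpsvc paramchange step described further down does. The router DNS name is a placeholder.

```powershell
# Added example: validate the ISATAP address on a manage-out client. $RouterName is a placeholder.
$RouterName = 'MyCompany_ISATAP.corp.example.com'

function Get-IsatapGlobalAddress {
    # Global IPv6 addresses on the ISATAP tunnel adapter(s); the fe80:: link-local
    # address is always present and proves nothing, so it is excluded.
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'isatap.*' -and $_.IPAddress -notlike 'fe80:*' }
}

function Test-IsatapInterfaceId {
    param([Parameter(Mandatory)][string]$IPv6)
    # RFC 5214: the ISATAP interface identifier is 00:00:5e:fe followed by the IPv4
    # address, so bytes 8..11 of the 16-byte address must be 00 00 5e fe.
    $b = [System.Net.IPAddress]::Parse($IPv6).GetAddressBytes()
    $b[8] -eq 0 -and $b[9] -eq 0 -and $b[10] -eq 0x5e -and $b[11] -eq 0xfe
}

function Get-EmbeddedIPv4 {
    param([Parameter(Mandatory)][string]$IPv6)
    # The last four bytes are the IPv4 address the tunnel runs over
    $b = [System.Net.IPAddress]::Parse($IPv6).GetAddressBytes()
    $b[12..15] -join '.'
}

$addr = Get-IsatapGlobalAddress
if (-not $addr) {
    Write-Warning 'No global ISATAP address; asking IP Helper to re-read its settings and re-resolve the router'
    sc.exe control iphlpsvc paramchange | Out-Null
    Start-Sleep -Seconds 15
    $addr = Get-IsatapGlobalAddress
}
if (-not $addr) {
    $routerIPs = (Resolve-DnsName -Name $RouterName -Type A -ErrorAction SilentlyContinue).IPAddress -join ', '
    throw "Still no ISATAP address on $env:COMPUTERNAME. Is it in the manage-out group and rebooted since? $RouterName resolves to: '$routerIPs'"
}

$localV4 = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$myAAAA  = (Resolve-DnsName -Name $env:COMPUTERNAME -Type AAAA -ErrorAction SilentlyContinue).IPAddress

foreach ($a in $addr) {
    $v4 = Get-EmbeddedIPv4 -IPv6 $a.IPAddress
    [pscustomobject]@{
        Address             = $a.IPAddress
        PrefixLength        = $a.PrefixLength
        IsatapInterfaceId   = Test-IsatapInterfaceId -IPv6 $a.IPAddress   # expect True
        EmbeddedIPv4        = $v4
        EmbeddedIPv4IsLocal = $localV4 -contains $v4                       # expect True
        RegisteredInDNS     = $myAAAA -contains $a.IPAddress               # expect True once registered
    }
}
```

All three boolean columns should be True. A False in RegisteredInDNS with the others True usually just means dynamic registration has not run yet (ipconfig /registerdns forces it); a False in EmbeddedIPv4IsLocal means the ISATAP address was formed over an IPv4 address this host no longer has.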






If the ISATAP adapter address assignment is not successful, it may also be necessary to use the following commands to refresh the adapter state:

  1. From an administrator Command Prompt run:
    1. sc control iphlpsvc paramchange (this tells the IP Helper service to re-read its ISATAP configuration and re-resolve the router name without a reboot)
    2. Add the server you want to manage out through DirectAccess to the security group created above
    3. Reboot the server
    4. Once the server is up, run ipconfig and verify you now receive an IPv6 address in the same prefix as the DirectAccess server's ISATAP address (found on the server or in DNS).
      1. Looking in DNS will easily show whether the server you added registered its IPv6 address; if you sort by data you will see the entries in the same IPv6 range, with the first several groups matching.
  2. Once all items have been confirmed, try to connect to the machine via a UNC path or RDP.
    1. This will only work if you have configured the client's firewall to allow such a connection; if not, create a firewall rule for the protocol (RDP, for example) and then test.
    2. If you cannot connect, follow the steps below for each protocol you want to allow.
  3. Setting up client-side firewall rules:
    1. It is a common mistake to modify the existing DirectAccess Client Settings GPO that DirectAccess creates and uses, and to plug these new rules into that GPO rather than create another new GPO. Please don’t do this. The DA GPOs should be left alone, because they are automatically adjusted by the wizards, so your changes may get thrown out at some point.
    2. Use a separate GPO for these WFAS settings.
      1. Perhaps the same one you created for the Teredo and 6to4 best practice settings, because these are also settings that need to be applied only to the DirectAccess client computers.
  4. Inside the GPO you have chosen for this task, add WFAS rules using the following configuration:
    1. In Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules:
      1. Right-click and choose New Rule…
      2. Choose Port rule and click Next
      3. Specify which port you would like to allow (either include multiple ports in one rule, or create multiple rules, one for each port)
      4. Choose Allow the connection
      5. Choose the Domain, Public and Private firewall profiles (a DirectAccess client out on the internet is typically in the Public or Private profile, so a Domain-only rule would not match)
      6. Finish the wizard by naming the rule
    2. Once your rule is complete, right-click on the rule and choose Properties
    3. Choose the Advanced tab and change the Edge traversal drop-down to Allow edge traversal. This is important for making these rules function when the client is connected using the Teredo protocol.
  5. Create rules for each protocol that you want to be accessible when reaching out to these DA clients from the internal network. Typically allowed items include:
    1. RDP (TCP 3389)
    2. File Access (TCP 445)
    3. ICMPv6 for ping replies (a custom rule for ICMPv6 Echo Request, type 128, rather than a port rule)


Firewall Rule Configuration

The rule is now functional, but it is wide open: it allows RDP from any address. To tighten it a little, the rule should only allow RDP connections from computers that are inside the ISATAP network.


  1. Go to Properties
  2. Scope tab
  3. Under Remote IP address
  4. Change it to These IP addresses
  5. Enter the IPv6 prefix that the ISATAP environment uses.
    1. The easiest way to determine that prefix is to look at ipconfig /all on an internal ISATAP-connected computer.
    2. If the ISATAP IPv6 address is 2002:836b:1e:1:0:5efe:w.x.y.z, notice that the end of the address is the host's actual IPv4 address. Everything before it is shared by every ISATAP host: 2002:836b:1e:1 is the prefix advertised by the DirectAccess server and 0:5efe marks an ISATAP interface identifier.
    3. For the prefix to add to this WFAS rule, we want to allow RDP connections from any ISATAP host, so the prefix is 2002:836b:1e:1:0:5efe: followed by any IPv4 address, i.e. the subnet 2002:836b:1e:1:0:5efe::/96 (first 96 bits fixed, last 32 bits free). Note that this is a source-address filter, not authentication; internal traffic still reaches the client inside its DirectAccess IPsec tunnels, so the scope narrows which internal hosts may initiate rather than replacing that protection.


  1. Click on OK, and you should see something similar to this in your Scope.
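The rule set from the firewall steps above, with the scope tightening applied from the start, as an added example that is not from the original post. It deploys the three typical rules (RDP, SMB, ICMPv6 echo) into a separate GPO with edge traversal allowed, and derives the ISATAP /96 from any ISATAP address so the scope never has to be typed by hand. The GPO name, domain name and the sample ISATAP address (the post's 2002:836b:1e:1:0:5efe: prefix with a made-up host part) are placeholders; the NetSecurity and GroupPolicy modules ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: manage-out inbound rules in their own GPO, scoped to the ISATAP /96.
# Domain, GPO name and the sample address are placeholders.
Import-Module NetSecurity, GroupPolicy

function Get-IsatapScope {
    param([Parameter(Mandatory)][string]$IsatapAddress)
    # Every ISATAP host behind the same advertised /64 shares the first 96 bits
    # (prefix + 0:5efe); the last 32 bits are the host's IPv4 address. Zero them -> /96.
    $b = [System.Net.IPAddress]::Parse($IsatapAddress).GetAddressBytes()
    if ($b[8] -ne 0 -or $b[9] -ne 0 -or $b[10] -ne 0x5e -or $b[11] -ne 0xfe) {
        throw "$IsatapAddress is not an ISATAP address (interface ID does not start with 0:5efe)"
    }
    $hextets = 0..5 | ForEach-Object { '{0:x}' -f (([int]$b[2 * $_] -shl 8) -bor [int]$b[2 * $_ + 1]) }
    "$($hextets -join ':')::/96"
}

# Taken from ipconfig /all on an internal ISATAP host (sample value)
$Scope   = Get-IsatapScope '2002:836b:1e:1:0:5efe:10.0.0.25'   # -> 2002:836b:1e:1:0:5efe::/96
$Domain  = 'corp.example.com'
$GpoName = 'DirectAccess: Manage Out Clients (Firewall)'        # separate from the DA-generated GPOs
$Store   = "$Domain\$GpoName"                                     # PolicyStore syntax: Domain\GPO name

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

$common = @{
    PolicyStore         = $Store
    Direction           = 'Inbound'
    Action              = 'Allow'
    Profile             = 'Domain, Private, Public'   # DA clients on the internet are not in the Domain profile
    RemoteAddress       = $Scope                       # only ISATAP hosts, not 'Any'
    EdgeTraversalPolicy = 'Allow'                      # required when the client connects over Teredo
}
New-NetFirewallRule @common -DisplayName 'DA Manage Out - RDP'  -Protocol TCP    -LocalPort 3389 | Out-Null
New-NetFirewallRule @common -DisplayName 'DA Manage Out - SMB'  -Protocol TCP    -LocalPort 445  | Out-Null
New-NetFirewallRule @common -DisplayName 'DA Manage Out - Ping' -Protocol ICMPv6 -IcmpType 128   | Out-Null   # ICMPv6 Echo Request

# Review: every rule must carry the ISATAP scope rather than Any
Get-NetFirewallRule -PolicyStore $Store -DisplayName 'DA Manage Out*' |
    ForEach-Object {
        $f = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $f.RemoteAddress; EdgeTraversal = $_.EdgeTraversalPolicy }
    }
```

Link the GPO to the DirectAccess client computers only (the same filtering approach as the ISATAP GPO), never to the DirectAccess Client Settings GPO the wizard maintains. If your ISATAP prefix differs from the post's example, feed Get-IsatapScope any real ISATAP address from ipconfig /all and the scope follows.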



More information: Configuring Manage Out DirectAccess Clients

