The following are some troubleshooting steps if you run into problems getting inside-out management working. Inside-out management is the ability
for a machine on the internal corporate network, such as a helpdesk machine, to be able to initiate communications to remote, internet-based DirectAccess clients, such as by using RDP sessions, remote registry, or mapping drives.
1. Ensure the remote DirectAccess client has registered its IPv6 address and name in DNS, and that the Inside-Out management machine can resolve them. The IPv6 address will correspond to whichever transition mechanism the client is using, either:
a. Native IPv6 (unlikely)
b. 6to4
c. Teredo
d. IP-HTTPS
Note. A link local IPv6 address will not work.
2. Ensure the Inside-Out management machine is configured with IPv6 via ISATAP (this could also be native IPv6 but we will assume ISATAP).
Note. A link local IPv6 address will not work.
If the Inside-Out management machine is not receiving an ISATAP address, check
a. All the ISATAP IP addresses are registered (see point 4 below)
b. That all the ISATAP IP addresses are in the same subnet, and that the subnet mask allocated is correct
c. That the Intranet firewall is allowing Protocol 41 (See point 5 below)
3. Ensure the Inside-Out management machine has registered its IPv6 address and name in DNS and that they can be resolved successfully. This will be the machine's ISATAP IPv6 address.
If the helpdesk machine does not have an ISATAP address, refresh the ISATAP (and other) settings from the command line using one of the following commands:
i. SC CONTROL IPHLPSVC PARAMCHANGE
Or
ii. NET STOP IPHLPSVC then NET START IPHLPSVC
4. Ensure the ISATAP router name resolves, from the internal network, to the internal interfaces of the DirectAccess server acting as the ISATAP router (or of whichever other ISATAP router you are using). Note that the DNS Server role in Windows Server 2008 and later blocks the name "isatap" by default through its global query block list; the name must be removed from that list (or a different router name used) before the record will resolve.
a. In a WNLB 2-node array, this would be the two servers' dedicated IP addresses plus the virtual IP address, so three addresses in total, all registered under the ISATAP name.
5. Ensure that the Intranet Firewall is allowing Protocol 41 (IPv6 encapsulation) to UAG servers in both directions. Do not confuse Protocol 41 with Port 41. IPv6 Encapsulation is a protocol like TCP or UDP, not a Port.
6. Ensure any required client side firewall rules are in place on the remote DirectAccess clients with Edge traversal allowed
a. ICMPv4 for pinging IPv4 addresses
b. ICMPv6 for pinging IPv6 addresses
c. File and Printer Sharing (F&P) for whichever services you require, such as SMB file share mapping
d. Remote Desktop
e. Etc. Etc.
7. Ensure all the DirectAccess Servers have a valid ISATAP configuration.
a. NETSH INT IPV6 SHOW INT
a.1. Find the index number for the ISATAP interface
b. NETSH INT IPV6 SHOW INT Index#
b.1. Ensure that Forwarding, Advertising and Advertise Default Route are all enabled
b.2. If not
b.2.1. NETSH INT IPV6 SET INT Index# FORWARDING=ENABLED ADVERTISE=ENABLED ADVERTISEDEFAULTROUTE=ENABLED
b.3. Validate changes
b.3.1. NETSH INT IPV6 SHOW INT Index#
b.4. NET STOP IPHLPSVC
b.5. NET START IPHLPSVC
8. Collect some trace logs:
a. NETSH TRACE START SCENARIO=DIRECTACCESS CAPTURE=YES REPORT=YES
b. NET STOP IPHLPSVC
c. NET START IPHLPSVC
d. Wait 10 seconds
e. NETSH TRACE STOP
The logs are called NETTRACE.ETL and NETTRACE.CAB files and will be located in the %TEMP%\NetTraces folder. Either analyse the logs yourself or send them to your support representative.
9. Note. If you want to be able to manage the remote DirectAccess computers even when no one is logged on to them, add the Inside-Out management machines to the management servers group on the DirectAccess servers, where you define Domain Controllers, SCCM and AV machines. Machines defined in these groups can access the client when only the infrastructure tunnel is up, i.e. before the remote user logs on and establishes the Intranet tunnel. If you have been trying to connect to a remote machine that is not logged on, this could be your problem.
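The following script is an added example and is not part of the original post. Run on the Inside-Out management machine, it automates the DNS, ISATAP and ISATAP-router checks from steps 1 to 4 plus the ICMPv6 ping from step 6; run on a DirectAccess server with -ServerIsatapIfIndex, it also parses the step 7 NETSH output. The client host name and the ISATAP router name are assumed parameters ('isatap' is the Windows default name), and only .NET 2.0 classes are used so it runs under PowerShell 2.0 on Windows 7 and Windows Server 2008 R2.

```powershell
<#
  Added example, not from the original post. Usage on the manage-out machine:
    .\Test-DaManageOut.ps1 -ClientName laptop01
  Usage on a DirectAccess server (index from "netsh int ipv6 show int"):
    .\Test-DaManageOut.ps1 -ClientName laptop01 -ServerIsatapIfIndex 13
  Assumed: 'isatap' is your ISATAP router name; client name is a parameter.
#>
param(
    [Parameter(Mandatory = $true)][string]$ClientName,
    [string]$IsatapRouterName = 'isatap',
    [int]$ServerIsatapIfIndex = 0
)

# Step 1: classify the client's registered address by prefix. Native and
# IP-HTTPS addresses both come from the organisation prefix, so they are
# reported together; a link-local address is called out because it will not work.
function Get-DaAddressKind {
    param([System.Net.IPAddress]$Address)
    if ($Address.IsIPv6LinkLocal) { return 'link-local - will NOT work for manage-out' }
    $b = $Address.GetAddressBytes()
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4 (2002::/16)' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'Teredo (2001:0::/32)' }
    return 'native IPv6 or IP-HTTPS (organisation prefix)'
}

# DNS lookup that returns an empty array instead of throwing when the name is unknown.
function Resolve-Addresses {
    param([string]$Name, [System.Net.Sockets.AddressFamily]$Family)
    try {
        $all = [System.Net.Dns]::GetHostAddresses($Name)
        return @($all | Where-Object { $_.AddressFamily -eq $Family })
    } catch { return @() }
}

# Steps 2 and 3: ISATAP addresses carry the interface identifier
# ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z; link-local ones are skipped.
function Get-LocalIsatapAddress {
    $found = @()
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $a = $ua.Address
            if ($a.AddressFamily -ne 'InterNetworkV6' -or $a.IsIPv6LinkLocal) { continue }
            $b = $a.GetAddressBytes()
            if (($b[8] -eq 0 -or $b[8] -eq 2) -and $b[9] -eq 0 -and $b[10] -eq 0x5e -and $b[11] -eq 0xfe) {
                $found += $a
            }
        }
    }
    return $found
}

# Step 6 sanity check: an ICMPv6 echo reply proves the client's inbound rule has edge traversal.
function Test-Echo {
    param([System.Net.IPAddress]$Address)
    $p = New-Object System.Net.NetworkInformation.Ping
    return $p.Send($Address, 3000).Status
}

# Step 7: parse "netsh int ipv6 show int <index>" for the three router settings.
function Get-IsatapRouterState {
    param([int]$IfIndex)
    $state = @{}
    foreach ($line in (netsh interface ipv6 show interface $IfIndex)) {
        if ($line -match '^\s*(Forwarding|Advertising|Advertise Default Route)\s*:\s*(\w+)') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

Write-Host "== Step 1: IPv6 (AAAA) records for $ClientName"
$clientV6 = @(Resolve-Addresses $ClientName InterNetworkV6)
if ($clientV6.Count -eq 0) { Write-Host '  FAIL: no IPv6 address registered in DNS' }
foreach ($a in $clientV6) { Write-Host "  $a -> $(Get-DaAddressKind $a)" }

Write-Host '== Steps 2/3: ISATAP address on this machine and its DNS record'
$local = @(Get-LocalIsatapAddress)
if ($local.Count -eq 0) {
    Write-Host '  FAIL: no ISATAP address (check the ISATAP name, Protocol 41, then restart IPHLPSVC)'
} else {
    $mine = @(Resolve-Addresses $env:COMPUTERNAME InterNetworkV6 | ForEach-Object { $_.ToString() })
    foreach ($a in $local) {
        $registered = if ($mine -contains $a.ToString()) { 'registered in DNS' } else { 'NOT registered in DNS' }
        Write-Host "  $a - $registered"
    }
}

Write-Host "== Step 4: IPv4 addresses for the ISATAP router name '$IsatapRouterName'"
$routers = @(Resolve-Addresses $IsatapRouterName InterNetwork)
if ($routers.Count -eq 0) { Write-Host '  FAIL: name does not resolve (check the DNS global query block list)' }
foreach ($r in $routers) { Write-Host "  $r" }

Write-Host '== Step 6: ICMPv6 echo to the client'
foreach ($a in $clientV6) { if (-not $a.IsIPv6LinkLocal) { Write-Host "  $a : $(Test-Echo $a)" } }

if ($ServerIsatapIfIndex -gt 0) {
    Write-Host "== Step 7: ISATAP router settings on interface $ServerIsatapIfIndex"
    $s = Get-IsatapRouterState $ServerIsatapIfIndex
    foreach ($k in 'Forwarding', 'Advertising', 'Advertise Default Route') {
        Write-Host ("  {0,-24}: {1}" -f $k, $s[$k])
    }
}
```

The prefix classification cannot tell a native IPv6 client from an IP-HTTPS one, because both use addresses from the organisation prefix; if you need to know which, look at the client's IP-HTTPS interface state with NETSH INT HTTPSTUNNEL SHOW INTERFACES. Step 5 (Protocol 41 through the intranet firewall) is deliberately not tested here: a missing ISATAP address in the steps 2/3 output, with the router name resolving correctly in step 4, is the usual symptom of that rule being absent.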
Finally, if the troubleshooting steps have still not helped, be aware of the issue described in the knowledge base article "DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010". It is caused by custom security policies that change the local security rights on the DirectAccess Manage-Out machine and the clients (for example, modifying the setting "Access this computer from the network").
If you are still having problems you will need to set up network traces from the inside-out management machine, the DirectAccess servers, and the remote DirectAccess client to see where things are going wrong.
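As an added example for step 6 above (not part of the original post), the following creates the client-side inbound rules with edge traversal enabled on a single DirectAccess client for testing. Without edge=yes the Windows Firewall drops traffic that arrives through the Teredo, 6to4 or IP-HTTPS tunnel even when the port is otherwise open, which is the most common reason manage-out pings and RDP fail. The $ManageOutPrefix value is a placeholder assumed here, not taken from the post: set it to the ISATAP /64 your Inside-Out management machines use, so that the rules admit only those hosts rather than the whole Internet. In production, deploy the same rules through Group Policy rather than per client.

```powershell
# Added example, not from the original post: step 6 client firewall rules
# with edge traversal, scoped to the manage-out ISATAP prefix.
$ManageOutPrefix = '2002:836b:1:1::/64'   # placeholder - replace with your ISATAP prefix

function Add-ManageOutRule {
    param([string]$Name, [string]$Protocol, [string]$LocalPort = '')
    # Each element becomes one argv entry for netsh, so names with spaces and
    # the comma in "icmpv6:128,any" survive PowerShell's own argument parsing.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=DA Manage-Out $Name", 'dir=in', 'action=allow',
                   "protocol=$Protocol", 'edge=yes', 'profile=any',
                   "remoteip=$ManageOutPrefix")
    # ICMP rules take no port; TCP/UDP rules need one.
    if ($LocalPort -ne '') { $netshArgs += "localport=$LocalPort" }
    & netsh @netshArgs
}

Add-ManageOutRule -Name 'ICMPv6 echo'    -Protocol 'icmpv6:128,any'   # step 6b, ping from the helpdesk
Add-ManageOutRule -Name 'Remote Desktop' -Protocol 'tcp' -LocalPort '3389'
Add-ManageOutRule -Name 'SMB'            -Protocol 'tcp' -LocalPort '445'  # file share mapping, remote registry

# Confirm the rule shows "Edge traversal: Yes"; the default for a new rule is No.
& netsh advfirewall firewall show rule "name=DA Manage-Out Remote Desktop" verbose
```

profile=any is used because a DirectAccess client on the Internet is not in the Domain profile, so a rule restricted to that profile never applies when you need it.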
HTH.
Colin Brown, Architect.
Microsoft Consulting Services.
One of the hottest topics in IT these days is identity management. Sure, IdM has been important for a long time but with the advent and the acceleration of cloud computing, it’s taken a prominent position on the IT stage. There are a lot of issues that you need to consider with the new computing paradigms that we didn’t have to deal with before. But how do you figure out what’s important and what’s not?
Typically, you’d go do a Bing search and see what’s out there. That’s what I did. The problem I ran into was that there really wasn’t a lot of good information on identity architecture. Most of the information I found was very product specific, so the assumption was that you were already an identity architect and therefore you already knew about foundational issues and essential capabilities. Too bad for me, since I was not an identity architect.
So what was the solution to the problem? Since I work at Microsoft, why not take advantage of the fact that we have some pretty smart people who work as identity architects in Microsoft Consulting Services? That’s what my colleague Gaiana Bagdasaryan and I did – talk to these architects who have had many years of experience architecting, designing, planning, deploying and operating identity management solutions.
The result of this effort is a collection of two papers:
The Four Pillars of Identity: Identity Management in the Age of Hybrid IT
Identity Infrastructure Capabilities: Identity Management in the Age of Hybrid IT
I think we did pretty well with these papers, at least for a start. But there’s still a lot of work to be done. These are architectural papers, so we tried to keep the amount of product and technology specifics to a minimum and focused on what the problems are and what capabilities are required to solve these problems. We plan to follow up on these by providing more information on Microsoft technologies that can be used to solve many of the problems you’ll encounter when architecting an identity management solution.
Let me know what you think of these papers and please feel free to share any ideas you have on how to make them better and what kind of information you’d like to see moving forward.
HTH,
Tom
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder
Windows Server 2012 is the greatest operating system Microsoft has ever unleashed on your data center. There are so many new features and capabilities that it would take several books to illuminate them all. And with all that goodness comes a number of new and improved security technologies. This is what the book Windows Server 2012 Security from End to Edge and Beyond written by me, Yuri Diogenes and Debra Littlejohn Shinder is all about.
Why did we pick the name “From End to Edge and Beyond”? The “End” is the endpoint – the client device that connects to server based applications and services, and the servers themselves. The “Edge” is the edge of the network, a firewall or a remote access server. And “Beyond” is about the cloud. Windows Server 2012 Security from End to Edge and Beyond addresses all of these issues: security as it applies to the endpoint, the network edge and the cloud.

What’s inside? Check this out:
And there’s an added bonus – Tim Rains from the Microsoft Trustworthy Computing Group will be writing a foreword for the book! Tim Rains is the Director of Product Management in Microsoft’s Trustworthy Computing group. Tim and his team of product managers support the Microsoft Security Response Center (MSRC), the Microsoft Malware Protection Center (MMPC), and the Microsoft Security Engineering Center (MSEC), which includes the Security Development Lifecycle (SDL) and Security Science. Among other things, Tim’s team manages production of the Microsoft Security Intelligence Report (www.microsoft.com/sir). Tim has worked in several roles at Microsoft including Senior Public Relations Manager of Security Response at Microsoft, Senior Product Manager of the Microsoft Malware Protection Center, Program Manager of the Windows Network Diagnostics team, Technical Lead on the Security Incident Response team in the Product Support Services (PSS) Security team and Technical Lead on the PSS Windows Server Networking team.
It’s quite a compliment to have Tim endorse our book. Not only will he write a foreword for the book, he has made several key suggestions that enhance the overall value of the book to any security minded administrator who needs that extra leg up to secure his data center. Yuri, Debi and I truly appreciate Tim’s insights and we hope you will benefit from Tim’s input into this book.
We are just about done with the writing and expect that the book will be available in December or January. Stay tuned!
HTH,
Tom
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder
Hey folks,
You might have noticed that the old Edge Man hasn’t posted for almost a year. The Edge Man blog began as part of my work with UAG DirectAccess. I think we did a lot of great work here and provided some keen value for all of you who were working with UAG DirectAccess and even for those who were using Windows DirectAccess. For you DirectAccess fans, I can assure you that DirectAccess is alive and well and I think you’ll find some welcome improvements as we move forward to the next version of DirectAccess. If you want to know more about that, then check the TechNet library.
While those were good times, it’s good to expand one’s horizons and explore new technologies and ways of thinking. I’ve since moved on from the UAG DirectAccess team and now work on the Server and Cloud Information Experience Solutions Group (that’s a mouthful!). Our primary focus is private cloud and you can find the body of our work in the Private Cloud Solutions Hub on TechNet.
My perspective on private cloud is that it provides you an opportunity to start over. I don’t see many people running data centers today who feel that their current datacenter is what they would have built on purpose. There are a number of reasons for this, but due to a confluence of things under their control and not under their control, their datacenters aren’t the well architected, well-designed, smooth running machines that they’d like them to be.
This is where private cloud represents a unique opportunity to start over. The private cloud provides you the chance to start over, to rebuild your datacenter into what you want it to be. And while some say (including myself) that the “cloud” presents a new paradigm for delivering software and services, the fact is that private cloud does all the things our current datacenters do – but does it in a way that enables them to be cheaper (sometimes), faster, more reliable, and better at delivering services to our customers.
So there you have it. The Edge Man has become the Private Cloud Architecture man. Does that mean I’m going to always have my head in the clouds and stick with conceptual stuff? Not likely. I’m doing a lot of work now on the technologies included in the Windows 8 operating system that enable the cloud. I’ll talk a lot about those technologies in the future – but if you want an early glimpse of what I’ve been working on, check the TechNet library HERE.
As we move forward, I’ll run fun things like contests, games, and other things that will put some lightning into the cloud! Looking forward to you all joining me on this trek. It’s going to be a wild ride!
Thanks!
Tom
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder