Configure Packet Filters to Allow Management Traffic to DirectAccess Clients

  • Article

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

To allow unsolicited incoming traffic from intranet computers to DirectAccess clients, the inbound rules that allow management computers to initiate connections with intranet computers must have edge traversal enabled for Teredo-based DirectAccess clients. See Packet Filters for Management Computers for more information about whether to use your existing inbound rules or to create new inbound rules just for DirectAccess clients.

For existing or duplicated inbound rules for management traffic to DirectAccess clients, you can enable edge traversal in the following ways:

  • With the Windows Firewall with Advanced Security snap-in

  • With commands in the netsh advfirewall firewall set rule context

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To enable edge traversal for an inbound rule with the Windows Firewall with Advanced Security snap-in

  1. Click Start, click Run, type gpmc.msc, and then press ENTER.

  2. In the console tree, open **Forest\Domains\**YourDomain, right-click the appropriate Group Policy object (GPO), and then click Edit.

    For example, your inbound rules for management traffic that are specific to DirectAccess clients would reside in the DirectAccess client GPO named DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}.

  3. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.

  4. In the contents pane, right-click a rule for management traffic, and then click Properties.

  5. Click the Advanced tab, in Edge traversal, select Allow edge traversal, and then click OK.

  6. Repeat steps 4 and 5 for the additional rules for management traffic.

To enable edge traversal for an inbound rule with the Netsh.exe command-line tool

  1. On a domain controller, start a command prompt as an administrator

  2. From the Command Prompt window, run the netsh –c advfirewall command.

  3. From the netsh advfirewall prompt, run the **set store gpo=DomainName\**GPOName command.

    For example, the name of the DirectAccess client GPO for the corp.contoso.com domain is DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}. Therefore, the command is set store gpo=”corp.contoso.com\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}".

  4. From the netsh advfirewall prompt, run the firewall show rule name=all command.

  5. From the display of this command, copy or write down the names of the inbound rules for management traffic to DirectAccess clients.

  6. From the netsh advfirewall prompt, run the **firewall name=**RuleName edge=yes command for each rule noted in step 5.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.