Designing Forefront UAG DirectAccess for remote management
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
This topic describes some considerations for the remote management of DirectAccess clients.
DirectAccess client computers are connected to the intranet whenever the DirectAccess client is connected to the Internet, regardless of whether the user has logged on to the computer. This means that they can be more easily managed as intranet resources and kept up-to-date with Group Policy changes, operating system updates, anti-malware software updates, and other changes.
Intranet management servers that client computers use to keep themselves up-to-date, can be:
Microsoft System Center Configuration Manager 2007 servers.
Windows Update servers.
Servers for anti-malware updates, such as antivirus servers.
In some cases, intranet servers or computers must initiate connections to DirectAccess clients. For example, helpdesk department computers can use remote desktop connections to connect to and troubleshoot remote DirectAccess clients. To ensure that DirectAccess clients accept incoming traffic from these types of computers, and that the traffic is protected over the Internet, you should identify sets of these intranet management computers, record either their names, or all of their IPv4 addresses and IPv6 addresses, and configure them in the Managing remote client computers page of the Forefront UAG DirectAccess Configuration Wizard.
Because DirectAccess clients can be located behind network address translation (NAT) devices, and use Teredo for the IPv6 connectivity across the Internet, any inbound rules for Windows Firewall with Advanced Security that permit unsolicited incoming traffic from management computers, must be modified to enable edge traversal and authenticated bypass, and must have an inbound ICMPv6 Echo Request rule with edge traversal enabled. For more information, see Packet filtering for management computers.