Designing Forefront UAG DirectAccess for remote management

Updated: February 1, 2010

Applies To: Unified Access Gateway

This topic describes some considerations for the remote management of DirectAccess clients.

DirectAccess client computers are connected to the intranet whenever the DirectAccess client is connected to the Internet, regardless of whether the user has logged on to the computer. This means that they can be more easily managed as intranet resources and kept up-to-date with Group Policy changes, operating system updates, anti-malware software updates, and other changes.

Intranet management servers that client computers use to keep themselves up-to-date, can be:

  • Microsoft System Center Configuration ManagerĀ 2007 servers.

  • Windows Update servers.

  • Servers for anti-malware updates, such as antivirus servers.

In some cases, intranet servers or computers must initiate connections to DirectAccess clients. For example, helpdesk department computers can use remote desktop connections to connect to and troubleshoot remote DirectAccess clients. To ensure that DirectAccess clients accept incoming traffic from these types of computers, and that the traffic is protected over the Internet, you should identify sets of these intranet management computers, record either their names, or all of their IPv4 addresses and IPv6 addresses, and configure them in the Managing remote client computers page of the Forefront UAG DirectAccess Configuration Wizard.

Because DirectAccess clients can be located behind network address translation (NAT) devices, and use Teredo for the IPv6 connectivity across the Internet, any inbound rules for Windows Firewall with Advanced Security that permit unsolicited incoming traffic from management computers, must be modified to enable edge traversal and authenticated bypass, and must have an inbound ICMPv6 Echo Request rule with edge traversal enabled. For more information, see Packet filtering for management computers.

Note

  • If the computer that is managing a DirectAccess client from the intranet is running Windows Vista or Windows Server 2008, and IPsec transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetimes.

  • Intranet management servers that initiate connections to DirectAccess clients must fully support IPv6. The NAT64 implementation on the Forefront UAG DirectAccess server does not support translation of outbound connections initiated from the intranet.