Manage Out From Other Servers Not Working

Hello,

We have a strange issue... We have a DirectAccess single-NIC behind TMG 2010 setup and working over IPHTTPS. The client can ping internal servers, no problem. We have also set up selective ISATAP for several internal servers that we wanted to use for manage-out. Those servers have IP6 addresses and ISATAP appears to work and each server can ping each other over IP6 successfully. We have set up all the firewall rules needed for the clients to allow internal ping, file and printer sharing and remote desktop.

We can successfully ping DirectAccess clients and have tested all of the manage out functionality we need from the DirectAccess server, however we cannot ping or in any way access the clients from the other manage out servers we've configured. Any help is apprec

June 10th, 2015 12:02pm

Hi,

From your "Manage-Out" server, are you able to ping the IPHTTPSInterface IPv6 addresses of the DirectAccess server ?

Gerald

June 11th, 2015 6:14am

Just to make sure, please note the following:

  • If a user is not logged in on a DirectAccess Client, an infrastructure tunnel is established. This tunnel only allows inbound and outbound (DirectAccess Manage-Out) connectivity to and from your DirectAccess Servers, Domain Controllers and Infrastructure Servers (which you configured in DirectAccess in step 3).
  • Once a user logs in on a DirectAccess Client, an intranet tunnel is established. This tunnel allows full inbound and outbound (DirectAccess Manage-Out) connectivity from and to all intranet resources, including all your DirectAccess Manage-Out Clients configured with ISATAP.


So, if you test it, make sure a user is logged in on a DirectAccess Client. Or make sure the DirectAccess Manage-Out Client (ISATAP Client) you are using is configured as an Infrastructure Server in step 3.

June 11th, 2015 7:15am

Yes, I can ping the IPHTTPS interface of the DA server from one of the management servers.
June 11th, 2015 8:25am

I am not sure I understand your statements fully, but to confirm:

  • The user laptop is logged in with domain credentials and can access file shares, etc. Manage out still only works from the DA server - it does NOT work from the domain controllers or other management servers.
  • I have placed our DCs, our SCCM server and one other server on the Management portion of step 3
June 11th, 2015 8:29am

Ok,

In your DirectAccess Client GPO, you should have created specific Firewall rules (for Private and/or Public profile) to allow Manage-Out stations to connect to your clients. Have you made some restrictions when configuring the Remote Addresses allowed to connect to the clients? Have you also allowed ICMPv6 to reply to your ISATAP addresses?

When you perform a "tracert <client>" command from your server, where is trace blocked?

Gerald

June 11th, 2015 9:43am
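As an added example (not code from the thread or from any of its participants), the following PowerShell script runs the checks Gerald asks for in his last reply (ping of the IPHTTPS interface, tracert to the client, inspection of the client firewall rules' remote-address scope and ICMPv6 handling) together with the tunnel check implied by the earlier reply about the infrastructure versus intranet tunnel. Every address and prefix in it is a placeholder from the documentation range and must be replaced; it assumes the NetTCPIP, NetSecurity and DirectAccessClientComponents cmdlets of Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the thread: manage-out troubleshooting for a
# DirectAccess client reached from an ISATAP host. Run in an elevated
# PowerShell session (Windows Server 2012 R2 / Windows 8.1 or later cmdlets).
# All addresses below are placeholders (documentation prefix 2001:db8::/32);
# substitute your own values.

$DaIphttpsAddress = '2001:db8:1::1'       # IPHTTPSInterface address of the DA server
$ClientAddress    = '2001:db8:1:1000::a'  # IPHTTPS address of a logged-in DA client
$IsatapPrefix     = '2001:db8:1:2::/64'   # ISATAP prefix of the manage-out servers

### Part 1: run on the manage-out server (ISATAP host) ###

# 1. Does this host actually have a global ISATAP address? A link-local
#    fe80::5efe:x.x.x.x address alone is not enough to reach clients.
$isatap = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.PrefixOrigin -ne 'WellKnown' }
if (-not $isatap) {
    Write-Warning 'No global ISATAP address: check the ISATAP DNS record and "netsh interface isatap show state"'
} else {
    $isatap | Format-Table InterfaceAlias, IPAddress, PrefixLength -AutoSize
}

# 2. Which interface and next hop would be used to reach the client? The
#    route must leave via the ISATAP interface towards the DA server.
Find-NetRoute -RemoteIPAddress $ClientAddress |
    Select-Object InterfaceAlias, NextHop, DestinationPrefix | Format-Table -AutoSize

# 3. Reachability in the order asked for in the thread: the DA server's
#    IPHTTPS interface first, then the client, then a trace to see where
#    the path stops.
foreach ($target in $DaIphttpsAddress, $ClientAddress) {
    $ok = Test-Connection -ComputerName $target -Count 2 -Quiet
    "{0,-28} ping: {1}" -f $target, $(if ($ok) { 'OK' } else { 'FAILED' })
}
tracert -6 -d -w 2000 $ClientAddress

# 4. Application-level test (RDP) rather than ICMP only, since a client rule
#    may allow echo requests but not TCP 3389, or the other way round.
Test-NetConnection -ComputerName $ClientAddress -Port 3389 |
    Select-Object RemoteAddress, RemotePort, TcpTestSucceeded, PingSucceeded

### Part 2: run on the DirectAccess client ###

# 5. Is the intranet tunnel up (user logged in), or only the infrastructure
#    tunnel? With a user logged in, main-mode SAs for both tunnels to the DA
#    server are expected.
Get-DAConnectionStatus | Select-Object Status, Substatus
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint,
    FirstLocalAuthenticationMethod, SecondLocalAuthenticationMethod | Format-Table -AutoSize

# 6. Inbound firewall rules that would let manage-out hosts in: for each
#    enabled ICMPv6 or RDP allow rule, show the profile and the RemoteAddress
#    scope. 'Any' is unrestricted; otherwise the scope must contain the
#    ISATAP prefix, or traffic from the manage-out servers is silently dropped.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'ICMPv6' -or ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389')) {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            EdgeTraversal = $_.EdgeTraversalPolicy
            # exact string match only; a wider range covering the prefix needs a manual look
            CoversIsatap  = ($addr.RemoteAddress -contains 'Any') -or ($addr.RemoteAddress -contains $IsatapPrefix)
        }
    }
} | Format-Table -AutoSize
```

Run Part 1 on the server that cannot reach the client and Part 2 on the client while the test user is logged in. If step 3 reaches the DA server but the trace dies one hop later, the problem is on the client side and step 6 usually shows it: a rule whose RemoteAddress list names the DA server's address but not the ISATAP prefix, or a rule scoped only to the Domain profile while the client sits in Public or Private. On Windows 7 clients, which lack these cmdlets, the equivalent views are `netsh advfirewall firewall show rule name=all dir=in` and `netsh advfirewall monitor show mmsa`.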

This topic is archived. No further replies will be accepted.
