Summary:
Remote Management is often unavailable on Direct Access clients because the Windows Firewall blocks this specific traffic. You need to add or edit rules in Windows Firewall with Advanced Security to enable Remote Management (WinRM). Pay particular attention to the following settings:
- Profiles: Domain and Public
- Allow edge traversal
- IPv6 source address and IPv6 destination address
Problem of not being able to manage DA clients:
By default, Direct Access clients are not remotely manageable, because the Windows Firewall blocks these connections. Services like Remote Desktop, Event Viewer, Service Manager, Computer Management and PowerShell will not be available.
You might wonder why you can’t manage these clients, while you CAN manage internal clients. Most likely this is because:
- you configured the appropriate ports only in the Domain Profile of the Windows Firewall. Direct Access does not use the Domain Profile; instead, the ports need to be configured in the Private and Public Profiles.
- you didn’t allow Edge Traversal in the firewall rule. You must set Edge Traversal to “Allow Edge Traversal”.
- you set the source and destination addresses to IPv4. Direct Access uses tunneling and speaks only IPv6. You must define an IPv6 source address / range and an IPv6 destination address / range.
To test whether a port is open from a management system to your Direct Access client, Test-NetConnection is a quick way. This example tests port 3389. The ping succeeds, but the TCP test on port 3389 fails (TcpTestSucceeded : False):

    Test-NetConnection -ComputerName DAclient -Port 3389
    WARNING: TCP connect to DAclient:3389 failed

    ComputerName           : DAclient
    RemoteAddress          : fd95:e8a5:b7d4:1002:897e:77f3:f69e:bcab
    RemotePort             : 3389
    InterfaceAlias         : isatap.mydomain.com
    SourceAddress          : fd95:e8a5:b7d4:1:0:5efe:10.10.1.247
    PingSucceeded          : True
    PingReplyDetails (RTT) : 15 ms
    TcpTestSucceeded       : False
Solution to enable Remote Management over Direct Access clients:
Make sure you can ping the DA clients. If you can’t, you have a different, bigger issue. For now I assume you are able to ping the device.
- Configure all your remote management firewall rules to apply to the Private and Public Profiles.
- Configure Edge Traversal to be allowed.
- Configure the right IPv6 addresses in your firewall rule. If unsure, first allow Any to Any; this will help you narrow down the issue(s).
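As an added example (not code from the original post), the following PowerShell audits existing inbound RDP/WinRM rules for the three pitfalls above and creates a rule that avoids them. The IPv6 prefix, rule name and port list are placeholders and assumptions, not values from the post.

```powershell
# Added example: audit inbound RDP/WinRM rules for the three DirectAccess pitfalls
# (Domain-only profile, edge traversal not allowed, IPv4-only remote addresses),
# then create a rule that avoids them. Run in an elevated PowerShell.
$daPrefix = 'fd95:e8a5:b7d4::/48'   # PLACEHOLDER: your DirectAccess IPv6 prefix

function Test-DARemoteManagementRule {
    param([string[]]$Ports = @('3389', '5985', '5986'))   # RDP, WinRM HTTP/HTTPS

    Get-NetFirewallRule -Direction Inbound -Enabled True |
      Where-Object {
          # keep only rules whose local port list includes one of our ports
          $lp = @(($_ | Get-NetFirewallPortFilter).LocalPort)
          @($lp | Where-Object { $Ports -contains $_ }).Count -gt 0
      } |
      ForEach-Object {
          $remote   = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
          $profile  = "$($_.Profile)"          # e.g. "Domain", "Private, Public", "Any"
          $findings = @()
          # Pitfall 1: rule scoped to the Domain profile only
          if ($profile -notmatch 'Private|Public|Any') { $findings += 'profile lacks Private/Public' }
          # Pitfall 2: edge traversal not set to Allow
          if ($_.EdgeTraversalPolicy -ne 'Allow')       { $findings += 'EdgeTraversalPolicy is not Allow' }
          # Pitfall 3: remote address list has no IPv6 entry and is not Any
          if (-not ($remote -contains 'Any') -and -not @($remote | Where-Object { $_ -match ':' }).Count) {
              $findings += 'RemoteAddress has no IPv6 entry'
          }
          [pscustomobject]@{
              Rule          = $_.DisplayName
              Profile       = $profile
              EdgeTraversal = $_.EdgeTraversalPolicy
              RemoteAddress = ($remote -join ', ')
              Findings      = ($findings -join '; ')
          }
      }
}

function New-DARemoteManagementRule {
    # Creates an inbound rule that satisfies all three requirements from the post.
    param([string]$Name, [int]$Port, [string]$RemoteIPv6 = $daPrefix)
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port `
        -Profile Private, Public `
        -EdgeTraversalPolicy Allow `
        -RemoteAddress $RemoteIPv6
}

Test-DARemoteManagementRule | Format-Table -AutoSize
# Example: New-DARemoteManagementRule -Name 'WinRM (DirectAccess)' -Port 5985
```

Rules with an empty Findings column already meet the three conditions; narrow the RemoteAddress range once Any-to-Any has confirmed connectivity.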
After changing the related firewall rules, your Test-NetConnection should now return TcpTestSucceeded : True:

    Test-NetConnection -ComputerName DAclient -CommonTCPPort RDP

    ComputerName     : DAclient
    RemoteAddress    : fd95:e8a5:b7d4:1000:7169:69c5:b4e5:51b0
    RemotePort       : 3389
    InterfaceAlias   : isatap.mydomain.com
    SourceAddress    : fd95:e8a5:b7d4:1:0:5efe:10.10.1.247
    TcpTestSucceeded : True
Thanks to an older blog post involving RDP Access and Direct Access.