Enable Remote Management (Remote Desktop (RDS/RDP) and eventviewer (eventvwr) for Direct Access clients


Remote Management is often disabled on Direct Access clients. The Windows Firewall blocks this specific traffic. You need to add or edit rules to Windows Firewall with Advanced Security to enable Remote Management (WinRM). Pay attention especially to the following settings:

  • Profiles: Domain and Public
  • Allow edge traversal
  • IPv6 source address and IPv6 destination address

Problem of not being able to manage DA clients:

By default, Direct Access clients are not remotely manageable, because of the Windows Firewall blocking these connections. Services like Remote Desktop, Event Viewer, Service Manager, Computer Management and Powershell will not be available.

You might wonder why you can’t manage these clients, while you CAN manage internal clients. Most likely this is because

  1. you configured the appropriate ports in only the Domain Profile of the Windows Firewall. Direct Access does not make use of the Domain Profile, but instead the ports need to be configured in the Private and Public Profile.
  2. you didn’t allow Edge traversal in the Firewall Rule. You must set Edge Traversal to “Allow Edge Traversal”
  3. you set the source and destination addresses to IPv4. Direct Access uses tunneling and only speaks IPv6-language. You must define an IPv6 source address / range and a IPv6 destination address / range.

To test whether a port is open from a management system to your Direct Access Client, it’s pretty fast to use Test-NetConnection. This example shows you a test to port 3389. The ping succeeds, but the TCPTest on port 3389 fails:

Test-NetConnection -ComputerName DAclient -Port 3389
WARNING: TCP connect to DAclient:3389 failed

ComputerName           : DAclient
RemoteAddress          : fd95:e8a5:b7d4:1002:897e:77f3:f69e:bcab
RemotePort             : 3389
InterfaceAlias         : isatap.mydomain.com
SourceAddress          : fd95:e8a5:b7d4:1:0:5efe:
PingSucceeded          : True
PingReplyDetails (RTT) : 15 ms
TcpTestSucceeded       : False

Solution to enable Remote Management over Direct Access clients:

Make sure you can ping the DA clients. If you can’t, you have another bigger issue. For now I assume you are able to ping the device.

  1. Configure all your remote management firewall rules to apply to the Private and Public Profile.
  2. Configure Edge Traversal to be allowed
  3. Configure the right IPv6 addresses in your firewall rule. If unsure, first try to allow Any to Any. This will help you narrow down the issue(s).Configure firewall ports and edge traversal for Direct Access

After changing the related firewall rules, your Test-NetConnection should now return TCPTestSucceeded: True:

Test-NetConnection -ComputerName DAclient -CommonTCPPort RDP

ComputerName     : DAclient
RemoteAddress    : fd95:e8a5:b7d4:1000:7169:69c5:b4e5:51b0
RemotePort       : 3389
InterfaceAlias   : isatap.mydomain.com
SourceAddress    : fd95:e8a5:b7d4:1:0:5efe:
TcpTestSucceeded : True


Thanks to an older blog post involving RDP Access and Direct Access.


0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x