This topic describes how to enable packet filtering for management server traffic to your DirectAccess clients.
To allow management computers to initiate connections with your intranet computers, you might already have in place a set of inbound firewall rules for management traffic on your intranet. To allow DirectAccess clients to be managed in the same way when they are on the Internet, you can do one of the following:
- Configure your existing set of inbound firewall rules for management traffic so that they also apply to the public and private profiles and have edge traversal enabled. Although easier to configure, this option is not recommended because the inbound rules might allow greater exposure than intended.
- Create a duplicate set of inbound firewall rules for your management traffic in the Group Policy object for DirectAccess clients so that they only apply to the public and private profiles, have the appropriate source Internet Protocol version 6 (IPv6) addresses of management computers or the IPv6 prefix of your intranet, and have edge traversal enabled. This is the recommended option because it applies the rules only to DirectAccess clients, is scoped for your intranet IPv6 addresses or prefix, and does not affect other domain computers on the intranet or Internet.
Note: Your existing set of inbound packet filters that allow management computers to initiate connections with your intranet computers must be modified to enable edge traversal for Teredo-based DirectAccess clients. For information about creating inbound rules, see Create an Inbound Program or Service Rule (http://go.microsoft.com/fwlink/?LinkId=178213).
You can enable edge traversal for a Windows Firewall inbound rule in the following ways:
- Using the Windows Firewall with Advanced Security snap-in, obtain the properties of an inbound rule, click the Advanced tab, then, in Edge traversal, select Allow edge traversal.
- Use the edge=yes option for the netsh advfirewall firewall command when adding or changing an inbound rule.
The following is an example of a Netsh.exe command that enables edge traversal for the built-in Remote Desktop (TCP-In) inbound rule:
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" dir=in new edge=yes
To further ensure that the Remote Desktop connection is authenticated and encrypted, use the following Netsh.exe command:
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" dir=in new security=authenc edge=yes
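The following PowerShell script is an added example that is not part of this topic; it shows the recommended option from the list above (a duplicate, scoped inbound rule rather than a widened existing one) implemented with the same netsh advfirewall commands. The rule name "DirectAccess Management - Remote Desktop (TCP-In)", the connection security rule name, and the intranet prefix 2001:db8:10::/48 are assumptions chosen for illustration (2001:db8::/32 is the IPv6 documentation prefix); substitute your own management addresses or intranet prefix. The script writes to the local firewall store so that it can be tested on one computer; the commented line shows how to redirect it to the DirectAccess client Group Policy object instead.

```powershell
# Added example: create a scoped, edge-traversal-enabled inbound rule for
# management traffic to DirectAccess clients, then verify it.
# Run from an elevated PowerShell prompt on a test client first.

# Assumed values (constructed for this example): replace with your own.
$RuleName    = "DirectAccess Management - Remote Desktop (TCP-In)"
$ConsecName  = "DirectAccess Management - Require IPsec"
$IntranetV6  = "2001:db8:10::/48"   # IPv6 prefix of management computers / intranet

# To write these rules into the DirectAccess client GPO instead of the local
# store, uncomment and supply the GPO name (placeholder, not a real value):
# netsh advfirewall set store gpo="<domain>\<DirectAccess client GPO name>"

# 1. Duplicate inbound rule, restricted to the public and private profiles,
#    to the intranet IPv6 prefix as the remote address, with edge traversal
#    enabled so Teredo-based clients can receive the unsolicited connection,
#    and with security=authenc so the connection must be IPsec-authenticated
#    and encrypted. Leaving the domain profile out keeps the rule from
#    affecting clients while they are on the intranet.
netsh advfirewall firewall add rule `
    name="$RuleName" `
    dir=in action=allow `
    protocol=TCP localport=3389 `
    remoteip=$IntranetV6 `
    profile=public,private `
    edge=yes `
    security=authenc

# 2. security=authenc only works if a connection security rule protects the
#    traffic between the managing computer and the client (see the note that
#    follows). This rule requires IPsec transport mode with computer Kerberos
#    authentication for traffic to and from the intranet prefix.
netsh advfirewall consec add rule `
    name="$ConsecName" `
    endpoint1=any `
    endpoint2=$IntranetV6 `
    action=requireinrequireout `
    mode=transport `
    auth1=computerkerb

# 3. Verify: the verbose listing should show Profiles: Private,Public,
#    RemoteIP limited to the prefix, Edge traversal: Yes and
#    Security: AuthEnc. Anything wider than that (Profiles: Domain,Private,
#    Public or RemoteIP: Any) is the over-exposure the first option warns of.
netsh advfirewall firewall show rule name="$RuleName" verbose
netsh advfirewall consec show rule name="$ConsecName"
```

The scoping does two independent things worth keeping separate in review: remoteip limits which source addresses can reach the listening port at all, and security=authenc additionally rejects any connection that is not IPsec-protected, so a spoofed source address inside the prefix still gets no session without the Kerberos computer credential.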
Note: To use the security=authenc setting, ensure that there is a connection security rule that protects the connection between the remote desktop computer and the DirectAccess client.
Note: If the computer that is managing a DirectAccess client from the intranet is running Windows Vista or Windows Server 2008, and IPsec transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetime.