This topic describes how to enable packet filtering for management server traffic to your DirectAccess clients.
To allow management computers to initiate connections with your intranet computers, you might already have in place a set of inbound firewall rules for management traffic on your intranet. To allow DirectAccess clients to be managed in the same way when they are on the Internet, you can do one of the following:
- Configure your existing set of inbound
firewall rules for management traffic so that they also apply to
the public and private profiles and have edge traversal enabled.
Although easier to configure, this option is not recommended
because the inbound rules might allow greater exposure than
- Create a duplicate set of inbound firewall
rules for your management traffic in the Group Policy object for
DirectAccess clients so that they only apply to the public and
private profiles, have the appropriate source Internet Protocol
version 6 (IPv6) addresses of management computers or the IPv6
prefix of your intranet, and have edge traversal enabled. This is
the recommended option because it applies the rules only to
DirectAccess clients, is scoped for your intranet IPv6 addresses or
prefix, and does not affect other domain computers on the intranet
Your existing set of inbound packet filters that allow management computers to initiate connections with your intranet computers, must be modified to enable edge traversal for Teredo-based DirectAccess clients. For information about creating inbound rules, see Create an Inbound Program or Service Rule (http://go.microsoft.com/fwlink/?LinkId=178213).
You can enable edge traversal for a Windows Firewall inbound rule in the following ways:
- Using the Windows Firewall with Advanced
Security snap-in, obtain the properties of an inbound rule, click
the Advanced tab, then, in Edge traversal select
Allow edge traversal.
- Use the edge=yes option for the
netsh advfirewall firewall command when adding or changing
an inbound rule.
The following is an example of a Netsh.exe command that enables edge traversal for the built-in Remote Desktop (TCP-In) inbound rule:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new edge=yes
To further ensure that the Remote Desktop connection is authenticated and encrypted, use the following Netsh.exe command:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new security=authenc edge=yes
|To use the security=authenc setting, ensure that there is a connection security rule that protects the connection between the remote desktop computer and the DirectAccess client.|
|If the computer that is managing a DirectAccess client from the intranet is running Windows Vista or Windows Server 2008, and IPsec transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetime.|