Design for Remote Management
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
Because DirectAccess client computers are connected to the intranet whenever the DirectAccess client is connected to the Internet, regardless of whether the user has logged on to the computer, they can be more easily managed as intranet resources and kept current with Group Policy changes, operating system updates, anti-malware software updates, and other changes.
Intranet management servers that client computers use to keep themselves current can consist of the following:
Microsoft System Center Configuration Manager 2007 servers
Windows Update servers
Servers for anti-malware updates, such as antivirus servers
In some cases, intranet servers or computers must initiate connections to DirectAccess clients. For example, helpdesk department computers can use remote desktop connections to connect to and troubleshoot remote DirectAccess clients. To ensure that DirectAccess clients will accept incoming traffic from these types of computers and require the protection of that traffic over the Internet, you must identify the set of these intranet management computers and configure their addresses in Step 3 of the DirectAccess Setup Wizard.
Once you have identified the computers, record their names and addresses, and configure them in Step 3 of the DirectAccess Setup Wizard. If you have no Internet Protocol version 6 (IPv6) infrastructure, record their Internet Protocol version 4 (IPv4) addresses; if you have an IPv6 infrastructure, record their IPv6 addresses, either their public native addresses or their Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) addresses. The DirectAccess Setup Wizard creates an additional set of connection security rules for a management tunnel between DirectAccess clients and the DirectAccess server. This management tunnel is encrypted with Internet Protocol security (IPsec), uses computer credentials for authentication, and is separate from the intranet and infrastructure tunnels in the full intranet and selected server access models.
Because DirectAccess clients can be behind network address translators (NATs) and use Teredo for IPv6 connectivity across the Internet, any inbound Windows Firewall with Advanced Security rules that permit unsolicited incoming traffic from management computers must be modified to enable edge traversal, and the client must also have an inbound ICMPv6 Echo Request rule with edge traversal enabled. For more information, see Packet Filters for Management Computers.
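As an added example, not part of this topic or of the output the DirectAccess Setup Wizard produces, the following netsh advfirewall script applies the two requirements above on a Windows 7 DirectAccess client: it scopes the built-in Remote Desktop rule to the management computers and enables edge traversal on it, then adds the inbound ICMPv6 Echo Request rule. The management computer prefixes are constructed from the 2001:db8:: documentation range, the ICMPv6 rule name is invented, and the built-in rule name "Remote Desktop (TCP-In)" is assumed.

```batch
@echo off
REM Constructed example: management computers are assumed to live in
REM 2001:db8:10::/64 (native IPv6) and 2001:db8:20::/64 (ISATAP).
REM Substitute the addresses you recorded for Step 3 of the wizard.
set MGMT_HOSTS=2001:db8:10::/64,2001:db8:20::/64

REM 1. Limit the built-in Remote Desktop rule (name assumed) to the
REM    management computers and enable edge traversal, so Teredo-encapsulated
REM    connections from a client behind a NAT are still accepted.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" dir=in ^
  new remoteip=%MGMT_HOSTS% edge=yes enable=yes

REM 2. Add the inbound ICMPv6 Echo Request rule (ICMPv6 type 128) that the
REM    topic requires on Teredo-connected clients, also with edge traversal
REM    and limited to the same management computers.
netsh advfirewall firewall add rule ^
  name="DirectAccess Management - ICMPv6 Echo Request (In)" ^
  dir=in action=allow protocol=icmpv6:128,any remoteip=%MGMT_HOSTS% ^
  edge=yes profile=any ^
  description="Lets management computers reach DirectAccess clients over Teredo"

REM 3. Verify: both rules should report "Edge traversal: Yes" and the
REM    RemoteIP field should list only the management prefixes.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose
netsh advfirewall firewall show rule ^
  name="DirectAccess Management - ICMPv6 Echo Request (In)" verbose
```

These commands change the local firewall policy of the computer they run on; in a deployment the same rule settings belong in the Group Policy object applied to DirectAccess clients, alongside the rules the wizard creates.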
When you are using end-to-end peer authentication with data integrity and remote management traffic is sent within the intranet tunnel, you should use Encapsulating Security Payload (ESP)-Null instead of Authentication Header (AH) for data integrity.
If the computer that is managing a DirectAccess client from the intranet is running Windows Vista or Windows Server 2008 and IPsec transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetimes.
To demonstrate remote management, configure the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613) with the Remote Management extension (http://go.microsoft.com/fwlink/?LinkId=192280).