Packet Filters for Management Computers
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
To allow management computers to initiate connections with your intranet computers, you might already have in place a set of inbound firewall rules for management traffic on your intranet. To allow DirectAccess clients to be managed in the same way when they are on the Internet, you can do one of the following:
Configure your existing set of inbound firewall rules for management traffic so that they also apply to the public and private profiles and have edge traversal enabled. Although easier to configure, this option is not recommended because the inbound rules might allow greater exposure what is intended for DirectAccess management functionality.
Create a duplicate set of inbound firewall rules for your management traffic in the Group Policy object for DirectAccess clients so that they only apply to the public and private profiles, have the appropriate source Internet Protocol version 6 (IPv6) addresses of management computers or the IPv6 prefix of your intranet, and have edge traversal enabled. This is the recommended option because it applies the rules only to DirectAccess clients, is scoped for your intranet IPv6 addresses or prefix, and does not affect other domain computers on the intranet or Internet.
For information about creating inbound rules, see Create an Inbound Program or Service Rule (http://go.microsoft.com/fwlink/?LinkId=159864). For more information, see Configure Packet Filters to Allow Management Traffic to DirectAccess Clients in the DirectAccess Deployment Guide.
You can enable edge traversal for a Windows Firewall inbound rule in the following ways:
Using the Windows Firewall with Advanced Security snap-in, obtain properties of an inbound rule. On the Advanced tab, in Edge traversal, select Allow edge traversal.
Use the edge=yes option for the netsh advfirewall firewall command when adding or changing an inbound rule.
Here is an example of how to use a Network Shell (Netsh) command-line tool command to enable edge traversal for the built-in Remote Desktop (TCP-In) inbound rule:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new edge=yes
To further ensure that the Remote Desktop connection is authenticated and encrypted, use the following Netsh command:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new security=authenc edge=yes
To use the security=authenc setting, ensure that there is a connection security rule that protects the connection between the remote desktop computer and the DirectAccess client.
If the computer that is managing a DirectAccess client from the intranet is running Windows Vista or Windows Server 2008 and Internet Protocol security (IPsec) transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetimes.