Having implemented Direct Access with UAG (Microsoft Unified Access Gateway) at a customer location there were some questions when we were done. Their helpdesk is using SCCM (System Center Configuration Manager) and the remote management tools included, how would they go about managing the clients? Would that work even if the user wasn’t logged in? Well, after some research we found out that they could actually manage the client if someone was logged in. If nobody was, no remote management would occur.
The reason? Well, traffic initiated from the inside of the network have to go through the management tunnel if nobody is logged in. For that to happen the servers or workstations that wish to communicate have to be included in the management group. If you’re going to use a management server or workstation for your work it’ll have to be IPv6 capable too because DA / UAG won’t translate IPv4 to IPv6 for traffic initiated from the inside.
The UAG needs to include ALL the computers you want to use for remote management of DA clients where nobody is logged on. Ie using the management tunnel. As soon as a user logs on communication can occur on the user tunnel.
If you’re using mobile connections you’ll need to make sure that they will register their address in DNS. If you don’t do this your clients won’t register, and you won’t be able to find them from your internal network.
Clients needs to have their firewall configuration updated with rules that allow the traffic you need, for example RDP. Please note that the profile you must use for this is the PUBLIC profile since that’s the one applied when the DA client is connected from the internet. You must also allow “edge traversal” for these rules to work over all tunnels.
More resources for manage out with Direct Access: