I'm trying to understand why my internal network machines are unable to RDP into my DirectAccess clients. My internal network is on IPv6, so there is no ISATAP going on, just direct routes to and from the clients. I am able to ping the DA clients from my management devices on the internal network without issue, but when I try to RDP directly into one of the DA clients, I am unable to connect. The clients are accepting RDP connections.
To rule out Windows Firewall, I set blanket allow rules on the management PC, the DA server and the remote client I am testing.
I used Wireshark to do some investigation and found that the DA server receives the RDP connection request on 3389 with the correct IPv6 source of the management computer, and the correct IP-HTTPS IPv6 tunnel address of the DA client.
I can't read the traffic beyond that as it becomes encrypted in the IP-HTTPS tunnel, but I am not seeing any connection attempts getting logged in Windows Firewall on the remote client.
I am able to establish an RDP connection directly from the DA server itself.
I'm at a loss as to where to go from here and would appreciate it if anyone can provide assistance.
If you need more information let me know what you need and I'll get it to you.
I found an old Forefront UAG article that addressed this very issue. The computers initiating the outgoing connection to the remote clients require "Access this computer from the network" security policy permissions on the remote client computer in order to pass the security check on the IPsec tunnel. The default Windows permissions for this work fine, but we had recently gone through a security audit where one of the recommendations was to limit "Access this computer from the network" to specific groups that need this access only. Loosening this up to allow all of our internal machine and user accounts to "access this computer from the network" fixed this problem for me.
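The answer above comes down to a user right: the "Access this computer from the network" policy (internally `SeNetworkLogonRight`) on the DirectAccess client must still include the accounts of the management hosts that initiate manage-out connections, otherwise the IPsec tunnel security check fails silently and nothing ever reaches the client's firewall log. The following PowerShell script is an added example, not code from the original post or from any DirectAccess documentation. It exports the local security policy with `secedit.exe` (shipped with Windows), lists which principals currently hold that right on the client, and warns if an expected group is missing. The group names in `$expectedPrincipals` are placeholders that you would replace with the group(s) your management computers and administrators actually belong to.

```powershell
# Added example (not from the original post): audit "Access this computer
# from the network" (SeNetworkLogonRight) on a DirectAccess client.
# Run in an elevated PowerShell session on the client. Assumes secedit.exe
# is available (it ships with Windows). The group names below are
# placeholders for whatever groups your manage-out hosts belong to.
$expectedPrincipals = @(
    'BUILTIN\Administrators',
    'CONTOSO\DA-Management-Computers'   # placeholder: group holding management computer accounts
)

# Export only the user-rights section of the local security policy to a temp INF.
$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The relevant line looks like:  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
# Entries prefixed with '*' are SIDs; others are account names.
$line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeNetworkLogonRight is absent from the export; the Windows default assignment applies.'
    return
}

$entries  = ($line -split '=', 2)[1].Trim() -split ','
$resolved = foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Translate the SID to DOMAIN\Name where the client can resolve it.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # unresolvable SID (e.g. orphaned group); keep the raw value
        }
    } else {
        $entry
    }
}

"Principals holding 'Access this computer from the network' on $env:COMPUTERNAME:"
$resolved | ForEach-Object { "  $_" }

# Flag any expected group that is not present; compare with and without the domain prefix.
$missing = $expectedPrincipals | Where-Object {
    $short = $_ -replace '^.*\\'
    ($resolved -notcontains $_) -and ($resolved -notcontains $short)
}

if ($missing) {
    Write-Warning ("Missing from SeNetworkLogonRight: {0}. Manage-out RDP from hosts " +
                   "relying on these groups will fail the IPsec tunnel security check." -f ($missing -join ', '))
} else {
    'All expected principals hold the right.'
}
```

If the right is delivered by Group Policy rather than set locally, run the script after `gpupdate /force` so the export reflects the effective setting, and remember that the fix described in the answer is to add the management hosts' group to the right rather than to remove the audit hardening entirely.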