KB: DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010
Here’s a new Knowledge Base article we published. This one describes an issue where DirectAccess Manage Out fails for any non-ICMP traffic in UAG 2010.
=====
Symptoms
DirectAccess Manage Out does not work for any non-ICMP traffic in Microsoft Forefront Unified Access Gateway 2010. Outbound connections to external DirectAccess client machines fail for any traffic except for ICMP. If IPsec auditing is enabled you may see the following error when attempting to access the DirectAccess client:
4984 "An IPSec extended mode negotiation failed"
Cause
This issue can be caused by custom security policies regarding the local security rights for DirectAccess Manage-Out server and clients (e.g. modifying the setting "Access this computer from the network").
Manage-out connections require the ability of the source computer account and user account to authenticate IPsec connections to the remote DirectAccess client. Even though the IPsec tunnel is established from the DirectAccess server to client, the authentication occurs based on the internal source machine/account (impersonation).
The security policy for “Access this computer from network” controls the ability to authenticate and access system services on remote computers. This source machine/account must have this right granted for the remote resources for the DirectAccess Manage-Out capability to function. If the DirectAccess server machine account and the machine account of the internal source server used in impersonation do not have permissions to access the DirectAccess client machine from the network then IPsec authentication failures will occur.
Changes had been made to the local security policy which altered the default permissions for this access right. Everyone and Users groups were removed from the local security setting “Access this computer from network”.
Resolution
Reset the Local Security Setting for "Access this computer from the network" to the default configuration. By default this includes the following groups: Administrators, Backup Operators, Everyone, Users. The default setting is the only configuration which has been tested and verified for DirectAccess Manage Out connectivity.
More Information
2663354 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments : https://support.microsoft.com/default.aspx?scid=kb;EN-US;823659
=====
For the most current version of this article please see the following:
J.C. Hornbeck | System Center & Security Knowledge Engineer
Get the latest System Center news on Facebook and Twitter :
App-V Team blog: https://blogs.technet.com/appv/
ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
DPM Team blog: https://blogs.technet.com/dpm/
MED-V Team blog: https://blogs.technet.com/medv/
Orchestrator Support Team blog: https://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: https://blogs.technet.com/momteam/
SCVMM Team blog: https://blogs.technet.com/scvmm
Server App-V Team blog: https://blogs.technet.com/b/serverappv
Service Manager Team blog: https://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: https://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: https://blogs.technet.com/sus/
The Forefront Server Protection blog: https://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : https://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : https://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: https://blogs.technet.com/b/isablog/
The Forefront UAG blog: https://blogs.technet.com/b/edgeaccessblog/