DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010


DirectAccess Manage Out does not work for any non-ICMP traffic in Microsoft Forefront Unified Access Gateway 2010.  Outbound connections to external DirectAccess client machines fail for any traffic except for ICMP.  If IPsec auditing is enabled you may see the following error when attempting to access the DirectAccess client:

4984 "An IPSec extended mode negotiation failed"


This issue can be caused by custom security policies regarding the local security rights for DirectAccess Manage-Out server and clients (e.g. modifying the setting "Access this computer from the network").

Manage-out connections require the ability of the source computer account and user account to authenticate IPsec connections to the remote DirectAccess client. Even though the IPsec tunnel is established from the DirectAccess server to client, the authentication occurs based on the internal source machine/account (impersonation).

The security policy for “Access this computer from network” controls the ability to authenticate and access system services on remote computers. This source machine/account must have this right granted for the remote resources for the DirectAccess Manage-Out capability to function. If the DirectAccess server machine account and the machine account of the internal source server used in impersonation do not have permissions to access the DirectAccess client machine from the network then IPsec authentication failures will occur.

Changes had been made to the local security policy which altered the default permissions for this access right. Everyone and Users groups were removed from the local security setting “Access this computer from network”.


Reset the Local Security Setting for "Access this computer from the network" to the default configuration.  By default this includes the following groups:  Administrators, Backup Operators, Everyone, Users.  The default setting is the only configuration which has been tested and verified for DirectAccess Manage Out connectivity.

More Information

823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments :;EN-US;823659