Does DirectAccess 2012 allow clients to use IPv4

    Question

  • Hi,

    We have an app that, when using DirectAccess 2008 with UAG from home, tries to connect to a license server before it initiates; say it is called License01. It works in the office, but not at home. I can ping License01 and get a reply, and there are no firewall restrictions.

    I did a Wireshark trace and can see the application trying to do an NBNS for License01. I believe this is a NetBIOS broadcast and is an IPv4-only protocol. I believe this is the problem; if it were to use DNS for name resolution then we would not have a problem. The application is very old and we are lucky to have it working on Windows 7 in the first place.

    1) Can anyone verify that what I think is happening is actually happening?

    2) Will DirectAccess 2012 allow the clients to use IPv4 over the VPN tunnel, or is the IPv4 communication that is being introduced only for backend communication from the DirectAccess server to servers that cannot use IPv6 previously?

    Any clarification would very much be appreciated as it has been suggested upgrading to DirectAccess 2012 will solve our problem, but if the answer to question 2 is that IPv4 will still not be available over the tunnel from the client then this will not solve our problem.

    Many thanks,

    Michael

    Friday, July 05, 2013 11:28 PM

All replies

  • hi,

    Only IPv6 traffic will pass through the IPsec tunnels. If you can't resolve your name using DNS names you won't have an IPv6 address. Does your application rely on TCP or UDP traffic to contact your licence server?

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Saturday, July 06, 2013 6:18 AM
  • Thanks for writing back Benoit,

    TCP on a specific port, 3830 I think.

    I can telnet to License01 on port 3830 perfectly fine.

    There is a DNS entry for License01, so if I ping it it works fine, and replies back on an IPv6 address, however the application doesn't look like it is using DNS to resolve the name, instead doing a NetBIOS broadcast.

    I suppose if server 2012 still forces the tunnel to be IPv6, then the NetBIOS broadcast will never be able to go down the tunnel and find the IP address?

    If I had a WINS server, would DirectAccess be able to use the WINS server instead, or will WINS only ever return an IPv4 address anyway, therefore leaving me in the same position?

    Regards,

    Michael

    Monday, July 08, 2013 8:47 AM
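The two posts above hinge on the same observation: the Wireshark trace shows the application sending a NetBIOS Name Service (NBNS) broadcast for License01 rather than a DNS query, and an IPv4 broadcast can never enter an IPv6-only tunnel. The following is an added example, not code from any of the posters; it builds a constructed NBNS name query for LICENSE01 (RFC 1001/1002 first-level name encoding, UDP/137), parses such queries back out of captured datagrams, and flags the ones that will not traverse a DirectAccess tunnel. The packet dict layout, the sample capture and the verdict strings are assumptions made for the example.

```python
"""Spot NBNS (NetBIOS Name Service) broadcast lookups in captured UDP traffic.

Added example for this thread, not code from the original posts. The capture
format (a list of dicts) and the sample datagrams are constructed here.
"""
import ipaddress
import struct

NBNS_PORT = 137
FLAG_RESPONSE = 0x8000     # R bit: set on replies, clear on queries
FLAG_RECURSION = 0x0100    # RD bit: present in normal client queries
FLAG_BROADCAST = 0x0010    # B bit: query was broadcast (RFC 1002 header flags)
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001

VERDICT_NO_TUNNEL = "IPv4 NBNS broadcast: will not traverse the DirectAccess tunnel"
VERDICT_IPV6 = "NBNS query sent over IPv6"


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001/1002 first-level encoding: the name is upper-cased, space-padded
    to 15 bytes, a 1-byte suffix is appended, and every byte is split into two
    nibbles each offset from 'A'. Result is always 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST as a broadcasting client sends it:
    12-byte header (flags 0x0110 = RD + B), one question, QTYPE NB, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RECURSION | FLAG_BROADCAST, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_nbns_query(payload: bytes):
    """Parse a NAME QUERY REQUEST from a UDP payload; None for anything else."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    opcode = (flags >> 11) & 0x0F            # 0 = QUERY
    if flags & FLAG_RESPONSE or opcode != 0 or qdcount != 1 or payload[12] != 32:
        return None
    name, suffix = decode_netbios_name(payload[13:45])
    return {"txid": txid, "name": name, "suffix": suffix,
            "broadcast": bool(flags & FLAG_BROADCAST)}


def classify_lookup(pkt: dict):
    """Verdict for one captured UDP datagram (keys: src, dst, dport, payload).
    Per the thread, only IPv6 crosses the DA tunnel, so an IPv4 NBNS broadcast
    can never reach the server side to be answered."""
    if pkt["dport"] != NBNS_PORT:
        return None
    query = parse_nbns_query(pkt["payload"])
    if query is None:
        return None
    dst = ipaddress.ip_address(pkt["dst"])
    verdict = VERDICT_NO_TUNNEL if dst.version == 4 else VERDICT_IPV6
    return query["name"], verdict


def audit_capture(packets: list) -> list:
    """Return (name, verdict) for every NBNS name query in the capture."""
    results = []
    for pkt in packets:
        hit = classify_lookup(pkt)
        if hit is not None:
            results.append(hit)
    return results


# Constructed sample capture: one NBNS broadcast for LICENSE01 (the symptom from
# the thread) and one unrelated datagram to UDP/53 that is not NBNS at all.
SAMPLE_CAPTURE = [
    {"src": "192.168.1.20", "dst": "192.168.1.255", "dport": NBNS_PORT,
     "payload": build_nbns_query("LICENSE01")},
    {"src": "192.168.1.20", "dst": "192.168.1.1", "dport": 53,
     "payload": b"\x00" * 50},
]

if __name__ == "__main__":
    for name, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"{name}: {verdict}")
```

Running the script prints the verdict for LICENSE01. Pointing `audit_capture` at datagrams exported from a real trace (destination, port and UDP payload per packet) is enough to confirm whether an application is resolving a name by NBNS broadcast instead of DNS, which is the check Michael did by eye in Wireshark.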
  • If this is Server 2012, open port 3830 in and out as a test, and try with the IP address instead of the hostname. I've currently got some similar issues I'm working to resolve with DA on Server 2012.

    Thanks

    Friday, July 19, 2013 8:38 AM
  • You do not have to open ports with Server 2012 DirectAccess. As long as the subnet that you are trying to contact is in the routing table of the DirectAccess server, the clients have access to route any port into that subnet. There are no port restrictions out of the box.

    Contacting resources via IPv4 address will never work over DirectAccess. All traffic from the DA client to the DA server is always IPv6, that is what Benoit was saying. When you contact a resource over DirectAccess, you must do so by name. Or by IPv6 address, but who's going to do that?

    Some applications just are not capable of IPv6. Sometimes it's only certain portions of applications that can't do it. Depends on the developers and how they coded it. I don't know about your NetBIOS broadcast, I've never done any extensive testing in this area, but if you suspect this app may not be fully IPv6 capable (it sounds to me like this may be the case), I have a utility that can intercept IPv4 packets from these kinds of applications and flip them into IPv6 packets to make their way successfully across the DA tunnels. I don't know for sure that it will resolve your issue because of the broadcast that you see happening, but it may be worth testing if you run out of options. Feel free to reach out if you want to talk more about that: Jordan.Krause@ivonetworks.com

    Friday, July 19, 2013 1:11 PM
  • Hi

    NETBIOS does not exist in DNS. Maybe your application is "hardcoded" to use IPv4. Let's try this "trick":

    http://danstoncloud.com/blogs/simplebydesign/archive/2012/02/11/tcpv4-based-applications-with-directaccess.aspx

    It only works with TCP protocols.

    Cheers


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, July 19, 2013 4:25 PM
  • Thanks, I'll try this out and report back!

    Regards,

    Michael

    Monday, July 22, 2013 4:37 PM