Cannot resolve DirectAccess client from inside the company
-
Monday, November 19, 2012 5:47 PM
I have a UAG POC implemented and it is working perfectly from the DirectAccess client side. However, I cannot resolve the DirectAccess client in DNS from inside the company network. I see in DNS that the DA client has registered its Teredo IPv6 record, but when I try to ping or RDP to the hostname of the DA client it fails, and it seems from a network trace taken on a computer inside the company that it was unable to resolve the name.
Add-on: I did create the firewall rules via Group Policy for DA clients to allow inbound ICMPv6 echo requests and RDP, and also flipped the allow edge traversal setting.
All Replies
-
Monday, November 19, 2012 8:57 PM
Hi,
It sounds like your client only has an IPv4 address and therefore only cares about that answer...
Can you check that your client can query the DNS server and receive the IPv6 address as a response?
Example syntax:
nslookup<enter>
set type=aaaa<enter>
TheNameOfYourClient<enter>
If this returns a correct answer, try enabling ISATAP on your client to make sure it has an IPv6 address and has a way to reach the IPv6 address the DA client has.
Jonas Blom | Relevo AB | http://blog.nrpt.se
- Proposed As Answer by Jonas Blom Tuesday, November 20, 2012 7:23 AM
-
Tuesday, November 20, 2012 12:40 AM
When I do that from my internal client I get a Teredo address and an IP-HTTPS address. I did change ISATAP from default to enabled, but it seems like it only got a link-local IPv6 address and not the expected ISATAP address.
I did the ISATAP enable on the DA client and not on the internal client.
Edit:
I did unblock ISATAP on two of my DCs which service clients, and neither of the two DCs has an ISATAP address either; not sure if they should have. The UAG server does have an ISATAP address, but that is not in DNS.
- Edited by Pegoto Tuesday, November 20, 2012 12:56 AM
-
Tuesday, November 20, 2012 7:22 AM
Hi again,
You should have enabled ISATAP on the internal client you want to perform manage-out from.
But if your DCs don't receive ISATAP either, I am guessing you have the ISATAP DNS record on the global query block list in DNS. (You of course also need to have your UAG configured as an ISATAP router.)
A suggestion: read the following article and use it to implement an ISATAP setup limited only to those clients that need to perform manage-out.
http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html
Jonas Blom | Relevo AB | http://blog.nrpt.se
- Edited by Jonas Blom Tuesday, November 20, 2012 7:23 AM fixed typo
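The checks suggested in the two replies above (the AAAA lookup from the first reply, and the ISATAP state and DNS global query block list from the second) collected into one script, as an added example that is not part of the thread and not from any of the posters. It assumes an elevated PowerShell 3.0 or later session on the internal manage-out client, the DnsServer module on the DC for the block-list step (Server 2012 or later; the older dnscmd.exe equivalents are given in comments), and the hostnames $DaClient, $DnsServer and $UagIsatap are placeholders to replace with your own.

```powershell
# Added example (not from the thread): manage-out name-resolution checklist for the ISATAP/AAAA issue above.
# Assumptions (not in the original posts): placeholder names below; run elevated on the internal
# (manage-out) client; DnsServer module reachable on the DC for step 3.
param(
    [string]$DaClient  = 'daclient01.corp.example',   # hypothetical DirectAccess client FQDN
    [string]$DnsServer = 'dc01.corp.example',         # hypothetical internal DC / DNS server
    [string]$UagIsatap = 'isatap.corp.example'        # hypothetical ISATAP router name pointing at UAG
)

# 1. Does DNS return an AAAA record for the DA client (same as nslookup / set type=aaaa)?
$aaaa = Resolve-DnsName -Name $DaClient -Type AAAA -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' }
if ($aaaa) {
    $aaaa | ForEach-Object { "AAAA for ${DaClient}: $($_.IPAddress)" }
} else {
    Write-Warning "No AAAA record for $DaClient; the DA client has not registered one, or DNS is not returning it."
}

# 2. Does THIS machine have a usable ISATAP address? Only a link-local fe80:: on the ISATAP interface
#    means the interface is up but no router advertisement arrived, which is the symptom in the thread.
$isatapCfg = Get-NetIsatapConfiguration
"ISATAP state: $($isatapCfg.State), router: $($isatapCfg.Router)"
$isatapAddr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
              Where-Object { $_.InterfaceAlias -like '*ISATAP*' -and $_.IPAddress -notlike 'fe80:*' }
if ($isatapAddr) {
    $isatapAddr | ForEach-Object { "ISATAP global address: $($_.IPAddress)" }
} else {
    Write-Warning 'No global ISATAP address. Enable ISATAP here and point it at the UAG ISATAP router:'
    Write-Warning "  Set-NetIsatapConfiguration -State Enabled -Router $UagIsatap"
    Write-Warning "  (netsh equivalent: netsh interface isatap set state enabled / netsh interface isatap set router $UagIsatap)"
}

# 3. Is 'isatap' still on the DNS global query block list? If it is, clients never resolve the
#    ISATAP router name and never get an address, regardless of the client-side setting.
try {
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -ErrorAction Stop
    if ($gqbl.Enable -and ($gqbl.List -contains 'isatap')) {
        Write-Warning "'isatap' is blocked on $DnsServer. Keep only wpad on the list with:"
        Write-Warning "  Set-DnsServerGlobalQueryBlockList -List wpad -ComputerName $DnsServer"
        Write-Warning "  (dnscmd equivalent: dnscmd $DnsServer /config /globalqueryblocklist wpad)"
    } else {
        "Global query block list on ${DnsServer}: $($gqbl.List -join ', ') (isatap not blocked)"
    }
} catch {
    Write-Warning "Could not read the block list remotely ($_). Run 'dnscmd /info /globalqueryblocklist' on $DnsServer."
}

# 4. Only once steps 1-3 pass does an IPv6 ping/RDP to the hostname have a path: from this host's
#    ISATAP address, via the UAG server, to the DA client's Teredo or IP-HTTPS address.
ping.exe -6 -n 2 $DaClient
```

Run it on the internal client from which you want to manage the DA client; if step 1 already fails, the problem is registration or DNS, not ISATAP, and steps 2 and 3 are beside the point. Unblocking isatap on the DNS servers affects every ISATAP-capable host in the domain, which is why the article linked above limits ISATAP to the manage-out hosts via a separate DNS name and Group Policy rather than unblocking it globally.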

