Direct Access Windows Server 2012 - ISATAP and Internet connectivity problem

  • Question

  • Hello,

    I'm currently installing DirectAccess on Windows Server 2012 and experiencing some trouble accessing the Internet from clients on the intranet that have ISATAP configured.

    I need to manage out my clients (Windows 7) that are connected with DirectAccess, using SCCM 2012. So ISATAP is needed, because native IPv6 is not an option for now :).

    Indeed, here is my configuration:

    - My ISP is IPv4-only, and my firewall at the entry to the DMZ is IPv4-only too.

    - One DA server on Windows Server 2012 acting as ISATAP router and NAT64/DNS64 (in the DMZ).

    - One PKI.

    All is configured, and my Windows 7 DA laptop clients access the intranet infrastructure with DA via IP-HTTPS without problem. Working fine.

    Since I need to manage out these clients, I enabled ISATAP on the Windows 7 DA clients (the ISATAP router is the DA server). Working fine too: if I do an ipconfig /all, I get an ISATAP adapter with an ISATAP IPv6 address (fde2:38c7:a88e:.....).

    I checked my internal enterprise DNS, and all clients registered AAAA records with their ISATAP IPv6 address. All good.

    I tried to manage out a DA client connected via IP-HTTPS to the DA server and accessing my internal infrastructure, with SCCM 2012, and it is working well.

    So DirectAccess and ISATAP are working well.

    But,

    Here is my problem ;) : when the DA clients are connected to the enterprise network, they try to access the Internet with their ISATAP IPv6 address in priority. Indeed, if I go to Google (Google is now on native IPv6), my clients try to access Google with its IPv6 address (2a00:...); since my ISP and firewall are IPv4, I get a timeout, and it switches after 1 minute or more to IPv4 and accesses Google over IPv4. Because since Windows Vista, IPv4 is used in priority.

    It is the same problem for all websites that are IPv6-native: I get a timeout.

    I get no problem with IPv4 websites.

    If I disable ISATAP, all is working again, and my DA clients request the Internet with IPv4 only.

    It looks like this is a big problem: the DA client requests the DA server (ISATAP router), and the DA server requests the Internet in IPv6 (that is what I see in my BigIP F5 traces), working as an IPv6 gateway.

    How can I prevent this trouble? This is really a big problem, since I can't actually use ISATAP in my enterprise infrastructure.

    Best Regards,

    Marc.

    Wednesday, October 17, 2012 8:50 AM

All replies

  • Have you enabled ISATAP globally internally then?

    If you limit ISATAP to specific manage out clients, the problem would then only exist for those clients - would that help?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 17, 2012 12:34 PM
  • Hi Jason,

    Indeed, if ISATAP is enabled globally, all Windows 7 computers are impacted, and it's a big problem for me, so it's not enabled.

    I enabled ISATAP via GPO only on the DA laptop clients to prevent trouble (I still have isatap in the global query block list in the internal DNS).

    But when the DA clients are connected to the enterprise network, they can't use IPv6 websites... I need to force them to use IPv4 with ISATAP enabled, or something like that.

    My question is: is it normal behaviour?

    Regards,

    Marc

    Wednesday, October 17, 2012 12:56 PM
  • I would only enable ISATAP on your manage out clients, not your DA clients.

    If you are not using a proxy server and consequently resolve Internet DNS names to their IPv6 address, then I would expect this behaviour may occur. If you are using ISATAP from DA Server then I would also imagine your IPv6 default gateway is the DA server? This probably won't help either!


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, October 17, 2012 1:29 PM
  • Hi,

    Jason is right, and you will find the solution to your problem on his blog: http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html. With DirectAccess, ISATAP is only required for the manage-out scenario. There is no need to move all your network to ISATAP unless this is your IPv6 migration strategy.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, October 17, 2012 2:31 PM
  • Hmm, interesting Jason.

    Indeed, we don't have any proxy server for web access. And in fact, the DA server is the gateway, since it's the ISATAP router!

    That is the problem, actually: so it resolves the Internet with IPv6.

    Well, you say to enable ISATAP on the manage-out servers, so in my scenario I need to enable ISATAP on the SCCM servers only; will it be OK for you?

    Is it better to have an ISATAP router on a standalone server instead of on the DA server?

    Thanks for your help,

    Wednesday, October 17, 2012 2:41 PM
  • Yes, just enable ISATAP for the servers that need to initiate outbound IPv6 connections.

    Having a standalone ISATAP router is often recommended, yes.

    In fact, I have read that DirectAccess 2012 isn't officially supported with ISATAP, as MS now recommends native IPv6 when doing manage out (have to find the document)...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    • Marked as answer by Marc Berger Wednesday, October 17, 2012 7:48 PM
    Wednesday, October 17, 2012 4:53 PM
  • Hi

    If you find the document providing recommendations about the DirectAccess support policy with Windows Server 2012 again, I'm sure that we will all appreciate it.

    Cheers.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, October 17, 2012 6:44 PM
  • Spooky, just found it :)

    ISATAP is not recommended for use as the IPv6 to IPv4 transition technology in DirectAccess in Windows Server 2012. If Forefront UAG is configured to use ISATAP, it is recommended to disable it, and use NAT64 instead.

    With ISATAP disabled DirectAccess clients can initiate connections to computers on the internal network, and the computers on the internal network are able to respond. However, computers on the internal network will not be able to initiate connections to DirectAccess for purposes of remote client management. If you want to be able to do remote client management, consider deploying native IPv6 for management servers that will connect to DirectAccess client computers.

    Source: http://technet.microsoft.com/en-us/library/hh831658.aspx

    ...but there is also this:

    Manage-out support requires ISATAP deployment or management servers with v6 addresses.

    Source: http://technet.microsoft.com/en-us/library/hh831416.aspx

    So, not really sure what the official line is... I would think that the first comment is more likely, and the second has been left over from old text...

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Wednesday, October 17, 2012 6:56 PM
  • ...and this:

    It is recommended that you do not use ISATAP in a Windows Server 2012 DirectAccess deployment. You should disable ISATAP and use NAT64 instead.

    If manage out capability is also required for Windows Server 2012, we recommend that you enable native IPv6 in your network, at least for those hosts that need to manage DirectAccess clients. If deploying native IPv6 is not an option and managing DirectAccess clients from within the internal network is required, perform the following procedure:

    Source: http://technet.microsoft.com/en-us/library/hh831643.aspx

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Wednesday, October 17, 2012 6:59 PM
  • Yeah, indeed, I saw that information about ISATAP and WS 2012 DirectAccess. But there is no choice when native IPv6 is not possible.

    Well, thanks for the help Jason, I will try to limit ISATAP to the SCCM servers and disable it on the DA clients.

    I will maybe install a standalone ISATAP server :)

    Best Regards,

    Marc



    • Edited by Marc Berger Wednesday, October 17, 2012 7:57 PM
    Wednesday, October 17, 2012 7:48 PM
  • Hi all, I found a workaround to request IPv4 before IPv6:

    http://support.microsoft.com/kb/929852/en-us

    In my scenario, 0x20, to prefer IPv4 over IPv6 by changing entries in the prefix policy table.

    Precedence  Label  Prefix
    ----------  -----  --------------------------------
            50      0  ::1/128
            40      1  ::/0
            30      2  2002::/16
            20      3  ::/96
            10      4  ::ffff:0:0/96
             5      5  2001::/32

    This moves ::ffff:0:0/96 to precedence 50. So in fact, it requests the Internet with IPv4 in priority over the default IPv6!

    Regards,

    Marc.


    • Marked as answer by Marc Berger Monday, October 22, 2012 9:24 AM
    • Edited by Marc Berger Monday, October 22, 2012 9:27 AM
    Monday, October 22, 2012 9:24 AM
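As an added illustration (not code from the thread or from Microsoft), here is a small Python model of the precedence rule that the prefix policy table drives: the same longest-prefix lookup is run on a dual-stack destination with the default table and with ::ffff:0:0/96 raised to precedence 50 as the post above describes, which shows why the default ordering tries the IPv6 address first from an ISATAP-enabled client (the timeout reported in the opening question). The sample addresses are constructed documentation/test-net values, and the real Windows selector applies further RFC 6724 rules before precedence.

```python
import ipaddress

# Default prefix policy table as printed in the post above: (precedence, label, prefix).
DEFAULT_POLICY = [
    (50, 0, "::1/128"),
    (40, 1, "::/0"),
    (30, 2, "2002::/16"),
    (20, 3, "::/96"),
    (10, 4, "::ffff:0:0/96"),
    (5, 5, "2001::/32"),
]

# The "prefer IPv4 over IPv6" variant the post describes: ::ffff:0:0/96 raised to precedence 50.
PREFER_IPV4_POLICY = [
    (50 if prefix == "::ffff:0:0/96" else prec, label, prefix)
    for prec, label, prefix in DEFAULT_POLICY
]


def as_ipv6(addr):
    """IPv4 destinations are compared as IPv4-mapped addresses (::ffff:a.b.c.d), as in RFC 6724."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def precedence(addr, policy):
    """Longest-prefix match of addr against the table; returns (precedence, label)."""
    ip = as_ipv6(addr)
    best = None  # (prefix length, precedence, label) of the longest match so far
    for prec, label, prefix in policy:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def order_destinations(addrs, policy):
    """Sort candidate destinations, highest precedence first (RFC 6724 rule 6 only; the
    real selector applies scope, label and source-address rules before this one)."""
    return sorted(addrs, key=lambda a: precedence(a, policy)[0], reverse=True)


# Constructed dual-stack answer for a web site: one AAAA and one A record
# (documentation prefix 2001:db8::/32 and TEST-NET-3; not real addresses).
SITE = ["2001:db8::1", "203.0.113.10"]

if __name__ == "__main__":
    print("default table:    ", order_destinations(SITE, DEFAULT_POLICY))
    print("prefer IPv4 table:", order_destinations(SITE, PREFER_IPV4_POLICY))
```

With the default table the IPv6 record sorts first (precedence 40 versus 10 for the IPv4-mapped form); with the modified table the IPv4 record sorts first (50 versus 40), which is the behaviour change the workaround relies on.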
  • Hi Marc,

    Will that affect manage out clients that need to use IPv6?

    Or are you going to apply it selectively?

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, October 23, 2012 11:31 AM
  • Hi Jason,

    Yeah, I enable this setting only on clients that need ISATAP connectivity: the SCCM server and the workstations that have the SCCM console, for now. This permits having ISATAP working and requesting the Internet with IPv4 before IPv6! That's fine!

    Cheers :)

    Tuesday, October 23, 2012 9:43 PM
  • To complete the loop for other people searching, this may also be of use: http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, April 10, 2013 10:41 AM