Unable to reach UAG server from Hotel Room and certain ISPs

  • Question

  • I have DirectAccess and a portal published on UAG.  Everything seems to be working properly except for users trying to access from hotel rooms and certain ISPs.  I'm not too worried about the ISPs at this point, but the hotel rooms are a major concern for a traveling workforce.

    This is actually the first extended period I've had for troubleshooting since I'm in a hotel room for the next week or so.

    Thus far I've been able to note the following:

    When attempting to ping the UAG server I am able to resolve the IP Address, but pings fail according to DCA as follows:

    Probes List 
    FAIL - The server name resolved successfully, but failed to access PING: 2002:xxxx:xxxx::xxxx:d8e3
    FAIL - HTTP: http://myinternalsite

    DTE List
    FAIL - PING: 2002:xxxx:xxxx::xxxx:d8e3
    FAIL - PING: 2002:xxxx:xxxx::xxxx:d8e2

    When attempting to access the portal it fails as well.  If I choose "Use local DNS resolution" on DCA I am then able to access the portal.

    Any guidance for next steps is appreciated...

    • Edited by AmbersF Saturday, April 9, 2011 4:49 AM typo
    Saturday, April 9, 2011 4:42 AM

Answers

  • Try a "netsh interface 6to4 set state disabled" from a command prompt on the laptop. It is fairly common that ISPs (cell phone card providers are especially bad) will allow a 6to4 connection to take place, but then they will block the traffic from flowing over Protocol 41.

    If you disable your 6to4 adapter with the above command it should allow Teredo to manage the connection.

    • Marked as answer by AmbersF Friday, April 15, 2011 3:06 AM
    Monday, April 11, 2011 7:32 PM
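The diagnosis behind this answer can be scripted so a traveling user (or a helpdesk remote session) can confirm it before touching the 6to4 state. The following is an added example, not code from the thread or from UAG: it classifies the client's transition technology by IPv6 address prefix (2002::/16 is 6to4, 2001:0::/32 is Teredo), runs the same ICMPv6 echo checks that DCA lists as "PING:", and only then applies the `netsh interface 6to4 set state disabled` workaround and re-tests. The probe addresses are the redacted ones from the question and must be replaced; the parsing of `netsh interface 6to4 show state` assumes the Windows 7 "State : ..." output line. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): identify the DirectAccess transition
# technology in use, repeat the DCA ping probes, and disable 6to4 only when
# 6to4 holds the tunnel and the probes fail. Windows 7 / PowerShell 2.0
# compatible: .NET and netsh only, no NetTCPIP module required.

# Assumption: replace with your own DTE / probe addresses from the DCA output.
$ProbeAddresses = @('2002:xxxx:xxxx::xxxx:d8e3', '2002:xxxx:xxxx::xxxx:d8e2')

function Get-TransitionTechnology {
    # Classify by address prefix, not by adapter name:
    #   2002::/16   -> 6to4   (RFC 3056; public IPv4 embedded in the prefix)
    #   2001:0::/32 -> Teredo (RFC 4380; IPAddress.IsIPv6Teredo checks this)
    # An IP-HTTPS address carries the organisation's own prefix, so any other
    # global address on a tunnel interface is reported as IP-HTTPS.
    $found = @()
    $ifaces = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $ifaces) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $ua.Address
            if ($ip.AddressFamily -ne 'InterNetworkV6') { continue }
            if ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal -or $ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { continue }
            $b = $ip.GetAddressBytes()
            if ($b[0] -eq 0x20 -and $b[1] -eq 0x02)          { $found += '6to4' }
            elseif ($ip.IsIPv6Teredo)                          { $found += 'Teredo' }
            elseif ($nic.NetworkInterfaceType -eq 'Tunnel')    { $found += 'IP-HTTPS' }
            else                                               { $found += 'native' }
        }
    }
    $found | Sort-Object -Unique
}

function Test-Probe {
    param([string]$Address, [int]$TimeoutMs = 2000)
    # ICMPv6 echo, the check DCA reports as "PING:" in its probe and DTE lists.
    $pinger = New-Object System.Net.NetworkInformation.Ping
    try {
        $reply = $pinger.Send($Address, $TimeoutMs)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false           # no route / PingException counts as a failed probe
    } finally {
        $pinger.Dispose()
    }
}

function Get-6to4State {
    # Assumption: netsh prints a "State : enabled|disabled|default" line.
    $line = netsh interface 6to4 show state | Select-String -Pattern '^\s*State\s*:\s*(\S+)'
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Show-ProbeResults {
    foreach ($a in $ProbeAddresses) {
        $status = if (Test-Probe $a) { 'OK' } else { 'FAIL' }
        Write-Host ("{0,-5} PING {1}" -f $status, $a)
    }
}

$tech = @(Get-TransitionTechnology)
Write-Host ("Transition technologies in use: " + ($tech -join ', '))
$failed = @($ProbeAddresses | Where-Object { -not (Test-Probe $_) })
Show-ProbeResults

if (($tech -contains '6to4') -and ($failed.Count -gt 0)) {
    # The failure mode described in the thread: 6to4 negotiates, the ISP then
    # drops IPv4 protocol 41, and the client does not fail over on its own.
    # Disabling 6to4 lets Teredo (or IP-HTTPS) take over the tunnel.
    Write-Host "6to4 holds the tunnel but probes fail; disabling 6to4 (current state: $(Get-6to4State))"
    netsh interface 6to4 set state disabled | Out-Null
    Start-Sleep -Seconds 10      # give Teredo / IP-HTTPS time to come up
    Write-Host ("Now using: " + (@(Get-TransitionTechnology) -join ', '))
    Show-ProbeResults
}
```

The prefix check explains the symptom in the question without any packet capture: the DTE addresses DCA reports start with 2002:, so the UAG deployment derives its IPv6 prefix from the server's public IPv4 address, and a client that has itself obtained a 2002: address will try to reach them natively over protocol 41, which is exactly what the hotel or carrier network is dropping. `netsh interface 6to4 set state default` restores the original behaviour once testing is done.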
  • I would use a GPO to set 6to4 in the disabled state for your DA clients. You could actually tweak the DA_Clients GPO itself, but that would be overwritten the next time you applied GPO settings from UAG, so a separate GPO is probably better.

    6to4 is hardly ever used, and a lot of the time that it is used there are problems with the traffic being blocked like you are experiencing. I say "Teredo all the way!" :)

    • Proposed as answer by RossJG Tuesday, April 12, 2011 6:28 PM
    • Marked as answer by AmbersF Friday, April 15, 2011 3:07 AM
    Tuesday, April 12, 2011 12:47 PM

All replies

  • Hi,

    As I understood your problem, the DCA is not able to reach the probes you use. Can you provide detailed logs generated by DCA? We need to be sure whether the DirectAccess tunnels are operational or not. We need this information to start troubleshooting and help you.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, April 9, 2011 9:50 AM
  • Try a "netsh interface 6to4 set state disabled" from a command prompt on the laptop. It is fairly common that ISPs (cell phone card providers are especially bad) will allow a 6to4 connection to take place, but then they will block the traffic from flowing over Protocol 41.

    If you disable your 6to4 adapter with the above command it should allow Teredo to manage the connection.


    Maybe we should start a name them and shame them telco list .. Had this with a large European carrier last week on 3G.. disabling 6to4 did the trick. It's a great party trick but a real pain for the user if UAC is disabled and they're a normal user :-)

    Regards,

    Mylo

    Monday, April 11, 2011 11:18 PM
  • I hope to mark your answer as correct Jordan.  The hotel I'm at had an option for using a public IP and choosing that option resolved my issue.  I need to wait for some period for that option to time out before continuing my testing.  I'll update soon.

    Just out of curiosity, if that does fix my problem Mylo brings up an interesting point.  How would I go about fixing this for my end-users without manual intervention from an administrator?

    Tuesday, April 12, 2011 5:10 AM
  • Jordan - Thanks!  This 6to4 problem is exactly what I'm experiencing in my testing.  My "temporary workaround" has actually been just what you suggested, disabling the 6to4 interface.  Sounds like I should just make it my permanent workaround.

    This is exactly why I wrote a discussion thread yesterday wondering aloud about the value of 6to4; I was wondering about risk/reward.  Sounds like the risk is often bigger than the reward, given that when 6to4 is enabled and this issue is experienced, failover to Teredo/IP-HTTPS doesn't occur and the end user is out of luck.

    Thanks,

    Ross

    Tuesday, April 12, 2011 6:40 PM
  • I tend to create a custom GPO during my DA deployments for DA related settings that are not covered by the default UAG GPOs.

    I then tend to use this custom DA GPO to do the following:

    • Disable 6to4
    • Enable Teredo Enterprise Client state
    • Define Windows Firewall inbound rules to cater for DirectAccess remote management (manage out)
    • Enable certificate autoenrollment settings if the customer does not have these settings in existing GPOs
    • Pre-SP1 it also included DCA settings

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 13, 2011 12:20 PM
    Moderator
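The first three items in that list can be staged on a single test client before the separate GPO is built, which is a useful way to confirm that the policy, rather than the ad hoc `netsh` workaround, fixes the hotel case. The following is an added example, not code from the thread, from UAG or from the poster: it writes the registry values that the "Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies" templates ("Set 6to4 State", "Set Teredo State") write under `HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition`, adds one manage-out firewall rule, and restarts the IP Helper service so the new state is picked up. The corporate prefix in the firewall rule is a placeholder, the single ICMPv6 echo rule stands in for whatever management traffic (RDP, WinRM, SCCM) you actually need, and restarting `iphlpsvc` instead of rebooting is an assumption. Run from an elevated prompt; once the GPO exists, `gpresult /h` should show the same two values.

```powershell
# Added example (not from the thread): stage the DA client transition-technology
# policy locally on one machine to validate it, then carry the same settings
# into the custom DA GPO. Windows 7 / PowerShell 2.0 compatible.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'

function Set-DaTransitionPolicy {
    param(
        # "Set 6to4 State" -> value 6to4_State; Disabled is the thread's recommendation
        [ValidateSet('Default','Enabled','Disabled')]
        [string]$SixToFour = 'Disabled',
        # "Set Teredo State" -> value Teredo_State; Enterprise Client keeps Teredo
        # up even when the client believes it is on a managed network
        [ValidateSet('Default','Disabled','Client','Enterprise Client')]
        [string]$Teredo = 'Enterprise Client'
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name '6to4_State'   -Value $SixToFour -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'Teredo_State' -Value $Teredo    -Type String
}

function Get-DaTransitionPolicy {
    # Returns $null when no policy is set, otherwise the two REG_SZ values.
    if (-not (Test-Path $PolicyKey)) { return $null }
    Get-ItemProperty -Path $PolicyKey | Select-Object '6to4_State', 'Teredo_State'
}

function Add-ManageOutRule {
    # Assumption: ICMPv6 echo from the corporate prefix is the manage-out traffic
    # you want; add further rules (RDP, WinRM, ...) the same way. edge=yes is the
    # important part: without "Allow edge traversal" a Teredo client never sees
    # the inbound packet, so manage-out silently fails for Teredo users.
    param([string]$CorpPrefix = '2002:xxxx:xxxx::/48')   # placeholder, replace
    netsh advfirewall firewall add rule name=DA-ManageOut-ICMPv6-Echo dir=in action=allow `
        enable=yes profile=any protocol=icmpv6:128,any "remoteip=$CorpPrefix" edge=yes
}

function Show-TransitionState {
    # Both commands report the effective state; after the policy is applied the
    # 6to4 state should read "disabled" and Teredo "enterpriseclient".
    netsh interface 6to4 show state
    netsh interface teredo show state
}

Set-DaTransitionPolicy -SixToFour 'Disabled' -Teredo 'Enterprise Client'
Add-ManageOutRule -CorpPrefix '2002:xxxx:xxxx::/48'
Write-Host 'Policy values now in the registry:'
Get-DaTransitionPolicy | Format-List

# Assumption: restarting IP Helper re-reads the transition-technology policy;
# a reboot or gpupdate /force achieves the same when the values come from a GPO.
Restart-Service iphlpsvc
Start-Sleep -Seconds 5
Show-TransitionState
```

Keeping these in a separate GPO, as the answer recommends, matters for a practical reason beyond UAG overwriting its own DA_Clients GPO: the registry values are plain policy keys, so anyone reviewing the client later can see exactly which GPO set them with `gpresult`, and removing the link restores the Windows defaults without a manual `netsh` cleanup on every laptop.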
  • From memory, I believe MSIT do both of the first two items in the list above too...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 13, 2011 12:21 PM
    Moderator
  • Thanks to everyone.

    Friday, April 15, 2011 3:12 AM