Direct Access manage-out not working with IP-HTTPS connected clients

  • Question

  • We have deployed a DirectAccess scenario allowing DirectAccess clients to connect to internal resources and enabled remote management of DirectAccess clients. The server infrastructure consists of a UAG array with 2 array members.

    DirectAccess clients are able to reach internal resources by all IPv6 transition methods (Teredo, 6to4 & IP-HTTPS).

    Problem

    DirectAccess clients which are connected by the IP-HTTPS IPv6 transition method can't be managed from the intranet; we can only ping those clients from both the UAG and MGMT servers (this is because ICMP goes outside the IPsec tunnel). When connected by Teredo or 6to4, DirectAccess clients can be managed successfully from both the UAG servers and the designated MGMT servers. We're using ISATAP for manage-out as the internal network is native IPv4.

    At the client side we enabled Windows Firewall logging and the IPsec audit event log, but no drops/issues were found at the client side.

    Any suggestions?


    Ronny de Jong | inovativ.nl | Blog: donnystyle.wordpress.com | Twitter: twitter.com/ronnydejong


    Wednesday, May 9, 2012 1:52 PM

All replies

  • Sounds like a routing issue when trying to access the specific prefix used by IP-HTTPS clients. Do you see the packets reach the DA client?

    Can you see the management traffic in the TMG logs on the UAG servers?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, May 9, 2012 11:23 PM
  • Hi Jason,

    When using IP-HTTPS only ICMP packets reach the DA client, nothing further. All management traffic to a DA client from both a management server (10.1.64.18) and UAG seems to be dropped at UAG:

    Denied Connection <UAG Server 1> 5/10/2012 9:01:50 AM
    Log type: Firewall service
    Status: The policy rules do not allow the user request.
    Rule: [System] Direct Access mode: Block non-virtual ISATAP addresses
    Source: External (fe80::5efe:10.1.64.18:34048) >> management server
    Destination: Local Host (fe80::5efe:10.1.145.30) >> DIP UAG server 1
    Protocol: ICMPv6 Router Solicitation

    I'm not sure if it's related to our issue but I see a lot of spoof entries in TMG logging.

    Denied Connection <UAG Server 1> 5/10/2012 10:10:01 AM
    Log type: Firewall service
    Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
    Rule: None - see Result Code
    Source: Local Host (195.169.68.32) >> External VIP 1 UAG
    Destination: External (145.81.52.77) >> local IP address DA client
    Protocol: IPv6 Over IPv4 Tunnel

    The routing table on the UAG looks as follows:

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     14   1105 ::/0                     2002:c058:6301::c058:6301
      1    306 ::1/128                  On-link
     15     58 2001::/32                On-link
     14   1005 2002::/16                On-link
     14    261 2002:c3a9:441f::c3a9:441f/128
                                        On-link
     14    261 2002:c3a9:4420::/64      On-link
     14    261 2002:c3a9:4420::c3a9:4420/128
                                        On-link
     16    261 2002:c3a9:4420:8000::/49 On-link
     16    261 2002:c3a9:4420:8000::/64 On-link
     16    261 2002:c3a9:4420:8000::/128
                                        On-link
     16    261 2002:c3a9:4420:8000:0:5efe:10.1.145.31/128
                                        On-link
     16    261 2002:c3a9:4420:8001::/96 On-link
     18    306 2002:c3a9:4420:8101::/64 On-link
     18    306 2002:c3a9:4420:8101::/128
                                        On-link
     18    306 2002:c3a9:4420:8101:d927:2c84:7628:99d3/128
                                        On-link
     14    261 2002:c3a9:4421::/64      On-link
     14    261 2002:c3a9:4421::c3a9:4421/128
                                        On-link
     12    261 fe80::/64                On-link
     18    306 fe80::/64                On-link
     15    306 fe80::/64                On-link
     16    261 fe80::5efe:10.1.145.31/128
                                        On-link
     16    261 fe80::5efe:10.1.145.32/128
                                        On-link
     17    261 fe80::200:5efe:195.169.68.31/128
                                        On-link
     17    261 fe80::200:5efe:195.169.68.32/128
                                        On-link
     17    261 fe80::200:5efe:195.169.68.33/128
                                        On-link
     12    261 fe80::3d3a:3ba0:7cf5:676d/128
                                        On-link
     15    306 fe80::8000:f227:3c56:bbdf/128
                                        On-link
     18    306 fe80::d927:2c84:7628:99d3/128
                                        On-link
      1    306 ff00::/8                 On-link
     18    306 ff00::/8                 On-link
     15    306 ff00::/8                 On-link
     12    261 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 2002:c3a9:4420::/64      On-link
      0 4294967295 2002:c3a9:4421::/64      On-link
      0 4294967295 2002:c3a9:4420:8000::/64 On-link
      0 4294967295 2002:c3a9:4420:8001::/96 On-link
      0 4294967295 2002:c3a9:4420:8000::/49 On-link
      0 4294967295 2002:c3a9:4420:8101::/64 On-link
    ===========================================================================


    Ronny de Jong | inovativ.nl | Blog: donnystyle.wordpress.com | Twitter: twitter.com/ronnydejong

    Thursday, May 10, 2012 8:48 AM
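Jason's routing question can be checked mechanically against the table Ronny posted. The Python script below is an added example, not code from either poster: it parses the wrapped `route print` style output (an excerpt of the posted table is embedded as constructed sample input) and reports the longest-prefix match for a destination. It assumes that the 2002:c3a9:4420:8101::/64 route on interface 18 is the IP-HTTPS client prefix, and the client and management-server addresses used for lookups are constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# One route line: If, Metric, Destination, optional Gateway. When the
# destination is long, Windows wraps the gateway onto the next line.
ROUTE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

class Route(NamedTuple):
    iface: int
    metric: int
    network: ipaddress.IPv6Network
    gateway: str

def parse_route_print(text: str) -> list:
    """Parse the IPv6 'Active Routes' section of 'route print' output."""
    routes, pending = [], None
    for line in text.splitlines():
        if pending is not None:              # wrapped gateway line
            routes.append(Route(*pending, line.strip()))
            pending = None
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                          # headers, separators, etc.
        iface, metric, dest, gw = m.groups()
        net = ipaddress.ip_network(dest, strict=False)
        if gw is None:
            pending = (int(iface), int(metric), net)
        else:
            routes.append(Route(int(iface), int(metric), net, gw))
    return routes

def best_route(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest metric (as the stack does)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric)) if hits else None

# Constructed excerpt of the UAG table from the thread (interfaces 14/15/16/18).
SAMPLE = """\
 If Metric Network Destination      Gateway
 14   1105 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 15     58 2001::/32                On-link
 14   1005 2002::/16                On-link
 14    261 2002:c3a9:4420::/64      On-link
 16    261 2002:c3a9:4420:8000::/49 On-link
 16    261 2002:c3a9:4420:8000::/64 On-link
 16    261 2002:c3a9:4420:8000:0:5efe:10.1.145.31/128
                                    On-link
 16    261 2002:c3a9:4420:8001::/96 On-link
 18    306 2002:c3a9:4420:8101::/64 On-link
 18    306 2002:c3a9:4420:8101:d927:2c84:7628:99d3/128
                                    On-link
 16    261 fe80::5efe:10.1.145.31/128
                                    On-link
"""
ROUTES = parse_route_print(SAMPLE)

if __name__ == "__main__":
    # Constructed IP-HTTPS client address inside the assumed /64 on interface 18.
    for dst in ("2002:c3a9:4420:8101:1111:2222:3333:4444",
                "2002:c3a9:4420:8000:0:5efe:10.1.64.18"):
        print(dst, "->", best_route(ROUTES, dst))
```

If the IP-HTTPS client address does not resolve to the interface-18 /64 but falls through to 2002::/16 or the default route, the manage-out packets are leaving via 6to4 rather than the IP-HTTPS adapter, which is the routing problem Jason suspected.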