ISATAP and Client DNS registration

  • Question

  • I've got UAG/DirectAccess working in a lab environment and need help wrapping my head around ISATAP and why we would need it. I am using NAT64/DNS64 because everything is IPv4 on the intranet. Without ISATAP the clients can connect and get to intranet resources, however they never seem to register in DNS so managing out is a problem. I got ISATAP going as a test and now the clients register an ISATAP address in DNS, as do the 2008 servers.

    Is it possible for DA clients to register in DNS without ISATAP while using NAT64/DNS64?

    Friday, July 23, 2010 4:18 PM

Answers

  • Hi Jake,

    The DA clients should be registering their IPv6 address based on the IPv6 transition technology that they're using. So if they are using 6to4, then the 6to4 address is registered. If they are using Teredo, then the Teredo address should register and if they're using IP-HTTPS, then the IP-HTTPS address should be registered.

    Is your DNS server configured to enable dynamic updates?

    Are your intranet clients registering their ISATAP addresses?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Monday, July 26, 2010 11:04 PM
    Monday, July 26, 2010 12:41 PM
  • Hi Jake,

    The DirectAccess clients are registering their IPv6 addresses anyway.

    However, when ISATAP is disabled and only NAT64/DNS64 is used, your backend servers have only IPv4 addresses. This means that even though they can resolve the IPv6 addresses of the DA clients, they cannot communicate with them. (If you ping a client, you won't see any IP address, but if you run nslookup, you'll see there is an IPv6 address registered.)

    Once ISATAP is enabled, your backend servers will have IPv6 addresses and they'll be able to contact the DirectAccess clients.

    The only way to "manage out" is if you have IPv6 in your organization (using ISATAP or native IPv6).

    • Marked as answer by ZorkFan Tuesday, July 27, 2010 1:39 PM
    Tuesday, July 27, 2010 8:05 AM
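As an added illustration of the two answers above (example code written for this page, not code from the thread, from UAG or from Microsoft): a Python script that takes a DA client's registered AAAA record, identifies which transition technology produced it from its well-known prefix or interface identifier (6to4 per RFC 3056, Teredo per RFC 4380, ISATAP per RFC 5214, a DNS64-synthesised address under the RFC 6052 NAT64 prefix; IP-HTTPS and native addresses both come from the organization's own prefix and cannot be told apart by address alone), and then checks whether a given management server holds a usable IPv6 source address from which it could initiate a connection. That second check is the "nslookup shows an address but ping cannot reach it" situation the second answer describes. All host names and addresses are constructed sample data.

```python
import ipaddress

# Well-known prefixes: 6to4 (RFC 3056), Teredo (RFC 4380), NAT64 well-known
# prefix (RFC 6052). IP-HTTPS and native addresses use the organization's own
# prefix, so they fall through to the default classification.
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")


def classify(addr_str):
    """Return (transition technology, embedded IPv4 or None) for one AAAA record."""
    addr = ipaddress.IPv6Address(addr_str)
    raw = int(addr)
    low32 = raw & 0xFFFFFFFF
    if addr in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> the public IPv4 address sits in bits 16..47
        return "6to4", str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))
    if addr in TEREDO:
        # the low 32 bits hold the client's public IPv4, XORed with all ones
        return "Teredo", str(ipaddress.IPv4Address(low32 ^ 0xFFFFFFFF))
    if addr in NAT64_WKP:
        # DNS64-synthesised record for an IPv4-only host; IPv4 in the low 32 bits
        return "NAT64", str(ipaddress.IPv4Address(low32))
    # ISATAP interface identifier: ::0:5efe:w.x.y.z (or ::200:5efe:w.x.y.z when
    # the embedded IPv4 address is globally unique), IPv4 in the low 32 bits
    groups = addr.exploded.split(":")
    if groups[5] == "5efe" and groups[4] in ("0000", "0200"):
        return "ISATAP", str(ipaddress.IPv4Address(low32))
    if addr.is_link_local:
        return "link-local", None
    return "native/IP-HTTPS", None


def reachable_from(server_addrs, client_addr):
    """True if a management server holding server_addrs can initiate a connection
    to the client's registered IPv6 address. An IPv4-only server can still resolve
    the AAAA record, but has no IPv6 source address to send from (link-local
    addresses are not routable to the client and do not count)."""
    ipaddress.IPv6Address(client_addr)  # the client is only reachable over IPv6
    return any(
        ip.version == 6 and not ip.is_link_local
        for ip in map(ipaddress.ip_address, server_addrs)
    )


# Constructed sample: AAAA records as DA clients (and a DNS64 zone) might hold them.
SAMPLE_RECORDS = {
    "da-client1.corp.example": "2002:c633:6401::c633:6401",            # 6to4
    "da-client2.corp.example": "2001:0:c633:6401:8000:63bf:34ff:8ef5",  # Teredo
    "da-client3.corp.example": "2001:db8:1::5efe:10.0.0.15",           # ISATAP
    "legacy-srv.corp.example": "64:ff9b::192.168.10.5",                 # DNS64 synthesised
}

if __name__ == "__main__":
    ipv4_only_server = ["10.0.0.20"]                                 # constructed
    isatap_server = ["10.0.0.20", "2001:db8:1::5efe:10.0.0.20"]      # constructed
    for name, rec in SAMPLE_RECORDS.items():
        kind, v4 = classify(rec)
        print(f"{name:26} {kind:16} embedded IPv4={v4}  "
              f"manage-out from IPv4-only server: {reachable_from(ipv4_only_server, rec)}  "
              f"from ISATAP-enabled server: {reachable_from(isatap_server, rec)}")
```

Running it over the sample zone shows every client record classified with the IPv4 address it encodes, and `reachable_from` returning False for the IPv4-only server and True once the same server also carries an ISATAP (or native) IPv6 address, which is exactly the condition the answers give for manage-out.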

All replies

  • Thanks guys, that helps clear it up for me quite a bit.
    Tuesday, July 27, 2010 1:40 PM
  • Hi Jake,

    That's one of the limitations of using NAT64 - there is no manage out capability in terms of an intranet management server being able to initiate a connection to a DA client. The DA client's management agents can still call management servers on the intranet, but intranet management servers cannot initiate connections with the external DA client.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, July 29, 2010 12:51 AM