disable teredo/isatap gateway creation

  • Question

  • hello,

    how do I instruct the Direct Access configuration wizard to NOT enable the teredo/isatap interfaces on the DA server? I would like to let it configure just the IP-HTTPS interface. Certainly, I can just later disable the interface manually with NETSH, but this is not a permanent solution; when someone later re-runs the wizard, the interfaces would be created again. So how to make the wizard configure just the IP-HTTPS interface?

    o.

    Wednesday, September 28, 2011 10:01 AM

All replies

  • Instead of trying to manipulate the Microsoft wizards, I think your purposes would be better served at the client side. To "disable" ISATAP, simply do not create a DNS record for ISATAP and then no machines inside your network will make use of ISATAP. And for Teredo, you can create a simple GPO that sets Teredo and 6to4 to "Disabled" status and filter this new GPO to your DA client computers. That way they would make use only of IP-HTTPS when they connect.

    Is there a particular reason you are wanting to disable Teredo? It is more efficient (and therefore faster) than IP-HTTPS...

    Wednesday, September 28, 2011 12:28 PM
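The GPO approach in this reply, together with the NETSH check the question mentions, as an added PowerShell audit script (my example, not from the thread, from Microsoft or from UAG): it reads the transition-technology policy values and compares them with the live netsh state, flagging any technology that policy disables but the machine is still running. The registry path HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition and the value names Teredo_State, 6to4_State and ISATAP_State are what I understand the "IPv6 Transition Technologies" administrative templates (Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies) write; treat them as assumptions and confirm on a test machine before relying on the script.

```powershell
# Added example, not from the thread: audit the Teredo / 6to4 / ISATAP state on a
# DirectAccess client or server by comparing the Group Policy values with what
# netsh reports live. The registry path and value names are the ones the
# "IPv6 Transition Technologies" administrative templates write, as I understand
# them (assumption: confirm on a test machine before depending on the script).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'

# For Teredo the administratively set mode is the "Type" line of the netsh
# output (client / enterpriseclient / server / disabled); its "State" line only
# reports connectivity (qualified / offline). 6to4 and ISATAP report their
# configured mode on a line whose label ends in "State".
$Technologies = @(
    @{ Name = 'Teredo'; PolicyValue = 'Teredo_State'; Context = 'teredo'; Pattern = '^\s*Type\s*:\s*(\S+)' },
    @{ Name = '6to4';   PolicyValue = '6to4_State';   Context = '6to4';   Pattern = 'State\s*:\s*(\S+)' },
    @{ Name = 'ISATAP'; PolicyValue = 'ISATAP_State'; Context = 'isatap'; Pattern = 'State\s*:\s*(\S+)' }
)

function Get-PolicyState {
    param([string]$ValueName)
    # Returns the policy string (Default, Disabled, Enabled, Client, ...) or
    # 'NotConfigured' when no GPO has written the value.
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    return [string]$item.$ValueName
}

function Get-LiveState {
    param([string]$Context, [string]$Pattern)
    # netsh prints "Label : value" lines; return the first value matching $Pattern.
    $lines = & netsh.exe interface $Context show state 2>&1
    foreach ($line in $lines) {
        if ($line -match $Pattern) { return $Matches[1].ToLower() }
    }
    return 'unknown'
}

function Get-TransitionAudit {
    # One object per technology: what policy says, what netsh shows, and a
    # Drift flag when policy says Disabled but the live mode is not disabled
    # (for example after someone re-ran the DA wizard on the server).
    foreach ($t in $Technologies) {
        $policy = Get-PolicyState -ValueName $t.PolicyValue
        $live   = Get-LiveState -Context $t.Context -Pattern $t.Pattern
        [pscustomobject]@{
            Technology = $t.Name
            Policy     = $policy
            Live       = $live
            Drift      = ($policy -eq 'Disabled' -and $live -ne 'disabled')
        }
    }
}

# Run directly: prints a table. Re-run after "gpupdate /force" to confirm the
# GPO has landed and that nothing has re-enabled a technology behind it.
Get-TransitionAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a DA client that is in scope of the GPO and on one that is not; the first should show Policy = Disabled and Live = disabled for Teredo and 6to4 with Drift = False, the second Policy = NotConfigured. A Drift = True row is the signal this thread is about: policy and the live state disagree, which on the server side is exactly what re-running the wizard produces.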
  • You could also use Group Policy on the server side to override any future changes made by the wizard...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, September 28, 2011 2:16 PM
    Moderator
  • Disabling 6to4 on DA clients is sometimes a good idea anyhow...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, September 28, 2011 2:17 PM
    Moderator
  • One of the problems is that the DNS64 is bound only to the IP address configured for the 6to4 adapter. When I disable the adapters on the server side, the DNS64 stops listening and no name translation is done.

    What GP settings do you actually mean, please?

    ondrej.

    Thursday, September 29, 2011 6:35 AM
  • I just don't want to have the clutter of several adapters and their IP addresses that are not being used, so that is the reason to disable them on the server.

    o.

    Thursday, September 29, 2011 6:51 AM
  • I have tried to disable Teredo, 6to4 and ISATAP through the policy, but the DA console tells me that the prerequisites are not met and I should enable the transition technologies in policy.

    o.

    Thursday, September 29, 2011 7:27 AM
  • Ah ok, sorry, not something I have actually tried to do...most people want the flexibility of multiple transition technologies enabled, not disabled.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, September 29, 2011 8:43 AM
    Moderator
  • Yeah, I wouldn't recommend disabling those things on the server side, all that will do is generate errors and logs all the time. Actually, I wouldn't recommend disabling Teredo at all, client or server side. If you have for some reason decided on Force Tunneling, then you don't have a choice and the clients are set to use IP-HTTPS all the time anyway, but as long as you are going with the standard Split Tunneling config, then disabling Teredo is actually going to unnecessarily make the UAG server work harder and it will consume more resources than if you left Teredo enabled. This again is because IP-HTTPS takes more work than Teredo does, every packet requires extra overhead - if IP-HTTPS were as efficient as Teredo then I suspect Teredo and 6to4 would not even exist on a UAG DA server.
    Thursday, September 29, 2011 12:42 PM
  • I have also had the need to disable 6to4 on DA clients for some customers. This avoids potential problems when using DA clients in remote locations that are using public IP addresses, but where the environment blocks 6to4 traffic.

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, September 29, 2011 2:18 PM
    Moderator
  • Very true, I usually disable 6to4 as a "best practice" (disable it on the client side, via GPO) - it's hardly ever used and it's not worth the potential trouble that can be caused, especially by cell phone cards doing exactly what Jason described.

    Also, many companies are moving to multi-site DirectAccess and for that you have to disable 6to4 anyway.

    Thursday, September 29, 2011 2:39 PM