DA IPHTTPS always activated

  • Question

  • Hi All. During a deployment of DA we realized that IPHTTPS remained active even when connected to the internal network (IPv4 only network). Teredo was disabled, the corporate connectivity reported ok, the name resolution policy reported ok...everything seemed to be ok except for the httpstunnel interface. The only -visible- difference with other deployments was that we hadn't registered the isatap record in DNS, but remote management was not a requirement so -in my understanding- it didn't seem to be mandatory. After some tests we decided to register the isatap record and then the IPHTTPS deactivated. And after some other tests we found out that only the DA client needed the isatap record (it is working with a local HOSTS file) and that ISATAP is only used to get an address for the isatap interface. At that moment the IPHTTPS interface deactivates.

    Am I missing anything? Is ISATAP mandatory in every case?

    Thanks and regards



    // Raúl - I love this game
    Wednesday, June 15, 2011 8:33 AM

Answers

  • Hi Amig@. My issue is solved when the client configures the ISATAP adapter. In fact, I think that any valid IPv6 address does the same job except for link local addresses. I have registered isatap in DNS pointing to internal IP of UAG server and it works fine.

    Have you checked if the client is getting an isatap address (ipconfig)?

    Regards


    // Raúl - I love this game
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:45 PM
    Wednesday, August 3, 2011 10:54 AM

All replies

  • Hi Raul,

    No, not at all; as you say, ISATAP is normally only needed if you have an IPv4 intranet and want to use manage out.

    IPHTTPS should only become active if the DA client thinks it is "outside"...I have sometimes seen the Teredo interface active for DA clients on the LAN if the firewall allows clients to loopback to the UAG external interface from the LAN. Maybe you have something similar?

    Can you provide some outputs from these commands: http://blog.msedge.org.uk/2011/04/uag-directaccess-useful-netsh-commands.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 15, 2011 8:58 AM
  • Hi Jason and thanks for your response. The traffic to the external interface is blocked (well, actually there is no DNS resolution). The output of the commands shows that the client is inside the corporate network. This is the summary with the relevant messages:

    netsh dns show state

    Machine Location                      : Inside corporate network

    netsh namespace show effectivepolicy

    [Empty]

    netsh interface teredo show state

    Error                   : client is in a managed network

    netsh interface httpstunnel show interfaces

    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect (Note: there is no path from the client to the external interface)

    netsh advfirewall show currentprofile

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON


    // Raúl - I love this game
    Wednesday, June 15, 2011 10:48 AM
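    The checks quoted in this thread (netsh dns show state, netsh interface teredo show state, netsh interface httpstunnel show interfaces, and Raúl's follow-up point that the IPHTTPS interface only went down once the client had a non-link-local ISATAP address) folded into a small triage script. This is an added example, not code from any post in the thread. The sample outputs are constructed from the lines quoted above plus an assumed ipconfig "Tunnel adapter isatap" block with made-up addresses; the rule that an IPHTTPS status mentioning a connect or reconnect attempt means the interface is still active is an assumption drawn from the status line Raúl pasted, not a documented netsh contract.

```python
"""Triage DirectAccess client state from saved netsh / ipconfig output.

Added example for the thread above; sample outputs are constructed, not real captures.
"""
import re

# Constructed from the lines quoted in the thread (real netsh output has more lines).
DNS_STATE_INSIDE = "Machine Location                      : Inside corporate network\n"
TEREDO_MANAGED = "Error                   : client is in a managed network\n"
HTTPSTUNNEL_RECONNECTING = (
    "Interface Status           : failed to connect to the IPHTTPS server. "
    "Waiting to reconnect\n"
)

# Assumed ipconfig layout for an ISATAP tunnel adapter; addresses are constructed.
# Only a link-local fe80::5efe:a.b.c.d address: the client never got an ISATAP prefix.
IPCONFIG_NO_ISATAP = """
Tunnel adapter isatap.corp.example:

   Media State . . . . . . . . . . . : Media disconnected
   Link-local IPv6 Address . . . . . : fe80::5efe:10.1.2.3%12
"""
# Same adapter after the isatap DNS record resolves and a prefix is assigned.
IPCONFIG_WITH_ISATAP = """
Tunnel adapter isatap.corp.example:

   IPv6 Address. . . . . . . . . . . : 2002:c633:6401:1:0:5efe:10.1.2.3
   Link-local IPv6 Address . . . . . : fe80::5efe:10.1.2.3%12
"""


def parse_netsh_kv(text):
    """Turn 'Key        : value' lines into a dict keyed by lower-cased label."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            out[m.group(1).strip().lower()] = m.group(2)
    return out


def isatap_routable_address(ipconfig_text):
    """First non-link-local IPv6 address on an ISATAP tunnel adapter, or None.

    Raúl's observation is that a link-local address alone is not enough, so
    fe80::/10 addresses are deliberately skipped.
    """
    in_isatap = False
    for line in ipconfig_text.splitlines():
        if line.startswith("Tunnel adapter"):
            in_isatap = "isatap" in line.lower()
            continue
        if not in_isatap:
            continue
        m = re.search(r"IPv6 Address[ .]*:\s*([0-9a-fA-F:.]+)", line)
        if m and not m.group(1).lower().startswith("fe80:"):
            return m.group(1)
    return None


def triage(dns_state, teredo_state, httpstunnel, ipconfig):
    """Summarise client state and list inconsistencies worth chasing."""
    location = parse_netsh_kv(dns_state).get("machine location", "")
    inside = location.lower().startswith("inside")
    teredo_error = parse_netsh_kv(teredo_state).get("error", "")
    status = parse_netsh_kv(httpstunnel).get("interface status", "")
    # Assumption: a status that talks about connecting / reconnecting means the
    # IPHTTPS interface has not been deactivated.
    iphttps_trying = bool(re.search(r"connect", status, re.I))
    isatap_addr = isatap_routable_address(ipconfig)

    findings = []
    if inside and iphttps_trying:
        findings.append("IPHTTPS interface still active although NRPT reports inside corporate network")
    if inside and isatap_addr is None:
        findings.append("no non-link-local ISATAP address; thread reports IPHTTPS only deactivates once one is assigned")
    return {
        "inside": inside,
        "teredo_managed": "managed network" in teredo_error.lower(),
        "iphttps_trying": iphttps_trying,
        "isatap_address": isatap_addr,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ipc in (("no ISATAP address", IPCONFIG_NO_ISATAP), ("with ISATAP address", IPCONFIG_WITH_ISATAP)):
        report = triage(DNS_STATE_INSIDE, TEREDO_MANAGED, HTTPSTUNNEL_RECONNECTING, ipc)
        print(f"{label}: {report['findings'] or 'consistent'}")
```

    On a real client you would redirect each netsh command and ipconfig to text files and feed those into triage() instead of the constructed constants; the point is that "Inside corporate network" plus an IPHTTPS interface that is still retrying is the contradiction to look for, and the ISATAP address is the first thing to rule out.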
  • Hi, we are seeing the same issue.

    Clients still have the iphttps adapter active while the machine is on the inside.

    netsh dns show state reports Inside and Disabled.

    I have removed the isatap block on the local DNS so it now resolves on the client but no luck.

    I can reach the nls website and the isatap also replies on pings.

    Reloading the client is no help; the http adapter stays up.

    Any pointers where to look?

    Thanks!

    Arjan

    Wednesday, August 3, 2011 10:51 AM