UAG DirectAccess initial setup

  • Question

  • I'm setting up DirectAccess for the first time and it's my first exposure to IPv6 as well.  This opens the doors to a lot of questions, so I figured I would start with the most basic.

    I have a UAG server up and running and have started to configure DirectAccess.  I have two NICs, an internal one which has a couple static persistent routes configured so it can talk to all our Subnets and an External NIC which is connected to our DMZ with a public IP address and has the Default Gateway defined.  All networks have been added to TMG / UAG and I have started filling out the UAG DirectAccess Configuration wizard.

    On the Connectivity portion, I select the External Internet-facing IPv4 address, which is pretty straightforward, but the Internal side has me wondering.

    1) The IPv4 drop down list is greyed out (disabled) for ISATAP.  Why?  Should I care?

    2) The IPv6 has two options.  One is a static address that someone else added (fe20::1:1, which was just plucked from the air and I am willing to change it if there's a reason to).  The other one that I am not sure where it came from (fe80::5efe:10.54.0.85, what is this?  I thought fe80 was reserved for the local loopback).

    2a) If I select the fe20 address, I get a warning saying "You selected a local-link ISATAP address as the internal IPv6 Address, but a native IPv6 address exists" and that I should remove the native IP and try again.

    2b) If I remove the fe20 address from the NIC and then return to the wizard and select the fe80 address, now I get a warning about "An external ISATAP router is already deployed" and that I would need to disable that to avoid "assymmetrical" routing (nice typo in there).  I don't think I want to do that...do I?

    3) So I leave the fe20::1:1 address on the Internal NIC and select it in the UAG Server wizard and click Next.  I leave both checks enabled for NAT64 and DNS64 and click Next.  Now I am asked for several IPv6 prefixes.  I have no idea what to enter here.  Can someone help me out?  I am sure I need to define some IPv4 network ranges, but I don't know what would be appropriate.  I'm wide open to suggestions.

    Friday, April 30, 2010 5:01 PM

All replies

  • I am assuming that you are not using IPv6 on your internal network?

    If so, the best option is to remove the configured IPv6 on the UAG internal interface and then allow UAG to automatically configure for ISATAP. This is usually the best way to get started unless you are familiar with IPv6.

    The following docs may help:

    http://technet.microsoft.com/en-us/library/ee406201.aspx

    http://technet.microsoft.com/en-us/library/ee861167.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:12 AM
    • Unmarked as answer by MrShannon Friday, May 7, 2010 8:19 PM
    • Marked as answer by MrShannon Friday, May 7, 2010 8:19 PM
    Friday, April 30, 2010 9:49 PM
  • Jason is right.

    1) The IPv4 drop down list is greyed out because you already have an IPv6 address configured on the internal side - so we can't create an ISATAP router in this scenario.

    2) The first one (fe20::1:1) is the native IPv6 address you configured on the internal leg.

    The second one (fe80::5efe:10.54.0.85) is there because we detected you have an ISATAP router in your organization. If this isn't true, check why the name ISATAP is registered in the DNS. We suppose you might want to use ISATAP to connect to that existing IPv6 subnet in your organization, so this fe80::... address is the link-local ISATAP IPv6 address you will have once the UAG machine establishes a connection with your organization's ISATAP router (this connection is blocked by the TMG firewall until activation of DirectAccess).

    However, this scenario of having an external ISATAP router and connecting the UAG server to that ISATAP cloud is not supported! (It works, but it is not recommended at all.) This is why you see that warning. If you have an external ISATAP router, you must have the UAG box connected to that ISATAP router using native IPv6 and not using ISATAP. So in this case, only selecting the IPv6 address is the option.

    If you don't already have an ISATAP router in your organization, remove the ISATAP name from the DNS, and remove all IPv6 addresses from the internal interface. Then the IPv4 drop down list will be enabled, and UAG will configure itself as the ISATAP router of your organization.

    Thanks,

    Yaniv

    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:12 AM
    • Unmarked as answer by MrShannon Friday, May 7, 2010 8:19 PM
    Monday, May 3, 2010 8:39 AM
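    Added example (not code from this thread, from UAG, or from Microsoft): a small Python model of what the two addresses offered by the wizard are, and of the decision rules Yaniv describes above for the internal IPv6 choice. The function names and the isatap_name_in_dns flag are assumptions of this example, not wizard internals.

```python
import ipaddress

# ISATAP interface identifiers look like ::0:5efe:<IPv4> (or ::200:5efe:<IPv4>
# with the u-bit set); the embedded IPv4 address is the host's IPv4 address.
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)


def classify_ipv6(text):
    """Return (kind, embedded_ipv4_or_None) for one IPv6 address string.

    Distinguishes loopback (::1), link-local ISATAP (fe80::5efe:a.b.c.d),
    plain link-local, and anything else, which the wizard treats as native.
    """
    addr = ipaddress.IPv6Address(text)            # accepts the dotted-quad tail form
    if addr.is_loopback:                          # ::1 is loopback, fe80:: is not
        return ("loopback", None)
    iid = int(addr) & ((1 << 64) - 1)             # low 64 bits = interface identifier
    if (iid >> 32) in ISATAP_IID_MARKERS:
        v4 = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        kind = "link-local ISATAP" if addr.is_link_local else "ISATAP"
        return (kind, str(v4))
    if addr.is_link_local:                        # fe80::/10
        return ("link-local", None)
    return ("native", None)


def wizard_internal_ipv6_outcome(internal_addrs, isatap_name_in_dns):
    """Model (an assumption of this example) of the rules given in the reply.

    internal_addrs: IPv6 address strings configured on the UAG internal NIC.
    isatap_name_in_dns: True if the name ISATAP already resolves in the
    organisation's DNS when the wizard runs (i.e. a router is already there).
    """
    native = [a for a in internal_addrs if classify_ipv6(a)[0] == "native"]
    if native:
        return ("native IPv6 present (%s): ISATAP-router IPv4 option disabled; "
                "select the native address" % ", ".join(native))
    if isatap_name_in_dns:
        return ("external ISATAP router detected: joining it via ISATAP is not "
                "supported; connect UAG to it with native IPv6 instead")
    return ("no native IPv6 and no ISATAP name in DNS: UAG configures itself "
            "as the organisation's ISATAP router")
```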
  • Hi Mr Shannon,

    As you can see, there are a number of moving parts in the DA solution. None of the parts is that difficult, but you need to get them all configured to work with each other.

    If you don't have a native IPv6 network (where all your DNS, DHCP, routing and other infrastructure supports IPv6 - including all your applications), you might be best using ISATAP. The UAG DA server will support ISATAP right out of the box, and configure itself as an ISATAP router. However, I'd recommend that you remove the statically configured IPv6 address from the Internal interface. You'll also need to make sure that your internal hosts will be able to resolve the name ISATAP to the IPv4 address on the internal interface of the UAG server.

    It would be well worth your time to go through the UAG DirectAccess Step by Step guide over at:

    http://technet.microsoft.com/en-us/library/ee861167.aspx

    It'll expose you to all the key components and concepts, so that when you're ready to deploy in a production network, you'll have a very good picture of how the pieces work together and the concepts that drive a working DA solution.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:12 AM
    • Unmarked as answer by MrShannon Friday, May 7, 2010 8:18 PM
    Monday, May 3, 2010 2:22 PM
  • What I ended up doing was removing the IPv6 address, and then I needed to remove ISATAP from the DNS block list on one of my DCs / DNS servers.  I also needed to create an A record for "ISATAP.mydomain.com" to point to the inside IPv4 address of my UAG server.

    To remove ISATAP from the DNS global query block list

    1.    Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    2.    In the Command Prompt window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.

    3.    Close the Command Prompt window.

    I found that in the Step-by-Step guide Jason and Thomas linked to earlier.
    • Marked as answer by MrShannon Friday, May 7, 2010 8:19 PM
    • Edited by MrShannon Friday, May 7, 2010 8:20 PM credit where it's due
    Friday, May 7, 2010 8:18 PM
  • Hi MrShannon,

    Great to hear you got it working and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Saturday, May 8, 2010 12:47 PM
  • Hi Sir Thomas W Shinder,

    Thanks for the explanation regarding troubleshooting the warning message about this ISATAP thing. I have been having some setup issues during the DA Config wizard. After removing the ISATAP DNS record on the DNS servers, I finally can get it going on with the next step.

    I am still having some difficulties but I hope to find the answers on the I-net.

    With kind regards,

    Franklyn

    Sunday, July 17, 2011 8:14 PM