Remote desktop sessions are going through UAG

  • Question

  • Hi all,

    While opening a Terminal Services session to any machine (IPv6 only), it takes too much time. After checking with the tracert command, all the requests are going through the UAG server although both are in the same LAN. Does anyone have a remedy to resolve this issue?

    Note:

    The command used to confirm this is tracert -d FileServ01. In the results, it returned the IPv6 of the UAG server as the first hop then returned the IPv6 of the server FileServ01.

    Thanks

    Wednesday, October 19, 2011 12:41 PM

All replies

  • Hi Ahmad,

    Are you talking about when your clients are locally in the office and try to connect to a server on the local subnet, or when connecting from a DirectAccess client that is outside the corporate network?

    Best wishes,
    Jonas Blom

    Wednesday, October 19, 2011 12:49 PM
  • Hi Jonas,

    I am talking about when our clients are locally in the office and try to connect to a server on the local subnet; for example, if one of our IT support personnel tries to log in remotely to a server from his client machine in the same local subnet as the UAG, he faces this issue.

    Thank you

    Wednesday, October 19, 2011 1:06 PM
  • Hi again,

    Verify whether the client machine considers itself to be on a "managed network".

    To do this, I often use "netsh namespace show effective" to see that no NRPT rules are active.
    Another way is to check that none of the IPHTTPS/Teredo/6to4 interfaces are active.

    The reason could be that the client is unable to verify connectivity to the NLS server and is unable to resolve the DNS record that is used as a backup.

    If no it considers itself to be in a managed network, can you please post the routing table on the client?

    Best wishes,
    Jonas Blom

     

     

    Wednesday, October 19, 2011 1:26 PM
  • This is the routing table on the client:

    ===========================================================================
    Interface List
     23...00 24 d7 0e b1 1d ......Microsoft Virtual WiFi Miniport Adapter
     14...00 24 d7 0e b1 1c ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
     13...00 26 2d fc be ec ......Intel(R) 82577LM Gigabit Network Connection
     12...78 dd 08 b2 9b a6 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 iphttpsinterface
     26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     61...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
     62...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.3.48.77      10.3.49.180    281
            10.3.48.0    255.255.240.0         On-link       10.3.49.180    281
          10.3.49.180  255.255.255.255         On-link       10.3.49.180    281
          10.3.63.255  255.255.255.255         On-link       10.3.49.180    281
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       10.3.49.180    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       10.3.49.180    281
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0       10.3.48.77  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     27    286 ::/0                     fe80::5efe:10.3.16.78
      1    306 ::1/128                  On-link
     27   4126 2002::/16                fe80::5efe:10.3.16.78
     27    286 2002:3e95:46b4::/64      fe80::5efe:10.3.16.78
     27     38 2002:3e95:46b4:8000::/49 fe80::5efe:10.3.16.78
     27     38 2002:3e95:46b4:8000::/64 fe80::5efe:10.3.16.78
     27    286 2002:3e95:46b4:8000:0:5efe:10.3.49.180/128
                                        On-link
     27    286 2002:3e95:46b4:8100::/64 fe80::5efe:10.3.16.78
     27    286 2002:3e95:46b4:8101::/64 fe80::5efe:10.3.16.78
     27    286 2002:3e95:46b5::/64      fe80::5efe:10.3.16.78
     14    281 fe80::/64                On-link
     27    286 fe80::5efe:10.3.49.180/128
                                        On-link
     14    281 fe80::1144:68f:b1d6:3b85/128
                                        On-link
      1    306 ff00::/8                 On-link
     14    281 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    This is the NRPT:


    DNS Effective Name Resolution Policy Table Settings

    Note: DirectAccess settings would be turned off when computer is inside corporate network

     

    This is the IPConfig results:

     


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : LNS003-11303
       Primary Dns Suffix  . . . . . . . : altuwairqi.com.sa
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : altuwairqi.com.sa
       System Quarantine State . . . . . : Not Restricted


    Wireless LAN adapter Wireless Network Connection 2:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
       Physical Address. . . . . . . . . : 00-24-D7-0E-B1-1D
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
       Physical Address. . . . . . . . . : 00-24-D7-0E-B1-1C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::1144:68f:b1d6:3b85%14(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.3.49.180(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.240.0
       Default Gateway . . . . . . . . . : 10.3.48.77
       DHCPv6 IAID . . . . . . . . . . . : 335553751
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-77-B0-43-00-26-2D-FC-BE-EC
       DNS Servers . . . . . . . . . . . : 10.3.16.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-26-2D-FC-BE-EC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Bluetooth Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 78-DD-08-B2-9B-A6
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{21D90EEA-5299-4657-B572-87F865CB3A10}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{3DC87501-FC5B-44EC-BD33-5DB9594B706D}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:3e95:46b4:8000:0:5efe:10.3.49.180(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.3.49.180%27(Preferred)
       Default Gateway . . . . . . . . . : fe80::5efe:10.3.16.78%27
       DNS Servers . . . . . . . . . . . : 10.3.16.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{0AE4A501-5F14-4ABF-932C-3A898180B584}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{CF4F26B7-E19B-4DE8-A99E-4C81B93ADF63}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

     

    This is the DNS state:


    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Inside corporate network

    Direct Access Settings                : Configured and Disabled

    DNSSEC Settings                       : Not Configured

     

    Note: I have a DNS A record named "ISATAP" that I created before I started the UAG deployment; it resolves to the NLB IP of the internal legs of the UAG servers. Should I keep it?

     

    Thanks

     

    Monday, October 24, 2011 1:38 PM
  • Hi again,

    Based on the information in your post it is not the DirectAccess tunnels that are active.
    Can you describe your internal setup a little bit more in detail?

    For example, what subnets do you have?

    Based on the information I assume your clients are in the network: 10.3.48.0/20 default gw: 10.3.49.180

    What IP ranges are on your server network?

    And can you check which IPv4/IPv6 addresses are listed in DNS for your Fileserv01 and post them here also?

    //Jonas Blom

     

     

    Tuesday, October 25, 2011 8:19 AM
  • Hi,

    Jonas is right, we need a bit more info on how your clients get their IPv6 addresses.

    It seems to me you are using ISATAP on your LAN. If this is the case the clients will request an ISATAP address.

    By default the UAG server is working as an ISATAP router if you have the inside NIC of the UAG configured on IPv4.

    But if your servers and clients have an IPv6 address from the same ISATAP router they should be in the same subnet and be able to communicate directly with each other. So to me it looks like they are going via your ISATAP router because they think they have to.

    We would need a further look into the IP ranges your client and server use to be able to determine this.

    Final note: I see your client has 5 ISATAP adapters... I would first use the Device Manager on this machine and remove the unneeded 4. Or remove all and reboot.

    Arjan

    Thursday, October 27, 2011 7:04 AM
  • Do you notice a speed difference when you try to RDP via IPv4 address instead of hostname? When you are on an ISATAP connected client machine (such as this one) and you are connecting to an ISATAP connected server then because IPv6 has priority over IPv4, your server name in the RDP client will resolve to the AAAA record in DNS and will therefore flow those packets over the ISATAP layer. Try using RDP to the same server by punching in its IPv4 address directly. If it is considerably faster accessing it this way, then you can try focusing on why the ISATAP IPv6 connection is slower than a direct IPv4 connection. Also important to note - when you receive an ISATAP address from a UAG server, it then turns your client's default IPv6 route to be the internal interface of the UAG server, that is why you see the traffic flowing through there, that is by design.

    ISATAP is an IPv6 to IPv4 to IPv6 tunneling protocol - when the traffic leaves your machine it is IPv6 packets being encapsulated into IPv4 headers, which then flow over your IPv4 network, but upon hitting the endpoint server those packets are once again extracted. Obviously this equates to overhead. It could be that overhead (and maybe overtaxed hardware on the UAG server?) are causing a slowness in this process.

    Thursday, October 27, 2011 12:30 PM
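
Added example (not part of the original thread): a longest-prefix-match check over the IPv6 route table the client posted, showing which next hop Windows would pick for a neighbour in the same ISATAP /64 and which IPv4 address is embedded in that next hop. `SERVER` is a constructed address, since FileServ01's address never appears in the thread; the function names are illustrative.

```python
import ipaddress

GW = "fe80::5efe:10.3.16.78"  # IPv6 default gateway from the posted route table
# (ifindex, metric, prefix, gateway) copied from the client's IPv6 active routes
ROUTES = [
    (27, 286, "::/0", GW),
    (1, 306, "::1/128", "On-link"),
    (27, 4126, "2002::/16", GW),
    (27, 286, "2002:3e95:46b4::/64", GW),
    (27, 38, "2002:3e95:46b4:8000::/49", GW),
    (27, 38, "2002:3e95:46b4:8000::/64", GW),
    (27, 286, "2002:3e95:46b4:8000:0:5efe:10.3.49.180/128", "On-link"),
    (27, 286, "2002:3e95:46b4:8100::/64", GW),
    (27, 286, "2002:3e95:46b4:8101::/64", GW),
    (27, 286, "2002:3e95:46b5::/64", GW),
    (14, 281, "fe80::/64", "On-link"),
    (27, 286, "fe80::5efe:10.3.49.180/128", "On-link"),
    (14, 281, "fe80::1144:68f:b1d6:3b85/128", "On-link"),
]
CLIENT = "2002:3e95:46b4:8000:0:5efe:10.3.49.180"  # from the posted ipconfig
SERVER = "2002:3e95:46b4:8000:0:5efe:10.3.16.50"   # constructed sample, same /64

def isatap_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP interface ID, else None."""
    packed = ipaddress.IPv6Address(addr.split("%")[0]).packed
    # ISATAP interface IDs are 0000:5efe:a.b.c.d (private) or 0200:5efe:a.b.c.d
    if packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return str(ipaddress.IPv4Address(packed[12:]))
    return None

def next_hop(dest, routes=ROUTES):
    """Pick the route by longest prefix, then lowest metric."""
    d = ipaddress.IPv6Address(dest)
    hits = [(ipaddress.IPv6Network(p), m, gw, i) for i, m, p, gw in routes
            if d in ipaddress.IPv6Network(p)]
    net, _, gw, ifindex = max(hits, key=lambda h: (h[0].prefixlen, -h[1]))
    return str(net), gw, ifindex

def explain(dest):
    """Summarise the forwarding decision and the IPv4 endpoints of the tunnel."""
    prefix, gw, ifindex = next_hop(dest)
    on_link = gw == "On-link"
    return {"prefix": prefix, "ifindex": ifindex, "on_link": on_link,
            "tunnel_ipv4_next_hop": isatap_ipv4(dest if on_link else gw)}

if __name__ == "__main__":
    for name, addr in (("server", SERVER), ("client itself", CLIENT)):
        print(name, explain(addr))
```

The /64 that both hosts share is installed with a gateway rather than as on-link, so the best match for the server is the route via `fe80::5efe:10.3.16.78`, whose embedded IPv4 address is 10.3.16.78; that is consistent with the first hop seen in the tracert output.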