Need help getting teredo working for Direct Access

  • Question

  • Anyone mind letting me know where we're going wrong on getting teredo working?  It's currently working with IPHTTPS

    Server 2012
    Two consecutive public ips with NAT to two consecutive dmz ips.   Shows public on direct access server's firewall
    one internal nic
    3544 udp inbound/outbound on main firewall

    I try to enable teredo on the DA server and get:  Teredo cannot be enabled when the Remote Access Server is located behind a NAT device.

    Any ideas appreciated.

    Thank you

    Friday, May 9, 2014 3:14 PM

All replies

  • Hi

Teredo requires two consecutive DMZ IPv4 addresses to be configured on the DirectAccess server itself, not the edge device. If you want to try, let's have a look at this RFC: http://www.rfc-editor.org/rfc/rfc6598.txt. It describes a public IPv4 address range that is not routable on the Internet. Might be useful in your case. As this range is not one of those documented in RFC 1918, the DirectAccess Server will recognize public IPv4 addresses.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Saturday, May 10, 2014 7:49 AM
  • The message you are getting is accurate, the fact that you are doing NAT on the public addresses means that Teredo cannot work. You can either setup a publicly-addressed DMZ, or you can bypass your firewall and put your DirectAccess server in parallel to your firewall. (Plug the external NIC right into the internet.) This may not be totally desirable for a regular DirectAccess server, but I do it all the time with hardened DA appliances.

    The key point is that your DirectAccess server must have two consecutive public IP addresses on the External NIC - they have to be the actual public addresses.

    • Proposed as answer by BenoitSMVP Thursday, May 22, 2014 8:28 PM
    Thursday, May 22, 2014 8:25 PM
  • Hi,

    Jordan is right (I really need some rest these days).

My proposal would only work if no translation mechanism was configured. But it worked multiple times during UAG DirectAccess projects where customers wanted HLB/NLB but did not want to pay for IPv4 public addresses used as DIP on UAG boxes when they were not connected to the Internet. So no Teredo for you :)

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, May 22, 2014 8:32 PM
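The two replies above boil down to three checks the DirectAccess wizard applies before it allows Teredo: the two external addresses must be consecutive, neither may fall in an RFC 1918 range, and the server must not sit behind NAT. The script below is an added illustration of that logic, not code from Microsoft or from any poster in this thread. It also flags the RFC 6598 shared address space (100.64.0.0/10) that BenoitS mentions: it passes an RFC 1918 check, but it is not Internet-routable, so clients could still not reach the server over Teredo. The address values used are constructed documentation addresses, and `check_teredo_prerequisites` is a hypothetical helper name.

```python
import ipaddress

# RFC 1918 private ranges: the DirectAccess wizard treats these as non-public.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space (carrier-grade NAT). Not RFC 1918, but not routable on the Internet.
RFC6598_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_ipv4(addr):
    """Return 'rfc1918-private', 'rfc6598-shared', 'special' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 address expected")
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918-private"
    if ip in RFC6598_NET:
        return "rfc6598-shared"
    # Loopback, link-local, multicast, 240/4 and 0.0.0.0 are never usable as a Teredo server address.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "special"
    return "public"


def check_teredo_prerequisites(first, second, behind_nat):
    """Hypothetical pre-flight check mirroring the wizard's Teredo requirements.

    Returns a dict with 'ok', 'errors' (blocking) and 'warnings' (non-blocking but
    worth knowing about before relying on Teredo in production).
    """
    errors, warnings = [], []
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(second)

    # Requirement 1: the two external addresses must be consecutive (second = first + 1).
    if int(b) - int(a) != 1:
        errors.append(f"{a} and {b} are not consecutive")

    # Requirement 2: neither address may be RFC 1918; warn on RFC 6598 / special ranges.
    for ip in (a, b):
        kind = classify_ipv4(ip)
        if kind == "rfc1918-private":
            errors.append(f"{ip} is an RFC 1918 private address")
        elif kind == "special":
            errors.append(f"{ip} is in a special-use range")
        elif kind == "rfc6598-shared":
            warnings.append(f"{ip} is RFC 6598 shared space: passes the RFC 1918 check but is not Internet-routable")

    # Requirement 3: the addresses must be bound on the external NIC itself, not translated at the edge.
    if behind_nat:
        errors.append("server is behind a NAT device: Teredo cannot be enabled")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed scenarios: the original poster's topology (NAT to DMZ) and a correct one.
    for args in (("192.168.10.5", "192.168.10.6", True),
                 ("100.64.0.10", "100.64.0.11", False),
                 ("203.0.113.10", "203.0.113.11", False)):
        print(args, check_teredo_prerequisites(*args))
```

Running it against the poster's topology (RFC 1918 DMZ addresses behind NAT) produces three blocking errors, while two consecutive, untranslated public addresses produce none; the RFC 6598 case passes the wizard-style check but carries the reachability warning.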
  • I have seen this topology working (over Teredo) when the perimeter firewall is configured in transparent mode. 
    Monday, July 14, 2014 4:28 PM