UAG DA - external ISATAP routing / Multi-site question

  • Hi all,

    I'm hoping to find some assistance on configuring an external ISATAP router for use with UAG DirectAccess. There's not much out there, and the stuff I have found has been difficult to understand given my relative inexperience with ipv6.

    Backstory:

    We have a functioning UAG/DA server. Works well. For various other reasons, we need to migrate to a new server. This is a production box, so unfortunately I can't just shut it down and build a new one - we need the new one to co-exist for a period to test and to migrate users onto. Once completed, the original box will be rebuilt, moved to our secondary DC, and configured for multi-site DA.

    I have built the new DA server, and converted a test laptop over to it, but ran into problems. The user-mode tunnel wouldn't come up, citing authentication errors, and referencing the ISATAP address of the original UAG server. From what I can tell, the internal ISATAP routing was (predictably) a mess, which is what was stopping the new platform from working.

    I'm hoping if I can set up the external ISATAP router now, we can build on it later for the multisite deployment.

    So far, I have read:

    http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part1.html

    http://www.windowsnetworking.com/articles_tutorials/configuring-isatap-router-windows-server-2008-r2-part2.html

    http://www.squarecontrol.com/index.php/infodex/17-networking/13-isatap-in-the-windows-operating-system

    http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html

    http://technet.microsoft.com/en-us/library/ff625682%28v=ws.10%29.aspx

    http://social.technet.microsoft.com/Forums/en/forefrontedgeiag/thread/8bfc76ef-7f4b-413a-9fcb-0b5504945eee

    I've noticed that most of the old The Edge Man multi-site and ISATAP articles have been removed, along with any reference to the multi-site TLG that was in development. I'm guessing that this functionality is getting rolled into Windows 8 (hence the appearance of the Win 8 Multi-site DA guide in the list above), and the focus is being taken off existing Server 2008 deployments.

    Progress so far:

    The second article (Configuring ISATAP Router Part 2) has been most helpful, and I've been following it along to configure my new dedicated ISATAP router. However, my environment is not really mirroring what Deb has in her article. To start with, Deb's ISATAP adapter on her ISATAP router has been configured with an ISATAP-prefixed IPv6 address. Mine is stubbornly refusing to move from "Media State : Media Disconnected". I have an IPv6 ISATAP address configured on my LAN adapter (mirroring Deb's configuration), but no dice.

    I have a dedicated Windows Server 2008 R2 vm - BNE-ISATAP-01. It is configured with a single NIC. The IPv4 addressing is all correct.

    I have decided to use the following prefix for the internal ISATAP address space: 2002:1234:5678:8000

    LAN Adapter = interface 12. ISATAP Adapter = interface 13.

    Have run:

    netsh int ipv6 set int 13 advertise=enabled

    netsh int ipv6 add route 2002:1234:5678:8000::/64 13 publish=yes

    netsh int ipv6 set int 12 forwarding=enabled

    netsh int ipv6 set int 13 forwarding=enabled

    netsh int ipv6 add route ::/0 12 nexthop=2002:1234:5678:8000::1 publish=yes

    It's my intention to set the ipv6 address on the new UAG server to the 2002:1234:5678:8000::1 address.

    I have not yet added in any routes for the Teredo or IP-HTTPS address spaces on either UAG server to the ISATAP cloud.

    Logically, I think I have it laid out in my mind, it's just the actual ipv6 routing and addressing that's confusing me. Unfortunately the diagram in the article above is a bit too small to be legible - I suspect that would answer most questions.

    Questions:

    • I'm not sure if I should be using the 2002:1234:5678:8000 prefix for the ipv6 addresses on the UAG server's internal interfaces, or if I should be generating a different internal ipv6 address for them?
    • Likewise, I don't know if I should be installing a second NIC in my ISATAP router vm, and assigning a non-ISATAP address to that.

    Any help that anyone can provide will be graciously accepted. My gut feeling tells me it should actually be quite simple to set up. However the fact that I'm running into so many problems suggests that maybe I'm being a bit too ambitious.

    Thoughts/suggestions/ideas?

    Cheers,

    Matto :)


    Matto Cairns, QLD, AUS

    Wednesday, April 18, 2012 7:59 AM

All replies

  • This is not the answer to your questions but just a comment.

    1. We disabled ISATAP routing with our DirectAccess POC since we did not like how our IPv6 traffic was being routed. It turns out that Microsoft is not recommending ISATAP going forward with Windows Server 2012 DA (Windows Server 8).

    http://technet.microsoft.com/en-us/library/hh831658.aspx


    ISATAP is not recommended for use as the IPv6 to IPv4 transition technology in DirectAccess in Windows Server “8” Beta. If Forefront UAG is configured to use ISATAP, it is recommended to disable it, and use NAT64 instead.

    With ISATAP disabled, DirectAccess clients can initiate connections to computers on the internal network, and the computers on the internal network are able to respond. However, computers on the internal network will not be able to initiate connections to DirectAccess clients for purposes of remote client management. If you want to be able to perform remote client management, consider deploying native IPv6 for management servers that will connect to DirectAccess client computers.

    Wednesday, April 18, 2012 12:19 PM
  • Your initial configuration for the external ISATAP router deployment does not look healthy.

    Make sure you have two IPv6 prefixes in your environment.

    One is for native IPv6 connectivity between the UAG server and the external ISATAP router.

    The second is the virtual ISATAP prefix for your intranet, which is used for automatic IP assignment to the ISATAP adapters of your intranet resources.

    As I understand it, you haven't assigned a native IPv6 prefix to the LAN NICs of UAG and the ISATAP router. Instead you applied an ISATAP IP (2002:1234:5678:8000::1) manually on the UAG server's LAN NIC. That may be causing a route conflict in your routing table.

    Refer to the article below for multi-site deployment with an external ISATAP router:

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/12/01/supporting-business-continuity-disaster-recovery-and-multi-site-scenarios-with-uag-2010-rtm-and-uag-2010-service-pack-1.aspx

    Vafran

    Wednesday, April 18, 2012 2:18 PM
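    The following is an added example (not posted by Matto, Vafran or anyone else in this thread) that puts the original netsh procedure and Vafran's two-prefix advice together on the ISATAP router. The interface numbers (12 = LAN adapter, 13 = ISATAP adapter) and the ISATAP prefix 2002:1234:5678:8000::/64 come from the thread; the native prefix 2002:1234:5678:1::/64, the router's IPv4 address 192.0.2.10 and the UAG internal address 2002:1234:5678:1::1 are assumed placeholders to be replaced with your own values.

```powershell
# Added example, not the thread's own configuration. Assumed values:
#   interface 12 = LAN adapter of the ISATAP router, interface 13 = its ISATAP adapter (from the thread)
#   2002:1234:5678:8000::/64 = ISATAP prefix handed out to intranet hosts (from the thread)
#   2002:1234:5678:1::/64    = native IPv6 prefix on the link between UAG and the router (assumed)
#   2002:1234:5678:1::1      = native address of the UAG internal NIC (assumed)
#   192.0.2.10               = IPv4 address of the router's LAN NIC (constructed documentation address)

# 1. Native IPv6 address on the router's LAN NIC. The UAG internal NIC gets ::1 in the same /64;
#    neither box carries an address from the ISATAP prefix on its LAN NIC.
netsh interface ipv6 add address interface=12 address=2002:1234:5678:1::2

# 2. Forwarding on both adapters; router advertisements only on the ISATAP adapter.
netsh interface ipv6 set interface interface=12 forwarding=enabled
netsh interface ipv6 set interface interface=13 forwarding=enabled advertise=enabled

# 3. Publish the ISATAP prefix on the ISATAP adapter so intranet hosts autoconfigure
#    addresses of the form 2002:1234:5678:8000:0:5efe:w.x.y.z.
netsh interface ipv6 add route prefix=2002:1234:5678:8000::/64 interface=13 publish=yes

# 4. Default route to UAG over the native link, with a native (not ISATAP) next hop.
netsh interface ipv6 add route prefix=::/0 interface=12 nexthop=2002:1234:5678:1::1 publish=yes

# 5. Tell this host which ISATAP router to use. Intranet clients normally learn it from a
#    DNS A record named ISATAP pointing at 192.0.2.10; setting it explicitly here brings
#    the router's own ISATAP adapter out of "Media disconnected".
netsh interface isatap set router 192.0.2.10

# Verification: interface 13 should now show 2002:1234:5678:8000:0:5efe:192.0.2.10, and the
# route table should contain both the ::/0 entry via interface 12 and the ISATAP prefix on 13.
netsh interface ipv6 show address interface=13
netsh interface ipv6 show route
```

    Keeping the native prefix and the ISATAP prefix separate is what lets UAG's own routes (Teredo, IP-HTTPS and the client prefixes) be added later pointing at the native address of each UAG server without colliding with the ISATAP route; the Windows ISATAP adapter only leaves the Media Disconnected state once the host can resolve an ISATAP router name or has one set explicitly, which is why step 5 is on the router itself.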
  • Kent:

    That's very interesting. I may follow your lead for this test server. There are only a few servers that we really need Manage-Out for. One thing that will trip us up with that plan, however, is that we need to manage-out from different locations, which will mean we need proper internal IPv6 routing (which is not an option for us at this stage).

    How did you disable ISATAP on your DA server? Just disabled the ISATAP adapter?

    Vafran:

    That makes a lot of sense - thanks for your help. I thought I might need to use a separate IPv6 prefix; it's nice to have confirmation of that. I'll set it up now and see how it goes. Thanks again for your help.

    Unfortunately that link doesn't work any more, along with most of Tom's EdgeMan blog posts. Which is a shame - they were very good.

    Thanks to you both for your help - it's much appreciated.

    Cheers!

    Matto :)


    Matto Cairns, QLD, AUS

    Wednesday, April 18, 2012 11:00 PM