Allow Ping?

  • Question

  • This site

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-firewalls-and-tmg-settings/

    states that,

    If you cannot ping the external interface of the UAG server then DirectAccess will not work, so let’s start there. To add a custom rule, open the Forefront TMG console (not UAG) and select “Firewall Policy” on the left.  Scroll down to the bottom and highlight the “Last” rule.  Now right click “Firewall Policy” from the left side and select “New” > “Access Rule”.

    I haven't seen any info from Microsoft stating that DirectAccess will not work if ping isn't allowed on the external nic. Could somebody please verify if this is indeed a requirement and is true.

    Thanks,

    Todd

    Thursday, February 17, 2011 10:12 PM

Answers

  • Ping is required on intranet hosts to support Teredo.

    If you're using ISATAP, or native IPv6 on the intranet, then you need to allow IPv6 ping.

    If you're using NAT64/DNS64, then you need to allow IPv4 ping.

    You don't have to enable it for the entire intranet. You can enable it only for the machines that you want the DirectAccess clients to connect to. In addition, if you're using Force Tunneling, then you don't need to enable ping at all, since Teredo will never be used - with Force Tunneling, you only use IP-HTTPS.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Tuesday, May 17, 2011 10:57 PM
    Friday, February 18, 2011 4:52 PM
    Moderator
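One way to turn Tom's rule set above into a per-host firewall step, as an added example that is not part of this thread or of the guide it discusses (the rule names, the -Transition and -RemoteIP parameters and the -Apply switch are my own assumptions; the netsh advfirewall syntax is standard):

```powershell
# Added example, not from the thread. Run on each intranet host that
# DirectAccess clients must reach; it adds only the echo-request rule
# that Tom's reply says the chosen transition technology needs.
param(
    [ValidateSet('IPv6', 'NAT64', 'ForceTunnel')]
    [string]$Transition = 'IPv6',   # IPv6 = ISATAP or native IPv6 intranet
    [string]$RemoteIP = 'any',      # optional: scope to the DA client prefix
    [switch]$Apply                  # without -Apply, only print the command
)

switch ($Transition) {
    'IPv6' {
        # ISATAP / native IPv6: Teredo needs ICMPv6 echo request (type 128)
        $rules = @(@{ Name = 'DA-Allow-ICMPv6-Echo'; Proto = 'icmpv6:128,any' })
    }
    'NAT64' {
        # NAT64/DNS64: the echo arriving at the host is IPv4 (ICMPv4 type 8)
        $rules = @(@{ Name = 'DA-Allow-ICMPv4-Echo'; Proto = 'icmpv4:8,any' })
    }
    'ForceTunnel' {
        # Force tunneling uses IP-HTTPS only; Teredo is never used
        $rules = @()
    }
}

if ($rules.Count -eq 0) {
    Write-Output "Force tunneling: no ping rule is required on intranet hosts."
}

foreach ($r in $rules) {
    $args = @('advfirewall', 'firewall', 'add', 'rule',
              "name=$($r.Name)", 'dir=in', 'action=allow',
              "protocol=$($r.Proto)", "remoteip=$RemoteIP")
    if ($Apply) {
        Write-Output "Applying: netsh $($args -join ' ')"
        & netsh @args          # requires an elevated prompt
    } else {
        Write-Output "Would run: netsh $($args -join ' ')"
    }
}
```

Without -Apply the script only prints the netsh command, so it can be reviewed before any host is changed.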
  • Thanks for the clarification Tom!  I've updated the guide.

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-firewalls-and-tmg-settings/

    Anyone else?  I'm open to further criticism.  I just want it to be accurate so let me know your opinion.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    • Marked as answer by Erez Benari Tuesday, May 17, 2011 10:57 PM
    Saturday, February 19, 2011 12:13 AM

All replies

  • Hi Todd,

    You should be able to PING the IPv6 address, but not the IPv4 address I believe... http://technet.microsoft.com/en-us/library/ee809062.aspx

    Adding PING access rules in TMG is an unnecessary step IMHO, unless you are testing/troubleshooting pure IPv4 connectivity issues...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, February 18, 2011 12:45 AM
    Moderator
  • Thanks.
    Friday, February 18, 2011 7:01 AM
Jason is right and I need to update the guide to reflect that. You should not need to modify the TMG rules to allow ping unless you want to be able to ping it. The statement that "DirectAccess will not work" without ping is just wrong. Thanks for pointing it out!
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Friday, February 18, 2011 4:29 PM
  • Hi Shannon,

    Great! Looks good to me so far.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 21, 2011 2:27 PM
    Moderator
  • When using UAG with DNS64/NAT64, DirectAccess clients trying to connect to the UAG Server with Teredo will fail since they are not able to ping the UAG address (Its needed to determine the NAT type) and they will fall back automatically to IP-HTTPS. I believe you need to enable ping to the UAG external IP address to connect using Teredo.
    Monday, November 28, 2011 10:49 AM
    Moderator
A very nice article for troubleshooting DirectAccess and Teredo connectivity.

    http://technet.microsoft.com/en-us/library/ee844188(WS.10).aspx

    Monday, December 5, 2011 6:40 AM
    Moderator