Encountered problems in migration from UAG 2010 to DA 2012

  • Question

  • All,

    I'm migrating our environment from UAG 2010 to DA 2012. I'm testing the configuration with a laptop that sits outside our perimeter on the same /24 as both the old and new DA servers. The old and new servers have their own two consecutive public addresses.

    This machine has a freshly installed OS (8.1) - but I encountered the same problem before I reinstalled.

    In both cases, I had the machine configured to use the UAG 2010 server via membership in the appropriate groups, verified that this worked, and then removed it from the UAG 2010 security groups for the clients, and added the machine to the designated security groups for DA 2012.

    Problem 1) The new GPO configured everything, except that the gateway address for the old UAG 2010 server remains in the routing table. I can manually change that using netsh, but that approach doesn't scale at all. Is there a way with a GPO to fix this?

    Problem 2) 6to4 isn't disabled on the client (because I'm testing, and using a public IP address on the client), but when I manually disable it with netsh, IP-HTTPS still shows as disabled. (IP-HTTPS isn't listed in ipconfig before disabling 6to4 either). How do I enable that?

    Any thoughts on how to fix these problems would be appreciated.


    Friday, April 8, 2016 9:18 PM
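    As an added illustration of the two checks the question raises (this is not code from the thread or from Microsoft): the script below shows the client's 6to4 and IP-HTTPS state with the same netsh contexts the poster uses, then lists any IPv6 route whose next hop is still the old UAG gateway and, only when explicitly enabled, removes it. $OldUagGateway is a placeholder; run it elevated, and it can be dropped into a GPO startup script if the manual netsh fix is to be scaled out.

```powershell
# Added example (not from the thread). Inspect DirectAccess transition state and
# find/remove a lingering IPv6 route that still points at the old UAG 2010 server.
# Run in an elevated PowerShell on the DirectAccess client.

$OldUagGateway = 'PLACEHOLDER-old-UAG-gateway-IPv6'   # next hop shown by 'route print -6' for the old server
$Remove        = $false                                # set to $true only after reviewing the routes listed

# 1. Transition technology state. IP-HTTPS and 6to4 have their own netsh contexts;
#    ipconfig only shows an IP-HTTPS interface once it is actually up.
Write-Host '--- 6to4 state ---'
netsh interface 6to4 show state
Write-Host '--- IP-HTTPS interfaces ---'
netsh interface httpstunnel show interfaces

# 2. IPv6 routes whose next hop is the old gateway (the ones the new GPO leaves behind).
$stale = Get-NetRoute -AddressFamily IPv6 -ErrorAction SilentlyContinue |
         Where-Object { $_.NextHop -eq $OldUagGateway }

if (-not $stale) {
    Write-Host "No IPv6 route via $OldUagGateway found."
    return
}

Write-Host "Routes still pointing at $OldUagGateway:"
$stale | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

# 3. Remove them only when $Remove is set, so a dry run is the default.
if ($Remove) {
    foreach ($r in $stale) {
        Remove-NetRoute -DestinationPrefix $r.DestinationPrefix -NextHop $r.NextHop `
                        -InterfaceIndex $r.InterfaceIndex -Confirm:$false
        Write-Host "Removed $($r.DestinationPrefix) via $($r.NextHop)"
    }
}
```

    Routes pushed by DirectAccess policy can be re-added on the next policy refresh, so verify with a second gpupdate that the old gateway stays gone.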

All replies

  • Hi,

    Did you try to restart the IpHlpSvc service on the DirectAccess client to force a refresh of the configuration? For the second point: by default, 6to4 is always enabled. It's your choice to disable it with an additional GPO.

    Best regards.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, April 10, 2016 2:16 PM
  • Yes, I've tried restarting the IP Helper service, and even rebooting. The old address still lingers.

    Two things stand out to me regarding this problem:

    1) When I ping a machine over the new DA connection, I get a very different IP address (starts with fd5a:) than when I ping over the old DA connection (starts with 2002:) and

    2) Regardless of my inability to ping machines (or make other connections such as file browsing) when on the new DA connection, I can still do a gpupdate from the client, and get the update. I haven't broken out wireshark yet, but I'm guessing I'm getting the update over the old tunnel.

    Regarding my second problem - I'm afraid I didn't state it clearly. I wasn't asking about enabling/disabling 6to4, rather I was asking about IP-HTTPS, because I'm not seeing how to enable that on the client - the server says the protocol is active in its own config.

    Thanks for your quick reply over a weekend.


    Sunday, April 10, 2016 8:49 PM
  • Hi,

    For point 1, it's a change between the UAG DirectAccess client GPO implementation and W2K12/2K12R2.

    If you are using your DirectAccess server behind a NAT device and consequently using private IPv4 addresses on the external network adapter, as opposed to public IPv4 addresses, the IPv6 prefix will be in the form of: FD##:####:####:7777::/96 as per RFC 6147. The DA client IPv6 prefixes for Teredo and IP-HTTPS will also follow a similar structure when using private IPv4 addresses. (source: http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html)

    For point 2: Not logical. If your computer account is no longer a member of the UAG DirectAccess security group (and you performed a GPUPDATE), you should not be able to use the old tunnel. It seems to be the case, so your computer might be a member of the legacy security group.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 13, 2016 8:29 PM
  • Benoit,

    Sorry for the late reply - things got weird at work last week. Here's what I know so far:

         - Neither of my two DA servers is behind a NAT - and thank you for the pointer to that article, but it seems not to exist anymore.

    Here's what I discovered after much experimentation:

         - I've used the same laptop, and installed Win7, Win8.1 and Win10, and get the same symptoms each time.

         - When I'm at home with the test laptop, both DA tunnels work very well - I'm using an RFC1918 address and NAT at home. I get response to ping over both tunnels, and have access to all the required resources. I can switch back and forth between the tunnels at will by making the laptop a member of the required group (and removing the group for the other DA server), then doing a 'gpupdate /force' at least once, then rebooting.

         - When the laptop has a public IP address (and I use the same one each time, for each OS) on the same external /24 subnet as the two DA servers, and have the machine in the group required for using the old DA server (UAG 2010 SP1), I am able to ping and get responses, and all resources are available.

         - When the laptop is using the new DA server, I do seem to have access to resources, but I get no response to pings, although the name does resolve.

    I have to wonder what's so special about a public IP address that causes this - but I don't have another public IP address (that's not on the same /24 as the DA servers) easily available to do further testing, and I further have to wonder what the impact will be when I work on implementing manage out capability.


    Monday, April 18, 2016 8:19 PM
  • Hi,

    It would be interesting to enable IPSEC logging on the DA client: auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable

    I suspect that the IPSEC tunnel does establish for a reason. Have a look for event IDs 4653, 4654, 4684 for detailed information.

    Best regards.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 19, 2016 8:12 PM
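    As an added example of carrying the suggestion above through (not code from the thread or from Microsoft): this script enables the same audit subcategories with auditpol, then pulls the event IDs named in the reply from the Security log and summarises them by ID, failure reason and remote address. The Quick Mode subcategory is added because 4654 is logged there; the XML field names matched with wildcards are an assumption about the 4653/4654 event schema.

```powershell
# Added example (not from the thread). Enable IPsec negotiation auditing on the
# DirectAccess client and summarise the resulting Security-log events.
# Run in an elevated PowerShell on the client.

# 1. Same auditpol command as in the reply above, with Quick Mode added so that
#    4654 (IPsec quick mode negotiation failed) is captured as well.
auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode" /success:enable /failure:enable

# 2. Event IDs as listed in the thread. 4653 = main mode negotiation failed,
#    4654 = quick mode negotiation failed; 4684 is kept as given above.
$ids   = 4653, 4654, 4684
$hours = 4

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-$hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events with IDs $($ids -join ', ') in the last $hours hours."
    return
}

# 3. Flatten each event's EventData into a row. Field names such as
#    RemoteNetworkAddress / FailureReason are matched loosely (assumption).
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $remote = ($data.GetEnumerator() | Where-Object { $_.Key -like '*Remote*Address*' } | Select-Object -First 1).Value
    $reason = ($data.GetEnumerator() | Where-Object { $_.Key -like '*Reason*' }          | Select-Object -First 1).Value
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Remote = $remote
        Reason = $reason
    }
}

# 4. Counts per ID, then per (ID, remote, reason) so a repeating failure stands out.
$rows | Group-Object Id | Sort-Object Name |
    ForEach-Object { '{0,6} x event {1}' -f $_.Count, $_.Name }
$rows | Group-Object Id, Remote, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

    A clean run with no rows, as the original poster later reports, means the negotiations are not failing; repeated 4653 rows against the new server's address are what would point at a Main Mode (certificate or Kerberos) problem.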
  • Benoit,

    I've configured IPSec logging, and have rebooted.

    I'll check the logs and see what I can find, and report back.


    Tuesday, April 19, 2016 8:30 PM
  • Benoit,

    This is very weird.

    Last night I took the laptop home, and it connected to the new DA server, as expected, and everything worked.

    Today I placed the laptop on a public IP address, and it's getting responses to pings over DA just fine. And, as expected because of this behavior, I'm not seeing any events from the increased logging.

    I'm not sure what the problem was, but it seems to have disappeared.

    Cue the Twilight Zone theme, but I'm going to move forward with testing on real users.


    • Proposed as answer by BenoitSMVP Friday, April 29, 2016 7:45 AM
    Tuesday, April 19, 2016 11:38 PM