ISATAP Router connectivity for INTRANET resources...they still show fe80 addresses.

  • Question

  • So, in following various troubleshooting documents, it has led me to this point.

    I worked through the article DirectAccess Client Cannot Access Intranet Resources, which led me to the section To troubleshoot why an intranet ISATAP host does not configure an ISATAP address because the intranet resources I've allowed both show a fe80 ipv6 address (meaning they are not getting configured via the ISATAP router).

    I was able to walk through all of its steps without errors.  I did have to alter it slightly as I'm not using ISATAP fully, but limited mode with a custom ISATAP DNS name that is pointing to the DA server internal IP address.

    The next section in the article To troubleshoot an ISATAP router is where I run into issues.  I go through the process, using my customized ISATAP name, which pings, etc.  I get to step 8 and this is where it goes off the rails.

    I do a `netsh interface ipv6 show interfaces`.  I have TWO interfaces with the name isatap.longstringoflettersandnumbers, which each represent one of the two NICs in the server (one public, one internal).  The document states it should be the intranetDNSSuffix.  So, I added the DNS Suffix to both NICs and rebooted the DA Server.

    Question: should these be listed as isatap.something, or should they be my custom isatapname.something?

    My understanding is ISATAP.DOMAINsuffix is blocked globally by default unless I unblock it (which I haven't).  I'm using a custom ISATAP name, let's say customISATAP.DOMAINSuffix.  I have a GPO set up to enable ISATAP and point them to my custom ISATAP entry for restricted systems.  I can verify they get those settings because their ISATAP state is enabled and they have the custom ISATAP as their router.

    But...they are not getting routable ipv6 addresses.

    My configuration is as follows:

    NLS - 2012 R2 Server

    DA - 2012 R2 Server with Win 7 access turned on.  Dual NIC, one internal and one external.  External points to a F5 then out to the wild.  Dashboard shows all green for status in my DA.

    PKI - Set up and configured.  Certs assigned (I believe, but I don't think certs will stop ISATAP from assigning the correct IPv6 IP).

    Win 7 Enterprise Test DA client - Can connect and shows as connected, but the only resource I can get to is the domain controller; I can access the sysvol and netlogon folders.  I cannot access other intranet resources.

    Thanks for any assistance.

    Tuesday, July 22, 2014 5:13 PM
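    The symptom described above (ISATAP interfaces that only hold an fe80 address) can be checked mechanically from `netsh interface ipv6 show addresses` output. The following is an added example, not code from the thread; the netsh output it parses is constructed, and the interface names, addresses and prefix (2002:c000:203:1::/64) are assumptions chosen to mirror the question.

```python
import ipaddress
import re

# Constructed sample of `netsh interface ipv6 show addresses` output (not from the
# thread): interface 12 only received a link-local ISATAP address (the failure the
# question describes); interface 14 was configured by the ISATAP router and also
# holds a global address under the DirectAccess prefix.
SAMPLE_NETSH = """\
Interface 12: isatap.corp.example.com

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite fe80::5efe:10.0.0.25%12

Interface 14: isatap.{ABCDEF01-1234-5678-9ABC-DEF012345678}

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred     infinite   infinite 2002:c000:203:1:0:5efe:10.0.0.30%14
Other      Preferred     infinite   infinite fe80::5efe:10.0.0.30%14
"""

IFACE_RE = re.compile(r"^Interface \d+: (?P<name>\S+)")

def parse_isatap_addresses(text):
    """Return {interface_name: [IPv6Address, ...]} for interfaces named isatap.*"""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            name = m.group("name")
            current = name if name.lower().startswith("isatap.") else None
            if current:
                result[current] = []
            continue
        parts = line.split()
        if current and len(parts) == 5 and ":" in parts[-1]:
            try:  # strip the %zone index before parsing
                result[current].append(ipaddress.IPv6Address(parts[-1].split("%")[0]))
            except ValueError:
                pass
    return result

def embedded_ipv4(addr):
    """IPv4 carried in an ISATAP interface ID (::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z), else None."""
    n = int(addr)
    if (n >> 32) & 0xFDFFFFFF != 0x00005EFE:  # mask out the u/l bit (0x0200)
        return None
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def isatap_status(text):
    """'ok' if an ISATAP interface holds a non-link-local address, else 'link-local-only'."""
    return {name: ("ok" if any(not a.is_link_local for a in addrs) else "link-local-only")
            for name, addrs in parse_isatap_addresses(text).items()}
```

    Run against real output saved from the DA server or a client, a `link-local-only` result means the host never learned a prefix from the ISATAP router, which is the state the question reports.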

All replies

  • I had the same issue with a very similar configuration - DA Win2012 R2 server behind a F5 load balancer. My ISATAP clients would only receive a fe80 address.

    In the end I gave up on ISATAP as it's not supported in load balanced environments. See http://technet.microsoft.com/en-au/library/dn464274.aspx

    "If ISATAP is deployed in a multisite, load balancing, or multidomain environment, you must remove it or move it to a native IPv6 deployment before you configure DirectAccess."

    I'm still looking for solutions. I'm thinking about standing up a Windows server to be an IPv6 router to provide native IPv6 for the servers that need it.

    Wednesday, July 23, 2014 12:08 PM
  • Hi there - it is a recommended route to not use ISATAP, as Matt suggested. The option / process I use which always works is to use a management server with a static IPv6 address (read native IPv6, as recommended). The easiest way is as follows. Go to your configured DirectAccess Server and note the IPv6 address ending in 3333::1. Now go to your management server and open up your LAN connection. Let's assume your management server is on Open the IPv6 TCP properties and add a static IPv6 address. Paste the IPv6 address from the DA Server in and change the last digit (3333::1) to 3333::10 to match the IPv4 digit. Set the mask to /64, /96 or /128 as per the DA Server. Paste the IPv6 address of the DA Server as the default gateway. Leave DNS alone. Then go back to the DA Server, choose infrastructure and remove your management server. Apply the settings to write the GPO. Re-add the management server and apply the GPO. Then reboot the management server, check DNS for an IPv6 address and you are good to go.

    john davies

    Friday, July 25, 2014 9:27 PM
  • That will work if you have 1 DirectAccess server. But what if you have several in a load balanced farm?
    Friday, July 25, 2014 10:18 PM
  • The question was raised about a singular DirectAccess Server and the answer given accordingly. However, in the case of a load balanced cluster the same principle / principles apply. The best way of achieving this is to stand up a dedicated server as the ISATAP router using the /59 prefix, or instructing the management clients to use the VIP of the internal load balanced leg.

    john davies

    Saturday, July 26, 2014 5:35 AM