ISATAP now an unsupported option?

  • Question

  • Initial intent was to implement IBCM for Config Mgr.  Research and contributing members of this forum assert that the DA route is the better option with both functionality and user experience in mind.

    Initial scoping call with Microsoft PFE resulted in proposing the DA scenario with ISATAP...mainly to support management tasks initiated CM server side.  He noted that he has set this type of thing up many times and was the route for clients in our situation (Lack of IPv6 support).

    As a caveat, he mentioned that it was no longer a supported configuration and would receive no support if troubleshooting resulted in a support call to MS...

    I'd love to confirm the following to aid management in making a decision on how to move forward.  Essentially, we've got some managed mobile devices which are not communicating with CM and falling out of patch compliance the longer they remain away from intranet...

    1.)  Need to confirm that ISATAP is really ONLY required if we need to remotely initiate connections for assistance (remote control/client push).  If the client & security teams are happy that client initiated requests for updates/software are functional and systems are getting managed.  The lack of instant remote connectivity shouldn't be a deal breaker.

    2.) What are people's experiences with this scenario (DA & ISATAP)?  Should we be concerned that MS is no longer endorsing it?

    3.) WHY is Microsoft no longer endorsing it?  The MS PFE couldn't explain why, yet was still selling the idea to us...

    Thank you in advance.


    Jay D

    Monday, October 28, 2013 7:47 PM

Answers

  • Thanks for the response and info...

    IPv6 is basically our issue... we are not there yet.  This would be the reason for the ISATAP config, but the servers would still need the IPv6 addresses, but would be provisioned from ISATAP server...  Specifically for the "manage out" capabilities.

    From what I understand, a DirectAccess implementation WITHOUT ISATAP would allow for clients with the Config Manager client agent to continue to be managed... in the sense that all client-initiated requests are functional...

    So, what you're suggesting is that if the servers (CM12 and Domain Controllers) had IPv6 addresses, in a DirectAccess setup, the client should be able to communicate... or that the "manage out" capabilities exist without ISATAP?


    Jay D

    • Marked as answer by Jason Deary Wednesday, March 26, 2014 5:44 PM
    Friday, November 1, 2013 5:05 PM

All replies

  • I believe I've been able to get closer...   Anyone, feel free to correct me.

    1.)  ISATAP is required for what I've described, now known to be referred to as "manage out" scenario.  Outbound initiated connections require the ISATAP to translate the request due to the lack of reverse NAT functionality.

    3.) I'm beginning to understand that it was never intended for more than a transition technology as environments implement native IPv6 solutions.

    Fantastic article by Tom Shinder:  He basically describes how it still has its place in the DA "manage out" scenario...

    http://blogs.technet.com/b/tomshinder/archive/2010/10/01/is-isatap-required-for-uag-directaccess.aspx


    Jay D

    Monday, October 28, 2013 9:02 PM
  • Hi,

    This is not a supported scenario for Microsoft.

    But I can give you some information.

    1.     Please confirm all the resources involved in DA have IPv6 addresses and can be accessed from DC.
    2.     Then, install the Configuration Manager Client manually on the remote client to see whether the client could get the right site code by itself. If so, I think most of the components and features might work.

    Best Regards,

    Joyce Li



    Thursday, October 31, 2013 1:22 AM
    Moderator
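
An added example, not part of the original thread: one way to run the "do all resources have IPv6 addresses" check from the reply above over an address inventory, telling native IPv6 apart from ISATAP-derived addresses (interface identifier `0000:5efe` or `0200:5efe` followed by the IPv4 address, per RFC 5214). Host names and addresses are constructed, and ignoring link-local addresses is an assumption made here.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214):
# 0000:5efe for private IPv4 addresses, 0200:5efe for globally unique ones.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)

def isatap_ipv4(addr):
    """Return the embedded IPv4 address if addr is an ISATAP address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF          # low 64 bits = interface identifier
    if (iid >> 32) in ISATAP_MARKERS:
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None

def classify_host(addresses):
    """Classify a host's addresses as 'native-ipv6', 'isatap-only' or 'ipv4-only'."""
    has_isatap = False
    for a in addresses:
        ip = ipaddress.ip_address(a)
        # Assumption: link-local and loopback addresses do not count,
        # because they are not routable across the intranet.
        if ip.version == 4 or ip.is_link_local or ip.is_loopback:
            continue
        if isatap_ipv4(a) is not None:
            has_isatap = True
        else:
            return "native-ipv6"
    return "isatap-only" if has_isatap else "ipv4-only"

# Constructed inventory (2001:db8::/32 is the documentation prefix).
INVENTORY = {
    "cm01": ["10.1.2.10", "fe80::5efe:10.1.2.10", "2001:db8:0:1:0:5efe:10.1.2.10"],
    "dc01": ["10.1.2.5", "2001:db8:0:2::5"],
    "file01": ["10.1.2.20", "fe80::1c2d:3e4f:5a6b:7c8d"],
}

def audit(inventory):
    """Map each host name to its classification."""
    return {host: classify_host(addrs) for host, addrs in inventory.items()}

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as `isatap-only` depend on the transition technology for their IPv6 reachability; hosts reported as `ipv4-only` have no routable IPv6 address at all.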