Installing DirectAccess on TMG 2010 Enterprise - Cannot Ping IPV6 Addresses from The DirectAccess/TMG Server

  • Question

  • Hi All,

    I have an already existing TMG 2010 deployment and just deployed DirectAccess on the same server. Prior to this installation, I had to run the net stop fweng command to stop the TMG 2010 Services.

    After the installation, I had to do a restart of the box. I do not have IPV6 records created for the TMG 2010 box, nor for the Domain Controller.

    My guess is that the IPV6 functionality is not yet active on the TMG 2010 box since it denies all IPV6 ping requests.

    Any help to get me to fix IPV6 issues on my box will be appreciated.

     

    Best Regards,

    Ifeatu


    Ifeatu Osegbo
    Thursday, January 12, 2012 10:33 PM

All replies

  • Also, I have opened the DA Management and I am getting this error:

    "None of the internal DNS servers <IPv6 address> that DirectAccess client computers use for name resolution is responding. This prevents DirectAccess clients from resolving names in the internal namespace and connecting to the internal network. Make sure the DNS servers are online and responding to name resolution requests."

    Also, I do not see any IPv6 entry on the DNS Server.

    Thanks.


    Ifeatu Osegbo
    Thursday, January 12, 2012 11:27 PM
  • Hi,

    I do not believe that what you are trying will ever succeed. The IPv6 support in TMG is very limited; the only support for IPv6 exists in order for UAG DirectAccess to work.

    Although the above is not listed as you describe on the unsupported configurations page for TMG, do note the following section:

    Forefront TMG does not support IPv6 traffic

    Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

    Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

    Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).

    (from http://technet.microsoft.com/en-us/library/ee796231.aspx#bvdf45dsf45)

     

    You will be much better off using UAG for this. I know it is more expensive but the above just won't work.

    Note: the above about unbinding IPv6 only applies when using TMG as a standalone product, not when you install UAG where TMG is installed to protect UAG and provide basic functionality.


    Hth, Anders Janson Enfo Zipper
    Friday, January 13, 2012 9:28 AM
  • There is an article out there written by Marc Grote on configuring a TMG box as a DirectAccess server:

    http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-configure-Forefront-TMG-DirectAccess-Server.html

    However, like Anders I strongly recommend using UAG to publish your DirectAccess. UAG has so many benefits in the DirectAccess arena over native DA, which is what you would be using if you configure it on a TMG box.

    Also, if you set it up this way you would likely be the only person in the world doing it and if you run into trouble down the road support could prove to be difficult.

    Friday, January 13, 2012 4:55 PM