RDP to Remote DA client

Answers

  • Reinstalled UAG, verified ISATAP router with above, and I am able to RDP to Direct Access clients.
    Tuesday, March 15, 2011 1:46 PM

All replies

  • From the UAG server, I can RDP to the Direct Access client when it is outside of the corporate network.  This leads me to believe I might have something wrong with my ISATAP setup?  Am I headed in the correct direction?

    My ISATAP router is the inside interface of the UAG server, and it is in DNS.

    Chris

    Monday, March 7, 2011 8:04 PM
  • In order for your internal machines to connect to DirectAccess clients, they must be able to talk IPv6.  Are you trying to connect from a machine that is running Vista or newer?  Have you deployed ISATAP in your environment?

    Unless you are using native IPv6, you will likely want ISATAP to automatically assign IPv6 addresses.  If you can RDP to the DA client from the UAG server then you can skip troubleshooting from the DirectAccess side of things and focus on the inside pieces.

    This post covers some of getting ISATAP to work

    Also, make sure that your DA clients are registering their IPv6 address in DNS.  It's not required but it makes your life easier.  If your DA clients are using dial-up connections (cellular modems) then you have to manually turn on self-registration.

    I hope that helps!

    MrShannon | TechNuggets Blog | Concurrency Blogs
    Monday, March 7, 2011 8:07 PM
  • Shannon -

    I have gone through the ISATAP link you provided, and double checked my work.  I did notice that the create ptr record was not checked, I went ahead and checked the box to create the ptr record.

    While on the Domain Controller, I attempted to RDP to my DA client and I was successful.  When I am on a Windows 7 (with IPv6 configured), I still cannot RDP to the DA client.  I can now PING the DA client when I PING -6 and get replies from the IPv6 address (before I just typed PING, DUH!). The DA client is registering its IPv6 address in DNS.

    So now I am really confused as to why I can RDP from the Domain Controller, but not my Windows 7 IPv6.  The WIN7 machine is a virtual (VMware), just in case that may make a difference.  The DA client is a laptop connected to our external internet.

    With being able to connect from the Domain Controller (which is also a DNS server), that would indicate that ISATAP is set up correctly (along with my firewall rule)? And I may have some crazy issue with my Windows 7 machine?  We don't have other WIN7 machines around right now.  They are waiting on me to get UAG tested and working before the rollout begins.

    Chris

    Monday, March 7, 2011 8:59 PM
  • Yes, I think you are absolutely on the right track!

    Run "ipconfig" on the computer you are trying to RDP from.  If you do not see an ISATAP adapter then your computer does not have an ISATAP assigned IPv6 address and it won't know how to use the ISATAP Router (UAG) to contact the DirectAccess client.  Do an NSLOOKUP for "isatap" and see if it responds with the IPv4 address of the UAG server's internal adapter.  If not, you may need to remove ISATAP from the DNS block list on your DNS servers.

    If you do have an ISATAP IPv6 address, then do an NSLOOKUP of the DirectAccess client and see if it finds an IPv6 address.  If not, then you may need to ensure that the DA client is set to register itself with DNS.

    MrShannon | TechNuggets Blog | Concurrency Blogs
    Monday, March 7, 2011 9:38 PM
  • Shannon - Sorry this reply got long.....

    I think I may have found the problem, but unsure of how to fix it.

    On my WIN7 computer (the one I am trying to RDP from), ipconfig shows my ISATAP router as:

    Tunnel adapter isatap.mydomain: (I have two ISATAP IPv6 addresses?)

       Connection-specific DNS Suffix  . : mydomain.com
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:1:0:5efe:10.81.12.90
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:8000:0:5efe:10.81.12.90
       Link-local IPv6 Address . . . . . : fe80::5efe:10.81.12.90%12
       Default Gateway . . . . . . . . . : fe80::5efe:10.81.12.84%12

    I run a tracert -6 to testdalaptop (Direct Access client)

    Tracing route to testdalaptop.mydomain.com [2001:0:c6ea:2cec:5e:1c50:b489:5740]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  2002:c6ea:2cec:1:0:5efe:10.81.12.84
      2     *        *        *     Request timed out.
      3 

    This is the ipconfig from my domain controller (DC is a DNS server) that I CAN successfully RDP from to testdalaptop

    Tunnel adapter isatap.dnr.state.oh.us:

       Connection-specific DNS Suffix  . : mydomain.com
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:1:200:5efe:156.63.80.139
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:8000:200:5efe:156.63.80.139
       Link-local IPv6 Address . . . . . : fe80::200:5efe:156.63.80.139%12
       Default Gateway . . . . . . . . . : fe80::5efe:10.81.12.84%12

    The tracert from the domain controller:

    Tracing route to testdalaptop.mydomain [2001:0:c6ea:2cec:5e:1c50:b489:5740]
    over a maximum of 30 hops:

      1     1 ms    <1 ms    <1 ms  2002:c6ea:2cec:8000:0:5efe:10.81.12.84
      2    63 ms    72 ms    79 ms  2001:0:c6ea:2cec:5e:1c50:b489:5740

    Trace complete.

    The domain controller is going to the address 2002:c6ea:2cec:8000:0:5efe:10.81.12.84, but the WIN7 computer is hitting 2002:c6ea:2cec:1:0:5efe:10.81.12.84.

    My firewall rule is pointing to the isatap address of:

    Name Description
    Direct Access - Remote Desktop Services Enabled 
    This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module 
    Enabled True
    Program Any
    Action Allow
    Security Require authentication
    Authorized computers 
    Authorized users 
    Protocol 6
    Local port 3389
    Remote port Any
    ICMP settings Any
    Local scope Any
    Remote scope 2002:c6ea:2cec:8000:200:5efe:0.0.0.0/96
    Profile Private, Public
    Network interface type All
    Service All programs and services
    Allow edge traversal True
    Group

    I did change the Remote Scope to the other ISATAP address of 2002:c6ea:2cec:1:200:5efe:0.0.0.0/96, with the same results when using RDP, but I can now do a successful tracert -6 testdalaptop.  Domain Controller can RDP, WIN7 cannot.  I can RDP from my WIN7 computer to the DC, so RDP is working on the WIN7 computer.

    Which ISATAP address should I use?  And more importantly, I am stumped on why this isn't working.  Is there another firewall rule I am missing or need to adjust? 

    The DA client is set to register itself with DNS.  I do not have an IPv6 ISATAP address on my DA client.

    Chris

    Tuesday, March 8, 2011 2:52 PM
  • Can you try testing with a remote scope of your /49 prefix? e.g. 2002:c6ea:2cec::8000/49

    Does this make any difference?

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, March 8, 2011 4:48 PM
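An added check (not from the thread; it uses only Python's standard ipaddress module) that decodes the ISATAP interface IDs pasted above per RFC 5214 and reports which of the three Remote scope values tried in the last two posts (the rule's /96, the alternate /96, and the /49 exactly as typed) admits each host address. Host addresses and scopes are copied from the output above; nothing else is assumed.

```python
import ipaddress

# Constructed from the ipconfig/tracert output pasted earlier in this thread:
# each host holds one ISATAP address under each of the two /64 prefixes seen.
ISATAP_HOSTS = {
    "win7 (:1 prefix)":    "2002:c6ea:2cec:1:0:5efe:10.81.12.90",
    "win7 (:8000 prefix)": "2002:c6ea:2cec:8000:0:5efe:10.81.12.90",
    "dc (:1 prefix)":      "2002:c6ea:2cec:1:200:5efe:156.63.80.139",
    "dc (:8000 prefix)":   "2002:c6ea:2cec:8000:200:5efe:156.63.80.139",
}

# Remote scope values from the firewall rule and the replies above, as typed.
REMOTE_SCOPES = {
    "rule /96 (:8000)": "2002:c6ea:2cec:8000:200:5efe:0.0.0.0/96",
    "rule /96 (:1)":    "2002:c6ea:2cec:1:200:5efe:0.0.0.0/96",
    "suggested /49":    "2002:c6ea:2cec::8000/49",
}


def isatap_embedded_ipv4(addr):
    """Decode an ISATAP interface ID (RFC 5214 section 6.1).

    Returns (ipv4_is_global, embedded IPv4Address), or None if the low
    64 bits do not carry the ISATAP marker.  The marker is 0000:5efe when
    the embedded IPv4 address is private and 0200:5efe when it is public.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    marker, v4 = iid >> 32, iid & 0xFFFFFFFF
    if marker not in (0x00005EFE, 0x02005EFE):
        return None
    return marker == 0x02005EFE, ipaddress.IPv4Address(v4)


def in_scope(addr, scope):
    """True if addr falls inside the firewall Remote scope network."""
    # strict=False tolerates host bits in a typed prefix such as '::8000/49'.
    return ipaddress.IPv6Address(addr) in ipaddress.ip_network(scope, strict=False)


def scope_report(hosts=ISATAP_HOSTS, scopes=REMOTE_SCOPES):
    """Map each host address name to the list of scope names that admit it."""
    return {name: [s for s, prefix in scopes.items() if in_scope(a, prefix)]
            for name, a in hosts.items()}


if __name__ == "__main__":
    for name, a in ISATAP_HOSTS.items():
        print(name, isatap_embedded_ipv4(a), scope_report()[name])
```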
  • Jason -

    It did not work by itself.  I added my WIN7 computer to the Infrastructure Server Config\User Defined Server Groups\Client Management in UAG.  That plus your /49 mask is the only way I can RDP from the WIN7 computer to the DA client.

    From the document I started with above, I didn't see any reference to having to add the WIN7 computer to the Client Management or any other group.

    Chris

    Tuesday, March 8, 2011 8:50 PM
  • No, you shouldn't need to do this for the 'manage out' scenario you describe.

    The group should be used for client management servers (third party systems management server perhaps) and allows access to remote clients using the infrastructure tunnel - this allows management of machines when they do not have an intranet tunnel connection.

    Assuming the client has a valid DA connection (both tunnels active) you should be able to access it from any client machine that is IPv6 capable (native or ISATAP). So, if you cannot do this by default, then something is wrong with your configuration.

    Have a look at this to compare your setup/config: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=385a3144-8e84-4335-896b-a2927e4d46cd

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, March 8, 2011 11:58 PM
  • I thought I had updated this yesterday, but must have forgotten before I left.

    I took my Windows 7 computer out of Client Management in UAG.  I also disabled the GPO for RDP as referenced in my first post.

    I configured a firewall rule as described in the test lab, still without luck.

    I am back to where I started.  I can RDP to Domain Controller, and my Windows 7 computer from the Direct Access client.  I am able to RDP to the Direct Access computer from the DC, but not from my Windows 7 computer.

    I am still confused why on my Windows 7 computer I have two ISATAP addresses:

    Tunnel adapter isatap.mydomain: (I have two ISATAP IPv6 addresses?)

       Connection-specific DNS Suffix  . : mydomain.com
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:1:0:5efe:10.81.12.90
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2cec:8000:0:5efe:10.81.12.90
       Link-local IPv6 Address . . . . . : fe80::5efe:10.81.12.90%12
       Default Gateway . . . . . . . . . : fe80::5efe:10.81.12.84%12

    And why, when I tracert from the Windows 7 computer, it goes through the 2002:c6ea:2cec:1 as opposed to the ~:8000.  When I tracert from the Domain Controller it uses the ~:8000 ISATAP address

    Tracing route to testdalaptop.mydomain.com [2001:0:c6ea:2cec:104a:3ae4:b489:5740]
    over a maximum of 30 hops:

      1     1 ms    <1 ms    <1 ms  2002:c6ea:2cec:1:0:5efe:10.81.12.84
      2   192 ms    97 ms    72 ms  2001:0:c6ea:2cec:104a:3ae4:b489:5740

    Trace complete.

    I have added to FW RDP Scope - 2002:c6ea:2cec:1:0:5efe:10.81.12.84 without luck either.

    I really don't know what to try next.....

    Chris

    Thursday, March 10, 2011 3:03 PM
  • Short of not figuring out why I have two separate ISATAP addresses, I am going to delete everything and start with a fresh UAG install tomorrow.

    My last desperate act was to delete the IPv6 ISATAP address 2002:c6ea:2cec:1:0:5efe using netsh interface ipv6 route delete, which did not work either.

    Thursday, March 10, 2011 9:04 PM
  • Can you come back and tell us how it goes?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 11, 2011 1:18 PM
  • Jason,

    I was checking the DNS servers trying to figure out where my two ISATAP IPv6 addresses came from, and I noticed that all of my IPv6 hosts have a total of three records.  They each have an A host record for the IPv4 address, and they each have two IPv6 host (AAAA) records: one with 2002:c6ea:2cec:8000:0000:5efe:0a51:1032 and one with 2002:c6ea:2cec:0001:0000:5efe:0a51:1032.

    I deleted the DNS record for ISATAP last night from DNS, I have restarted several Windows 7 IPv6 machines and they are getting ISATAP media disconnected as I would expect without an ISATAP DNS record.  I also shut down my UAG server last night, until I figured out why I was getting two ISATAP addresses.

    So far I haven't read anything that would indicate why I have two IPv6 host records.  I could delete the records with 2002:c6ea:2cec:0001:0000:5efe:0a51:1032, but I would rather find out why this occurred.

    I will do some more digging today.

    Chris

    Friday, March 11, 2011 2:38 PM
  • OK, after reading and digging. I may have come up with a "fix".  Since this is a pilot, I uninstalled UAG.  Deleted isatap from DNS.  Deleted a few of my "extra" DNS settings from WIN7 computer I used for testing.

    After the re-setup of my NICs, I used the Test Lab Guides from Tom Shinder and Shannon's Blog on installing UAG as I did before.  But I also found the following commands that I ran on the UAG server.  After running the commands below, I checked my Win7 computers and they are now getting only one ISATAP address as expected, and I have only two DNS records for WIN7 hosts (A record and AAAA record).  So far so good.  Going to proceed on with the UAG install after checking the DNS globalqueryblocklist.

    I wish I had known these commands before I blew away the UAG so I could have verified the settings!  Oh well, practice makes perfect.  Hopefully next week I won't have the same issues as above and will be able to proceed past RDP to work on Management Servers and NAP.

    I made sure ISATAP was enabled:

    netsh interface isatap set state enabled

    Set the ISATAP router on the internal network interface:

    netsh interface isatap set router 10.81.12.84

    Enabled router advertisements on the ISATAP interface (run netsh interface ipv6 show interfaces to get the interface # for isatap):

    netsh interface ipv6 set interface 15 forwarding=enabled advertising=enabled

    To advertise the ISATAP prefix to the ISATAP hosts:

    netsh interface ipv6 add route 2002~~~:8000::/64 15 publish=yes

    Friday, March 11, 2011 8:30 PM
  • Hard to solve that one remotely then ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, March 15, 2011 2:01 PM
  • If you do not see an ISATAP adapter then your computer does not have an ISATAP assigned IPv6 address and it won't know how to use the ISATAP Router (UAG) to contact the DirectAccess client.

    MrShannon | TechNuggets Blog | Concurrency Blogs

    Hi all,

    We have DA set up and a Win 7 client establishes a DA connection to the network fine.  The DA client can also ping and RDP to our SCCM server.

    Problem is that nothing is happening the other way.  MrShannon's quote above says that having an ISATAP adapter is critical.  We don't have one listed on our SCCM server and I don't know why or how to get it on there.  Should I add it manually (the Microsoft ISATAP Adapter) via the hdwwiz.exe tool?

    I found this hotfix which relates, however the article says it's for 2008 R2 Server Core and we are running the full 2008 R2 install.  The symptoms (no ISATAP adapter when you do ipconfig /all) do relate though: http://support.microsoft.com/kb/978309 - however we do have the tunnel.sys file in c:\windows\system32\drivers so I guess this can't be the issue!

    IPv6 is not enabled on our SCCM server - but I gather it doesn't have to be.

    Can anyone help please? 

    Let me know if you need any more information...

    Thanks,
    Rob.

    • Edited by MSIPackager Monday, September 26, 2011 11:50 AM
    Monday, September 26, 2011 11:32 AM
  • Hi all,

    Just wanted to post an update in case it helps others in the future...

    We tried adding the ISATAP adapter via device manager onto the SCCM server as outlined here: http://blogs.technet.com/b/ben/archive/2011/07/20/reinstalling-the-da-interfaces.aspx

    However it came up with an exclamation mark with a "This device cannot start. (Code 10)" error.

    Turns out someone had set a registry key to disable all IPv6 components (don't know why), but changing the value back from ffffffff to 0 allowed us to install the ISATAP adapter, and after a reboot it comes up in ipconfig /all.

    More info on this registry setting here: http://support.microsoft.com/kb/929852

    Note: We didn't need to enable the IPv6 protocol on the adapter to do the above.

    Hope this helps!
    Rob.

    Tuesday, September 27, 2011 11:15 AM