How to handle DirectAccess clients on a foreign network with an ISATAP router?

  • Question

  • DirectAccess Teredo configured as "Enterprise Client".

    Most DirectAccess users work fine. Some are at home behind a DSL line, some work on customer sites (which drops them into a variety of scenarios!) and in general, DirectAccess just works, failing back to IPHTTPS where necessary. Marvellous. But, I have an odd situation where some DirectAccess users just don't work. After investigation, it turns out that they are sitting on a customer network who also has DirectAccess and who also has therefore an ISATAP router. I noticed that the DirectAccess clients report as Teredo Host Specific Relays and IPHTTPS was deactivated. This particular customer indulged me by temporarily disabling their ISATAP router. Bingo! The DirectAccess clients (after a reboot) became Teredo Clients and it all worked. (We double checked this by switching the ISATAP router back on - clients stopped working after a reboot, switched it off and they started working again and so on.)

    If the client is configured as a Teredo "Client" instead of "Enterprise Client" then Teredo doesn't fire up, IP-HTTPS starts and it all also works fine in this situation.

    How best to handle this? Should I set all my clients back to "Client" using group policy? (I don't want a separate group policy and OU for these clients because, unsurprisingly, users won't know if they're going to a customer with an ISATAP router, so I need to keep all the clients the same.) Most blogs I read say to use Enterprise Client as a best practice, but unless I'm missing a simple setting elsewhere in the config, it seems that this scenario is Enterprise Client's Achilles' heel and it should never be used?

    Any idea / thoughts?

    • Changed type M.a.r.k.T. _ Saturday, September 15, 2012 9:27 AM Mistakenly selected Discussion!
    Thursday, September 13, 2012 6:41 PM

Answers

  • Hi

    Your DirectAccess clients are discovering the ISATAP router because this name is registered in the local DNS. One way to avoid this problem is to configure your DirectAccess clients to look for a specific ISATAP router using another name. Jason Jones has an excellent blog article on this: http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html. With this configuration your clients will no longer try to use the ISATAP name.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by M.a.r.k.T. _ Saturday, September 15, 2012 9:27 AM
    Friday, September 14, 2012 10:18 AM

All replies

  • Hi,

    Haven't come across the situation that you are describing myself so only post this as a suggestion on something to test to fix your problem.

    What happens if you disable ISATAP on your client(s)?
    (netsh interface isatap set state disabled)

    If disabling the ISATAP-router fixes your problem, disabling it on the client would be one of my first things to test.

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, September 13, 2012 6:59 PM
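    The two mitigations discussed in this thread (disabling ISATAP on the client, or pointing the client at an ISATAP router name that you control rather than the default "isatap" record any network can publish) can be checked and applied from the client side. The following PowerShell script is an added example, not code from the thread or from the linked blog posts. It uses the netsh interface isatap and teredo commands that exist on Windows 7 and later; the router name isatap-da.corp.example.com is a placeholder for whatever name you register in your own internal DNS for your own ISATAP router. Run it in an elevated prompt; without -Apply it only reports.

```powershell
# Added example (not from the thread): show which transition technology a
# DirectAccess client is using, show what the bare name "isatap" resolves to on
# the current network, and optionally pin the client to an ISATAP router name
# you control. "isatap-da.corp.example.com" is a placeholder to be replaced.
param(
    [string]$RouterName = "isatap-da.corp.example.com",
    [switch]$Apply
)

function Get-TransitionState {
    # Collect what the client currently believes about ISATAP and Teredo.
    # netsh returns one string per output line; join them for a compact view.
    New-Object PSObject -Property @{
        IsatapState  = ((netsh interface isatap show state)  | Where-Object { $_ }) -join ' | '
        IsatapRouter = ((netsh interface isatap show router) | Where-Object { $_ }) -join ' | '
        TeredoState  = ((netsh interface teredo show state)  | Where-Object { $_ }) -join ' | '
    }
}

function Test-IsatapNameResolves {
    # Resolve the unqualified name "isatap" through the client's normal DNS suffix
    # search list, which is how the client discovers a router by default. On a
    # foreign network that also runs DirectAccess this returns their router.
    try {
        [System.Net.Dns]::GetHostAddresses('isatap') | ForEach-Object { $_.IPAddressToString }
    } catch {
        @()   # no such record on this network: nothing for the client to discover
    }
}

Write-Output "Current transition state:"
Get-TransitionState | Format-List | Out-Host

$found = @(Test-IsatapNameResolves)
if ($found.Count -gt 0) {
    Write-Output "'isatap' resolves on this network to: $($found -join ', ')"
} else {
    Write-Output "'isatap' does not resolve on this network."
}

if ($Apply) {
    # Keep ISATAP enabled so manage-out over IPv6 still works on the corporate LAN,
    # but make the client look only for the router name you control. The same
    # setting can be pushed by GPO: Computer Configuration > Administrative
    # Templates > Network > TCPIP Settings > IPv6 Transition Technologies >
    # "Set ISATAP Router Name".
    netsh interface isatap set router $RouterName
    Write-Output "ISATAP router name set to $RouterName"
    Get-TransitionState | Format-List | Out-Host
}
```

    Run with -Apply only after the chosen name is registered in your own DNS and resolves from inside the corporate network; otherwise the client will find no ISATAP router anywhere and will rely on Teredo or IP-HTTPS even when on the LAN. The equivalent of Jonas's suggestion, if you prefer to disable ISATAP outright, is netsh interface isatap set state disabled, with the manage-out consequence described later in the thread.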
  • @Jonas Blom: Hmmm - interesting idea. I confess I haven't tried it (because of the next reply in the thread), but I'm curious: would that disable managed-out for those clients? (I know: I could try it, but it's easier if someone else already knows the answer!)

    @BenoitS: Awesome! I had totally forgotten that the hard-coded "isatap" A record could be overridden. That's an excellent solution as it allows us to carry on using Teredo (and therefore of course Enterprise Client). As an aside, I'm not sure about disabling ISATAP internally for the servers as that means that all traffic will go via NAT64 instead of native IPv6, but I guess that's for admins that don't like IPv6. Anyway, job done - many thanks.

    Saturday, September 15, 2012 9:25 AM
  • Hi again,

    A comment to your question.
    Yes, if you disable the ISATAP interface on your Windows 7 clients, they would not be able to perform manage-out.

    (Since the client won't have an IPv6 address when it's on your client LAN, it would not have IPv6 connectivity.)

    The important part is that you found a solution that fixes your problem :)

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Saturday, September 15, 2012 10:46 AM