Direct Access - Teredo not working

  • Question

  • Hi

    We have upgraded our DA server from Win 2008 R2 to Win 2012 R2 and re-configured it from only IP-HTTPS (1 NIC) to a 2 NIC setup with external IPs so we could enable Teredo.
    We have run the command in PowerShell to enable Teredo and after a reboot Teredo shows green, as do the rest of the services.

    Clients are not connecting using Teredo but instead use IP-HTTPS.
    Teredo port UDP 3544 is opened in/out in the firewall.
    Also ICMPv4 is opened to the DA server and I can ping internal resources from the DA server.

    My account here is not verified so I am not able to paste any images from the DA client troubleshooter.

    I get everything green on the DA troubleshooter and the Teredo interface is up, but it states no default gateway found for Teredo Tunneling Pseudo Interface; it also reports this for the IP-HTTPS interface, but this one works.
    Also the client DA troubleshooter reports Teredo interface status is online.

    I ran this from our client pc (Windows 10).

    netsh interface teredo show state

    Type : Enterpriseclient
    Servername : (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port : unspecified
    State : Qualified
    Client Type: teredo host-specific relay
    Network: managed
    NAT: restricted (port)
    NAT Special Behaviour: UPNP: No, PortPreserving: Yes

    Local Mapping : IPAddress: 52534
    External NAT Mapping : IPAddress: 52534

    I am lost on what to do next to get Teredo working.


    • Edited by Elefanten Monday, February 19, 2018 2:56 PM
    Monday, February 19, 2018 12:31 PM

All replies

  • When you say you "upgraded" from 2008R2 to 2012R2, do you mean you did an in-place upgrade? Or you prepped a new 2012R2 server and then configured DirectAccess fresh on it? There is no supported upgrade method from one to the other; you really do need to stand up a new server and then fully reconfigure DA.

    That being said, Teredo only comes fully online on the server side if your NIC settings are all square when running through the DA config wizards. As with any dual-NIC install of DA, you need to make sure there is only a Default Gateway on the External NIC (no Default Gateway on Internal NIC). This means you'll have to input static routes into the Windows routing table in order to communicate properly with the internal network, since it won't have a Default Gateway.

    Teredo requires two consecutive public IP addresses on the External NIC. This is also an important point: there have to be two and they have to be consecutive, or Teredo won't work.

    If all of the networking is done properly when running the DA config wizards, there is never anything special you need to do in order to enable Teredo. You never have to manually "enable Teredo" - it will be enabled by default when you follow the Edge deployment path with proper NIC settings, so if you had to take some manual steps in order for Teredo to show enabled, it is my guess that something was misconfigured with the networking on this server in the first place.

    Sorry to throw so much at you in one post, but networking is critical to making DA work properly. :) In the end, once the server is configured properly and Teredo is self-enabled on the server side, you will certainly still have some clients connect via IP-HTTPS. Anytime that a client computer is sitting in a network (home, coffee shop, wherever) where UDP is blocked, Teredo will be unable to connect and the client will fall back on using IP-HTTPS in those kinds of networks.

    Thursday, February 22, 2018 3:19 PM
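The two server-side prerequisites named in the reply above (a default gateway only on the external NIC, and two consecutive public IPv4 addresses on it) can be checked from an elevated PowerShell prompt on the DA server. This is an added example, not from the thread or from Microsoft; it assumes the interface aliases "External" and "Internal" and uses only the built-in NetTCPIP, NetworkTransition and RemoteAccess cmdlets.

```powershell
# Added example: sanity-check dual-NIC DirectAccess networking for Teredo.
# Assumption: interface aliases "External" and "Internal" (adjust as needed).
param(
    [string]$ExternalAlias = 'External',
    [string]$InternalAlias = 'Internal'
)

function ConvertTo-UInt32 ([string]$Ip) {
    # Integer form of a dotted-quad address so adjacent addresses differ by 1.
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [array]::Reverse($b)   # little-endian host order for BitConverter
    return [System.BitConverter]::ToUInt32($b, 0)
}

function Test-PrivateIPv4 ([string]$Ip) {
    # RFC 1918 ranges only; a rough "is this address public?" filter.
    $n = ConvertTo-UInt32 $Ip
    return ($n -ge (ConvertTo-UInt32 '10.0.0.0')    -and $n -le (ConvertTo-UInt32 '10.255.255.255')) -or
           ($n -ge (ConvertTo-UInt32 '172.16.0.0')  -and $n -le (ConvertTo-UInt32 '172.31.255.255')) -or
           ($n -ge (ConvertTo-UInt32 '192.168.0.0') -and $n -le (ConvertTo-UInt32 '192.168.255.255'))
}

# 1. A default gateway (0.0.0.0/0) must exist only on the external NIC.
$gwIfaces = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty InterfaceAlias -Unique
if ($gwIfaces -contains $InternalAlias) {
    Write-Warning "Internal NIC '$InternalAlias' has a default gateway; remove it and add static routes to internal subnets instead."
}
if ($gwIfaces -notcontains $ExternalAlias) {
    Write-Warning "External NIC '$ExternalAlias' has no default gateway."
}

# 2. The external NIC needs two consecutive public IPv4 addresses for Teredo.
$ext = @(Get-NetIPAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
         Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) } |
         Sort-Object { ConvertTo-UInt32 $_.IPAddress })
$consecutive = $false
for ($i = 1; $i -lt $ext.Count; $i++) {
    if (((ConvertTo-UInt32 $ext[$i].IPAddress) - (ConvertTo-UInt32 $ext[$i - 1].IPAddress)) -eq 1) { $consecutive = $true }
}
if (-not $consecutive) {
    Write-Warning "External NIC does not hold two consecutive public IPv4 addresses (found: $($ext.IPAddress -join ', '))."
}

# 3. Show what the server itself reports about Teredo (RemoteAccess module required for the second line).
Get-NetTeredoState
Get-RemoteAccess -ErrorAction SilentlyContinue | Select-Object TeredoState
```

If the script prints no warnings but clients still fall back to IP-HTTPS, the remaining cause is usually the client-side network blocking UDP 3544, as the reply notes.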
  • You can try to disable HTTPS with the client GPO, if you specifically want to use Teredo. I believe HTTPS is the most desired DA protocol though.

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Saturday, February 24, 2018 8:04 PM