Changing public IPs - DirectAccess ramifications RRS feed

  • Question

  • We are going to be changing to a different ISP, so different public IPs.  What are the ramifications of doing that when I change them on the UAG?  Does each directaccess client need to update its group policy again?  Will the clients even notice? 
    Friday, November 18, 2011 1:48 PM


  • Yes, unfortunately the client machines will need a way to get their group policy refresh before they will connect over DA again. The reason for this is a combination of things:

    1. Teredo points directly to an IP address, so until it gets the new settings it will not connect.

    2. IP-HTTPS is DNS driven, so when you swing the public DNS record, the IP-HTTPS tunnel should reestablish automatically. However, that is not enough for a successful DA tunnel. There are two pieces of the puzzle when establishing IPsec tunnel - the transition tunnel (IP-HTTPS which should connect) and the IPsec tunnel connection rules, which like Teredo point to a particular IP address. So even though IP-HTTPS will likely connect, the IPsec tunnels will not be able to form themselves over that transition tunnel.

    An ISP change like this has been successfully accomplished by a number of folks, and the most common way of dealing with the clients who are not coming into the office to get their gpupdate is to use UAG to publish SSTP VPN as an application on a UAG portal. That way when the DA stops working because they need their new Group Policy settings, you can instruct the users to simply log into the UAG portal which launches the SSTP VPN connection, which then gives them access to do a gpupdate /force, and then you're all set.

    • Marked as answer by MarkBrand Friday, November 18, 2011 3:07 PM
    Friday, November 18, 2011 2:27 PM