Where to put ISATAP router in GSLB DA? RRS feed

  • Question

  • Hi,

    We are planning an external load balanced 2012 DA array with Manage Out capability.  One external load balancer will be placed outside the DA Gateways (internet facing), the other inside (corpnet facing).  Our internal network is IPv4 with no plans to upgrade to IPv6.  My question relates to where to place the ISATAP router role.  The choice is: on one DA Gateway, on all the DA Gateways, or on a separate dedicated server?

    Davies' Understanding IPv6 (3rd Ed) p.321 says:

    "A Windows Server 2012-based ISATAP router can now use virtual IP addresses (VIPs). This allows you to configure ISATAP router to use Windows Network Load Balancing (NLB) in a cluster."

    Does this mean we can make all DA Gateway servers ISATAP routers and add a VIP to the inner hardware load balancer and it will split ISATAP traffic to the multiple ISATAP routers?

    Many thanks

    • Edited by Calliper Wednesday, January 29, 2014 12:48 PM
    Sunday, January 19, 2014 7:07 PM

All replies

  • Hi,

    That's an interesting subject.

    Yes ISATAP can rely on NLB for high availability scenarios. But i'm not sure you can colocate DA Gateway with ISATAP routers.

    Moreover, the real challenge is how a client computer located on your LAN will be able to initiate IPv6 communication throught the DirectAccess Gateway to witch targeted DirectAccess client connected to (NLB does not have information about this). From a NLB point of view all nodes can provide IPv6 connectivity as they are up and running but witch DirectAccess Gateway is the good endpoint? That's a tricky question. 

    My two cents : For thoses scenarios I have another answer. Why do not initiate remote control from a DirectAccess client connected to Internel. We just need to secure communication between both clients with additional IPv6 tunnels. From a support point of view, if DirectAccess client used by the support team is able to operate in DirectAccess, DirectAccess Gateway may not be the root cause of user problems. That close many troubleshooting hypothesis.

    Hope my two cents can help.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, January 20, 2014 4:31 PM
  • Hi,

    Thanks for your response.  Yes this blog:


    says "In this scenario, there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on either DirectAccess servers"

    So since we are using a load balancer on the internal network (as well as outside the DA servers), we should enable ISATAP on one ("either"), but not all DA servers?  Can someone confirm?

    According to F5, a record of the DA Gateway a DA Client is connected to can be stored in a table on the inner load balancer device through the use of iRules.  Are you saying that instead of using Manage Out, your support teams use a DirectAccess Client themselves and initiate a connection (eg RDP) DA Client --> DA Client?

    Many thanks.

    • Edited by Calliper Wednesday, January 29, 2014 12:48 PM
    Tuesday, January 21, 2014 10:53 PM
  • Hi,

    Yes that's another approach. The only point to consider is to create connection security rules to protect protocols (Windows remote Assistance, SCCM remote control, RDP). With this scenario you dont need to have ISATAP on your LAN.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, January 24, 2014 9:13 AM
  • Hi Benoit,

    "You don't need ISATAP on your LAN".  Indeed F5 are now saying they can only guarantee their iRules solution will work with a native IPv6 network, and a PoC is needed for Manage Out to work with ISATAP. 

    Many thanks.

    • Edited by Calliper Wednesday, January 29, 2014 1:56 PM
    Wednesday, January 29, 2014 12:52 PM
  • Hi,

    Even nowdays deploying IPv6 remain painfull. It's not because an equipment is "IPv6 ready" certified that it's manufacturer support all scenarios. ISATAP is tricky because it's an IPv6 flow in a Ipv4 wrap.

    Manage-out scenario requires an IPv6 or ISATAP network connectivity, that's right, Your DirectAccess client only understand IPv6 when connected on Internet. It does not means this only come from the internal LAN. With my approach a DirectAccess client connected on Internet is used to initiate remote control to another DirectAccess clients connected on Internet.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, January 29, 2014 2:24 PM