Reach DirectAccess clients from on-premise servers

  • Question

  • Hi, we have a DirectAccess setup which uses IPHTTPS (no ISATAP, 6to4 or Teredo) with one internal interface, so it uses NAT. Everything is working fine, but I'm trying to reach my DirectAccess clients from a server, which I can't get to work. I followed this guide http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html. I'm able to ping:

    • from direct access server to ipv6 of internal server
    • from internal server to ipv6 prefix:3333::1 of direct access server
    • from direct access server to direct access client
    • from direct access client to ipv6 prefix:3333::1 of direct access server

    But I'm still unable to ping a DirectAccess client from the internal server or the reverse. I guess the DirectAccess server would then be acting as a router with one leg on the Ethernet interface and one leg on the IPHTTPS interface.

    Does anyone know how to do this or has another solution for my setup?

    Thursday, January 29, 2015 3:35 PM

Answers

All replies

  • HI,

    It looks like forwarding / advertising is not configured on your DirectAccess Gateway network interface. Can you provide the result of NETSH.EXE INTERFACE IPV6 SHOW INTERFACE <ID of DirectAccess Gateway network interface>? There are two parameters named forwarding and advertise. Forwarding manages the routing and advertise handles how routes are advertised to other hosts.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, January 30, 2015 7:37 AM
  • Hi, thanks for your reply. Actually I tried that yesterday; I enabled advertising and routing on my LAN interface and IPHTTPS interface. This is the result of the netsh command for the LAN interface on the DA server:

    Interface Trusted Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_7
    IfIndex                            : 12
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 15000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : enabled
    Advertising                        : enabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : enabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Friday, January 30, 2015 8:22 AM
  • Hi

    Last point: did you enable the required firewall rules on the DirectAccess client? Because it's incoming traffic that was not initiated by the client, you must enable the NAT-Traversal option. It's the edge-traversal option in the Advanced tab. It's only applicable to incoming protocols.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, January 30, 2015 12:29 PM
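An added PowerShell check (not from the thread or from the blog posts linked in it) that covers both points raised above: the Forwarding/Advertising state of the IPv6 interfaces on the DA server, and the edge-traversal setting on the inbound ICMPv6 echo rules of a client. The interface aliases `Ethernet` and `IPHTTPSInterface` are assumptions; adjust them to your environment.

```powershell
# Added diagnostic, not part of the original thread. Run elevated.
# Section 1 is meant for the DirectAccess server, section 2 for a DirectAccess client.
param(
    # Assumed aliases of the LAN and IPHTTPS interfaces on the DA server.
    [string[]]$InterfaceAlias = @('Ethernet', 'IPHTTPSInterface')
)

# 1. Forwarding and Advertising on the IPv6 interfaces. This is the PowerShell
#    equivalent of "netsh interface ipv6 show interface <ifIndex>" quoted above;
#    both must read Enabled for the DA server to route LAN <-> IPHTTPS.
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -in $InterfaceAlias } |
    Select-Object ifIndex, InterfaceAlias, ConnectionState,
                  Forwarding, Advertising, AdvertiseDefaultRoute |
    Format-Table -AutoSize

# 2. Enabled inbound rules that match ICMPv6 echo request (type 128) and the
#    edge-traversal policy attached to each. Manage-out pings arrive unsolicited
#    through the IPHTTPS tunnel, so a rule with EdgeTraversalPolicy = Block will
#    not let them through even though it appears enabled.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'ICMPv6' -and
                           ($_.IcmpType -like '128*' -or $_.IcmpType -eq 'Any') } |
            ForEach-Object {
                [pscustomobject]@{
                    Rule                = $rule.DisplayName
                    Profile             = $rule.Profile
                    EdgeTraversalPolicy = $rule.EdgeTraversalPolicy
                }
            }
    } | Format-Table -AutoSize
```

Rows in the second table showing `Block` are the rules whose Advanced tab still needs the edge-traversal option changed.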
  • Hi, I tried this now, still no luck.
    Thursday, February 5, 2015 8:41 AM
  • Hello,

    With your configuration, the DirectAccess server should be used as an ISATAP router.
    Have you configured your internal servers to receive an IPv6 address using ISATAP?

    Gerald

    Thursday, February 5, 2015 9:00 AM
  • Hi Gerald,

    No I didn't; following the article (http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html) it looked like it wasn't necessary. Anyway, I guess that will be my next step now. Thanks!

    Thursday, February 5, 2015 9:01 AM
  • Hi,

    What you want to do is a part of the Manage-Out configuration for DirectAccess.

    On the top of your article, there's a link you can use (http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html) because it's not recommended to deploy ISATAP addresses on all your infrastructure.

    As BenoitS said before, you'll also need to be sure that your clients are able to respond to ICMPv6 because it may be disabled in your client's firewall by default.

    If you want to use the Remote Assistance, you'll need to create extra rules in your client's firewall to allow an internal server/workstation to be able to contact a DirectAccess client connected from outside your corporate network.

    Gerald


    Thursday, February 5, 2015 9:30 AM
  • Jason Jones' blog post was designed to be used with IPv6 network connectivity. If IPv6 is not yet deployed on your internal network then you need ISATAP. Limiting ISATAP is a best practice because ISATAP-enabled clients will register both IPv4 and IPv6 addresses in DNS. Most problematic, because all your ISATAP-enabled clients are using the same DirectAccess router (DirectAccess gateway), they all share the same IPv6 prefix. From an AD topology point of view, they are all on the same subnet. This could lead to major problems because when two hosts try to communicate, they will try to resolve IPv6 if possible, then IPv4.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, February 5, 2015 12:33 PM
  • If you're looking for Remote Assistance (MSRA), you have two choices:
    Offer remote assistance from the LAN to DirectAccess clients (ISATAP/IPv6 approach):
     http://danstoncloud.com/blogs/simplebydesign/archive/2014/03/12/directaccess-remote-management-from-padawan-to-jedi.aspx
     http://danstoncloud.com/blogs/simplebydesign/archive/2014/03/20/directaccess-remote-management-from-jedi-knight-to-master-seating-at-the-jedi-council.aspx

    Offer remote assistance to a DirectAccess client from another DirectAccess client:
     http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx

    The second approach is better because:
    there is no need to discuss IPv6 with the network team;
    it is fully compatible with multisite / HLB / GSLB scenarios.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by DS_Kevin Thursday, February 5, 2015 12:44 PM
    Thursday, February 5, 2015 12:42 PM