manage-out with native IPv6 client behind IPv6 Firewall

  • Question

  • I have a client that is connected with DirectAccess via UAG over native IPv6 Internet. The Client has a native IPv6 address and is behind an IPv6 firewall, which blocks all incoming traffic.


    Now I noticed that I can't manage this client from the intranet. The Windows Firewall on the client is correctly configured, and when the client is connected with Teredo or IP-HTTPS I can manage it from the intranet.


    Is there any special configuration needed to make the manage-out feature work over native IPv6 connections with IPv6 firewalls between the client and the UAG server?


    Thx in advance

    J0fe

    Thursday, December 23, 2010 12:56 PM

All replies

  • Hi J0fe,

    I didn't think this was a supported UAG DirectAccess scenario.

    Regardless, if you're using IPv6 from end-to-end, then all the devices in the request/response path are going to need to be able to support the connections you want in both directions.

    IP-HTTPS and Teredo aren't used in this scenario - since the DirectAccess client is using native IPv6.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, January 4, 2011 2:39 PM
    Moderator
  • Thx for your answer.

    Maybe my explanation was a bit unclear.

    I know that Teredo and IP-HTTPS are not used when the client is using native IPv6.

    My scenario looks like this:

    W7 DA Client ----- IPv6 Firewall ------ IPv6 Internet ------ UAG ---- LAN

    The IPv6 firewall is blocking new incoming connections from the Internet. I think this is normal for a native IPv6 LAN. Otherwise the LAN would be fully reachable for everyone from the IPv6 Internet…

    So what I want actually to ask:
    Will manage-out functionality in this scenario only work if the IPv6 firewall has rules in place to allow traffic from the UAG to the DA Client?

    My thought was that the manage-out traffic will go through the IPsec tunnel to the client and therefore the firewall shouldn't block it because the IPsec connection is already established. Or is that wrong?

    Thx

    J0fe

    Wednesday, January 5, 2011 1:10 PM
  • Hi Jofe,

    When the intranet server in this scenario tries to connect to the DirectAccess client, it will need to initiate a new connection to the DirectAccess client. Since that client is assigned a globally routable IP address, I suspect that the connection might be made outside the IPsec tunnel.

    Or perhaps the problem is that since the native IPv6 DirectAccess clients are using globally routed addresses, you need to make sure the DirectAccess server is the default gateway to the IPv6 Internet for the management servers that want to manage out.

    HTH,
    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, January 5, 2011 4:37 PM
    Moderator
  • Hi Tom


    The DirectAccess server is the default gateway to the IPv6 Internet for the management server.


    But after some testing I found that I have probably a DNS problem.


    The IP Config of the DA Client shows this:
    Wireless LAN adapter Wireless Network Connection:
       Connection-specific DNS Suffix  . : test.local
       IPv6 Address. . . . . . . . . . . : 2001:430:25:a2:cd0a:cb50:bff5:f884
       Temporary IPv6 Address. . . . . . : 2001:430:25:a2:e9e6:6bf:d56f:87cf
       Link-local IPv6 Address . . . . . : fe80::cd0a:cb50:bff5:f884%12
       Default Gateway . . . . . . . . . : fe80::20d:b9ff:fe18:652c%12

    The local address of the Security Associations is 2001:430:25:a2:e9e6:6bf:d56f:87cf
    So a connection from the management server to the IP 2001:430:25:a2:e9e6:6bf:d56f:87cf works fine.


    But in the DNS the client registers the IP 2001:430:25:a2:cd0a:cb50:bff5:f884, and when I connect to the computer name of the client from the management server it fails.


    Is this DNS registration expected?


    Thx
    J0fe
    Thursday, January 6, 2011 5:41 PM
  • Looks like it is using the temporary IPv6 address for the tunnel endpoint...you can disable the temporary address mechanism using: netsh interface ipv6 set privacy state=disable

    Does this help?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, January 6, 2011 10:13 PM
    Moderator
  • Yes this does help! Thx

    Apparently the temporary address mechanism must be turned off for manage-out over native IPv6.

    I think this should be written somewhere in the TechNet documentation so it is clear.

    Or maybe the behavior of using the temporary IPv6 address for the tunnel endpoint is wrong?

    Thx

    J0fe

    Friday, January 7, 2011 7:16 PM
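    The check below is an added diagnostic for the failure mode worked out in this thread (IPsec tunnel endpoint on a temporary RFC 4941 address while DNS holds the stable address); it is not code from any poster. It assumes the NetTCPIP, NetSecurity and DnsClient modules (Windows 8 / Server 2012 or later), an interface alias and a DNS suffix taken from the ipconfig output above; on the Windows 7 client in the thread the netsh command JJ gives is the equivalent.

```powershell
# Added diagnostic (not from the thread): does the DirectAccess IPsec tunnel
# terminate on a temporary IPv6 address that the client did not register in DNS?
param(
    [string]$InterfaceAlias = 'Wireless Network Connection',  # assumed adapter name
    [string]$DnsZone        = 'test.local'                    # suffix shown in the thread
)

# Global IPv6 addresses on the client interface (link-local excluded).
# SuffixOrigin 'Random' marks a temporary (privacy-extension) address.
$addrs = Get-NetIPAddress -AddressFamily IPv6 -InterfaceAlias $InterfaceAlias |
    Where-Object { $_.IPAddress -notlike 'fe80*' }
$temporary = $addrs | Where-Object { $_.SuffixOrigin -eq 'Random' }
$stable    = $addrs | Where-Object { $_.SuffixOrigin -ne 'Random' }

# Local endpoints of the established IPsec main-mode SAs (the DirectAccess tunnels).
$saLocal = Get-NetIPsecMainModeSA |
    Select-Object -ExpandProperty LocalEndpoint -Unique

# AAAA records currently registered for this host's name.
$dnsAddrs = (Resolve-DnsName -Name "$env:COMPUTERNAME.$DnsZone" -Type AAAA `
    -ErrorAction SilentlyContinue).IPAddress

Write-Host "Temporary addresses : $($temporary.IPAddress -join ', ')"
Write-Host "Stable addresses    : $($stable.IPAddress -join ', ')"
Write-Host "IPsec SA local ends : $($saLocal -join ', ')"
Write-Host "DNS AAAA records    : $($dnsAddrs -join ', ')"

# Manage-out breaks when a tunnel endpoint is a temporary address that is
# absent from DNS: the management server resolves the name to the stable
# address, which is not the address the client's tunnel is bound to.
$mismatch = $saLocal | Where-Object {
    ($_ -in $temporary.IPAddress) -and ($_ -notin $dnsAddrs)
}

if ($mismatch) {
    Write-Warning "Tunnel endpoint(s) $($mismatch -join ', ') are temporary addresses not registered in DNS."
    Write-Warning "Fix: Set-NetIPv6Protocol -UseTemporaryAddresses Disabled  (then reconnect the client)"
    Write-Warning "netsh equivalent from the thread: netsh interface ipv6 set privacy state=disable"
} else {
    Write-Host "No temporary-address / DNS mismatch on the IPsec tunnel endpoint."
}
```

    Run it on the DirectAccess client while it is connected; the warning branch reproduces exactly the condition J0fe observed, where the SA local address and the registered AAAA record differ.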
  • Cool, agreed, but I think I have seen it recommended somewhere...I can never find info like that again once I have seen it, but my memory is normally pretty good ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 7, 2011 11:19 PM
    Moderator
  • Cool, agreed, but I think I have seen it recommended somewhere...I can never find info like that again once I have seen it, but my memory is normally pretty good ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Hi Jason,

    Interesting. I don't think we have that documented anywhere.

    Do you want to blog it, or should I? I'll give you first crack at it and point people to your blog, but if you're too busy, I'd be happy to.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 7, 2011 11:59 PM
    Moderator
  • I do not fully understand the temporary address mechanism so would want to research that first before blogging...feel free to go ahead if you need something quick ;)


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Saturday, January 8, 2011 1:02 AM
    Moderator
  • Sounds like a plan. I'm also going to run this by Ben and Yaniv.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, January 10, 2011 3:47 PM
    Moderator