Manage Out not working with Teredo


  • Hi All,

    I have a weird problem with DirectAccess Manage Out. We have enabled the manage out capability, and a few of the helpdesk PCs will RDP to the DA clients on the internet. We are using a hosts file for ISATAP on the helpdesk PCs.

    When the client is connected with IP-HTTPS, helpdesk can RDP without any issue.

    When the client is connected with Teredo, RDP does not work, but ping works perfectly from the helpdesk PC to the DA client.

    I have allowed edge traversal for RDP in the inbound firewall rule on the client firewall, and for ICMPv6 echo request. I followed Tom Shinder's article on the changes to the DA client firewall needed to allow the manage out server to connect to the client (http://blogs.technet.com/b/tomshinder/archive/2010/12/01/uag-directaccess-and-the-windows-firewall-with-advanced-security-things-you-should-know.aspx).

    But no luck.

    Please, someone help me.

    Tuesday, October 30, 2012 4:31 PM

All replies

  • If you look in the TMG logs, do you see the RDP traffic actually getting to UAG?

    Is this a single server UAG setup or an array?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 31, 2012 11:01 AM
    Moderator
  • Hi Jason,

    Thank you for the reply.

    I don't see RDP traffic in the TMG logs. I filtered on port 3389 and didn't see any entries. I also checked the logs for IP-HTTPS connectivity but didn't find any logs related to RDP, yet via IP-HTTPS the corporate servers can RDP to DA clients.

    This is a single server.

    Any thoughts?

    P.S.: I did a test by doing RDP from the UAG server itself to the DA client.

    The client with an IP-HTTPS IP connected successfully. RDP to the client with a Teredo IP failed.

    • Edited by TecHHecT Wednesday, October 31, 2012 11:09 AM
    Wednesday, October 31, 2012 11:06 AM
  • Ok, can you see IPv6 traffic from internal management clients going to the IPv6 address of DA clients? (when using IP-HTTPS)

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, October 31, 2012 11:09 AM
    Moderator
  • Hi Jonas,

    Yes, I can. Internal management clients can ping the DA clients when the client is using IP-HTTPS and Teredo. Internal management clients are running ISATAP as their IPv6.


    • Edited by TecHHecT Wednesday, October 31, 2012 11:23 AM
    Wednesday, October 31, 2012 11:22 AM
  • So, you can see this traffic in the TMG real time logs?

    Do you see the same when trying to manage Teredo clients?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 31, 2012 11:49 AM
    Moderator
  • I am trying to determine if routing is working for the IP-HTTPS prefix, but not the Teredo prefix...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, October 31, 2012 11:50 AM
    Moderator
  • Hi Jonas,

    Yes, I can. Internal management clients can ping the DA clients when the client is using IP-HTTPS and Teredo. Internal management clients are running ISATAP as their IPv6.



    P.S. Who is Jonas??? :P

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 31, 2012 12:32 PM
    Moderator
  • I am trying to determine if routing is working for the IP-HTTPS prefix, but not the Teredo prefix...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    I assume routing is fine for both Teredo and IP-HTTPS, because I can ping from the corporate network to the outside DA client over the internet. I could also see IPsec tunnels established for both the Teredo and IP-HTTPS connections.

    I'll check the route print once more with both Teredo and IP-HTTPS for any problem, and I would be able to share the logs here.

    Thanks again

    Wednesday, October 31, 2012 1:45 PM
  • Hi Jonas,

    Yes, I can. Internal management clients can ping the DA clients when the client is using IP-HTTPS and Teredo. Internal management clients are running ISATAP as their IPv6.



    P.S. Who is Jonas??? :P

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Ohh.. E and A changed.. :D Excuse the typos.
    Wednesday, October 31, 2012 1:47 PM
  • I assume you have configured everything as it should be. But let's check things to make sure they are correct.

    • First of all, you have configured an inbound firewall rule on the DirectAccess client that allows certain protocols from an IPv6 prefix as source (one that matches Teredo as well) for both private and public profiles, and enabled "Allow edge traversal", right?
    • Are you sure the IPv6 prefix is correct? (e.g. 2002:****:****:8000::/49)
    • Could it be that the DirectAccess clients got the question whether the network they connected to should be considered domain, private or public, and selected domain?
    • Do you have multiple array members? If so, have you configured a DNS record for ISATAP functionality with multiple IP addresses? (e.g. all physical IP addresses and one virtual IP address)

    Just an example of an inbound firewall rule:

    Enabled: True
    Program: Any
    Action: Allow
    Security: Require authentication
    Authorized computers: -
    Authorized users: -
    Protocol: Any
    Local port: Any
    Remote port: Any
    ICMP settings: Any
    Local scope: Any
    Remote scope: 2002:****:****:8000::/49
    Profile: Private, Public
    Network interface type: All
    Service: All programs and services
    Allow edge traversal: True

    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, October 31, 2012 3:48 PM
  • Hi Boudewijn,

    Thank you for the heads up :)

    Your first point: I have created 2 inbound rules, one for ICMPv6 and one for RDP (TCP-In). For the time being I have allowed any/any for local and remote scope (because the selected IPv6 prefix also did not work).

    Point #2: yes, the IPv6 prefix is correct, and now I'm testing it without defining the IPv6 prefix.

    Point #3: the DA client's active profile shows as Public, and in my rules I have ticked Private and Public.

    Point #4: no, this is a single server.

    The inbound rule settings are exactly the same as above, except that the remote scope is Any in my rule.

    Wednesday, October 31, 2012 4:30 PM
  • So, you can see this traffic in the TMG real time logs?

    Do you see the same when trying to manage Teredo clients?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    I don't find any specific RDP traffic in the TMG live logs, even for IP-HTTPS and Teredo. I can see IPv6 over IPv4 tunnelling traffic (source and destination show the IPv4 addresses of the UAG external IP and the DA client's IP) when the client is on IP-HTTPS and management servers RDP to the DA client. I think since the RDP traffic is passing through the tunnels, TMG does not capture the RDP traffic (I'm not sure though). Would Wireshark or Netmon help to capture the RDP traffic on the client and the management server?
    Friday, November 2, 2012 3:22 AM
  • And you enabled "Allow edge traversal" as well, right?


    Boudewijn Plomp, BPMi Infrastructure & Security

    Friday, November 2, 2012 1:50 PM
  • Yes, Allow Edge traversal has been enabled for private and public profile.
    Friday, November 2, 2012 2:08 PM
  • I would try enabling Windows Firewall logging on the client-side to ensure the rules are being applied correctly. I had a similar issue with a customer that ended up being down to corrupted Windows Firewall policies on DA clients...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, November 5, 2012 12:11 PM
    Moderator
  • As I joined this discussion, I already had a few configurations running correctly. I have implemented UAG arrays, with ISATAP enabled for specific DirectAccess Manage-Out Clients. And configured the proper inbound firewall rules on the DirectAccess Clients.

    To my surprise, yesterday I noticed two of them are not working correctly anymore. Probably the same issue. I am investigating it right now.

    • At our office Manage-Out does not work anymore. And the DirectAccess Clients cannot access the DirectAccess Manage-out Clients.
    • At another customer Manage-Out works for services such as RDP, SCCM Remote and etc. But... not for Remote Management and File and Print Services. It looks like where RPC gets involved it does not seem to work.

    Hmmm...


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, November 6, 2012 8:28 AM
  • Hi Jason,

    It was a good idea and I will run it today on my client to get the logs. I would also try running NetMon to capture traffic on the UAG server to see whether the traffic is going out via the correct route.

    Hi Boudewijn,

    In your case, is manage-out not working when the client is using Teredo, or does manage-out not work at all with any of the transition technologies (IP-HTTPS)?

    This is a weird issue. I am still not able to figure out where the problem is. Could this be a result of a patch update? (I don't think so.)

    Tuesday, November 6, 2012 1:29 PM
  • Just did some investigation. At our office, it seems to work flawlessly with IP-HTTPS. I can even see it matches the inbound firewall rules that I have created (by temporarily enabling the local logging). If I disable the rules one by one (GPO based) the Manage-Out traffic is blocked. So, the rules are in there, even with "Allow edge traversal", and they match. But... when Teredo comes into the picture Manage-Out does not work properly. But... again, but. I am now 4 hours later at home, having a look at it. And suddenly it works with Teredo! Hmmm..... that is weird.

    At our customer it does work except for RPC traffic. But I think I may have found the issue. As far as I had the time for it, I could see they seem to have some deny rules that might overlap for public and private profiles. I cannot check it right now, will do that tomorrow.

    Bottom line: I think I got mine working again, although I can't trust Teredo at all times.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, November 6, 2012 7:53 PM
  • All my problems are solved.

    TecHHecT, allow me to help you. Let's check some things, ok?

    • Can you enable logging for the private and public profiles in Windows Firewall with Advanced Security? Just go to the properties of WFwAS, select the profile and click Logging. When you want to open the log, first open Notepad or another program with administrative privileges. Then try Manage-Out from a Manage-Out client to your DirectAccess client. Check the log. Do you see a block?
    • Second, can you check your GPOs for the settings under Computer Configuration > Administrative Templates \ Network \ Network Connections \ Windows Firewall \ Standard Profile? Have you configured some properties there?

    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, November 7, 2012 9:15 AM
  • Great to hear that you solved the issue :)

    • I have enabled logging for the Public profile (the active profile is Public) on the DA client. I have done the activity:

    1) when the DA client is using IP-HTTPS

    2) when the DA client is using Teredo

    With IP-HTTPS I'm seeing logs for allowed traffic from the Manage-Out client to the DA client (I tested RDP, telnet and ICMP).

    Results are: captured log is attached FYR


    Ping – Success

    2012-11-06 16:27:10 ALLOW ICMP 2002:c03:2197:8000: ****:****:10.226.70.176 2002:c03:2197:8100:81eb:2e76: ****:**** - - 0 - - - - 128 0 - RECEIVE

    RDP-Success

    2012-11-06 16:29:36 ALLOW TCP 2002:c03:2197:8000: ****:****:10.226.70.176 2002:c03:2197:8100:81eb:2e76: ****:**** 49744 3389 0 - 0 0 0 - - - RECEIVE

    Telnet -Success

    2012-11-06 16:28:15 ALLOW TCP 2002:c03:2197:8000: ****:****:10.226.70.176 2002:c03:2197:8100:81eb:2e76:****:**** 49740 23 0 - 0 0 0 - - - RECEIVE

     

    With Teredo I'm seeing traffic for ICMP only. For Telnet and RDP I don't see any logs.

    Ping – Success

    2012-11-06 16:15:53 ALLOW ICMP 2002:c03:2197:8000:****:****:10.226.70.176 2001:0:c03:2197:10c7:9fac: ****:**** - - 0 - - - - 128

    RDP- Failed (No logs)

    Telnet – Failed (no logs)

    IP addresses

    2002:c03:2197:8000: ****:****:10.226.70.176 – ISATAP IP of Manage-Out client

    2002:c03:2197:8100:81eb:2e76: ****:**** - IP-HTTPS ip of DA client

    2002:c03:2197:8100:81eb:2e76:****:**** - Teredo IP of DA client

     

    • No, all parameters show Not Configured under Standard Profile.
    I would like to share the logs here, but they are too large.

    Thanks again for your assistance.. :)

    Regards,

    Wednesday, November 7, 2012 1:41 PM
  • Hi Boudewijn

    Additionally, I see lots of TCP traffic dropped for port 443... could this help?

    2012-11-06 16:03:53 DROP TCP 192.XX.XX.239 12. XX.XX.151 61108 443 162 AP 1044794517 461070054 16560 - - - RECEIVE

    2012-11-06 16:03:53 DROP TCP 192.XX.XX.239 12. XX.XX.151 61108 443 162 AP 1044794517 461070054 16560 - - - RECEIVE

    2012-11-06 16:03:53 DROP TCP 12. XX.XX.151 192.XX.XX.239 443 61108 1420 A 461070054 1044794639 258 - - - RECEIVE

    2012-11-06 16:03:53 DROP TCP 12. XX.XX.151 192.XX.XX.239 443 61108 1420 A 461070054 1044794639 258 - - - RECEIVE

    2012-11-06 16:03:53 DROP TCP 192.XX.XX.239 12. XX.XX.151 61108 443 40 A 1044794639 461072814 16560 - - - RECEIVE

    2012-11-06 16:03:53 DROP TCP 192.XX.XX.239 12. XX.XX.151 61108 443 40 A 1044794639 461072814 16560 - - - RECEIVE

    IP Addresses

    192.XX.XX.239 – DAclient IPv4 IP

    12. XX.XX.151 – UAG server external IP



    Wednesday, November 7, 2012 1:54 PM
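Added example, not from the thread or any of its posters: a small Python parser for Windows Firewall log lines in the format quoted in the two posts above (IPv6 ALLOW entries over IP-HTTPS and Teredo, plus the IPv4 port 443 DROP entries). It groups inbound entries by the DA client's transition technology and reports which manage-out ports produced no log entry at all, the RDP-over-Teredo symptom described in the thread. The log excerpt and all addresses are constructed (documentation space, not the poster's masked values), and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed pfirewall.log excerpt in the W3C format quoted in the thread. Addresses are from
# documentation space (UAG external IP 192.0.2.151, hence 6to4 prefix 2002:c000:297::/48), not the poster's.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-11-06 16:27:10 ALLOW ICMP 2002:c000:297:8000:0:5efe:10.226.70.176 2002:c000:297:8100:81eb:2e76:1111:2222 - - 0 - - - - 128 0 - RECEIVE
2012-11-06 16:29:36 ALLOW TCP 2002:c000:297:8000:0:5efe:10.226.70.176 2002:c000:297:8100:81eb:2e76:1111:2222 49744 3389 0 - 0 0 0 - - - RECEIVE
2012-11-06 16:28:15 ALLOW TCP 2002:c000:297:8000:0:5efe:10.226.70.176 2002:c000:297:8100:81eb:2e76:1111:2222 49740 23 0 - 0 0 0 - - - RECEIVE
2012-11-06 16:15:53 ALLOW ICMP 2002:c000:297:8000:0:5efe:10.226.70.176 2001:0:c000:297:10c7:9fac:3333:4444 - - 0 - - - - 128 0 - RECEIVE
2012-11-06 16:03:53 DROP TCP 192.0.2.239 192.0.2.151 61108 443 162 AP 1044794517 461070054 16560 - - - RECEIVE
"""
TEREDO = ipaddress.ip_network("2001::/32")
SIXTOFOUR = ipaddress.ip_network("2002::/16")

def transition(addr):
    """Transition technology of an address: ipv4, teredo, 6to4 (UAG's prefix: IP-HTTPS and ISATAP) or native."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in TEREDO:
        return "teredo"
    return "6to4" if ip in SIXTOFOUR else "native"

def embedded_ipv4(addr):
    """IPv4 in a 6to4 prefix (bits 16-47) or Teredo server field (bits 32-63): should be the UAG external IP."""
    ip = ipaddress.ip_address(addr)
    if ip in TEREDO:
        return str(ipaddress.ip_address((int(ip) >> 64) & 0xFFFFFFFF))
    if ip in SIXTOFOUR:
        return str(ipaddress.ip_address((int(ip) >> 80) & 0xFFFFFFFF))
    return None

def parse_log(text):
    """Parse log lines into dicts keyed by the #Fields header names; '-' becomes None."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            entries.append(dict(zip(fields, [None if v == "-" else v for v in line.split()])))
    return entries

def manage_out_matrix(entries):
    """(DA client transition, protocol, dst port) -> actions logged on RECEIVE for IPv6 traffic only;
    the IPv4 port 443 entries are the IP-HTTPS transport to UAG, not manage-out traffic."""
    matrix = defaultdict(set)
    for e in entries:
        if e["path"] == "RECEIVE" and transition(e["dst-ip"]) != "ipv4":
            matrix[(transition(e["dst-ip"]), e["protocol"], e["dst-port"])].add(e["action"])
    return dict(matrix)

def missing_services(entries, ports=("3389", "23")):
    """Per transition seen, TCP ports with neither an ALLOW nor a DROP logged (the RDP-over-Teredo symptom)."""
    matrix = manage_out_matrix(entries)
    return {t: [p for p in ports if (t, "TCP", p) not in matrix] for t in sorted({k[0] for k in matrix})}
```

Running `missing_services(parse_log(SAMPLE_LOG))` on the constructed excerpt gives an empty list for the IP-HTTPS (6to4) client and both 3389 and 23 for the Teredo client; `embedded_ipv4` on the Teredo client address returns the Teredo server, which for a DA client should be the UAG external IP.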
  • So, it would appear that it does look like a local DA client Windows Firewall issue then (like I have seen before too). You can use the following guidance to try and determine why permitted traffic is failing: http://msdn.microsoft.com/en-gb/library/windows/desktop/bb736284(v=vs.85).aspx

    I would guess it is either some form of policy corruption or multiple policies conflicting somehow...

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, November 7, 2012 1:56 PM
    Moderator
  • Not sure if this helps, but extract from a similar issue:

    "...further analysis of the trace data did however expose conflicting RDS rules in WFAS so GP isolation was requested. At which point we noticed that the observed rules were not being removed, despite the removal of GPOs. I engaged the core domain team who confirmed GP tattooing was taking place..."

    May be a similar issue, may be different, but it sure looks like a WF problem somehow. so the WFP tracing should at least help narrow it down...

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, November 7, 2012 2:14 PM
    Moderator
  • Could Windows Firewall policy corruption affect only Teredo? Since IP-HTTPS is working fine with the same.

    I think I forgot to mention here that I have not configured the firewall policy from GPO. It is configured locally, and only the RDP rule is allowed locally (for testing Teredo on the test PC before jumping to GPO).

    If this is a local DA client Windows Firewall issue, what if I use a fresh PC as the DA client and test RDP with a Teredo connection? That would help to recognise whether the problem is in the local policy or elsewhere...

    Wednesday, November 7, 2012 2:23 PM
  • I must admit, this is hard to troubleshoot. What I wonder: when you are connected with IP-HTTPS, which rules match your Manage-Out traffic? You have enabled specific inbound firewall rules with the IPv6 (ISATAP) prefix as a source, right? If so, can you temporarily disable that rule or those rules, and check whether you are still able to communicate while using IP-HTTPS. The rulebase can be confusing, I don't know your configuration, but it might be that it matches other inbound rules that don't have "Allow edge traversal" enabled for the private/public profiles.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, November 7, 2012 3:02 PM
  • I'm going mad over this ;(

    For troubleshooting purposes I have removed all source prefixes, and all rules are now with any/any selected.

    Especially I should say I did not change/modify or enable/disable any inbound rules except the RDP (TCP-In) and ICMPv6 echo request rules. All other rules are as they are, with the default parameters in Windows Firewall. I'm trying to use a fresh DA client to test because, as per Jason, this could be firewall corruption in the current DA client.

    Wednesday, November 7, 2012 3:51 PM
  • I'm going mad over this ;(

    For troubleshooting purposes I have removed all source prefixes, and all rules are now with any/any selected.

    Especially I should say I did not change/modify or enable/disable any inbound rules except the RDP (TCP-In) and ICMPv6 echo request rules. All other rules are as they are, with the default parameters in Windows Firewall. I'm trying to use a fresh DA client to test because, as per Jason, this could be firewall corruption in the current DA client.

    Personally I would leave all existing WFAS rules as is and create new specific rules for DA manage out as per the articles you originally linked to. I would also create them in GPO format rather than locally configured; if you are worried about the impact, just security filter them to the DA clients groups like the DA policies.

    I know IP-HTTPS and Teredo traffic should be similar, but ultimately they are handled differently by WFAS; hence the specific need to define edge traversal settings for Teredo. It sounds like WFAS is not aware you have enabled that setting and is therefore impacting inbound connections when using Teredo.

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, November 7, 2012 4:12 PM
    Moderator