ISATAP DNS record on DIP(s) VIP or All in UAG array?

  • Question

  • Is the ISATAP record in DNS supposed to be on the LAN side VIP, DIPs or both (VIP and DIPs) in a UAG array/cluster? Documentation in one place says to enter it as a single DNS record with multiple HOST IPs (there is no way to do that, by the way) and another simply refers to a single server install where it is on the one and only LAN DIP, non-array.  It is possible to create multiple ISATAP records in DNS, one for each DIP and for the VIP, as separate DNS records.  Is that the way it is supposed to be?  How does the ISATAP router work?  Would seem a little confusing to have it on the VIP and DIP, because if routing out in an array, how would a single session know what DIP router to go to versus having the load balancing VIP act as the single ISATAP gateway?

    Am still trying to configure a basic manage-out process for remote clients.  I have gone through every lab in TechNet and I am convinced this is a routing issue relative to the UAG deployment being wrong somewhere.

    Saturday, February 26, 2011 2:59 AM

All replies

  • Hi,

    Here are some answers

    Is the ISATAP record in DNS supposed to be on the LAN side VIP, DIPs or both (VIP and DIPs) in a UAG array/cluster?

    As it says in the Connectivity window of the UAG DirectAccess Server Configuration wizard, the record must be associated with the LAN VIP and all the LAN DIPs.

    Documentation in one place says to enter it as a single DNS record with multiple HOST IPs (there is no way to do that, by the way) and another simply refers to a single server install where it is on the one and only LAN DIP, non-array.  It is possible to create multiple ISATAP records in DNS, one for each DIP and for the VIP, as separate DNS records.  Is that the way it is supposed to be?

    Yes, you could do it without any problems on a DNS server: add several ISATAP A records with the different IP addresses.

    How does the ISATAP router work?  Would seem a little confusing to have it on the VIP and DIP, because if routing out in an array, how would a single session know what DIP router to go to versus having the load balancing VIP act as the single ISATAP gateway?

    It encapsulates the IPv6 packet in an IPv4 packet. In the header the DIP is provided, and when a client tries to contact the ISATAP router for the first time it will use the VIP.

    I hope my answers help you.


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Saturday, February 26, 2011 6:09 PM
  • It creates more, actually.

    "When the client tries to contact for the first time it will use the VIP"?

    That's impressive, because the host records would be returned round robin.  How does the first client contact know to discern between a DIP ISATAP router and a VIP ISATAP router? I have tested now and discovered that this ISATAP configuration on the LAN is at least partly to blame for my issues and some bugs in the UAG web monitor reporting health statuses.

    1) When I remove the DIPs as ISATAP host records from DNS, two things happen.  A) I can "manage out" from SCCM and reach my remote clients with remote tools, WMI, RDP, etc., and B) when I look in the UAG web monitor, each client is associated with one infrastructure and one intranet tunnel.

    2) When the ISATAPs are on the DIPs and VIPs, the manage out does not work and a single client will show 30 or more intranet tunnels in a row.  Seems odd!

    3) When the ISATAPs are on the DIPs only and not the VIP, the UAG web monitor shows "healthy" on all protocols under status.  Any other combination causes random "not healthy" messages to appear on different points on different array members at different times.

    Saturday, February 26, 2011 9:00 PM
  • I usually create multiple ISATAP records; one for each array member internal DIP and one for the array internal VIP.

    Not seen the issue you describe with that setup...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, May 11, 2011 9:21 PM
    Sunday, February 27, 2011 3:14 AM