Manage Out Server Cannot connect to DA Client via ISATAP router

  • Question

  •  
    • 2 server UAG DA Array
    • IPv6 is not routed across our network at all.
    • We require manage out capabilities
    • There is a Cisco ASA in between the manage out servers and the DA servers with an ANY-ANY ACL connecting the two
    • Our DA servers, on all interfaces, are assigned IPv4 addresses
    • The UAG installation configured the Windows NLB for the array
    • We want ISATAP deployed only to the servers who require manage out capabilities
    • ISATAP has never worked in our array environment

    Work History:

    1. Followed the directions provided by Jason Jones (http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html) to use AD and group membership to limit ISATAP deployment to the manage out servers
      1. As per the article, we made the DNS records for somethingisatap (ours is hcgisatap) that point to the internal DIPs and internal VIP
      2. Result:
        i. Manage out servers can ping and resolve hcgisatap, and ping the internal IPv4 DIPs and VIP
        ii. Manage out servers resolve the DA client name to the DA client Teredo and/or IP-HTTPS address
        iii. DA Clients can ping the manage out server
        iv. Ping from manage out server to DA client times out
    2. On the manage out server, tried to force it to use hcgisatap with the netsh command
      1. Result: Same as above, but now the manage out server has no ISATAP IPv6 address; also the ISATAP adapter name is still named isatap.domain.com
      2. Netsh confirmed the manage out server is using hcgisatap from group policy
    3. Because the adapter name was still isatap, I added host entries for isatap, pointing to the internal DIPs and VIP, in the manage out server’s hosts file
      1. Results the same as step 1
    4. Opened a ticket with Microsoft
      1. Day 1 – added the manage out server to the Management Servers in the Direct Access configuration, deployed the policy and activated
        i. Results: same as 1 and still no ISATAP address
      2. Day 2 –
        i. Followed Deb Shinder’s article on how to set up and publish an ISATAP Router (http://www.windowsnetworking.com/articles_tutorials/configuring-isatap-router-windows-server-2008-r2-part2.html)
        ii. Followed Tom Shinder’s article on changes to the DA Client firewall to allow the manage out server to connect to the client (http://blogs.technet.com/b/tomshinder/archive/2010/12/01/uag-directaccess-and-the-windows-firewall-with-advanced-security-things-you-should-know.aspx)
        iii. Results – Same as step 1 and still no ISATAP address on the manage out server
      3. Day 3 – we now have an ISATAP address on the manage out server and the same result set. Microsoft and I did some packet captures on the internal DIPs and verified that a connection to a client goes to the UAG DA server. We did a packet capture on the firewall and confirmed it got there. But still no client connection. Microsoft stated that with the ISATAP router, inbound is ISATAP and outbound is native IPv6 with no encapsulation. If that is the case, our networking devices are dropping the IPv6 traffic.

    Next, the plan is to figure out how to capture all traffic on the two subnets and determine the drop point and state of the packet. We cannot have it be non-encapsulated IPv6 – if it is, I guess we go back to Microsoft and ask for a fix.

    Any ideas and suggestions are welcomed and greatly appreciated. My team is under a lot of pressure to get manage out working in our environment.

    Thanks in advance


    • Edited by tgilsdorf Thursday, February 16, 2012 1:10 AM
    Thursday, February 16, 2012 1:08 AM
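The recurring symptom in the work history above is a manage out server with no ISATAP address. The following script is an added diagnostic, not something posted in the thread; it reads back the ISATAP router configured on the host, resolves that name, and looks for an ISATAP (`::5efe:`) address and learned routes. It uses only `netsh` so it runs on the Windows 7 / Server 2008 R2 generation the thread is about. The router name `hcgisatap` is the one the question uses; replace it with yours.

```powershell
# Added diagnostic (not from the thread): report the ISATAP state of a
# manage-out server. $routerName is the router name from the question;
# substitute your own.
$routerName = "hcgisatap"

Write-Host "== ISATAP router and state configured on this host =="
netsh interface isatap show router      # name/address of the router in use
netsh interface isatap show state       # enabled / disabled / default

Write-Host "== DNS resolution of the ISATAP router name =="
try {
    # GetHostAddresses works on PowerShell 2.0; Resolve-DnsName does not exist there.
    $addrs = [System.Net.Dns]::GetHostAddresses($routerName) |
        ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} -> {1}" -f $routerName, ($addrs -join ", "))
} catch {
    Write-Warning ("Cannot resolve {0}: {1}" -f $routerName, $_.Exception.Message)
}

Write-Host "== IPv6 interfaces =="
netsh interface ipv6 show interfaces

Write-Host "== ISATAP addresses (the IPv4 address is embedded after ::5efe:) =="
$isatapAddrs = (netsh interface ipv6 show address) | Select-String -Pattern "5efe"
if ($isatapAddrs) {
    $isatapAddrs | ForEach-Object { Write-Host ("  " + $_.Line.Trim()) }
} else {
    # Only a link-local fe80::5efe:... address, or none at all, means the host
    # never received a global prefix from the ISATAP router.
    Write-Warning "No ISATAP address found: no prefix was received from the router."
}

Write-Host "== IPv6 routes (router advertisements from the ISATAP router land here) =="
netsh interface ipv6 show route
```

Run it in an elevated prompt on the manage out server after each change (DNS record, group policy, `netsh interface isatap set router`), and compare the `show router` line with the name you expect before looking anywhere else. Note that the tunnel interface is named after the DNS suffix of the underlying connection, so an adapter still called `isatap.domain.com` does not by itself show that the router setting was ignored; the `show router` output does.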

Answers

  •  

    Ultimately, two client side settings fixed my situation:

    1. Windows Firewall inbound rule allowing all traffic from my IPv6 prefix with “Allow edge traversal” set
    2. Enable RDP

    Moderator - please close the thread and split the credit for the solution to Jason Jones, Deb Shinder and Tom Shinder. They didn't weigh in on this thread, but their articles gave me the guidance I needed to ultimately find the solution.

    Friday, February 24, 2012 12:07 AM
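The two client-side settings named in the answer, written out as an added example (this is not code from the thread). It uses `netsh advfirewall` and `reg add` so it applies to the Windows 7 DA clients of that era. `2001:db8::/64` is a placeholder documentation prefix and the rule name is my own; substitute the IPv6 prefix your UAG DirectAccess deployment uses for manage out traffic.

```powershell
# Added example (not from the thread): the two DA-client settings from the
# accepted answer. $managePrefix is a placeholder; use the prefix assigned by
# your UAG DirectAccess configuration.
$managePrefix = "2001:db8::/64"   # placeholder, not a real deployment value
$ruleName     = "DA-ManageOut-IPv6"

# 1. Inbound rule allowing traffic from the manage-out IPv6 prefix with
#    "Allow edge traversal" (edge=yes), so packets arriving through the
#    Teredo / IP-HTTPS tunnel are not treated as unsolicited edge traffic.
netsh advfirewall firewall add rule `
    name=$ruleName `
    dir=in action=allow enable=yes `
    protocol=any remoteip=$managePrefix `
    edge=yes profile=any

# 2. Enable Remote Desktop: clear the deny flag and switch on the
#    built-in "Remote Desktop" firewall rule group.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" `
    /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

# Read back what was applied.
netsh advfirewall firewall show rule name=$ruleName verbose
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Remote Desktop"
```

The answer allows all protocols from the whole prefix; once manage out is proven to work, narrow `remoteip` to the ISATAP addresses of the management servers and `protocol=any` to the ports those servers actually use, and deploy the rule through the same Group Policy that delivers the DirectAccess client settings rather than by hand.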

All replies

  • Hi

    Adding an additional ISATAP router to a UAG Array is not required. Normally, UAG is already acting as an ISATAP router. You talked about an array; how did you configure NLB: Unicast or Multicast?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, February 16, 2012 7:58 PM
  •  

    Moderator - please close the thread and split the credit for the solution to Jason Jones, Deb Shinder and Tom Shinder. They didn't weigh in on this thread, but their articles gave me the guidance I needed to ultimately find the solution.


    Hard to do if they didn't reply to the thread ;)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, February 24, 2012 12:50 PM
  • P.S. Tom also kindly confirmed that my Limiting ISATAP Services to UAG DirectAccess Manage Out Clients article worked well for him ;)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, February 24, 2012 12:53 PM