ManageOut stopped working after ELB was activated

  • Question

  • Hi, I have a challenge with ManageOut.

    At first, I had a single DA server (single NIC, no native IPv6) which was working, and I then enabled limited ISATAP for a few internal clients (Win2012 R2).

    That worked perfectly: the Win2012 R2 servers (ManageOut clients) picked up an IPv6 address on the ISATAP tunnel interface.

    However, after I activated External Load Balancing on the first node and made it work with the same server as a member of a BIG-IP VIP, the internal Win2012 R2 ManageOut clients stopped receiving an IPv6 address on the ISATAP interface. Now it only shows a link-local IPv6 address, which is of course not very useful.

    I have of course changed the IP of my custom ISATAP hostname in DNS, so now the hostname resolves to 3 IP addresses (1 for the VIP on BIG-IP, 1 for each DA server), according to this: http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx

    Not sure if ISATAP is really supported on Win2012 R2, but I have not found another method of deploying ManageOut for only a small number of internal clients. And it used to work with a single server.

    Thanks for your help!


    Wednesday, March 4, 2015 9:46 AM

All replies

  • Hi,

    Check this: https://technet.microsoft.com/en-us/library/dn464274.aspx?f=255&MSPPError=-2147217396#bkmk_isa

    ISATAP is only supported without NLB.

    When you activate a NLB Cluster, the DirectAccess wizard automatically creates specific rules in your server's firewall to block ISATAP.

    Manage-Out in a NLB environment is only supported when using native IPv6 configuration.

    Gerald


    Wednesday, March 4, 2015 10:26 AM
  • Thanks, I understand now that it is not supported. But as far as I read the last comment on http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx, it is possible to make it work in an unsupported manner.

    What happens if I allow ISATAP traffic into the DA servers?

    Wednesday, March 4, 2015 11:59 AM
  • Each DirectAccess server is an ISATAP router so your manage-out computers will only be able to contact the clients connected through the server you are using for your ISATAP configuration.

    Gerald


    Wednesday, March 4, 2015 1:14 PM
  • Hi,

    Having multiple ISATAP routers will be complicated and painful. If you only need remote management of a limited subset of computers (helpdesk, for example), you don't need ISATAP. A DirectAccess client connected on the Internet has an IPv6 address, so it can communicate with another DirectAccess client on the Internet. I wrote an article on the subject last year: http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx

    If you really need some internal servers to initiate communication to DirectAccess clients connected on the Internet, choices will be limited. Configure an NLB/HLB dedicated to your ISATAP router. Do you really have internal servers that initiate communications to DirectAccess clients?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Wednesday, March 4, 2015 9:27 PM
    Wednesday, March 4, 2015 9:27 PM
  • Hi Benoit,

    There's no way to comment on your article on your website, and I have a question.
    What you've found is really good, but this relies on link-local addresses that can't be resolved to "friendly names".

    Did you find something for that? Asking an end user to find his LLA and then dictate something like fe80::add8:34dd:b0be:e97c is sometimes not easy.

    Gerald

    Thursday, March 5, 2015 10:31 AM
  • Hi,

    That's why I use Windows Remote Assistance. It includes all IP addresses in the invitation file. Yes, my approach does not fit with SCCM remote control or RDP. Using global addresses is possible, but how long would it take to replicate in your internal AD?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, March 5, 2015 11:28 AM
  • Hi, and thanks for your answer, BenoitS.

    It is a requirement from the customer that ManageOut should work, for helpdesk users to RDP into DA clients on the outside.

    In the worst case, helpdesk users have to use the DA servers themselves for RDP to DA clients. Of course not a good solution, but all helpdesk users have domain admin rights anyway (not my recommendation). But it would be nice if I could make it work directly from the hosts on the inside, without deploying native IPv6.

    So you think I am stuck with this?

    Thursday, March 5, 2015 11:32 AM
  • Thanks for the info Benoit.
    I suppose you're using msra from the client to send an assistance request instead of offering assistance from the Manage-Out computer, which relies on the DNS name.
    Will test that :D

    For Steve,

    A solution you can try, but that will be unsupported:

    - In the DirectAccess server GPO, disable the rule that blocks ISATAP (inbound rule named Block ISATAP ICMPv6-In (Router Solicitation)), then refresh the GPO on your servers.

    - Implement multiple ISATAP records in your DNS pointing to each DirectAccess server's internal IP (like ISATAPSRV1 <Server1 IP>, ISATAPSRV2 <Server2 IP>).

    - Implement multiple GPOs to deploy the new ISATAP records on Manage-Out computers.

    Each Manage-Out computer will then be able to contact clients connected through a specific DirectAccess server, but you will need at least 1 Manage-Out computer per DirectAccess server, and Manage-Out1 will not be able to contact clients for Server2.

    Also, you need to check that the change made in the DirectAccess server GPO is not reverted when you change something in the Remote Access console.

    Gerald

    Thursday, March 5, 2015 12:19 PM
  • Hi,

    If we consider that the ISATAP router does not have to be highly reliable, it can be configured after the DirectAccess configuration, or with some GPO that will override the DirectAccess configuration. We do not change the DirectAccess configuration, we override it. So we can have the ISATAP router on a single DirectAccess gateway.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Thursday, March 5, 2015 1:54 PM
    Thursday, March 5, 2015 12:59 PM
  • Hi, and thanks for all the responses.

    @Gerald: I was thinking about doing step 1 as you mention, but I have not tried it yet, since it is always a risk.
    Step 2: Already implemented; the problem is the firewall rules you mention in step 1, which prevent ManageOut hosts from getting an IPv6 address on the ISATAP interface.
    Step 3: I guess it could be possible, but not until I have a working ISATAP interface on the ManageOut hosts.

    @BenoitS: That is acceptable, that the ISATAP router is not set up with HA/cluster. I only have a high-availability requirement on the incoming DA traffic, which is in place now with BIG-IP.

    So you guys think I can just create a new GPO that overrides the DA server GPO, regarding the firewall rules blocking ISATAP traffic?

    Thursday, March 5, 2015 1:29 PM
  • Yes, overriding the Block ISATAP ICMPv6-In (Router Solicitation) setting using another GPO will work.
    I was thinking that the Block rule would always win, but I just tested it and it doesn't.

    Better idea from Benoit because it's not recommended to edit the default DirectAccess GPO :D

    Gerald

    • Proposed as answer by BenoitSMVP Thursday, March 5, 2015 1:54 PM
    • Marked as answer by SteveSteve2014 Wednesday, March 11, 2015 8:21 AM
    Thursday, March 5, 2015 1:53 PM
  • Hi Gerald, how did you test the override?

    According to this (https://technet.microsoft.com/en-us/library/cc755191%28v=ws.10%29.aspx), block takes precedence over allow rules, since block rules are processed first.

    I tried to create a new GPO that allows ICMPv6-In (Router Solicitation), but it does not apply. The winning GPO setting is always the automatic Block rule created by the DA server.

    Sunday, March 8, 2015 3:42 PM
  • Hi,

    When using GPOs, Block will only win against a setting in the same GPO or a GPO with a higher number in the link order (or if the GPO is Enforced, so that it always wins against all GPOs).
    If your DirectAccess Server GPO is not enforced, just place the override GPO before the official DirectAccess Server GPO using the Link Order in GPMC.

    Gerald

    Sunday, March 8, 2015 9:00 PM
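An added verification script for Gerald's unsupported workaround and the GPO link-order point above (my PowerShell example, not code from the thread or from Microsoft): the client part shows whether the ManageOut host holds more than a link-local address on the ISATAP interface and which A records sit behind the router name, and the server part lists the effective (GPO-resolved) ISATAP firewall rules so you can see whether the override GPO actually won. The router hostname is a placeholder, and the firewall rule is matched loosely on the display name quoted in the thread.

```powershell
# Added diagnostic, not from the thread. Run the client part on a ManageOut host
# and the server part on a DirectAccess server.
$IsatapRouterName = 'isatap-da.corp.example'   # placeholder: your custom ISATAP DNS name

function Get-IsatapGlobalAddress {
    # IPv6 addresses on the ISATAP tunnel interface that are not link-local.
    # An empty result is exactly the symptom reported above (only fe80:: present).
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*isatap*' -and $_.IPAddress -notlike 'fe80:*' }
}

function Get-IsatapRouterRecords {
    param([Parameter(Mandatory)][string]$Name)
    # All A records behind the router name. The workaround wants one DirectAccess
    # server per record; a VIP or a node that still blocks router solicitations
    # behind the same name makes the client's ISATAP address come and go.
    Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

function Get-EffectiveIsatapFirewallRule {
    # ActiveStore = rules in effect after GPO processing, so a wrongly ordered or
    # Enforced DirectAccess GPO shows up here as the block rule still Enabled=True.
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName '*ISATAP*' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Action, Direction, PolicyStoreSource
}

# --- ManageOut host side ---
$cfg = Get-NetIsatapConfiguration
Write-Output ("ISATAP state: {0}; router: {1}; resolution: {2}" -f $cfg.State, $cfg.Router, $cfg.ResolutionState)
Write-Output ("Router record(s): {0}" -f ((Get-IsatapRouterRecords -Name $IsatapRouterName) -join ', '))

$isatapAddrs = Get-IsatapGlobalAddress
if (-not $isatapAddrs) {
    Write-Warning 'Only a link-local address on the ISATAP interface: router solicitations are not being answered.'
} else {
    $isatapAddrs | Select-Object InterfaceAlias, IPAddress, PrefixLength
}

# --- DirectAccess server side (returns nothing on a client) ---
Get-EffectiveIsatapFirewallRule | Format-Table -AutoSize
```

Re-run the server part after a change in the Remote Access console, since the thread notes the console may regenerate the DirectAccess GPO.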
  • Thanks, I managed to make it work!

    Due to a creative AD configuration, it took almost 2 hours (!) before the GPO was replicated and applied, so I started to think that I had done something wrong.

    One thing I noted is that both IPv6 client prefixes are equal on both DA servers; shouldn't they be different prefixes / IP pools? I haven't done anything to the IPv6 range; all the IPv6 config was set up automatically by DA itself.

    Wednesday, March 11, 2015 8:25 AM
  • Hi,

    Seems strange. Are you sure of that?
    The difference may be just a number like this:

    DA1 HTTPS Prefix: fdff:9647:a271:1000::/64
    DA2 HTTPS Prefix: fdff:9647:a271:1001::/64


    Gerald

    Thursday, March 12, 2015 2:05 PM