6to4 or Teredo of DirectAccess

  • Question

  • Hi,

    I have SharePoint 2010 installed on Windows 2008.

    When I use a 3G connection, I can directly browse http://sharepoint over the DA connection.

    But when I am back home, using my home wifi with NAT to the internet, I can't browse http://sharepoint.

    The difference between these 2 connections is that 3G has a real IP but wifi does not.

    Can anybody explain why?


    邁格行動 Technical Consultant George (小顧) Blog: http://www.magg.com.tw/blog/
    Tuesday, August 24, 2010 12:38 PM


All replies

  • Hi George,

    Assuming your 3G connection and the WIFI at home are used on the same computer, you should check the following:

    The 3G connection uses 6to4 technology. (This means your 6to4 has no problem, so you need to troubleshoot this as a Teredo issue.)
    The WIFI connection with a NAT IP uses Teredo technology.

    I recommend using the commands in the link below to make sure your computer has Teredo enabled.

    Teredo also uses port 3544 inbound and outbound; make sure you're not blocking that port. I have seen some wireless routers block UDP traffic altogether; make sure you're allowing it for 3544.

    Netsh commands for Teredo
    http://technet.microsoft.com/en-us/library/cc732065(WS.10).aspx

    Also, if these technologies didn't work, you should have fallen back to IP-HTTPS. This means I don't think you have IP-HTTPS configured correctly, because it usually will work.

    Good Luck
    Dennis

    Wednesday, August 25, 2010 6:37 AM
  • Hi George,

    As Dennis said, if you're behind a NAT device your DirectAccess client computer should be using either Teredo or IP-HTTPS. Make sure your NAT router is configured to allow outbound UDP 3544 (for Teredo) and TCP 443 (for IP-HTTPS).

    Use the:

    ipconfig /all

    command to see which interface is activated. If you see that both the Teredo and IP-HTTPS interfaces are activated, then you'll actually be using IP-HTTPS. Check out my blog post on this subject at:

    http://blogs.technet.com/b/tomshinder/archive/2010/08/24/why-are-both-the-teredo-and-ip-https-interfaces-active.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, August 25, 2010 1:57 PM
  • Hi, Dennis and Thomas,

    Very strange thing...

    After I posted this thread and saw your replies, I tested once again while behind NAT. But this time direct browsing of http://sharepoint works.

    But I still checked what you suggested.

    I found that this time, on the DA client, both Teredo and IPHTTPS are active. And I also confirmed that I use IPHTTPS by checking the TMG session monitor, and an IPHTTPS client IP 2002 is there.

    Then I stopped iphelper and restarted it to reconnect DA. This time only Teredo is active, and the TMG session monitor has one Teredo 2001 session there. Then direct browsing of http://sharepoint won't work again. So the question is why Teredo can't access my SharePoint by direct browsing http://sharepoint, because IPHTTPS and 6to4 are OK.

    George


    Wednesday, August 25, 2010 11:54 PM
  • If the problem is only Teredo, I suggest you do the following:

    * Check the status of Teredo on the client, whether it's qualified or not (netsh int ter show state)

    If it's not connected, then you might have a UDP 3544 problem, either on the Wifi router or the client's ISP, or maybe the internet firewall of the UAG server.

    If it is qualified, then check that you can ping resources on the corp network. Teredo works by pinging resources and finding out the best path (Teredo relay). You should have ICMPv6 enabled on all of your corp resources (or ICMPv4 in case NAT64 is used).

    See: http://technet.microsoft.com/en-us/library/ee809090.aspx

    Thursday, August 26, 2010 1:57 PM
  • Hi, Yaniv,

    I confirm that the DA client is qualified on Teredo.

    When I test ping, the Teredo client can't ping sharepoint but can ping management servers like the DC.

    I tried to read and understand the document you provided. I got more knowledge from it, but it also confuses me about what exactly I have to set: on the DA client or on my SharePoint server?

    Can you give me more hints to try? Thanks very much.

    And one more thing: is it possibly related to ISATAP? I used ipconfig on SharePoint and see there is an ISATAP adapter. I remember that once another of my servers couldn't be accessed; I disabled ISATAP on that server and it could be reached by the DA client.

    George


    Thursday, August 26, 2010 3:30 PM
  • Hi George,

    Is the machine using the UAG server as its ISATAP router? Or is it assigning a link-local address to ISATAP?

    Thanks!

    Tom


    Monday, August 30, 2010 7:27 AM
  • Hi, Tom,

    May I know how to check? And what is the difference between these 2?

    George

    Monday, August 30, 2010 7:32 AM
  • If you post the IPv6 address we could tell you. Basically, if it's a link-local address the IPv6 would start with "fe80:"; otherwise it should be "2001:" to use Teredo.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, August 31, 2010 3:51 AM
  • Run the command:

    netsh interface isatap show router

    Thanks!

    Tom


    Tuesday, August 31, 2010 2:45 PM
  • Running the command netsh interface isatap show router on the SharePoint server, all results are "default"...

    So what does it mean?

    George

    Wednesday, September 1, 2010 12:28 PM
  • OK, good.

    Also do:

    netsh interface isatap show state

    and

    ping isatap

    Thanks!

    Tom


    • Marked as answer by Erez Benari Thursday, September 2, 2010 8:33 PM
    Wednesday, September 1, 2010 3:12 PM
  • Hi, Tom,

    The result of the command "netsh interface isatap show state" on the SharePoint server is "default".

    And ping isatap can resolve to the correct internal NIC IP of UAG. The ping reply is a timeout; I think it is denied by TMG on UAG.

    George

    Friday, September 3, 2010 4:37 AM
  • OK, good. So that confirms that the client knows the address of the ISATAP router and is able to connect to it. You should be able to see an ISATAP adapter with an IPv6 address assigned to it beginning with 2002:

    HTH,

    Tom


    Friday, September 3, 2010 1:25 PM
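As an added illustration (not part of this thread), the following Python helper sorts the IPv6 addresses found in ipconfig /all output into the transition technologies the replies above distinguish: Teredo (2001:0::/32), 6to4 (2002::/16), ISATAP (interface identifier ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z) with either a routed 2002: prefix learned from the ISATAP router or only a link-local fe80: prefix, and plain link-local. The sample ipconfig text and every address in it are constructed; the adapter names are assumptions.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (all addresses are made up for illustration).
SAMPLE_IPCONFIG = """\
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:4136:e378:8000:63bf:3fff:fdd2
   Link-local IPv6 Address . . . . . : fe80::8000:63bf:3fff:fdd2%12
Tunnel adapter isatap.corp.example:
   IPv6 Address. . . . . . . . . . . : 2002:c633:6401:1:0:5efe:10.0.0.25
   Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.25%14
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:c633:6401::c633:6401
"""

# Matches "IPv6 Address . . : <addr>" and "Link-local IPv6 Address . . : <addr>%scope".
ADDR_RE = re.compile(r"IPv6 Address[ .]*:\s*([0-9a-fA-F:.]+)")

def classify(addr_str):
    """Return (technology, embedded IPv4 or None) for one IPv6 address."""
    addr = ipaddress.IPv6Address(addr_str)
    iid = int(addr) & ((1 << 64) - 1)          # low 64 bits = interface identifier
    # ISATAP (RFC 5214): identifier is 0000:5EFE or 0200:5EFE followed by the IPv4
    # address; the mask clears the u/l bit (0x0200) so both forms match.
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        embedded = str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
        # fe80::5efe:w.x.y.z means no ISATAP router prefix was learned;
        # 2002:...:5efe:w.x.y.z means the UAG ISATAP router prefix was applied.
        return ("isatap-link-local" if addr.is_link_local else "isatap", embedded)
    if addr.teredo is not None:                 # 2001:0::/32; client IPv4 is stored inverted
        _server, client = addr.teredo
        return ("teredo", str(client))
    if addr.sixtofour is not None:              # 2002:WWXX:YYZZ::/48 embeds the public IPv4
        return ("6to4", str(addr.sixtofour))
    if addr.is_link_local:
        return ("link-local", None)
    return ("native", None)

def parse_ipconfig(text):
    """Classify every IPv6 address found in ipconfig output."""
    return [(a,) + classify(a) for a in ADDR_RE.findall(text)]

def isatap_router_found(results):
    """True if any ISATAP address carries a routed (non link-local) prefix."""
    return any(kind == "isatap" for _a, kind, _v4 in results)

if __name__ == "__main__":
    rows = parse_ipconfig(SAMPLE_IPCONFIG)
    for addr, kind, v4 in rows:
        print(f"{addr:45} {kind:18} {v4 or ''}")
    print("ISATAP router learned:", isatap_router_found(rows))
```

Paste real ipconfig output into SAMPLE_IPCONFIG to see which tunnel adapter is active and whether the ISATAP adapter got a routed prefix or only fe80:.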
  • Thanks Tom.

    ipconfig shows the ISATAP IP begins with 2002.

    George

    Friday, September 3, 2010 1:31 PM
  • Hi George,

    One difference between teredo and IP-HTTPS is that Teredo requires ICMP to detect the best route to the backend server (Sharepoint in our case).

    When you disabled ISATAP on the sharepoint server, NAT64 was used, so the traffic that reached the Sharepoint server was IPv4 ICMP Echo Requests. These are probably enabled and allowed by the firewall.

    When ISATAP is enabled on the Sharepoint server, a different protocol reaches the SharePoint server - ICMPv6.

    You must make sure that the sharepoint server and all other machines in the corporate network allow ICMPv6.

    Test this by creating an inbound allow rule on the Windows Firewall with adv. Security on the SP server.

    In the protocol section, choose ICMPv6, and select for all profiles. If this still doesn't work, try to edit the rule and in the advanced options select to allow edge traversal.

    Sunday, September 5, 2010 4:13 PM
  • Hi, Yaniv,

    Thanks for helping me. You are correct. After I added the ICMPv6 allow rule, the Teredo DA client can access SharePoint and Dynamics CRM directly.

    George

    Sunday, September 5, 2010 11:29 PM
  • Great news.

    You can add this ICMPv6 allow rule to all of the corpnet machines by adding it to the Default Domain group policy (or any other GPO).

    Monday, September 6, 2010 9:47 PM