UAG Direct Access - DA Client can ping all internal IPv6 resources but cannot resolve DNS RRS feed

  • Question

  • Hey,

    I have been trying to get UAG DA working for quite some time now but am not getting anywhere and would appreciate some help.

    All internal IPv6 resources can be reached by ping from the DA client. I assume this is because no IPsec is involved for ICMP. If I try to web/file browse to one of these pingable IP addresses it fails. Also DNS resolution fails. I think this may be because of an IPsec negotiation failure.

    Here is what the Connectivity reports (maybe someone can see what the problem is):

    RED: Corporate connectivity is not working.
    Windows cannot contact the DirectAccess server. Please contact your administrator if this problem persists.
    9/2/2011 5:31:57 (UTC)


    Probes List
    RESOLVED NAME PING: 2002:ca24:e7d1::ca24:e7d1
    FAIL  HTTP: http://sp.onzdom1.domain.co.nz/

    DTE List
    RESOLVED NAME PING: 2002:ca24:e7d1::ca24:e7d1
    RESOLVED NAME PING: 2002:ca24:e7d0::ca24:e7d0

    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : W2555
       Primary Dns Suffix  . . . . . . . : onzdom1.domain.co.nz
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : onzdom1.domain.co.nz
                                           guest.domain.co.nz
                                           domain.co.nz

    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . : guest.domain.co.nz
       Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
       Physical Address. . . . . . . . . : 00-18-DE-31-98-19
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::bc71:fd4f:b02a:54eb%14(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.90.178(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, 9 February 2011 6:28:45 p.m.
       Lease Expires . . . . . . . . . . : Thursday, 10 February 2011 6:28:45 p.m.
       Default Gateway . . . . . . . . . : 10.10.90.254
       DHCP Server . . . . . . . . . . . : 1.1.1.1
       DHCPv6 IAID . . . . . . . . . . . : 318773470
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-E2-61-01-00-16-D4-9F-7B-AE
       DNS Servers . . . . . . . . . . . : 203.97.78.43
                                           203.97.78.44
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-16-D4-9F-7B-AE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.onzdom1.domain.co.nz:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.guest.domain.co.nz:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : guest.domain.co.nz
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft IP-HTTPS Platform Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:df0:b0:900:480a:3474:5938:a39e(Preferred)
       Temporary IPv6 Address. . . . . . : 2001:df0:b0:900:79f1:437c:2da9:eea9(Preferred)
       Link-local IPv6 Address . . . . . : fe80::480a:3474:5938:a39e%25(Preferred)
       Default Gateway . . . . . . . . . : fe80::c04a:7edc:cd7c:afb5%25
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:ca24:e7d0:3839:1e30:349e:301a(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3839:1e30:349e:301a%26(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 202.36.231.208 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo host-specific relay
    Network                 : unmanaged
    NAT                     : restricted
    NAT Special Behaviour   : UPNP: No, PortPreserving: Yes
    Local Mapping           : 10.10.90.178:57807
    External NAT Mapping    : 203.97.207.229:57807


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://remote.domain.co.nz:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for onzweb.onzdom1.domain.co.nz
    ----------------------------------------------------------------------
    Certification authority                 : E=da@domain.co.nz, C=NZ, L=Auckland, O=xxxxx, OU=xxxxx, CN=xxxxx Enterprise CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .onzdom1.domain.co.nz
    ----------------------------------------------------------------------
    Certification authority                 : E=da@domain.co.nz, C=NZ, L=Auckland, O=xxxx, OU=xxxx, CN=xxxxx Enterprise CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2001:df0:b0:100::13
                                              2001:df0:b0:100::14
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for onzweb.onzdom1.domain.co.nz
    ----------------------------------------------------------------------
    Certification authority                 : E=da@domain.co.nz, C=NZ, L=Auckland, O=domain Software NZ Ltd, OU=domain Software, CN=domain Software Enterprise CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .onzdom1.domain.co.nz
    ----------------------------------------------------------------------
    Certification authority                 : E=da@domain.co.nz, C=NZ, L=Auckland, O=domain Software NZ Ltd, OU=domain Software, CN=domain Software Enterprise CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2001:df0:b0:100::13
                                              2001:df0:b0:100::14
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 43500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 14
    State                              : connected
    Metric                             : 25
    Link MTU                           : 1500 bytes
    Reachable Time                     : 42000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.onzdom1.domain.co.nz Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 13
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 34500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.guest.domain.co.nz Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 11
    State                              : disconnected
    Metric                             : 10
    Link MTU                           : 1500 bytes
    Reachable Time                     : 15500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 25
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 28500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 26
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 18500 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : enabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh advf show currentprofile

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{5ACF202A-2A1F-481D-B613-4D55CD0F2666}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    Main Mode SA at 02/09/2011 18:31:59                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:df0:b0:900:79f1:437c:2da9:eea9
    Remote IP Address:                    2002:ca24:e7d0::ca24:e7d0
    Auth1:                                ComputerCert
    Auth2:                                None
    MM Offer:                             DHGroup2-3DES-SHA1
    Cookie Pair:                          f785513fd313ad19:6cf35546d9505e3d
    Health Cert:                          No

    Main Mode SA at 02/09/2011 18:31:59                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:df0:b0:900:79f1:437c:2da9:eea9
    Remote IP Address:                    2002:ca24:e7d1::ca24:e7d1
    Auth1:                                ComputerCert
    Auth2:                                None
    MM Offer:                             DHGroup2-3DES-SHA1
    Cookie Pair:                          7d10fbbe0a5f95ae:2c2a03ef02a59dbb
    Health Cert:                          No

    Quick Mode SA at 02/09/2011 18:31:59                    
    ----------------------------------------------------------------------
    Local IP Address:                     2001:df0:b0:900:79f1:437c:2da9:eea9
    Remote IP Address:                    2002:ca24:e7d1::ca24:e7d1
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             AH:SHA1+ESP:SHA1-3DES+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 02/09/2011 18:31:59                    
    ----------------------------------------------------------------------
    Local IP Address:                     2001:df0:b0:900:79f1:437c:2da9:eea9
    Remote IP Address:                    2002:ca24:e7d0::ca24:e7d0
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             AH:SHA1+ESP:SHA1-3DES+60min+100000kb
    PFS:                                  None


    IPsec Statistics
    ----------------

    Active Assoc                : 2
    Offload SAs                 : 0
    Pending Key                 : 8
    Key Adds                    : 2
    Key Deletes                 : 152
    ReKeys                      : 0
    Active Tunnels              : 0
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 608
    Confidential Bytes Received : 64
    Authenticated Bytes Sent    : 5,320
    Authenticated Bytes Received: 280
    Transport Bytes Sent        : 4,104
    Transport Bytes Received    : 64
    Bytes Sent In Tunnels       : 0
    Bytes Received In Tunnels   : 0
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0

    Wednesday, February 9, 2011 5:48 AM

Answers

  • Hey,

    Everything working now. I was trying to get this to work using IPv6 only on the internal network. As soon as I turned on DNS64 everything started working. The reason that IPv6 didn't work is because the IPv6 default route was not advertised. We do not want to do this until we upgrade our routers and switches to support IPv6. I understand that Server 2008 can advertise the default route but this is not suitable in our network. We use virtual IPs for our default gateway so traffic can be routed to various parts of our network.

    So it's DNS64 until we have full support for IPv6. It is working really well so no hurry on that.

    Thanks for everyone's help on this. Hope this helps someone.

     

    Cheers,

    Andrew

    Wednesday, February 16, 2011 12:10 AM

All replies

  • Also, in order to get security associations to show up I had to manually add an IPsec policy to the local security policy on the UAG and client machine.

    Is this normal or should it work without doing this?

    Thanks,

    Andrew

    Wednesday, February 9, 2011 5:50 AM
  • Hi Andrew,

    Have you been through the troubleshooting guides here:

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=D2E460C8-B4BF-4FDA-9F86-ECC4B7ADD5D1&displaylang=en

    http://technet.microsoft.com/en-us/library/ee624056(WS.10).aspx

    Yes, ICMP does not use the IPsec tunnels, so is not a good test tool for DA connectivity...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, February 9, 2011 8:38 AM
  • Yeah, I have gone through these guides. I am going to do it again and make sure I haven't missed something. Do you know how IPsec should be configured? Solely through DA, or do I need an IPsec policy?

    Thanks,

    Andrew

    Wednesday, February 9, 2011 8:58 AM
  • The UAG config wizard and associated GPOs should do all the work, nothing should need to be created manually unless you need to do local Windows Firewall policies for remote management.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, February 9, 2011 9:23 AM
  • The IPsec tunnels are created based on the settings in the Connection Security Rules that are created in Group Policy after you run the UAG DirectAccess wizard. You should never need to create these yourself or edit the policy for creating the intranet and infrastructure tunnels.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, February 9, 2011 11:58 AM
  • Are you using certificate auto-enrollment?

    Do your UAG server and DA client both have computer certs issued from a mutually trusted CA (preferably the same internal CA)?

    Is the "DA Server" group policy being applied to your UAG server (is it in an OU that blocks inheritance)?


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Friday, February 11, 2011 3:43 AM
  • Hey,

     

    1. We have an Internal CA which issues computer certificates to all domain members.

    2. Certificates are issued by our internal CA for the Clients and the DA Server.

    3. Group policy is being applied on the DA Server and Clients. I have checked this using gpresult.

     

    I have logged a call with MS so I will see what they come up with and post back.

    Thanks for your help.

    Andrew

     

    Sunday, February 13, 2011 8:41 PM
  • Hi Andrew,

    Thanks! Let us know what they come up with.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 14, 2011 1:30 PM
  • Hi Andrew,

    Aha! Very good!

    Good to hear you got it working and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, February 16, 2011 4:22 PM
  • Hi guys,

    I have the same problem, I guess. I can ping my internal servers from Internet clients using IPv6, but when I use the name it fails. If this was the problem with Andrew, how do you turn on DNS64, and where? I'm using DirectAccess, not UAG though.

     

    Thanks.

    Saturday, October 1, 2011 12:25 PM
  • DNS64 and NAT64 do not exist in Windows 2008 R2 DirectAccess; you must use UAG 2010 to get those features.


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Sunday, October 2, 2011 1:33 AM
  • Hey,

    If your internal resources are not IPv6 enabled (in particular your Domain Controllers/DNS servers), as mentioned above you will need to use UAG. DirectAccess is an IPv6 technology end to end. UAG allows you to access IPv4 resources by address translation.

    Thanks,

    Andrew

    Sunday, October 2, 2011 7:38 PM
  • Hi,

    We have an IPv6 infrastructure internally all working great but are having the same issue: how do you turn on DNS64 in UAG 2010? I have done some digging but not found any results.

    Weird thing is we are publishing our default route but when we activate DA we get an informational warning in UAG "the UAG DirectAccess server does not have internal routes configured for the entire organisation IPv6 range" and then quotes our entire IPv6 block!

    We are running dual stack; although internally all our servers and clients are speaking IPv6 to each other, we are using IPv4 predominantly to access the Internet. The DA server has a static IPv6 address and can ping and access all the servers in the network the clients are unable to ping; pinging from a client resolves to an internal IPv6 address which responds, you just can't get any real traffic to it.

    Has anybody got any ideas? Sounds like the DNS64 trick will sort it, but as above I can't find where to activate it.

    Any help would be appreciated

    Thanks

    James

    Tuesday, November 1, 2011 9:34 AM
  • Hey James,

    If you support IPv6 end to end then you shouldn't need to use DNS64, however it may be worth trying if it gets things working while you figure out why IPv6 isn't working.

    There is an option in the "UAG DirectAccess Server Configuration" under "Manage DirectAccess Services" where you can enable DNS64 and NAT64.

    You then need to apply DNS64 to a DNS suffix in the "Infrastructure Server Configuration":

     

    Helpful Links - 

    http://www.youtube.com/watch?v=8noN9nAtg58 (This will help most)

    http://blogs.technet.com/b/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx

     

    Also be aware that when a DA client establishes a connection there are 2 steps:

    1. Infrastructure tunnel is established first, which gives the client access to infrastructure servers, e.g. Domain Controllers, DNS servers. If this is successful you should be able to ping the IPv6 addresses of those servers and get a reply.

    2. Intranet Tunnel which gives the user access to internal resources. If this is working you should be able to ping the IPv6 resources as well as the IPv4 resources if you are using DNS64.

    http://social.technet.microsoft.com/wiki/contents/articles/directaccess-and-ipsec-tunnel-establishment.aspx

     

    Hope this helps :)

    Andrew

    Tuesday, November 1, 2011 9:15 PM
  • Not being funny, but never rely on PING for DA testing and troubleshooting: http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

    You are better to use another protocol like RDP or CIFS (accessing a file share).

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 1, 2011 10:46 PM
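    Andrew's two-step tunnel description and Jason's point that ping bypasses the IPsec tunnels can be combined into a check that exercises the tunnels with real TCP traffic. The script below is an added example, not code from this thread, from Microsoft or from UAG; the host names, the service ports and the split between "infrastructure" servers (reached over the infrastructure tunnel) and "intranet" servers (reached over the intranet tunnel) are assumptions to replace with your own. It resolves each name through the normal resolver (so the NRPT and, on UAG, DNS64 are exercised), keeps only IPv6 answers, attempts a TCP connect to each port, and counts the main mode and quick mode SAs with `netsh advfirewall monitor show mmsa` / `qmsa`.

```powershell
# Added example (not from the thread): DirectAccess client reachability check that
# drives TCP through the IPsec tunnels instead of relying on ICMP, which is
# exempted from IPsec (see "DefaultExemptions ICMP" in the consec output above).
# Host names, ports and the infrastructure/intranet split are assumptions.

# Step 1 targets: infrastructure servers reached over the infrastructure tunnel.
$InfrastructureTargets = @(
    @{ Name = 'dc01.corp.example'; Ports = @(389, 445) }    # assumed DC: LDAP + SMB
)
# Step 2 targets: application servers reached over the intranet tunnel.
$IntranetTargets = @(
    @{ Name = 'fileserver.corp.example'; Ports = @(445) }   # assumed file server: CIFS
    @{ Name = 'app01.corp.example';      Ports = @(3389) }  # assumed RDP host
)

function Resolve-IPv6 {
    param([string]$Name)
    # GetHostAddresses goes through the NRPT on a DA client. Only IPv6 answers
    # matter: DA traffic (including DNS64-synthesised addresses) is IPv6 only.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
    } catch { @() }
}

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    # A completed TCP handshake proves the tunnel carries real traffic;
    # an ICMP echo reply does not.
    $client = New-Object System.Net.Sockets.TcpClient($Address.AddressFamily)
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-IPsecSaCount {
    param([string]$Mode)   # 'mmsa' (main mode) or 'qmsa' (quick mode)
    # netsh prints one block per SA; each block has one "Local IP Address" line.
    $out = & netsh advfirewall monitor show $Mode 2>$null
    @($out | Where-Object { $_ -match '^\s*Local IP Address' }).Count
}

function Test-Targets {
    param([string]$Stage, $Targets)
    foreach ($t in $Targets) {
        $addrs = @(Resolve-IPv6 $t.Name)
        if ($addrs.Count -eq 0) {
            Write-Output ("[{0}] {1}: FAIL  no IPv6 answer (NRPT / DNS64 path)" -f $Stage, $t.Name)
            continue
        }
        foreach ($a in $addrs) {
            foreach ($p in $t.Ports) {
                $state = if (Test-TcpPort -Address $a -Port $p) { 'OK' } else { 'FAIL' }
                Write-Output ("[{0}] {1} [{2}]:{3}  {4}" -f $Stage, $t.Name, $a, $p, $state)
            }
        }
    }
}

Write-Output ("Main mode SAs : {0}" -f (Get-IPsecSaCount 'mmsa'))
Write-Output ("Quick mode SAs: {0}" -f (Get-IPsecSaCount 'qmsa'))
Test-Targets -Stage 'infrastructure' -Targets $InfrastructureTargets
Test-Targets -Stage 'intranet'       -Targets $IntranetTargets
```

    Run it from an elevated prompt on the DA client while it is outside the corporate network. A failure at the infrastructure stage with no quick mode SAs points at the first tunnel (certificates, GPO, IPsec negotiation); a name that returns no IPv6 answer points at the NRPT or, on UAG, at DNS64 not being applied to that suffix; infrastructure OK but intranet FAIL points at the second tunnel or at internal IPv6 routing, which is the symptom both Andrew and James describe.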