Manage Out Problem - UAG

  • Question

  • I had come across an issue on my DA/UAG deployment that I just can't figure out. I had everything working correctly until I updated the GPO to include some additional management servers, and ever since that time I have been unable to ping any ISATAP addresses from either inside my corpnet or from the DirectAccess client.

    I have a desktop that has an ISATAP address, although I can't ping my DirectAccess client anymore, and when I do a tracert it just stops at the inside interface on the UAG server. Likewise I am unable to ping my ISATAP-enabled desktop from the DA client. This was working before and I am unsure what has changed.

    The DA client can connect to all internal resources apart from systems that are using ISATAP.

    I am controlling which systems are using ISATAP by using the host file to point to the internal IP address.

    I already had firewall rules set on the clients to allow ICMPv6 as well as all forms of remote connections, and they were working correctly. The only thing that changed is related to the GPO, and apart from that I am at a dead end as to what I should be looking at. I don't see anything obvious in the TMG Firewall logs.

    The other interesting thing is that I can ping and RDP the DA client from the UAG server itself.

    Any help would be appreciated.


    Friday, November 4, 2011 10:45 PM

All replies

  • Could you provide some more information on this? Are you using physical machines or virtual? Are you using two UAGs and integrated NLB? In that case, what NLB mode? Is the ISATAP server located on the same subnet as the UAG?

    Tuesday, November 8, 2011 10:36 PM
  • Hi

    I have two physical machines running UAG that are set up as an array using integrated NLB. The NLB mode is unicast. The UAG servers are acting as the ISATAP router, and I am controlling access via an entry in a hosts file rather than putting it into DNS.

    Everything was working before, but after a GPO was applied incorrectly (the firewall was disabled), all connectivity using ISATAP is no longer working. DA clients can connect in with no issues and access corporate resources. However, they are unable to ping a client with the HOSTS file entry for ISATAP, and these systems are also unable to manage out.

    The firewall settings on both clients are correct... it just seems that ISATAP is not routing anything.

    Monday, November 14, 2011 4:07 PM
  • I am still experiencing this issue even after rebuilding the environment, and any ideas would be appreciated.
    Friday, December 9, 2011 8:00 PM
  • When you say that a GPO was applied incorrectly, do you mean that a GPO got applied to the UAG servers that wasn't supposed to be applied to the UAG servers (so one of your own GPOs)?

    And what did you rebuild? The UAG servers? If so, did you confirm that this (or any other) GPO did absolutely not get applied to the UAG servers again after they were rebuilt?

    Sorry for all the questions, but one more: in the UAG Web Monitor, when you look in the DirectAccess Monitor - Current Status section, does everything (particularly ISATAP) show as healthy?

    Friday, December 9, 2011 8:57 PM
  • Thanks for your response.

    There was a GPO applied that disabled the Windows Firewall on the UAG servers. This was causing issues with the IPsec tunnels not being able to establish. We put an exclusion on this policy for the UAG servers so that they no longer receive the policy.

    I rebuilt both UAG servers, starting with the OS and all relevant patches, and then installed UAG. They did not apply the other policy at that time.

    The web monitor is showing that everything is functioning correctly on both array members.

    Monday, December 12, 2011 9:02 PM
  • Have you tried refreshing the ISATAP adapter on the internal machines that are making use of ISATAP? Command should be:

    sc control iphlpsvc paramchange

    Try that and see if refreshing the ISATAP adapter/settings makes that machine then work correctly. Also, Jason recently published an article on a great way to manage which machines use ISATAP without having to screw around with hosts files. You might want to check this out; it'll make things easier for you in the long run:

    http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html

    Tuesday, December 13, 2011 4:18 PM
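    As an added illustration of the refresh step suggested above (this script is not from the thread or from any of the posters), the following PowerShell checks the ISATAP state, configured router and current ISATAP addresses on an internal Windows 7 / Server 2008 R2 host, and only issues the iphlpsvc paramchange when no ISATAP address is present. It assumes netsh and sc.exe are available and must be run as an administrator.

```powershell
# Added example (not from the thread): inspect and, if needed, refresh ISATAP on an internal host.
# Assumptions: netsh and sc.exe are present; the script runs elevated.

function Get-IsatapStatus {
    # ISATAP state and configured router, as reported by netsh
    $state  = (netsh interface isatap show state)  -join ' '
    $router = (netsh interface isatap show router) -join ' '
    # ISATAP addresses carry the 5efe interface-id marker before the embedded IPv4 address,
    # e.g. fe80::5efe:10.0.0.5; the address is the last whitespace-separated token on the line
    $lines  = netsh interface ipv6 show addresses | Select-String -Pattern '5efe'
    $addrs  = @($lines | ForEach-Object { ($_.Line.Trim() -split '\s+')[-1] })
    New-Object PSObject -Property @{
        State     = $state
        Router    = $router
        Addresses = $addrs
    }
}

function Reset-IsatapAdapter {
    # The same refresh the thread suggests: ask the IP Helper service to re-read its parameters
    sc.exe control iphlpsvc paramchange | Out-Null
    # Give the service a few seconds to rebuild the ISATAP interface
    Start-Sleep -Seconds 5
}

$before = Get-IsatapStatus
Write-Host "ISATAP state   : $($before.State)"
Write-Host "ISATAP router  : $($before.Router)"
Write-Host "ISATAP address : $($before.Addresses -join ', ')"

if ($before.Addresses.Count -eq 0) {
    Write-Warning 'No ISATAP address present; refreshing the adapter.'
    Reset-IsatapAdapter
    $after = Get-IsatapStatus
    if ($after.Addresses.Count -eq 0) {
        Write-Warning 'Still no ISATAP address: check the router name resolves (hosts/DNS) and that ISATAP is not disabled by policy.'
    } else {
        Write-Host "After refresh  : $($after.Addresses -join ', ')"
    }
}
```

    If the host already has an ISATAP address but cannot reach the DA client, the problem is not the adapter; the output of the router check is then the value to compare against the UAG internal address the hosts file entry points at.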
  • Have you tried refreshing the ISATAP adapter on the internal machines that are making use of ISATAP? Command should be:

    sc control iphlpsvc paramchange

    Try that and see if refreshing the ISATAP adapter/settings makes that machine then work correctly. Also, Jason recently published an article on a great way to manage which machines use ISATAP without having to screw around with hosts files. You might want to check this out; it'll make things easier for you in the long run:

    http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html

    Why thank you! ;)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, December 13, 2011 4:25 PM
  • Thanks for the response and the information.


    I tried refreshing the ISATAP adapter on the internal machine but that did not seem to make a difference.

    I am still able to ping the UAG server from my ISATAP client and get an IPv6 response. However, when I try to ping the DA client I don't get a response. If I log onto the UAG server I am able to ping both the inside client on its ISATAP address and the DA client and get responses. When I try to ping the ISATAP client from the DA client, again I am not getting any return.

    This leads me to believe that there is something on the UAG server itself that is causing the problem, but I am unable to see anything in the logs that points to any particular issue.

    Wednesday, December 14, 2011 4:30 PM