I have implemented DA 2012 "by the book", first disabled ISATAP, IPv6 address is added to Application server and also added IPv6 address of my DA 2012 server as default gateway, installed Remote Management (DA only), certificates issued to server and clients, two consecutive IPv4 address-es for Teredo, etc...Not using ISATAP as recommended.
Clients connect successfully via IP-HTTPS, Teredo or 6to4, I can ping/access servers on Internal network and after adding firewall rule regarding ICMPv6 Echo Request “http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx” I can ping DA clients, but I have problem with Manage Out clients.
We added firewall rule regarding RDP. Also, we configured it by this article “http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx”, but we cannot access them from Internal network.
Have you identified how far you can get?
Does the clients computername resolve to an IPv6 address in DNS? (assuming 'yes' as you can ping the client)
If you enable firewall logging on the clients, can you see the request actually reaching the client?
Have you limited the remote IP addresses on the client firewall rule?
Hth, Anders Janson Enfo Zipper
I'm having the same issue. Everything works fine from the DA client back into the intranet. But I can't RDP from my sccm server to the DA client. When attempting to tracert from the sccm server TO the DA Client, it hits the DA Server but that is as far as it gets. Can you possibly explain how you manually created that infrastructure tunnel between the DA Server and SCCM?
Brian D. Davis MCP
The most likely answer is that the SCCM server had to be added to the Management Servers list in the DirectAccess wizards (inside Step 3). Only the servers identified here in the wizard will be available over the Infrastructure tunnel.
You of course also need to confirm that your SCCM server is IPv6 connected, either via native IPv6 or ISATAP.
I'm having the same issue. I can ping my clients from the Direct Access Server but not from the SCCM Server. The SCCM Server is in the Management Servers list in Direct Access, IPv6 is enabled on the Network Adapter, but it has no IPv6 address configured right now.
@Jordan you said that the SCCM of course Needs to be connected to IPv6. To be honest i am not very familiar with IPv6... what is the easiest way to get it IPv6 connected? Just give it any IPv6 Address? (Really need to get some more info on IPv6...)
If you don't have native IPv6 already running inside your network (which it sounds like you don't, the DirectAccess server would need to have a native IPv6 address as well if that were the case), then the easiest way to get IPv6 working in the network is by using ISATAP. This is a tunneling technology that sort of creates a virtual IPv6 network that runs on top of your IPv4 network. Assuming your DA server only has an IPv4 address, then it's already running as an ISATAP router and you just need to point your SCCM server at it to "grab" an ISATAP address and routing information. At that point your SCCM server will get an ISATAP IPv6 address.
The issue now is that since your SCCM server only knows how to talk IPv4 on your network, you try to contact "LAPTOP1" for example, the server asks DNS - "How do I get to LAPTOP1?", and DNS replies with the DirectAccess IPv6 address, which the SCCM server doesn't know what to do with. Once you get an IPv6 address on that SCCM server it should then be able to route that traffic successfully to the DA server, outbound to the DA clients.
Here is an excellent article by Jason Jones on how to establish limited ISATAP functionality inside your network. Please do not follow any of the Test Lab documentation to simply create an "ISATAP record in DNS, that can cause havoc in some network. Follow this guide and you should be all set: http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html
Thanks for the replies. I have everything setup as in the article above. My SCCM server was added to the management servers list in the DA 2012 config (both the fqdn and the IPv4 and IPv6 addresses. SCCM is successfully getting an IPv6 address and doing a tracert from the sccm server to one of my DA Connected Clients, it gets to the DA server but stops. Any other suggestions?
Brian D. Davis MCP
Have you created the GPO for your DA client computers that contains the WFAS rules to allow RDP connectivity (and any other ports that SCCM might need access to)? Even once you have taken the internal steps for ISATAP and created IPv6 routability to your DA clients, the clients themselves will deny any packets coming in by default. You must create Firewall rules on the clients to allow any protocols through that you want.
I would focus first on doing a regular RDP connection from inside your network to an external DA client, make sure you can get that working before trying anything from inside SCCM. This will simplify the traffic and confirm routing outbound. So include an internal Windows 7 computer or something like that into your ISATAP infrastructure so that it gets an ISATAP IPv6 address, then from that machine try to do a straight RDP out to a DA client. Once we get that working, then we can go over and start testing from SCCM.