We are having problems with using IPHTTPS with Direct Access. Teredo works fine.
In order to troubleshoot the problem I tried to disable the Teredo adapter on my Windows 7 via the netsh command:
netsh interface teredo set state disabled
As I understand it, this should stop the Teredo interface immediately and the system should then fall back on IPHTTPS, which would make troubleshooting possible.
And this doesn't work, even when I disable the Teredo adapter it stays "online" and Direct Access continues working. When I do ipconfig /all I can see that the Teredo adapter is still the one in use.
thanks in advance, Marcus
This is what it says (in German)
C:\Windows\system32>NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE
Parameter für die Schnittstelle IPHTTPSInterface (Group Policy)
Rolle : client
URL : https://da.visatec.net:443/IPHTTPS
Letzter Fehlercode : 0x0
Schnittstellenstatus : Die IP-HTTPS-Schnittstelle ist deaktiviert.
which means it is disabled, but I never did that.
When I check this registry entry HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS_ClientState is on 0.
There is one case in which Teredo does not disable: it's when enterprise client mode was enabled. Please use NETSH.EXE INTERFACE TEREDO SHOW STATE to check the Teredo Type value. If it's ENTERPRISE CLIENT, Teredo never disables itself. Reconfigure your client with the following command "NETSH INTERFACE TEREDO SET STATE CLIENT" if it's not enforced through GPO. Otherwise, just create an outgoing firewall rule that blocks the UDP 3544 protocol on your DirectAccess client. This will completely block Teredo and force your client to use IPHTTPS.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
The Teredo settings come from the DirectAccess GPO, and sometimes running the manual command takes a few tries before it will "stick". And even then, it may revert itself back after it receives a Group Policy update.
netsh int teredo set state disabled will work - even if it's set to EnterpriseClient state, but you may have to enter that command a few times.
Or you can use a GPO to fight the other GPO - set up a GPO that disables Teredo at that level, assign it to your test computer, and do it that way. A little more involved though. :)
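
The checks and the firewall workaround suggested in the replies above, collected into one script. This is an added example, not code from any poster in the thread. The rule name is a made-up placeholder, the mapping of IPHTTPS_ClientState values (0, 2, 3) is taken from the "IP-HTTPS State" Group Policy setting rather than from the thread, and the script assumes an elevated PowerShell prompt on the DirectAccess test client.

```powershell
# Added example: temporary outbound block of Teredo (UDP 3544) on a test client.
param([switch]$Remove)

$ruleName = 'DA-Test-Block-Teredo-Out'   # hypothetical rule name, no spaces
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface'

function Show-TransitionState {
    # Teredo type (client / enterprise client) and current Teredo state
    netsh interface teredo show state
    # IP-HTTPS role, URL, last error code and interface status
    netsh interface httpstunnel show interface

    # Policy value mentioned in the thread; absent if no GPO sets it
    $value = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).IPHTTPS_ClientState
    $meaning = switch ($value) {
        0       { 'Default: IP-HTTPS is used only when no other connectivity option works' }
        2       { 'Enabled: IP-HTTPS interface is always present' }
        3       { 'Disabled: IP-HTTPS interface is never present' }
        default { 'not set by policy or unknown value' }
    }
    Write-Host "IPHTTPS_ClientState = $value ($meaning)"
}

function Test-BlockRule {
    # netsh returns a non-zero exit code when no rule matches the name
    netsh advfirewall firewall show rule "name=$ruleName" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if ($Remove) {
    # Clean up after the test so Teredo can be used again
    if (Test-BlockRule) { netsh advfirewall firewall delete rule "name=$ruleName" }
    Show-TransitionState
    return
}

Write-Host '--- State before the block ---'
Show-TransitionState

if (-not (Test-BlockRule)) {
    # Outbound rule for the Teredo port named in the reply above
    netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block protocol=UDP remoteport=3544
}

# Give the client time to notice that Teredo is unreachable
Start-Sleep -Seconds 60

Write-Host '--- State after the block ---'
Show-TransitionState
```

Run it again with -Remove to delete the test rule once the IP-HTTPS troubleshooting is finished.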