DirectAccess - IPHTTPS Tunnel with native IPv6 client

Answers

  • Hi,

    First, here is a video you might find useful for your reference.

    Configuring and Implementing DirectAccess with Windows Server 2012

    http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx

    Moreover, you may refer to this topology to compare with your current environment. From your description, I guess the DA server is using the 6to4 tunnel transition technology; however, the DA server does not respond to the client. Could you please check these from the links below?

    Capacity Planning for DirectAccess Servers

    http://technet.microsoft.com/pt-pt/library/ee382271(v=ws.10).aspx;

    At last, may I know if the DirectAccess server is connected directly to the public Internet? If so, disabling these IPv6 transition protocols is not required. Hope this helps.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Alex Lv Tuesday, September 2, 2014 1:59 AM
    Friday, August 29, 2014 10:18 AM

All replies

  • Hi,


    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.


    Thanks for your understanding and support.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Wednesday, August 20, 2014 7:03 AM
  • According to http://technet.microsoft.com/en-us/library/jj134148.aspx:

    [quote]
    Native IPv6 client computers can connect to the DirectAccess server over native IPv6, and no transition technology is required.
    [/quote]

    OK, that sounds good but I haven't found yet any reliable guidance how to implement such a DirectAccess scenario. So, any hint is more than welcome.

    Regards,
    Stefaan

    Wednesday, August 20, 2014 11:48 AM
  • Hi,

    It seems we could meet the requirement depending on the following articles. But the weak point is that

    Step 1: Plan the DirectAccess Infrastructure

    http://technet.microsoft.com/en-us/library/jj574101.aspx

    DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network. However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4, Teredo, IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP). For an overview of these transition technologies, see the following resources:

    Thank you.

    Best regards,

    Steven Song



    Thursday, August 21, 2014 12:12 PM
  • Hi Steven

    I know that IPv6 is not required neither internally nor externally. But our real life scenario is as follows:

    DA Server Internal network: IPv4 (private IP's) and IPv6 (public IP's).

    DA Clients with only IPv4 (private IP's): IP-HTTPS kicks in (6to4 and Teredo are explicitly disabled on the client). This is working great! No problems at all.

    DA Clients with both IPv4 (private IP's) and IPv6 (public IP's): we see that IP-HTTPS still kicks in although it shouldn't according to http://technet.microsoft.com/en-us/library/jj134148.aspx. That creates as far as we can tell another problem with the DNS registration (see related thread).

    Because we can't control the DA client environment, both cases should work without problems.

    Regards,
    Stefaan

    Thursday, August 21, 2014 1:36 PM
  • Hi Stefaan,

    Thank you for your reply.

    Based on your description, I will discuss with our group and let you know the update.

    Regards,

    Steven Song



    Monday, August 25, 2014 8:20 AM
  • After some more research I found the Technet article http://technet.microsoft.com/en-us/library/ee844198(v=WS.10).aspx. If that's still valid then no IPHTTPS should be used at all as both the DA client and the DA server have a public IPv6 address and can reach each other.

    DA Client:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 9C-B6-54-EF-D9-37
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2a02:a010:1:12::10(Preferred)
       Link-local IPv6 Address . . . . . : fe80::75df:2d9e:9fa6:a730%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.29.0.16(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.240.0
       Default Gateway . . . . . . . . . : 2a02:a010:1:12::1
                                           172.29.0.1
       DHCPv6 IAID . . . . . . . . . . . : 60601940
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-74-91-FD-9C-B6-54-EF-D9-37

       DNS Servers . . . . . . . . . . . : 195.238.2.21
                                           195.238.2.22
       NetBIOS over Tcpip. . . . . . . . : Enabled

    DA Server:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-87-24-4C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2a02:a010:1:20::203(Preferred)
       Link-local IPv6 Address . . . . . : fe80::7960:e687:d4f3:4bf6%18(Preferred)
       IPv4 Address. . . . . . . . . . . : 193.75.143.203(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 2a02:a010:1:20::21
                                           193.75.143.21
       DHCPv6 IAID . . . . . . . . . . . : 520114262
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-39-9F-8F-00-50-56-87-31-60
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Also, why do we see in the "DirectAccess Policy-DaServerToCorpSimplified" as "Local Tunnel Endpoint" on the DA Server and as "Remote Tunnel Endpoint" on the DA Client the IPv6 address 2002:c14b:8fcb::c14b:8fcb ? That's the "Tunnel adapter 6TO4 Adapter" of the DA Server. Shouldn't that be the IPv6 address 2a02:a010:1:20::203 in our case?

    Regards,
    Stefaan

    Wednesday, August 27, 2014 12:58 PM
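The 2002:c14b:8fcb::c14b:8fcb address asked about above is not arbitrary: 6to4 (RFC 3056) derives the prefix 2002:WWXX:YYZZ::/48 from the public IPv4 address WW.XX.YY.ZZ, and the Windows 6TO4 Adapter reuses the same 32 bits as the interface identifier, so the server's external IPv4 address 193.75.143.203 maps to exactly that address. The following PowerShell is an added example, not code from the thread or from Microsoft; it converts in both directions and classifies a policy "Tunnel Endpoint" as 6to4-derived or native. The function names are my own; the sample values are the ones posted in the thread.

```powershell
# Added example, not part of the thread: relate a 6to4 address to the IPv4 address it embeds.
# RFC 3056 derives the prefix 2002:WWXX:YYZZ::/48 from the public IPv4 address WW.XX.YY.ZZ; the
# Windows "6TO4 Adapter" reuses those 32 bits as the interface ID, giving 2002:WWXX:YYZZ::WWXX:YYZZ.

function ConvertTo-6to4Address {
    # IPv4 address -> the address the Windows 6TO4 Adapter would configure for it
    param([Parameter(Mandatory)][string]$IPv4Address)
    $b = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$IPv4Address is not an IPv4 address" }
    $hex = '{0:x2}{1:x2}:{2:x2}{3:x2}' -f $b[0], $b[1], $b[2], $b[3]
    return "2002:${hex}::${hex}"
}

function ConvertFrom-6to4Address {
    # Returns the embedded IPv4 address, or $null when the address is not inside 2002::/16
    param([Parameter(Mandatory)][string]$IPv6Address)
    $b = [System.Net.IPAddress]::Parse($IPv6Address).GetAddressBytes()
    if ($b.Length -ne 16 -or $b[0] -ne 0x20 -or $b[1] -ne 0x02) { return $null }
    return ('{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5])
}

function Test-DATunnelEndpoint {
    # Classifies the "Tunnel Endpoint" address shown in the DirectAccess IPsec policy
    param(
        [Parameter(Mandatory)][string]$TunnelEndpoint,
        [Parameter(Mandatory)][string]$ServerPublicIPv4,
        [Parameter(Mandatory)][string]$ServerNativeIPv6
    )
    # Canonical textual form so that '2a02:a010:1:20::203' and '2a02:a010:1:20:0:0:0:203' compare equal
    $normalize = { param($a) [System.Net.IPAddress]::Parse($a).ToString() }

    $embedded = ConvertFrom-6to4Address $TunnelEndpoint
    if ($embedded) {
        if ($embedded -eq $ServerPublicIPv4) {
            return "6to4 endpoint: $TunnelEndpoint is derived from $ServerPublicIPv4; a native-IPv6 client reaches it through a 6to4 relay, not over native IPv6."
        }
        return "6to4 endpoint derived from a different IPv4 address ($embedded)."
    }
    if ((& $normalize $TunnelEndpoint) -eq (& $normalize $ServerNativeIPv6)) {
        return "Native endpoint: $TunnelEndpoint is the server's own global IPv6 address."
    }
    return "Endpoint $TunnelEndpoint is neither a 6to4 address nor the server's native address."
}

# Values posted in the thread: DA server external adapter and the policy's tunnel endpoint
ConvertTo-6to4Address   -IPv4Address '193.75.143.203'
ConvertFrom-6to4Address -IPv6Address '2002:c14b:8fcb::c14b:8fcb'
Test-DATunnelEndpoint   -TunnelEndpoint   '2002:c14b:8fcb::c14b:8fcb' `
                        -ServerPublicIPv4 '193.75.143.203' `
                        -ServerNativeIPv6 '2a02:a010:1:20::203'
```

With the thread's values the conversion reproduces the 6TO4 Adapter address that appears in the policy, which confirms the endpoint was taken from the server's external IPv4 address rather than from its global IPv6 address. The practical consequence for a native-IPv6 client is the one described later in the thread: traffic to a 2002::/16 endpoint is routed to a public 6to4 relay first.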
  • Hi Stefaan,

    From your description, we know it can work fine when we disable the use of IPHTTPS.

    For your question: you think the DA client IPv6 address should be the IPv6 address 2a02:a010:1:20::203, not the 6to4 adapter address 2002:c14b:8fcb::c14b:8fcb?

    Actually, 6to4 is an IPv6 transition technology that enables DirectAccess clients to connect to the Forefront UAG DirectAccess server over the IPv4 Internet. 6to4 is used when clients have a public IP address. IPv6 packets are encapsulated in an IPv4 header, and sent over the 6to4 tunnel adapter to the DirectAccess server. After running the wizard and applying GPOs, 6to4 is automatically configured for DirectAccess clients and the DirectAccess server. 6to4 is defined in RFC 3056. For more information, see IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?LinkID=154382).

    Hope this makes sense. If there is any misunderstanding, please let me know. Thanks.



    Thursday, August 28, 2014 10:13 AM
  • Hi Steven,

    the point is that both the DA client and server are natively on the IPv6 Internet. Everything I have learned so far indicates that in this scenario no transition technology should be used at all. Therefore:

    1. why is IPHTTPS still used in the first place?
    2. why do I see in the DirectAccess policy the IPv6 address of the 6to4 adapter on the DA server as Tunnel Endpoint and not the IPv6 address of the external adapter on the DA server?
      As a result, I see at the DA server inbound ISAKMP requests from the IPv6 address of the DA client towards the IPv6 address of the 6to4 interface of the DA server. However, I don't see any response from the DA server.

    I suspect there is some configuration issue on the DA server, because several Technet articles and Joe Davis' IPv6 bible say this scenario is supported. However, we don't find any good guidance on how to implement such a DirectAccess scenario.

    Regards,
    Stefaan

    Friday, August 29, 2014 8:25 AM
  • We will rebuild the environment to perform some further testing and report back the results.
    However, this can take a while.

    Regards,
    Stefaan

    Tuesday, September 2, 2014 4:46 PM
  • Hi,

    Thanks for your reply and looking forward to your report back.

    Have a nice day.



    Thursday, September 4, 2014 6:55 AM
  • I just want to let you know I am experiencing the same results with my DirectAccess implementation. 

    The 2012 R2 DA server has 2 public IPv4 addresses and 1 native IPv6 address.

    A client using a Verizon 4G LTE connection has a private IPv4 address and a native IPv6 address.

    What I see on the DA server is that, before a user logs in, the client computer establishes a native IPv6 connection. Then, when a user logs in, a separate IP-HTTPS connection is created.

    Even stranger when I disable ipv6 on the client computer both connections use Teredo.

    Thursday, December 4, 2014 11:32 PM
  • Native IPv6 connections are possible, but I think this is undocumented:

    If you want to use your native IPv6 addresses as tunnel endpoint IPs (and not the 6to4 addresses), you will need to configure 2 (!) public IPv6 addresses on the external interface before using the wizard for the first time.

    If you do this, the wizard will use one public IPv6 address as the infrastructure tunnel destination IP and the other public IPv6 address as the user tunnel destination IP.
    If you don't, the wizard will use the 6to4 interface address space as the destination.
    In this case, depending on your environment, you might need to configure a default route to the IPv6 equivalent of 192.88.99.1 (2002:c058:6301::) on the 6to4 interface:

    New-NetRoute -DestinationPrefix ::/0 -InterfaceIndex XX -NextHop 2002:c058:6301::

    Be aware: using native IPv6 connections on the server and client side will certainly lead you into MTU issues if your corporate network is IPv4 only (because of problems delivering "packet too big" messages).

    Otherwise: using the 6to4 address space (together with public 6to4 gateways) leads to big differences in connection quality depending on the 6to4 gateway utilization.

    If you have other experiences, please share.

    Friday, January 20, 2017 9:57 AM
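To check which transport a client is actually using, as several posters in this thread had to work out by hand, the following PowerShell inventories the DirectAccess client state, the three transition technologies, the client's non-transition global IPv6 addresses and the IPsec main-mode SA endpoints, and it fills in the "XX" interface index for the 6to4 default route from the post above by looking up the 6TO4 Adapter. This is an added example and not code from the thread or from Microsoft; the cmdlets (Get-DAConnectionStatus, Get-NetIPHttpsState, Get-NetTeredoState, Get-Net6to4Configuration, Get-NetIPAddress, Get-NetIPsecMainModeSA, Get-NetIPInterface, New-NetRoute) are the standard Windows 8.1 / Server 2012 R2 ones; the function names are my own, and the relay address 2002:c058:6301:: is the one from the post.

```powershell
# Added example, not part of the thread: inventory which DirectAccess transport a client is really
# using, and fill in the interface index for the 6to4 default route quoted above.
# Run in an elevated PowerShell on a Windows 8.1 / Server 2012 R2 DirectAccess client.

function Get-DATransportSummary {
    $s = [ordered]@{}

    # Overall client state as reported by the DirectAccess client components
    $da = Get-DAConnectionStatus
    $s.Status    = $da.Status
    $s.Substatus = $da.Substatus

    # Transition technologies: at most one of these should be carrying the tunnel
    $s.IPHttps   = Get-NetIPHttpsState             # interface status and last error code
    $s.Teredo    = (Get-NetTeredoState).State      # e.g. offline / qualified
    $s.SixToFour = (Get-Net6to4Configuration).State

    # Global IPv6 addresses that are neither link-local nor transition-technology addresses
    $s.NativeIPv6 = Get-NetIPAddress -AddressFamily IPv6 -Type Unicast |
        Where-Object {
            # exclude link-local (fe80::/10), 6to4 (2002::/16), Teredo (2001:0::/32), site-local (fec0::/10)
            $_.IPAddress -notlike 'fe80:*' -and
            $_.IPAddress -notlike '2002:*' -and
            $_.IPAddress -notlike '2001:0:*' -and
            $_.IPAddress -notlike 'fec0:*'
        } | Select-Object -ExpandProperty IPAddress

    # Established IPsec main-mode SAs: the endpoints show which address the tunnel terminates on
    $s.MainModeSA = Get-NetIPsecMainModeSA |
        Select-Object LocalEndpoint, RemoteEndpoint

    [pscustomobject]$s
}

function Get-6to4InterfaceIndex {
    # Windows names the 6to4 tunnel interface "6TO4 Adapter" (as in the ipconfig output above)
    $if = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object InterfaceAlias -like '6TO4*' | Select-Object -First 1
    if (-not $if) { throw 'No 6TO4 Adapter interface found on this host' }
    $if.ifIndex
}

function Add-6to4DefaultRoute {
    # Default IPv6 route via the public 6to4 relay anycast address (192.88.99.1 = 2002:c058:6301::).
    # Only previews the change (-WhatIf) unless -Apply is given.
    param([string]$NextHop = '2002:c058:6301::', [switch]$Apply)
    New-NetRoute -DestinationPrefix '::/0' -InterfaceIndex (Get-6to4InterfaceIndex) `
                 -NextHop $NextHop -WhatIf:(-not $Apply)
}

Get-DATransportSummary | Format-List
Add-6to4DefaultRoute          # preview only; run with -Apply to create the route
```

Reading the summary: a client that is genuinely on native IPv6 should show a non-transition address under NativeIPv6, Teredo offline, and main-mode SAs whose RemoteEndpoint is the server's global address rather than a 2002::/16 address; if the RemoteEndpoint is a 6to4 address while IPHttps reports an active interface, you are seeing the behaviour the thread describes. The route helper deliberately defaults to a preview because, as the post above notes, whether the route is needed depends on the environment.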