DA Manage Out - ISATAP - IPv6 address only allocated if machine is on same range as DA server.

Current Setup -

Two 2012 R2 servers in an NLB cluster

Hi All,

Having some issues with manage out. We use SCCM to remote onto DA clients; it used to work fine using the DA server as an ISATAP router.

However, not sure what's gone wrong, but helpdesk machines that now point to the DA server as an ISATAP router no longer receive an IPv6 address unless they are on the same IP range as the DA server.

So, for example, DA server IP address 10.1.1.5

Helpdesk machine 10.1.104.30 - ISATAP adapter shows only an IPv6 link-local IP address

If I change the IP address of the helpdesk machine to 10.1.1.10, for example, it will pick up an IPv6 address on the ISATAP interface (this used to work before regardless of what range you are on).

The only thing I can think of that has changed is that I virtualised the DA servers not too long ago and set the NLB clusters, both internal and external, to MULTICAST from UNICAST as per recommendations online when running DA on VMware.

I know ISATAP isn't officially supported by MS on 2012 R2, but this used to work fine, so any help would be greatly appreciated.

January 30th, 2015 1:15pm

Weird, I've disabled the Windows Firewall on the DA server for the DOMAIN profile and the helpdesk machines pick up an ISATAP address when on a different range.....

Wonder if it's some kind of security update (Windows patch) that's added a rule of some kind...

I've re-enabled the FW for the domain profile, but has anyone got any ideas what rule it could be, please?

January 30th, 2015 2:44pm

Kind of fixing my own issue here :)

Found the rule: it's Block ISATAP ICMPv6-In (Router Solicitation)

There is another one called Block ISATAP ICMPv6-Out (Router Advertisement) in the outbound rules.

Both rules are being added by the DA Server GPO (I presume DA created these, as I set up DA from scratch and never set up these rules).

I disabled the Block ISATAP ICMPv6-In (Router Solicitation) rule via GPO and updated policy server side with gpupdate /force.

Helpdesk machines receive IPv6 addresses correctly on the ISATAP interface.

I've re-enabled the rule, as I don't know what the implications are.

Anyone able to assist? (That's if I don't answer my own question in the meantime, lol.)

  • Edited by gsm_2013 Friday, January 30, 2015 1:59 PM added pic
January 30th, 2015 4:27pm

These rules are enabled by the DirectAccess server when you use NLB, because ISATAP is not supported in your configuration.

https://technet.microsoft.com/library/dn464274.aspx#bkmk_isa

I suppose that you are using IPv4 between your NLB Cluster and your internal infrastructure.

When a DirectAccess server is implemented, it creates an IPv6 subnet like fded:abcd:abcd:1000::/64 for the clients. The second server added to the cluster will use something like fded:abcd:abcd:1001::/64.

When the DirectAccess client connects to the infrastructure, it will receive an IPv6 address from the fded:abcd:abcd:1000::/64 pool if it connects through Server1, or from fded:abcd:abcd:1001::/64 if it connects through Server2.

Server1 can be an ISATAP router for the clients connected through Server1 only.
Server2 can be an ISATAP router for the clients connected through Server2 only.

BUT you can only have one ISATAP configuration for your Manage-Out computers, so you can only contact the clients connected through one ISATAP server, and you will be unable to contact the clients connected through the second server.

This is why ISATAP is blocked in the server's firewall.

If you want to Manage-Out clients with an NLB configuration, you must use native IPv6 between your DirectAccess cluster and your internal infrastructure.

Grald
January 31st, 2015 1:02am
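As an added diagnostic example (not code from the thread, from gsm_2013, or from Grald), the script below checks the two sides of the problem described above from PowerShell: on a manage-out client, whether the ISATAP interface holds only a link-local fe80:: address (router solicitation went unanswered) or a global address (the DA server answered), and which host it uses as its ISATAP router; on the DirectAccess server, whether the two Block ISATAP rules named in the thread are present, enabled, and sourced from Group Policy. It only reports; it does not change any rule. Assumptions: the rule display names are exactly as quoted in the thread, the ISATAP interface alias contains "ISATAP" (the Windows default), and the script runs elevated on Windows Server 2012 R2 / Windows 8.1 or later where the NetSecurity and NetworkTransition cmdlets exist.

```powershell
# Added diagnostic example, not from the thread. Run in an elevated PowerShell session.
# Assumptions: rule display names as quoted in the thread; ISATAP interface alias
# contains "ISATAP" (Windows default); NetSecurity/NetworkTransition modules available.

function Get-IsatapAddressState {
    # Classify every IPv6 address on ISATAP interfaces.
    # Only a link-local (fe80::) address means the client's router solicitation
    # received no router advertisement; a global address means the ISATAP router answered.
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*ISATAP*' }
    foreach ($a in $addrs) {
        [pscustomobject]@{
            Interface = $a.InterfaceAlias
            Address   = $a.IPAddress
            Scope     = if ($a.IPAddress -like 'fe80:*') { 'LinkLocal' } else { 'Global' }
        }
    }
}

function Get-IsatapRouterConfig {
    # Which host the client treats as its ISATAP router (the DA server in the thread)
    # and whether the ISATAP component is enabled and the router name resolved.
    Get-NetIsatapConfiguration | Select-Object State, Router, ResolutionState
}

function Get-IsatapBlockRules {
    # DirectAccess server side: the two rules the thread identified. PolicyStoreSourceType
    # shows whether they arrived via Group Policy (the DA Server GPO) or were created locally.
    $names = @(
        'Block ISATAP ICMPv6-In (Router Solicitation)',
        'Block ISATAP ICMPv6-Out (Router Advertisement)'
    )
    Get-NetFirewallRule -DisplayName $names -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction, Profile, PolicyStoreSourceType
}

# Client side: manage-out is healthy when at least one Global address is listed.
Get-IsatapRouterConfig
Get-IsatapAddressState | Format-Table -AutoSize

# Server side: report the rules; Grald's reply explains why they exist with an NLB cluster.
Get-IsatapBlockRules | Format-Table -AutoSize
```

Reading the output together with Grald's explanation: if the client shows only a LinkLocal entry and the server lists both rules as Enabled with PolicyStoreSourceType GroupPolicy, the behaviour is the by-design NLB restriction rather than a fault, and the supported way to restore manage-out is native IPv6 between the cluster and the internal network rather than disabling the rule.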