DirectAccess 2012: I can only make manage out connections from DA server.

I deployed Windows Server 2012 (not R2) on a physical server with one NIC on the corporate LAN, and the other NIC in our DMZ (natted).  We are using IP-HTTPS only.  Port 443 is open on our Cisco ASA.  Also, ICMP and ICMP6 protocols are also allowed through the ASA to help troubleshoot.  All client computers are Win7 Enterprise.  Manage-out computers are either Server 2008 R2, or Win7.

I have a test laptop at my house connected in successfully.

Manage out does not work from my AntiVirus Mgmt server, my WSUS server, or my workstation.  It does work directly from the DirectAccess server though (RDP, Services, Event Viewer, File browsing, msinfo32, Compmgmt, etc).

Corporate network is IPv4, so I have a custom ISATAP DNS entry named DA-ISATAP.domain.com with the DA-server's internal IPv4 address.  I have the GPO successfully applied to the manage-out computers that enables ISATAP and specifies the DA-server as the router.

Manage-out computers show what seems to be correct configuration for their respective ISATAP tunnel adapters.

Manage-out computers are also specified in the Infrastructure Server Setup portion of the Remote Access Mgmt Console.

On the DA-server, I have enabled Advertising, Forwarding, and Advertising Default Route enabled for the ISATAP adapter.

Manage-out computers are able to resolve the IPv4 address of the custom DNS entry I created for the gpo: "DA-ISATAP.domain.com". They are also able to ping it successfully.

Manage-out computers are resolving an IPv6 address when I try to ping the remote computer's name.  The requests time out.

I did a wireshark capture on the DA-server internal connection.  I set the capture filter for the IP address of one of the manage-out computers.  When I try to connect, Wireshark picks up a bunch of TCP Retransmissions.

I run the same capture on just the DA-server's DMZ interface, and it doesn't pick up anything.  It leads me to believe that something would be incorrect on the DA-server...right?

On the Dashboard, all Operations Status are green.  There's no checkmark for "ISATAP", but I figured the ones for DNS64 and NAT64 would cover it.

One weird thing I noticed, and I'm not sure what to make of it - When I show IPv6 interfaces in netsh, there are two isatap entries.  One is isatap.domain.com and the other is isatap.{identifier}

For what it's worth, advertising, forwarding, and advertise default route are enabled on both.  Could having two interfaces here be what's mucking up my manage-out attempts?

EDIT:  Another question I have.  When I'm troubleshooting via Wireshark, I'm not 100% sure what I should be looking for?

If I set up a capture on the DirectAccess client connected at my house, and I want to check if I'm getting communication from the WSUS server, what would the remote host be for inbound traffic from the WSUS server?

1) The WSUS IPv4 address?
2) The WSUS ISATAP tunnel adapter IPv6 address?
3) The DirectAccess Server DMZ connection address?
4) The public IP address for DA.mydomain.com? 


  • Edited by bswient Monday, June 01, 2015 12:09 PM Additional question(s)
May 29th, 2015 8:27pm

Hi,

As far as I read your information you should be ok, but I can't tell for sure. Before I walk you through some things you have to know that DirectAccess with ISATAP is officially not supported by Microsoft anymore. That's one reason why it's not so well documented. But DirectAccess still allows it. I have implemented it multiple times with success, but it can sometimes be somewhat tricky. One thing to note, you don't have to configure anything on the DirectAccess Server.

  • First of all you have to check the health of your DirectAccess Server through the GUI and check whether 6to4 is running with a green checkmark. It probably is, but just to make sure. In fact ISATAP uses 6to4.
  • I assume you are using a single DirectAccess Server, no cluster. If you do host a Hyper-V Cluster, please note that ISATAP requires round-robin A-records. One to each Address; the physical IP Addresses, and the virtual IP Address.
  • If you run IPCONFIG on your DirectAccess Manage-Out Clients (ISATAP Clients) they should have an IPv6 Address on the ISATAP tunnel interface. In fact it is a 6to4 suffix.
  • You must configure an inbound firewall rule on your DirectAccess Clients. The inbound firewall rule must be configured for the public and private profile. The inbound firewall rule must also have the IPv6 suffix of your DirectAccess Manage-Out Clients (ISATAP Clients) as the source. The protocols are up to you. Normally when your DirectAccess Clients also use Teredo (UDP/3544) for connectivity, you also need to configure 'Allow edge traversal', but not in your case since you only use IP-HTTPS.


One other question. What do you mean by "On the DA-server, I have enabled Advertising, Forwarding, and Advertising Default Route enabled for the ISATAP adapter."? As I mentioned, you don't have to configure anything on the DirectAccess Server.

Ok, first check the things I described.

May 30th, 2015 8:35am
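A worked version of the inbound rule on the DirectAccess clients that the reply above describes, added here as an example; it is not code from the thread or from Microsoft. It scopes each rule to the manage-out ISATAP prefix as the remote source and applies it to the private and public profiles only, and uses netsh advfirewall so it also runs on the Windows 7 clients in this deployment. The prefix, rule names and port list are placeholders (the reply leaves the protocol choice to you; RDP, SMB, the RPC endpoint mapper and ICMPv6 echo are shown because they match the tools the opening post uses), and edge traversal is deliberately left off because the deployment is IP-HTTPS only.

```powershell
# Added example, not from the thread. Run elevated on a DirectAccess client,
# or push the same rules through the DA client GPO.

# PLACEHOLDER: the /64 ISATAP prefix of the manage-out hosts. Read it from the
# ISATAP tunnel adapter address on a manage-out host (ipconfig /all) and keep
# the /64 so only those hosts match the remoteip scope.
$ManageOutPrefix = '2002:c633:6401:1::/64'

# Protocols to allow inbound from that prefix only. Adjust to what you actually
# manage with; an entry without Port is a protocol-only rule.
$Rules = @(
    @{ Name = 'DA Manage-Out: RDP';          Protocol = 'tcp';           Port = '3389' },
    @{ Name = 'DA Manage-Out: SMB';          Protocol = 'tcp';           Port = '445'  },
    @{ Name = 'DA Manage-Out: RPC endpoint'; Protocol = 'tcp';           Port = '135'  },
    @{ Name = 'DA Manage-Out: ICMPv6 echo';  Protocol = 'icmpv6:128,any' }   # echo request only
)

foreach ($r in $Rules) {
    # Delete any earlier copy so re-running the script does not stack duplicates.
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($r.Name)", 'dir=in', 'action=allow',
                   "protocol=$($r.Protocol)",
                   "remoteip=$ManageOutPrefix",   # source scope: manage-out hosts only
                   'profile=private,public')      # a remote DA client is never on the domain profile
    if ($r.Port) { $netshArgs += "localport=$($r.Port)" }
    # edge=yes (Allow edge traversal) is only needed for Teredo clients; this
    # deployment is IP-HTTPS only, so the default (no) is kept.
    & netsh @netshArgs
}

# Verify what actually landed, in particular the RemoteIP scope and the profiles.
foreach ($r in $Rules) {
    & netsh advfirewall firewall show rule "name=$($r.Name)" verbose |
        Select-String 'Rule Name|Profiles|RemoteIP|Protocol|LocalPort|Edge traversal'
}
```

The rules are intentionally narrow: a client that is off-site will accept RDP or SMB only from addresses inside the manage-out prefix, so the same rules that make manage-out work do not also expose those services to the rest of the Internet. If the verification output shows `RemoteIP: Any`, the prefix argument did not take and the rule should be removed before anything else is tried.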

Boudewijn,

Thanks so much for the reply.  To clarify what I meant about "enabling Advertising, Forwarding, etc..." I was referring to Colin Brown's troubleshooting steps found here (step 7):

http://blogs.technet.com/b/privatecloud/archive/2013/04/01/troubleshooting-directaccess-manage-out-connections.aspx

I do have the inbound firewalls configured correctly.  The big thing that's puzzling me is that I can manage out from the Direct Access server perfectly.  Everything connects.  So it's reasonably safe to say that the Cisco ASA and clients are configured fine.  It's just that any computer on the internal network fails to reach the clients.  It looks like the traffic is reaching the DirectAccess server's internal network connection but stops there.

June 1st, 2015 11:31am

Ok. You use a Cisco ASA on the outside interface. Do you happen to have a or the Cisco ASA in between your internal network and the DirectAccess Server as well?

Just checking. Because I happen to have had a customer who had an ASA on the internal network, like having your DirectAccess Server in a DMZ. And apparently the 6to4/IPv6 protocol (which is used for ISATAP) didn't work through the ASA. Can't tell if it wasn't supported, but it just didn't work properly. The only solution was to use a firewall rule with full "IP" from the DirectAccess Manage-Out Clients to the DirectAccess S

June 1st, 2015 12:18pm

No, we only have a single ASA device with 3 interfaces - outside, DMZ, and inside.

Our DirectAccess server's external network adapter is in the DMZ and the internal adapter is inside.

June 1st, 2015 4:36pm

Hi,

I recommend you confirm whether the links below are helpful for you.
Problems with DirectAccess Connections:
https://technet.microsoft.com/en-us/library/ee844125(v=ws.10).aspx

General Methodology for Troubleshooting DirectAccess Connections
https://technet.microsoft.com/en-us/library/ee624058(v=ws.10).aspx

Best Regards,
Eve Wang      
June 2nd, 2015 8:12am

I'm 2/3 of the way there.  I've got 2 of the 3 manage out servers working.  They could not read the GPOs due to some stupid inheritance filtering on their containers in AD.

However, I'm still having a problem with my Antivirus/System center server.  This one is running Server 2008 SP2 (not R2).

I had to do some manual work with netsh to enable the isatap adapter.  I also used netsh to set the router. When I check the state and router, it shows enabled, and the correct router FQDN.

However, when I run IPCONFIG /ALL, the isatap adapter does not show a default gateway.

I looked at local group policy editor to make sure the GPO was applied, and noticed that the "IPv6 Transition Technologies" component is completely missing:



Not sure how I can fix this..

June 3rd, 2015 1:58pm
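A check script for the manage-out host side, added here as an example; it is not code from the thread or from Microsoft. It reads the same ISATAP state and router settings the post above set by hand with netsh, then checks the points listed in the opening post: the router name resolves to an IPv4 address and answers ping, the ISATAP tunnel adapter holds a global ISATAP address (the `:5efe:` form) and not only the link-local one, an IPv6 default route exists through it (the missing default gateway symptom above), and a connected DA client resolves to an IPv6 address and answers ping over IPv6. It uses only netsh, ping and .NET DNS so it runs under PowerShell 2.0 on Windows 7 and Server 2008. The router name DA-ISATAP.domain.com is taken from the thread; the DA client name is a placeholder.

```powershell
# Added example, not from the thread. Run on a manage-out host
# (Windows 7 / Server 2008 / 2008 R2); no elevation needed for the checks.
param(
    [string]$IsatapRouter = 'DA-ISATAP.domain.com',  # the custom A record from the thread
    [string]$DaClient     = 'da-laptop.domain.com'   # PLACEHOLDER: a currently connected DA client
)

# Equivalent of the manual netsh work in the post above, for a host that does
# not receive the setting from the GPO. Uncomment to apply (needs elevation):
# netsh interface isatap set state enabled
# netsh interface isatap set router $IsatapRouter

function Get-NetshLine([string[]]$Output, [string]$Pattern) {
    # First netsh output line matching $Pattern (case-insensitive), trimmed, or '' if none.
    $m = $Output | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Line.Trim() } else { '' }
}

function Resolve-First([string]$Name, [string]$Family) {
    # First address of the requested family ('InterNetwork' or 'InterNetworkV6'), or $null.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq $Family } | Select-Object -First 1
    } catch { $null }
}

function Test-Ping([string]$Address, [string]$Family) {
    # ping exits 0 when at least one reply arrives; -4/-6 pins the address family.
    ping $Family -n 2 $Address | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$checks = @()
function Add-Check([string]$Name, $Result, [bool]$Ok) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Result = "$Result"; Ok = $Ok }
}

# 1. ISATAP state and router as the stack sees them (what the GPO or netsh set).
$state  = Get-NetshLine (netsh interface isatap show state)  'state'
$router = Get-NetshLine (netsh interface isatap show router) 'router name'
Add-Check 'ISATAP state'  $state  ($state  -match 'enabled')
Add-Check 'ISATAP router' $router ($router -match [regex]::Escape($IsatapRouter))

# 2. The router name must resolve to the DA server's internal IPv4 address and answer ping.
$routerV4 = Resolve-First $IsatapRouter 'InterNetwork'
$routerPing = if ($routerV4) { Test-Ping $routerV4.IPAddressToString '-4' } else { $false }
Add-Check 'Router A record'  $routerV4   ([bool]$routerV4)
Add-Check 'Router IPv4 ping' $routerPing $routerPing

# 3. The ISATAP tunnel adapter must carry a global ISATAP address (...:5efe:w.x.y.z),
#    not just the link-local fe80::5efe: one. Only link-local means the host never
#    received a router advertisement from the DA server.
$isatapAddrs = (netsh interface ipv6 show addresses) | Select-String ':5efe:' | ForEach-Object { $_.Line.Trim() }
$globalAddrs = $isatapAddrs | Where-Object { $_ -notmatch 'fe80::' }
Add-Check 'Global ISATAP address' ($globalAddrs -join '; ') ([bool]$globalAddrs)

# 4. An IPv6 default route (::/0) must exist; without it ipconfig shows no
#    default gateway on the tunnel adapter, which is the symptom in the post above.
$defRoute = Get-NetshLine (netsh interface ipv6 show route) '::/0'
Add-Check 'IPv6 default route' $defRoute ($defRoute -ne '')

# 5. The DA client must resolve to an IPv6 address (its IP-HTTPS address, registered
#    in DNS) and answer ICMPv6 echo, which needs the inbound rule on the client.
$clientV6 = Resolve-First $DaClient 'InterNetworkV6'
$clientPing = if ($clientV6) { Test-Ping $clientV6.IPAddressToString '-6' } else { $false }
Add-Check 'DA client AAAA'      $clientV6   ([bool]$clientV6)
Add-Check 'DA client IPv6 ping' $clientPing $clientPing

$checks | Select-Object Check, Ok, Result | Format-Table -AutoSize
```

Read the table top down: a failure at checks 1 or 2 is a GPO or DNS problem on the manage-out host (the inheritance filtering found earlier in this thread would show up here), a failure at 3 or 4 means the host is not receiving the DA server's router advertisement, and a failure only at 5 points at DNS registration of the client or at the client's inbound firewall rule rather than at ISATAP.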

Hi,

I have confirmed on my server, which is Windows Server 2008 Enterprise with SP2, that there is no "IPv6 Transition Technologies". Instead, Windows Server 2008 R2 Enterprise and later OS versions have this option.

Best Regards,
Eve Wang     

June 5th, 2015 1:53am
