I deployed Windows Server 2012 (not R2) on a physical server with one NIC on the corporate LAN and the other NIC in our DMZ (NATed). We are using IP-HTTPS only. Port 443 is open on our Cisco ASA. ICMP and ICMP6 protocols are also allowed through the ASA to help troubleshoot. All client computers are Win7 Enterprise. Manage-out computers are either Server 2008 R2 or Win7.
I have a test laptop at my house connected in successfully.
Manage-out does not work from my AntiVirus Mgmt server, my WSUS server, or my workstation. It does work directly from the DirectAccess server, though (RDP, Services, Event Viewer, file browsing, msinfo32, Compmgmt, etc.).
Corporate network is IPv4, so I have a custom ISATAP DNS entry named DA-ISATAP.domain.com with the DA-server's internal IPv4 address. I have the GPO successfully applied to the manage-out computers that enables ISATAP and specifies the DA-server as the router.
Manage-out computers show what seems to be correct configuration for their respective ISATAP tunnel adapters.
Manage-out computers are also specified in the Infrastructure Server Setup portion of the Remote Access Mgmt Console.
On the DA-server, I have Advertising, Forwarding, and Advertise Default Route enabled for the ISATAP adapter.
Manage-out computers are able to resolve the IPv4 address of the custom DNS entry I created for the GPO: "DA-ISATAP.domain.com". They are also able to ping it successfully.
Manage-out computers are resolving an IPv6 address when I try to ping the remote computer's name. The requests time out.
I did a wireshark capture on the DA-server internal connection. I set the capture filter for the IP address of one of the manage-out computers. When I try to connect, Wireshark picks up a bunch of TCP Retransmissions.
I run the same capture on just the DA-server's DMZ interface, and it doesn't pick up anything. It leads me to believe that something would be incorrect on the DA-server...right?
On the Dashboard, all Operations Status are green. There's no checkmark for "ISATAP", but I figured the ones for DNS64 and NAT64 would cover it.
One weird thing I noticed, and I'm not sure what to make of it - When I show IPv6 interfaces in netsh, there are two isatap entries. One is isatap.domain.com and the other is isatap.{identifier}
For what it's worth, advertising, forwarding, and advertise default route are enabled on both. Could having two interfaces here be what's mucking up my manage-out attempts?
EDIT: Another question I have. When I'm troubleshooting via Wireshark, I'm not 100% sure what I should be looking for.
If I set up a capture on the DirectAccess client connected at my house, and I want to check if I'm getting communication from the WSUS server, what would the remote host be for inbound traffic from the WSUS server?
1) The WSUS IPv4 address?
2) The WSUS ISATAP tunnel adapter IPv6 address?
3) The DirectAccess Server DMZ connection address?
4) The public IP address for DA.mydomain.com?
- Edited by bswient Monday, June 01, 2015 12:09 PM Additional question(s)
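The following script is an added example, not code from the original post or from Microsoft. It walks the manage-out prerequisites the post describes (ISATAP router name resolving to the DA server's internal IPv4 address, ISATAP enabled and pointed at that router by the GPO, a global address on the ISATAP tunnel adapter, a default route out of the ISATAP interface, the DA client name resolving to an IPv6 address and answering on the management port) and is meant to be run on a Win7 / Server 2008 R2 manage-out computer under PowerShell 2.0, so it uses netsh and .NET rather than the NetTCPIP cmdlets that only exist on Windows 8 / 2012 and later. The ISATAP router name is taken from the post; the DA client name, the TCP port (3389 for RDP) and the timeout are placeholders you replace.

```powershell
# Added example (not from the original post): manage-out prerequisite check.
# Run on a Win7 / 2008 R2 manage-out computer. Assumes PowerShell 2.0 or later.
param(
    [string]$IsatapRouter = "DA-ISATAP.domain.com",   # name from the post
    [string]$DaClient     = "laptop01.domain.com",    # hypothetical DA client name
    [int]$Port            = 3389,                     # hypothetical: RDP
    [int]$TimeoutMs       = 5000
)

function Write-Step([string]$Message) { Write-Host "`n=== $Message ===" }

# TCP connect with a timeout, so a black-holed IPv6 path fails fast instead
# of hanging on the default connect timeout. Uses the async Begin/EndConnect
# pattern because TcpClient.Connect() has no timeout parameter.
function Test-TcpPort([string]$TargetHost, [int]$TargetPort, [int]$Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $TargetPort, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            $client.EndConnect($ar)     # throws if the connection was refused
            return $true
        }
        return $false                   # no SYN/ACK within the timeout
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The ISATAP router name must resolve to the DA server's internal IPv4 address.
Write-Step "Resolve ISATAP router $IsatapRouter"
[System.Net.Dns]::GetHostAddresses($IsatapRouter) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { "  IPv4: $($_.IPAddressToString)" }

# 2. ISATAP must be enabled and the router must be the name above (set by the GPO).
Write-Step "ISATAP state and router (netsh)"
netsh interface isatap show state
netsh interface isatap show router

# 3. The ISATAP tunnel adapter needs a global address, not only a link-local
#    fe80::5efe:<IPv4> one; a missing global address means no router
#    advertisement was received from the DA server.
Write-Step "IPv6 addresses (look for the isatap interface)"
netsh interface ipv6 show addresses

# 4. A ::/0 route must leave via the ISATAP interface toward the router.
Write-Step "IPv6 default route"
netsh interface ipv6 show route | Select-String '::/0'

# 5. The DA client name must resolve to an IPv6 address (IP-HTTPS address
#    registered by the client) and answer a ping through the DA server.
Write-Step "Resolve and ping $DaClient"
$v6 = @([System.Net.Dns]::GetHostAddresses($DaClient) |
        Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
$v6 | ForEach-Object { "  IPv6: $($_.IPAddressToString)" }
if ($v6.Count -eq 0) {
    Write-Host "  No AAAA record for $DaClient; manage-out cannot work without one."
    return
}
ping -6 -n 2 $v6[0].IPAddressToString

# 6. Finally try the real management port over IPv6.
Write-Step "TCP $Port to $DaClient"
if (Test-TcpPort $v6[0].IPAddressToString $Port $TimeoutMs) {
    Write-Host "  TCP $Port reachable over IPv6."
} else {
    Write-Host "  TCP $Port NOT reachable within $TimeoutMs ms."
}
```

When you capture the step 5 and 6 traffic, keep the encapsulation in mind: on the manage-out computer and on the DA server's internal NIC the packets are ISATAP, i.e. IPv6 carried inside IPv4 (IP protocol 41) between the manage-out computer's IPv4 address and the DA server's internal IPv4 address, with the inner IPv6 source being the manage-out computer's ISATAP address; Wireshark shows both layers, so `ipv6.addr == <inner address>` works there. On the DA client at home, the same packets arrive inside the IP-HTTPS tunnel, so on the client's physical NIC Wireshark only sees a TLS stream from the DA server's public IP-HTTPS address on TCP 443; the inner IPv6 endpoints are not visible on that adapter.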