I'm very happy with my multisite DirectAccess deployment so far. IPHTTPS is used as the only transition technology and the Intranet is full dual stack (IPv4+IPv6). So, no ISATAP is needed at all. The last step is activating a manage out scenario. For this manage out scenario I have some trouble getting it working. Let me explain the issue in more depth.
I've observed that the IPHTTPS Tunnel interface on the DA client gets two IPv6 addresses from the DA server irrespective of the setting 'Randomize Identifiers' in the global IPv6 setting on the DA client (netsh int ipv6 set global rand=dis|ena). The effect is that the DA client uses the temp IPv6 address to set up the IPsec tunnels to the DA server, but that only the normal IPv6 address is registered in the intranet DNS. I believe the latter is normal behavior.
Therefore, in a manage out scenario (i.e. RDP from an Intranet server into a DA client) a request is made to the normal IPv6 address of the DA client, but there is no established IPsec tunnel yet. In other words, you need to create a specific Windows Firewall rule on the DA client to allow IKE traffic inbound in order to establish an IPsec tunnel from the DA server to the DA client.
I can't find any reference to this important step in any documentation. I also remember vaguely that in some Windows 10 builds the temp IPv6 address was not assigned to DirectAccess clients by default (*).
So, the obvious question is: is what I observed correct and, if so, can we disable the DirectAccess temp IPv6 address on the IPHTTPS Tunnel interface for Windows 8/8.1 hosts?
Added 28/08/2015: I've just tested the Windows 10 RTM version and as far as I can tell, it gets a temp IPv6 address too. Therefore the question can be extended to Windows 10.
Best Regards,
Stefaan
- Edited by spouseele Friday, August 28, 2015 10:55 AM added Windows 10 experience
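To check the observation above on a client and to put the firewall step into a repeatable form, here is an added PowerShell script (my own example, not from the original post or from Microsoft). It assumes the IPHTTPS interface alias contains "IPHTTPS", and that an address whose SuffixOrigin is "Random" is an RFC 4941 temporary address while the stable address shows "Link" or "Manual".

```powershell
# Added example, not part of the original post. Run in an elevated
# PowerShell on a DirectAccess client (NetTCPIP and NetSecurity modules).
# Assumptions: the IPHTTPS interface alias matches $IfPattern, and an
# address with SuffixOrigin 'Random' is an RFC 4941 temporary address.
param(
    [string]$IfPattern = '*IPHTTPS*',
    [switch]$AddIkeRule     # only create the inbound IKE rule when asked
)

$iface = Get-NetIPInterface -AddressFamily IPv6 |
         Where-Object { $_.InterfaceAlias -like $IfPattern } |
         Select-Object -First 1
if (-not $iface) { throw "No IPv6 interface matching '$IfPattern'; is IPHTTPS up?" }

# Global IPv6 settings: RandomizeIdentifiers is the 'rand=' knob the post
# toggled; UseTemporaryAddresses is the separate RFC 4941 knob.
$ipv6 = Get-NetIPv6Protocol
"RandomizeIdentifiers = $($ipv6.RandomizeIdentifiers); UseTemporaryAddresses = $($ipv6.UseTemporaryAddresses)"

# Classify every global IPv6 address on the IPHTTPS interface. Per the post,
# the stable address is the one registered in intranet DNS; the temporary
# one is what the client uses as source when it opens its own tunnels.
Get-NetIPAddress -AddressFamily IPv6 -InterfaceIndex $iface.InterfaceIndex |
    Where-Object { $_.IPAddress -notlike 'fe80:*' } |
    ForEach-Object {
        [pscustomobject]@{
            Address   = $_.IPAddress
            Kind      = if ($_.SuffixOrigin -eq 'Random') { 'temporary' } else { 'stable' }
            State     = $_.AddressState
            Preferred = $_.PreferredLifetime
        }
    } | Format-Table -AutoSize

# Manage-out step from the post: let the DA server start IKE towards the
# client's stable address. Allow inbound IKE (UDP 500/4500) on the IPHTTPS
# interface only; idempotent, so re-running does not duplicate the rule.
if ($AddIkeRule) {
    $name = 'DirectAccess manage-out: inbound IKE (UDP 500,4500)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
            -LocalPort 500,4500 -Action Allow -Profile Any `
            -InterfaceAlias $iface.InterfaceAlias | Out-Null
        "Created firewall rule '$name' on $($iface.InterfaceAlias)"
    } else {
        "Firewall rule '$name' already present"
    }
}
```

Run it without `-AddIkeRule` first to see which addresses the interface really holds; the firewall rule is scoped to the IPHTTPS interface so it does not open IKE on the physical adapters.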