ManageOut stopped working after ELB was activated

Hi, I have a challenge with ManageOut.

At first, I had a single DA server (single nic, no native IPv6) which was working and I then enabled Limited Isatap for a few internal Clients (Win2012 R2).

That worked perfectly, the Win2012 R2 servers (ManageOut Clients) picked up an IPv6 address on the isatap tunnel Interface.

However, after I activated External Load Balancing on the first node, and made it work with the same server as a member of a BIG-IP VIP, the internal Win2012 R2 ManageOut clients stopped receiving an IPv6 address on the ISATAP interface. Now it only shows a link-local IPv6, which is of course not very useful.

I have of course changed the IP of my custom ISATAP hostname in DNS, so now the hostname is made of 3 IP addresses (1 of the VIP on BIG-IP, 1 IP of each DA server). And that is according to this: http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx

Not sure if ISATAP is really supported on Win2012 R2, but I have not found another method of deploying ManageOut for only a small number of internal clients. But it used to work with a single server.

Thanks for your help!


March 4th, 2015 9:46am

Hi,

Check this: https://technet.microsoft.com/en-us/library/dn464274.aspx?f=255&MSPPError=-2147217396#bkmk_isa

ISATAP is only supported without NLB.

When you activate a NLB Cluster, the DirectAccess wizard automatically creates specific rules in your server's firewall to block ISATAP.

Manage-Out in a NLB environment is only supported when using native IPv6 configuration.

Gerald


March 4th, 2015 10:26am

Thanks, I understand now that it is not supported. But as far as I am reading the last comment on http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx, it is possible to make it work in an unsupported manner.

What happens if I allow ISATAP traffic into the DA servers?

March 4th, 2015 11:59am

Each DirectAccess server is an ISATAP router so your manage-out computers will only be able to contact the clients connected through the server you are using for your ISATAP configuration.

Gerald


March 4th, 2015 1:14pm


Hi,

Having multiple ISATAP routers will be complicated and painful. If you only need remote management of a limited subset of computers (helpdesk for example) you don't need ISATAP. A DirectAccess client connected on the Internet has an IPv6 address, so it can communicate with another DirectAccess client on the Internet. I wrote an article on the subject last year: http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx

If you really need some internal servers to initiate communication to DirectAccess clients connected on the Internet, choices will be limited. Configure an NLB/HLB dedicated to your ISATAP router. Do you really have internal servers that initiate communications to DirectAccess clients?

March 4th, 2015 4:28pm

Hi Benoit,

There's no way to comment on your article on your website and I have a question.
What you've found is really good, but this relies on link-local addresses that can't be resolved to "friendly names".

Did you find something for that because asking an end-user to find his LLA then dictate something like fe80::add8:34dd:b0be:e97c is sometimes not easy.

Gerald

March 5th, 2015 5:32am

Hi,

That's why I use Windows Remote Assistance. It includes all IP addresses in the invitation file. Yes, my approach does not fit with SCCM remote control or RDP. Using global addresses is possible, but how long would it take to replicate in your internal AD?

March 5th, 2015 6:29am

Hi, and thanks for your answer BenoitS.

It is a requirement from the customer that ManageOut should work, for Helpdesk users to RDP into DA clients on the outside.

In the worst case, Helpdesk users have to use the DA servers themselves for RDP to DA clients. Of course not a good solution, but all Helpdesk users have domain admin rights anyway (not my recommendation). But it would be nice if I can make it work directly from the hosts on the inside, without deploying native IPv6.

So you think I am stuck with this?

March 5th, 2015 6:34am

Thanks for the info Benoit.
I suppose you're using msra from the client to send an assistance request instead of offering assistance from the Manage-Out computer, which relies on DNS Name.
Will test that :D

For Steve,

A solution you can try but that will be unsupported:

- In the DirectAccess server GPO, disable the rule that blocks ISATAP (Inbound Rule named Block ISATAP ICMPv6-In (Router Solicitation)), then refresh the GPO on your servers.

- Implement multiple ISATAP records in your DNS pointing to each DirectAccess Server's Internal IP (like ISATAPSRV1 <Server1 IP>, ISATAPSRV2 <SERVER2 IP>)

- Implement Multiple GPOs to deploy the new ISATAP records on Manage-Out computers.

Each Manage-Out computer will then be able to contact clients connected through a specific DirectAccess server but you will need at least 1 Manage-Out computer per DirectAccess server and Manage-Out1 will not be able to contact clients for Server2.

Also, you need to check if the change made in the DirectAccess Server GPO is not reverted back when you change something in the Remote Access console.

Gerald




March 5th, 2015 7:20am
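The DNS and manage-out side of the procedure above, as an added PowerShell example that is not from the thread or from Microsoft: it publishes one ISATAP A record per DirectAccess server, points a manage-out host at one of them, and checks whether the ISATAP tunnel interface actually obtained an address beyond link-local (the symptom in the original post). The zone name, record names, IP addresses, and the `Test-IsatapManageOut` helper are placeholders constructed for this example; setting the router locally with `Set-NetIsatapConfiguration` is assumed to be the per-host equivalent of the GPO setting the thread deploys.

```powershell
# Added example, not code from the thread. Zone, names and IPs are placeholders.

# ---- Part 1: on the internal DNS server (DnsServer module) ----
$zone = 'corp.example'                  # placeholder AD-integrated zone
$isatapRouters = [ordered]@{            # constructed internal IPs, one per DA server
    'isatapsrv1' = '10.0.0.11'
    'isatapsrv2' = '10.0.0.12'
}

# Windows DNS does not answer for the literal name "isatap" (global query
# block list), which is why a custom name per router is used here.
foreach ($name in $isatapRouters.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $isatapRouters[$name]
    }
}

# ---- Part 2: on one manage-out host ----
# Assumption: local equivalent of the "Set ISATAP Router Name" policy the
# thread deploys per manage-out computer via GPO.
$router = "isatapsrv1.$zone"
Set-NetIsatapConfiguration -State Enabled -Router $router

function Test-IsatapManageOut {
    # Returns $true only when the ISATAP tunnel interface holds an IPv6
    # address that is not link-local. A bare fe80:: address means the router
    # solicitation never got an answer, e.g. because the DA server's
    # "Block ISATAP ICMPv6-In (Router Solicitation)" rule is still in effect.
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like 'isatap*' }
    foreach ($a in $addrs) {
        Write-Host ("{0,-34} {1}" -f $a.InterfaceAlias, $a.IPAddress)
    }
    $routable = $addrs | Where-Object { $_.IPAddress -notlike 'fe80:*' }
    return [bool]$routable
}

# Give the stack a moment to solicit the router, then report what we see.
Start-Sleep -Seconds 5
$cfg = Get-NetIsatapConfiguration
Write-Host "ISATAP router configured: $($cfg.Router) (state: $($cfg.State))"
Resolve-DnsName -Name $router -Type A | Select-Object Name, IPAddress
if (Test-IsatapManageOut) {
    Write-Host 'ISATAP manage-out address present'
} else {
    Write-Host 'ISATAP interface is still link-local only'
}
```

Run Part 1 on a DNS server and Part 2 on the manage-out host; a second host would be pointed at `isatapsrv2` in the same way, which is the one-manage-out-computer-per-DirectAccess-server limitation described above.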


Hi,

If we consider that the ISATAP router does not have to be highly reliable, it can be configured after the DirectAccess configuration, or by some GPO that will override the DirectAccess configuration. We do not change the DirectAccess configuration, we override it. So we can have the ISATAP router on a single DirectAccess gateway.

March 5th, 2015 8:00am

Hi, and thanks for all the responses.

@Gerald: I was thinking about doing step 1 as you mention, but I have not tried it yet, since it is always a risk.
Step 2: Already implemented; the problem is the firewall rules you mention in step 1, which prevent ManageOut hosts from getting an IPv6 address on the ISATAP interface.
Step 3: I guess it could be possible, but not until I have a working ISATAP interface on the ManageOut hosts.

@BenoitS: That is acceptable, that the ISATAP router is not setup with HA/Cluster. I only have high availability requirement on the incoming DA traffic, which is in place now with BIG-IP.

So you guys think I can just create a new GPO that overrides the DA server GPO, regarding the firewall rules blocking ISATAP traffic?

March 5th, 2015 8:31am

Yes, overriding the Block ISATAP ICMPv6-In (Router Solicitation) setting using another GPO will work.
I was thinking that the Block rule would always win, but I just tested it and it's not.

Better idea from Benoit because it's not recommended to edit the default DirectAccess GPO :D

Gerald

  • Proposed as answer by BenoitSMVP 18 hours 21 minutes ago
March 5th, 2015 8:54am


Hi Gerald, how did you test the override?

According to this (https://technet.microsoft.com/en-us/library/cc755191%28v=ws.10%29.aspx), block takes precedence over allow rules, since block rules are processed first.

I tried to create a new GPO that allows ICMPv6-In (Router Solicitation), but it does not apply. The winning GPO setting is always the automatic Block rule created by the DA server.

March 8th, 2015 11:43am

Hi,

When using GPO, Block will only win against a setting in the same GPO or a GPO with a higher number in the link order (or if the GPO is Enforced to always win against all GPOs).
If your DirectAccess Server GPO is not enforced, just place the override GPO before the official DirectAccess Server GPO using the Link Order in GPMC.

Gerald





March 8th, 2015 5:01pm
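A way to check the two things this answer hinges on, as an added PowerShell example that is not from the thread: the link order (and Enforced flag) of the GPOs on the OU holding the DirectAccess servers, and, on a DirectAccess server after a policy refresh, which policy store the ISATAP block rule is effectively applied from. The OU path and the override GPO name are placeholders; the name of the wizard-created GPO is an assumption. The rule name is the one quoted in the thread.

```powershell
# Added example, not code from the thread. OU path and GPO names are placeholders.
Import-Module GroupPolicy

$ou          = 'OU=DirectAccess Servers,DC=corp,DC=example'  # placeholder OU
$daGpoName   = 'DirectAccess Server Settings'   # wizard-created GPO name (assumption)
$overrideGpo = 'ISATAP-Override'                # hypothetical GPO you created yourself
$ruleName    = 'Block ISATAP ICMPv6-In (Router Solicitation)'

# Link order 1 has the highest precedence; an Enforced link wins regardless
# of order, which is the case where this override cannot work.
$links = (Get-GPInheritance -Target $ou).GpoLinks | Sort-Object Order
$links | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

$da = $links | Where-Object { $_.DisplayName -eq $daGpoName }
$ov = $links | Where-Object { $_.DisplayName -eq $overrideGpo }

if (-not $da -or -not $ov) {
    Write-Warning "Both '$daGpoName' and '$overrideGpo' must be linked to $ou"
} elseif ($da.Enforced) {
    Write-Warning "'$daGpoName' is Enforced; link order cannot override it"
} elseif ($ov.Order -gt $da.Order) {
    # Move the override ahead of (lower order number than) the DirectAccess GPO.
    Set-GPLink -Name $overrideGpo -Target $ou -Order $da.Order | Out-Null
    Write-Host "Moved '$overrideGpo' to link order $($da.Order)"
} else {
    Write-Host "'$overrideGpo' already precedes '$daGpoName'"
}

# ---- On a DirectAccess server, after gpupdate /force ----
# ActiveStore lists rules as currently applied; PolicyStoreSource names the
# GPO each rule came from, so you can see whether the wizard's block rule or
# the override is the one in effect.
function Get-EffectiveIsatapRule {
    Get-NetFirewallRule -DisplayName $ruleName -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Action, PolicyStoreSource, PolicyStoreSourceType
}
Get-EffectiveIsatapRule | Format-List
```

Re-run the last check after any change made in the Remote Access console, since the thread warns that the wizard may rewrite its own GPO.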


Thanks, I managed to make it work!

Due to a creative AD configuration, it took almost 2 hours (!) before the GPO was replicated and applied, so I started to think that I did something wrong.

One thing I noted, is that both IPv6 Client prefixes are equal on both DA servers, shouldn't it be different prefixes / IP pool? I haven't done anything to the IPv6 range, all the IPv6 config was setup automatic from DA itself.

March 11th, 2015 4:27am

Hi,

Seems strange. Are you sure of that?
The difference may be just a number like this:

DA1 HTTPS Prefix: fdff:9647:a271:1000::/64
DA2 HTTPS Prefix: fdff:9647:a271:1001::/64


Gerald

March 12th, 2015 10:07am
