Reach direct access clients from on premise servers

Hi, we have a DirectAccess setup which uses IP-HTTPS (no ISATAP, 6to4 or Teredo) with one internal interface, so it uses NAT. Everything is working fine, but I'm trying to reach my DirectAccess clients from a server, which I can't get to work. I followed this guide: http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html. I'm able to ping:

  • from the DirectAccess server to the IPv6 address of the internal server
  • from the internal server to prefix:3333::1 (IPv6) of the DirectAccess server
  • from the DirectAccess server to a DirectAccess client
  • from a DirectAccess client to prefix:3333::1 (IPv6) of the DirectAccess server

But I'm still unable to ping a DirectAccess client from the internal server, or the reverse. I guess the DirectAccess server would then be acting as a router, with one leg on the Ethernet interface and one leg on the IP-HTTPS interface.

Does anyone know how to do this or has another solution for my setup?

January 29th, 2015 6:35pm

Hi,

It looks like forwarding / advertising is not configured on your DirectAccess gateway network interface. Can you provide the result of NETSH.EXE INTERFACE IPV6 SHOW INTERFACE <ID of DirectAccess gateway network interface>? There are two parameters named forwarding and advertise. Forwarding manages the routing, and advertise handles how routes are advertised to other hosts.

January 30th, 2015 10:37am

Hi, thanks for your reply. Actually I tried that yesterday: I enabled advertising and forwarding on my LAN interface and IP-HTTPS interface. This is the result of the netsh command for the LAN interface on the DA server:

Interface Trusted Parameters
----------------------------------------------
IfLuid                             : ethernet_7
IfIndex                            : 12
State                              : connected
Metric                             : 5
Link MTU                           : 1500 bytes
Reachable Time                     : 15000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : enabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : enabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application

January 30th, 2015 11:22am
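The two settings BenoitS asked about, and which the netsh output above reports as Forwarding and Advertising, can be audited on both legs of the DirectAccess server with a short script. This is an added example, not code from the thread or from any of the linked articles. It assumes Windows Server 2012 or later (the NetTCPIP module), an elevated prompt when -Fix is used, and interface aliases of "Ethernet" and "IPHTTPSInterface", which are assumptions to be replaced with the names Get-NetAdapter shows on your server.

```powershell
# Added example: audit (and optionally enable) IPv6 forwarding and advertising on the
# DirectAccess server's LAN and IP-HTTPS legs. Not code from the thread.
# Assumes Windows Server 2012+ (NetTCPIP module); aliases below are assumptions.
[CmdletBinding()]
param(
    [string[]]$InterfaceAlias = @('Ethernet', 'IPHTTPSInterface'),   # assumed aliases
    [switch]$Fix
)

function Get-DaInterfaceState {
    param([string[]]$Alias)
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $Alias -contains $_.InterfaceAlias } |
        ForEach-Object {
            $problems = @()
            if ($_.Forwarding  -ne 'Enabled') { $problems += 'Forwarding disabled' }
            if ($_.Advertising -ne 'Enabled') { $problems += 'Advertising disabled' }
            [pscustomobject]@{
                Interface   = $_.InterfaceAlias
                IfIndex     = $_.ifIndex
                Forwarding  = $_.Forwarding
                Advertising = $_.Advertising
                Status      = if ($problems.Count) { $problems -join '; ' } else { 'ok' }
            }
        }
}

$state = Get-DaInterfaceState -Alias $InterfaceAlias
$state | Format-Table -AutoSize

if ($Fix) {
    foreach ($row in ($state | Where-Object Status -ne 'ok')) {
        # Equivalent to: netsh interface ipv6 set interface <if> forwarding=enabled advertise=enabled
        Set-NetIPInterface -InterfaceAlias $row.Interface -AddressFamily IPv6 `
            -Forwarding Enabled -Advertising Enabled
    }
}

# Advertising only announces routes that are *published*, so list what each leg
# actually puts into its Router Advertisements.
Get-NetRoute -AddressFamily IPv6 -Publish Yes -ErrorAction SilentlyContinue |
    Where-Object { $InterfaceAlias -contains $_.InterfaceAlias } |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize
```

Run it without -Fix first; the Status column tells you which leg, if any, is not routing or not advertising. Enabling forwarding turns the server into an IPv6 router, so pass only the two DirectAccess legs in -InterfaceAlias rather than every adapter on the box. The second table matters because a leg with Advertising enabled but no published route announces nothing useful to the hosts behind it.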

Hi,

Last point: did you enable the required firewall rules on the DirectAccess client? Because it's incoming traffic that was not initiated by the client, you must enable the NAT-Traversal option. It's the edge-traversal option in the Advanced tab. It's only applicable to incoming protocols.

January 30th, 2015 3:29pm

Hi, I tried this now, still no luck.
February 5th, 2015 3:42am

Hello,

With your configuration, the DirectAccess server should be used as an ISATAP router.
Have you configured your internal servers to receive an IPv6 address using ISATAP?

Gerald

February 5th, 2015 4:01am

Hi Gerald,

No, I didn't; following the article (http://blog.msedge.org.uk/2013/03/windows-server-2012-directaccess-manage.html) it looked like it wasn't necessary. Anyway, I guess that will be my next step now. Thanks!

February 5th, 2015 4:02am

Hi,

What you want to do is a part of the Manage-Out configuration for DirectAccess.

On the top of your article, there's a link you can use (http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html) because it's not recommended to deploy ISATAP addresses on all your infrastructure.

As BenoitS said before, you'll also need to be sure that your clients are able to respond to ICMPv6 because it may be disabled in your client's firewall by default.

If you want to use the Remote Assistance, you'll need to create extra rules in your client's firewall to allow an internal server/workstation to be able to contact a DirectAccess client connected from outside your corporate network.

Gerald


February 5th, 2015 4:30am
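BenoitS's edge-traversal point and Gerald's two firewall remarks (ICMPv6 replies and extra Remote Assistance rules on the client) describe the same set of inbound rules, so one script covers both. This is an added example, not code from the thread or the linked blogs. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) on the DirectAccess client; the rule names, the two program paths and the internal prefix 2001:db8:1::/48 are assumptions, the prefix being a documentation placeholder to replace with your own corporate IPv6 range.

```powershell
# Added example: audit (and with -Fix create) the inbound rules a DirectAccess client needs
# for manage-out: ICMPv6 Echo Request and Remote Assistance, both with edge traversal allowed
# because the traffic arrives through the IP-HTTPS tunnel. Not code from the thread.
# Assumes Windows 8 / Server 2012+ (NetSecurity module). Names, paths and prefix are assumptions.
[CmdletBinding()]
param(
    [string]$InternalPrefix = '2001:db8:1::/48',   # constructed placeholder, not a real prefix
    [switch]$Fix
)

# Desired rules and how each one matches traffic.
$wanted = @(
    @{ DisplayName = 'DA Manage-Out: ICMPv6 Echo Request In'            # assumed name
       Params      = @{ Protocol = 'ICMPv6'; IcmpType = 128 } },
    @{ DisplayName = 'DA Manage-Out: Remote Assistance (msra) In'       # assumed name
       Params      = @{ Program = '%SystemRoot%\System32\msra.exe' } },
    @{ DisplayName = 'DA Manage-Out: Remote Assistance (raserver) In'   # assumed name
       Params      = @{ Program = '%SystemRoot%\System32\raserver.exe' } }
)

function Test-ManageOutRule {
    param([string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule)                              { return 'missing' }
    if ($rule.Enabled -ne 'True')                { return 'present but disabled' }
    if ($rule.Direction -ne 'Inbound')           { return 'present but not inbound' }
    if ($rule.EdgeTraversalPolicy -ne 'Allow')   { return 'present but edge traversal blocked' }
    return 'ok'
}

foreach ($w in $wanted) {
    $status = Test-ManageOutRule -DisplayName $w.DisplayName
    Write-Host ('{0,-50} {1}' -f $w.DisplayName, $status)
    if ($Fix -and $status -ne 'ok') {
        if ($status -ne 'missing') { Remove-NetFirewallRule -DisplayName $w.DisplayName }
        $match = $w.Params
        # -EdgeTraversalPolicy Allow is the "Allow edge traversal" box on the rule's Advanced tab.
        New-NetFirewallRule -DisplayName $w.DisplayName -Direction Inbound -Action Allow `
            -Profile Domain -RemoteAddress $InternalPrefix -EdgeTraversalPolicy Allow `
            @match | Out-Null
    }
}
```

The rules are scoped to the Domain profile and to -RemoteAddress, so the edge-traversal exception only admits traffic from your own internal prefix rather than from any host that reaches the tunnel. Deploy the same rules through Group Policy to the DirectAccess client group instead of running this by hand on each machine; the script is useful mainly to check what a client actually has.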

Jason Jones' blog post was designed for a network that already has IPv6 connectivity. If IPv6 is not yet deployed on your internal network, then you need ISATAP. Limiting ISATAP is a best practice because ISATAP-enabled clients will register both their IPv4 and IPv6 addresses in DNS. Most problematic, because all your ISATAP-enabled clients are using the same DirectAccess router (DirectAccess gateway), they all share the same IPv6 prefix. From an AD topology point of view, they are all on the same subnet. This could lead to major problems because when two hosts try to communicate, they will try to resolve IPv6 if possible, then IPv4.
February 5th, 2015 7:34am
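Gerald's question (has the internal server been configured to get an IPv6 address via ISATAP?) and BenoitS's warning about ISATAP clients registering AAAA records can both be checked from the internal server. This is an added example, not code from the thread or the linked articles. It assumes Windows Server 2012 or later, and an ISATAP router name of isatap-da.corp.example, which is an assumption: the "limiting ISATAP" article linked above gives the router a name other than the default so that only selected hosts resolve it.

```powershell
# Added example: report whether this internal server is an ISATAP client of the DirectAccess
# server and whether it has registered an AAAA record. Not code from the thread.
# Assumes Windows Server 2012+; the router name is an assumption.
[CmdletBinding()]
param(
    [string]$IsatapRouter = 'isatap-da.corp.example',   # assumed name
    [switch]$Fix
)

function Get-IsatapClientState {
    param([string]$Router)
    $cfg  = Get-NetIsatapConfiguration
    $dns  = Resolve-DnsName -Name $Router -Type A -ErrorAction SilentlyContinue
    # The global ISATAP address comes from the router's RA; link-local fe80::5efe:* is ignored.
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*ISATAP*' -and
                       $_.PrefixOrigin -eq 'RouterAdvertisement' -and
                       $_.AddressState -eq 'Preferred' }
    $gw   = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*ISATAP*' }
    $aaaa = Resolve-DnsName -Name $env:COMPUTERNAME -Type AAAA -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'AAAA'
    [pscustomobject]@{
        IsatapState      = $cfg.State
        ConfiguredRouter = $cfg.Router
        RouterResolves   = [bool]$dns
        IsatapAddress    = ($addr | ForEach-Object IPAddress) -join ', '
        DefaultViaIsatap = [bool]$gw
        RegisteredAAAA   = ($aaaa | ForEach-Object IPAddress) -join ', '
    }
}

Get-IsatapClientState -Router $IsatapRouter | Format-List

if ($Fix) {
    # Point only this host at the DirectAccess server as its ISATAP router, instead of relying
    # on every domain member resolving the default "isatap" name.
    Set-NetIsatapConfiguration -State Enabled -Router $IsatapRouter
    Get-IsatapClientState -Router $IsatapRouter | Format-List
}
```

RouterResolves false is the usual reason a host never gets an ISATAP address: the Windows DNS server's global query block list drops queries for the name "isatap" by default, which is why the linked article uses a custom router name and publishes it only to the management hosts. Once the host is an ISATAP client, RegisteredAAAA shows the AAAA record BenoitS describes, and from then on other hosts will prefer that IPv6 path when talking to it.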

If you're looking for Remote assistance (MSRA), you have two choices :
Offer remote assistance from LAN to DirectAccess clients (ISATAP/IPV6 approach) :
 http://danstoncloud.com/blogs/simplebydesign/archive/2014/03/12/directaccess-remote-management-from-padawan-to-jedi.aspx
 http://danstoncloud.com/blogs/simplebydesign/archive/2014/03/20/directaccess-remote-management-from-jedi-knight-to-master-seating-at-the-jedi-council.aspx

Offer remote assistance to a DirectAccess client from another DirectAccess client :
 http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx

The second approach is better because:
  • there is no need to discuss IPv6 with the network team
  • it is fully compatible with multisite / HLB / GSLB scenarios

February 5th, 2015 7:43am