Direct Access Windows 2012 R2 and Windows 7 clients

Hi,

We are about to migrate from UAG DA to Windows 2012 R2 DA but we have some problems. Windows 7 clients are having problems connecting from time to time, and it seems to be related to when the client tries to connect using Teredo. Sometimes Teredo is connecting fine but most of the time it doesn't. IP-HTTPS is on the other hand working fine.

The server is installed as an Edge device with 2 public IP addresses. Teredo has been enabled using PowerShell.

Kristian

March 3rd, 2015 6:43pm

That's par for the course with Teredo, as it uses UDP/3544 to connect to the DA server and this is sometimes blocked by intermediaries, such as Internet service providers. In roaming scenarios for your users, e.g. hotels / 3G networks, this may be problematic. IP-HTTPS, on the other hand, generally works, as once the connection has been established, e.g. via a Captive Portal, say at a hotel, connectivity ensues. One thing I have noticed is that occasionally, when shifting from one network to another, where the laptop is in sleep mode, the IPHelper service (iphlpsvc) needs a kick by stopping and restarting it.
March 4th, 2015 12:15am

I would recommend disabling Teredo and NAT64 on the clients (through GPO), thereby making sure that IP-HTTPS is the only interface used by the DA client. As Mylo states, it can be problematic with Teredo when you have a client in an unknown network where you don't have control of what ports are allowed or not.

March 4th, 2015 8:57am

Since you are using Windows 7 clients, it will be advantageous to you to keep Teredo enabled, because it is faster/more efficient than IP-HTTPS. Have you tried setting Teredo to "EnterpriseClient" state on all of your DA client computers? I always recommend doing this in any of my installs.

Disable 6to4 on all of the DA clients (I assume this is what Steve meant) :)
And set Teredo to "EnterpriseClient"

You can test this on a few machines with netsh int teredo set state enterpriseclient

And if/when you are ready to make this change global, you can create a GPO, apply it to your DA client machines, and set both 6to4 to disabled and Teredo to EnterpriseClient at the same time in that GPO.

March 4th, 2015 3:16pm
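
The test step from the post above, with a read-back of the result, as an added example that is not part of the original thread. It assumes an elevated PowerShell prompt on a Windows 7 DA test client and English-language netsh output; `ConvertFrom-NetshOutput` is a hypothetical helper name.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Windows 7).
# Assumption: netsh prints English "Name : Value" lines.

# Hypothetical helper: turn "Name : Value" lines from netsh into a hashtable.
function ConvertFrom-NetshOutput {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Split on the first colon only, so IPv6 addresses in values survive.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

# Apply the two client settings suggested in the post above.
netsh interface teredo set state enterpriseclient | Out-Null
netsh interface 6to4 set state disabled | Out-Null

# Read Teredo back and show the fields that matter for troubleshooting.
$teredo = ConvertFrom-NetshOutput (netsh interface teredo show state)
"Teredo type  : {0}" -f $teredo['Type']
"Teredo state : {0}" -f $teredo['State']
if ($teredo['Error']) {
    # netsh adds an Error line when the Teredo server cannot be reached,
    # for example when UDP/3544 is filtered on the current network.
    "Teredo error : {0}" -f $teredo['Error']
}

# Show 6to4 and IP-HTTPS as netsh reports them (raw output, not parsed).
netsh interface 6to4 show state
netsh interface httpstunnel show interfaces

# The IP Helper service hosts the transition technologies.
$svc = Get-Service -Name iphlpsvc
"IP Helper    : {0}" -f $svc.Status

if ($teredo['State'] -ne 'qualified') {
    Write-Warning ("Teredo state is '{0}', not 'qualified'; expect this client to use IP-HTTPS." -f $teredo['State'])
}
```

Running it on the same laptop from two different networks makes it easy to compare a network where Teredo qualifies with one where only IP-HTTPS comes up.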

Hi Jordan, What are your impressions of using the combination of Teredo and IP-HTTPS from a supportability point-of-view? I've had situations with roaming users at (various) customers in the past where they put their laptop into sleep mode in Windows 7 whilst roaming between locations and the network stack combined with IPHelper doesn't detect the new "state" particularly well (even with the EnterpriseClient setting). Only by bumping IPHelper does the whole redetection phase begin anew. Do you provide your users with the ability to restart iphlpsvc through some sort of scripted option, given that giving local admin rights is ill-advised (and this is not normally possible with a standard user)? Reboot is of course an option, but never sits well with execs :-)
March 5th, 2015 5:47pm

We don't usually make any special consideration for the user, as the point of DA is to make everything seamless for them. There are going to be instances where Teredo wouldn't work anyway, with or without an IP Helper service reset, and so if/when client computers decide to connect using IP-HTTPS, we just let that happen.

What I have seen many times is that in some cases Teredo and IP-HTTPS connect at the same time. In these situations, IP-HTTPS is the one who is actually carrying the traffic, but if that DA connection remains connected for a little while (10ish minutes, maybe), the connections tend to re-evaluate and drop the IP-HTTPS, swinging them back over to Teredo for the remainder of that connection. This doesn't always happen, but it often does to my own machine.

March 6th, 2015 2:26pm

This topic is archived. No further replies will be accepted.
