SSH Administration over a DirectAccess Connection

From a client perspective, DirectAccess is an IPv6-only solution. All traffic between the DirectAccess client and server travels exclusively over IPv6, and the client reaches IPv4-only intranet hosts only through the DNS64 and NAT64 services running on the DirectAccess server. This can make life difficult for network engineers who administer network devices over SSH across a DirectAccess connection. Network devices often have no corresponding hostname entries in DNS, and attempting to connect directly to an IPv4 address over a DirectAccess connection will fail, because there is no IPv4 path through the tunnel and nothing translates a raw IPv4 destination.

To resolve this issue, create internal DNS (A) records that resolve to the IPv4 address of each network device. When the client queries such a name, the DNS64 service on the DirectAccess server synthesizes an IPv6 (AAAA) address from the A record for the DirectAccess client to use. The NAT64 service then translates traffic sent to that IPv6 address back to IPv4, and connectivity is established.

However, for many large organizations this may not be feasible in the short term. You may have hundreds or thousands of devices on your network to administer, and creating DNS records for all of them takes time. As a temporary workaround, you can derive the NAT64 IPv6 address for any network device yourself and use that for remote network administration.

The process is simple. On a client that is connected remotely via DirectAccess, resolve the name of a known internal server to an IP address. The quickest and easiest way to do that is to ping an internal server by its hostname and note the IPv6 address it resolves to. Pick a server that is IPv4-only (it has an A record but no native AAAA record), so that the address you see is the one DNS64 synthesized rather than the server's own IPv6 address.


Now copy the first 96 bits of that address (the first six 16-bit groups; in a default DirectAccess deployment the NAT64 prefix is the organization's ULA prefix with subnet ID 7777, so this is everything up to and including the 7777::) and then append the IPv4 address of the network device you wish to manage in familiar dotted-decimal notation. Note that ping displays the last 32 bits of the synthesized address as two hexadecimal groups rather than dotted decimal (172.16.1.10 appears as ac10:10a), which is how you can tell where the prefix ends. The IPv6 address you create should look something like this:

fd74:45f9:4fae:7777::172.16.1.254
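The derivation above (resolve a known IPv4-only host, keep the first 96 bits, embed the device's IPv4 address in the low 32 bits) as an added worked example in Python. This is not code from the original post; the ping output it parses is constructed for the example, and the sanity check assumes the default DirectAccess NAT64 layout (ULA prefix, subnet ID 7777, /96), which a customized deployment may not use.

```python
import ipaddress
import re

# Constructed sample (not real output): what `ping fileserver` prints on a
# DirectAccess client when DNS64 synthesizes an AAAA record for an IPv4-only
# host at 172.16.1.10. Windows shows the embedded IPv4 as hex: ac10:10a.
SAMPLE_PING_OUTPUT = """\
Pinging fileserver.corp.example.com [fd74:45f9:4fae:7777::ac10:10a] with 32 bytes of data:
Reply from fd74:45f9:4fae:7777::ac10:10a: time=41ms
"""

NAT64_PREFIX_LEN = 96  # /96 layout: the IPv4 address sits in the low 32 bits


def resolved_address(ping_output):
    """Pull the bracketed address that ping reports it resolved the name to."""
    match = re.search(r"\[([0-9A-Fa-f:.]+)\]", ping_output)
    if match is None:
        raise ValueError("ping output contains no [address]")
    return ipaddress.IPv6Address(match.group(1))


def looks_like_directaccess_nat64(addr):
    """Sanity check, assuming the default wizard layout <ULA>:7777::/96.

    A ULA address (fc00::/7) whose subnet ID is 7777 and whose bits 64..95 are
    zero is what DNS64 hands out. A native AAAA record of an IPv6-capable host
    will generally fail this test, and its prefix must not be reused.
    """
    value = int(addr)
    subnet_id = (value >> 64) & 0xFFFF
    bits_64_to_95 = (value >> 32) & 0xFFFFFFFF
    in_ula = addr in ipaddress.IPv6Network("fc00::/7")
    return in_ula and subnet_id == 0x7777 and bits_64_to_95 == 0


def nat64_prefix(synthesized):
    """The first 96 bits of a DNS64-synthesized address, as a /96 network."""
    return ipaddress.IPv6Network(f"{synthesized}/{NAT64_PREFIX_LEN}", strict=False)


def embedded_ipv4(synthesized):
    """Recover the IPv4 address carried in the low 32 bits."""
    return ipaddress.IPv4Address(int(synthesized) & 0xFFFFFFFF)


def nat64_address(prefix, ipv4):
    """Embed ipv4 in the low 32 bits of the /96 prefix: the address NAT64 translates."""
    if prefix.prefixlen != NAT64_PREFIX_LEN:
        raise ValueError("NAT64 prefix must be a /96")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    )


def mixed_notation(addr):
    """Render as prefix::a.b.c.d (the form used in the post), compressing trailing zero groups."""
    high = int(addr) >> 32
    groups = [f"{(high >> (16 * i)) & 0xFFFF:x}" for i in reversed(range(6))]
    while groups and groups[-1] == "0":
        groups.pop()
    joiner = "::" if len(groups) < 6 else ":"
    return ":".join(groups) + joiner + str(embedded_ipv4(addr))


def device_address_from_ping(ping_output, device_ipv4):
    """End to end: the address to type into PuTTY or ssh for an IPv4-only network device."""
    seen = resolved_address(ping_output)
    if not looks_like_directaccess_nat64(seen):
        raise ValueError(f"{seen} does not look DNS64-synthesized; ping an IPv4-only host instead")
    return mixed_notation(nat64_address(nat64_prefix(seen), device_ipv4))


if __name__ == "__main__":
    target = device_address_from_ping(SAMPLE_PING_OUTPUT, "172.16.1.254")
    print(f"ssh admin@{target}")  # ssh admin@fd74:45f9:4fae:7777::172.16.1.254
```

The sanity check is what keeps this from silently producing garbage: if the host you pinged has a native AAAA record, its first 96 bits are not the NAT64 prefix, and an address built from them will never be translated.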

Enter this IPv6 address in whichever tool you use to manage your network devices and it should work. Here's an example using the popular PuTTY tool to connect via SSH to a network device in my lab.


Figure 1 – DirectAccess Client IPv6 Prefix w/Appended IPv4 Address


Figure 2 – Successful connection over DirectAccess with PuTTY.

Going forward, I strongly recommend making it part of your normal production implementation process and procedures to create DNS records for all network devices. You will have to do this for IPv6 in the future anyway, so now is a good time to get into the habit. It will make your life a lot easier, trust me!

Please note that adding entries to the local HOSTS file of a DirectAccess client does not work! The HOSTS file bypasses DNS, so the name is never seen by the DNS64 service on the DirectAccess server, and an IPv4 entry yields an address the client cannot reach over the tunnel. You could populate the HOSTS file with names and the NAT64 IPv6 addresses derived using the method described above, but those entries would also be used when the client is on the internal network or connected remotely using a traditional client-based VPN, where the NAT64 prefix is unreachable, so it is best to avoid the HOSTS file altogether.


6 Comments

  1. Gary

     /  March 11, 2016

    Hi Richard,
    I’ve a query. We run DirectAccess HTTPS only and as standard create DNS names for any/all devices that we use this for, but it’s not possible for me to SSH to anything inside my network over DirectAccess. I am able to ping all my boxes on FQDN, but SSH simply times out. Of course, they work internally, no issues.

    All of my other services seem to just act as if DA is a regular network (file/print/etc.), so I’m a bit puzzled by it. Is this something specific in the Linux boxes I run that could be causing the issue? They’re standard CentOS 7 or Ubuntu 14.4 LTS mainly, with nothing dramatically changed in the network configurations.

    Reply
    • Very strange. Are you using PuTTY? Or something else perhaps?

      Reply
      • Gary

         /  March 14, 2016

        Yep, PuTTY or MobaXterm or ssh.exe all just time out immediately. I can simulate it very easily: on the network with the cable and everything fully functional, remove the cable and Wi-Fi activates, DA kicks in and email, for instance (or a file share), connects up fine, but any SSH connection is immediately dead.

        We have HTTPS-only DirectAccess, but it has never given us any issue with any other protocol. I actually kind of wondered if it was the way the Linux servers were configured or something.

      • I wouldn’t expect the session to continue uninterrupted when you switch from the LAN to DirectAccess because you’re using IPv4 when you’re on the LAN. When you switch to DirectAccess you’ll have to use IPv6 as I outlined in the post.

  2. Matt

     /  April 13, 2016

    Hi,

    I am experiencing a similar thing to Gary. We have an entry in DNS and get a ping reply with an IPv6 address from the device when connected with DA, but it fails to connect over SSH using PuTTY 0.63. I am establishing a new connection once connected with DA.

    Reply
    • That sure is odd. Works perfectly for me using PuTTY 0.62. :/ I’d suggest taking a network trace on the device you’re trying to connect to and seeing if the traffic is getting there in the first place. Compare both ICMP and SSH traffic and see what the difference is.

      Reply
