ISP Address Field is Blank in DirectAccess Status and Reports

When viewing DirectAccess client status in the Remote Access Management console, you will notice that the ISP address field is blank for clients using the IP-HTTPS IPv6 transition protocol. However, the ISP Address information is displayed for clients using the 6to4 or Teredo IPv6 transition protocols.

ISP Address Field is Blank in DirectAccess Status and Reports

This is expected behavior and occurs as a result of the way in which the DirectAccess reports obtain the client’s public ISP address information. The ISP address is derived from the IPv6 address used to establish the DirectAccess client’s IPsec Security Associations (SAs) on the DirectAccess server. For clients using the 6to4 or Teredo IPv6 transition protocols, the client’s public IPv4 address is embedded in its IPv6 address. This information is displayed in the ISP Address field. However, the IP-HTTPS IPv6 transition protocol uses completely random IPv6 addresses. Without an embedded IPv4 address, the Remote Access Management console lacks the information to display in the ISP Address field.

Updated 3/22/2015: With a little extra work it is possible to find the IPv4 ISP address for DirectAccess clients using the IP-HTTPS IPv6 transition protocol. For more information, please refer to Microsoft PFE Martin Solis’ excellent blog post on the subject here.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Looking for more information about DirectAccess load balancing? See my post entitled DirectAccess Deployment Guide for Kemp LoadMaster Load Balancers.

DirectAccess in Windows Server 2012 R2 supports load balancing and multisite configuration options to provide both local and geographic redundancy, respectively. To configure either of these options, open the Remote Access Management console, expand Configuration in the navigation tree, highlight DirectAccess and VPN, and then select either Enable Multisite or Enable Load Balancing in the Tasks pane.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Depending on your configuration you may encounter a scenario in which these features do not appear in the Remote Access Management console.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

This occurs when the Web Application Proxy (WAP) role is installed on the DirectAccess server. Although this is a supported configuration, enabling load balancing or multisite on a DirectAccess server with WAP installed requires additional configuration. Specifically, load balancing and/or multisite must be configured before installing the WAP role.

To restore support for load balancing and multisite configuration options, remove the WAP role using the GUI or with the Uninstall-WindowsFeature Web-Application-Proxy PowerShell command.

Disable 6to4 IPv6 Transition Protocol for DirectAccess Clients

Introduction

DirectAccess client to server connections are established exclusively over IPv6. To allow for this communication to take place over the public IPv4 Internet, DirectAccess uses IPv6 transition protocols – 6to4, Teredo, and IP-HTTPS – to tunnel IPv6 communication over IPv4. 6to4 is supported when the DirectAccess server is edge facing with a public IPv4 address assigned to its external network interface. Two consecutive public IPv4 addresses are required to support Teredo. IP-HTTPS is used in all scenarios, and exclusively when the DirectAccess server is located in a perimeter or DMZ network behind a NAT device.

6to4 and Teredo Advantages

Not all IPv6 transition protocols are created equal. For Windows 7 clients, 6to4 and Teredo provide significant performance advantages when compared to IP-HTTPS (Windows 8.x clients can use null encryption for IP-HTTPS, which eliminates this performance advantage). 6to4 and Teredo offer nearly identical performance, but 6to4 suffers from some unique challenges and should be disabled by default for all DirectAccess deployments.

Note: IP-HTTPS null encryption is disabled for all clients when client-based remote access VPN or one-time password (OTP) authentication is configured on the DirectAccess server, which can impact performance for Windows 8.x clients using IP-HTTPS.

Unreliable Fallback

The 6to4 IPv6 transition protocol is used when a DirectAccess client has a public IPv4 address assigned to its network interface. 6to4 uses IP protocol 41 for transport, and does not work when the client is behind a NAT. If outbound IP protocol 41 is blocked (a common scenario) then the client should fallback to Teredo or IP-HTTPS. In my experience this doesn’t always happen. In fact, the protocol fallback fails with enough regularity that it is the primary reason I recommend disabling it by default.

Active Directory IP Subnet Assignment

6to4 is also problematic when it comes to configuring Active Directory IP subnets for clients in a multisite DirectAccess deployment. 6to4 addresses begin with the 2002::/16 prefix followed by the IPv4 address of the client represented in hexadecimal using the form WWXX:YYZZ::WWXX:YYZZ. For example, if the DirectAccess client’s public IPv4 address is 198.51.100.83, its 6to4 address would be 2002:c633:6453::c633:6453. Since this IPv6 address is created using only the client’s IPv4 address, there is no way to associate the client to a specific entry point. The administrator is left with assigning the 2002::/16 prefix to the most centrally located AD site. This will undoubtedly result in some DirectAccess clients using domain controllers that are not ideal, which will ultimately lead to slow log on times and mapped drive failures.

Summary

In some deployment scenarios, 6to4 and Teredo offer performance advantages when compared to IP-HTTPS. Performance is identical for both 6to4 and Teredo, and considering the challenges that 6to4 poses, it should be disabled by default for DirectAccess deployments. This eliminates the possibility of associated connectivity issues, while still allowing DirectAccess clients to use the Teredo IPv6 transition protocol and not incur any performance penalty. Details about disabling IPv6 transition protocols can be found here.

%d bloggers like this: