IPv6 Recommended Reading for DirectAccess Administrators

DirectAccess uses IPv6 exclusively for communication between the DirectAccess client and server. The DNS64 and NAT64 services running on the DirectAccess server allow the client to connect to IPv4-only resources on the corporate network. Although no IPv6 knowledge is necessary to implement DirectAccess, it is most certainly required to support it going forward. A fundamental understanding of IPv6 is vital when it comes to troubleshooting DirectAccess connectivity issues, so learning IPv6 is critically important for the DirectAccess administrator.

To help you learn more about IPv6, here are three essential resources I think you will find helpful!

Understanding IPv6 (Joe Davies) – This is an excellent reference for the IPv6 protocol and should be on every DirectAccess administrator’s desk. This book provides detailed documentation and explanations for the IPv6 protocol including IPv6 transition protocols, which are commonly used with DirectAccess.

Practical IPv6 for Windows Administrators (Ed Horley) – Another essential title for learning IPv6. This book focuses on the use of IPv6 for a variety of popular Windows workloads, including DirectAccess.

IPv6 Address Planning (Tom Coffeen) – This book is an optional read for DirectAccess administrators, but a recommended one still. There is no IPv6 address planning required to implement DirectAccess, as most commonly IPv6 addressing happens automatically. However, this book will help you understand IPv6 subnetting, which can be helpful for fully understanding DirectAccess.

If you prefer video training, be sure to check out this great course on Pluralsight from Ed Horley. Don’t be afraid of IPv6. Embrace it! Start learning IPv6 today!

DirectAccess Manage Out from Windows 10 Does Not Work

Note: The issue described in this article has been resolved in Windows 10 version 1703 (Creators Update). Making these changes is no longer required after installing the Creators Update release of Windows 10.

For DirectAccess manage out deployments using ISATAP, you may encounter a scenario in which you are unable to initiate outbound connections to connected DirectAccess clients from a Windows 10 computer. Outbound connections using ISATAP from Windows 7, Windows 8, Windows Server 2008/R2, or Windows Server 2012/R2 systems work without issue.

As it turns out, there is a bug in the Windows 10 DNS client code that prevents manage out using ISATAP from a Windows 10 client from working correctly. Thanks to the diligent effort of DirectAccess administrators Mike Piron and Jason Kuhns, a workaround has been identified. To deploy the workaround, it will be necessary to implement registry changes to alter the default behavior of the DNS resolver in Windows 10. You can implement these changes on a Windows 10 DirectAccess manage out machine by using the following PowerShell commands:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableParallelAandAAAA -PropertyType dword -Value 1 -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name DisableServerUnreachability -PropertyType dword -Value 1 -Force

Once these registry changes have been made, you should now be able to use ISATAP for DirectAccess manage out connections from a Windows 10 machine.
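The same workaround as an added script (not from the original post) that applies the two Dnscache values idempotently and skips them on Windows 10 version 1703 or later, where the note above says they are no longer needed; it assumes that 1703 corresponds to OS build 15063 and that the script runs elevated.

```powershell
# Added example: apply the DisableParallelAandAAAA / DisableServerUnreachability
# workaround only on Windows 10 builds earlier than 1703 (build 15063), and only
# when the values are not already set. Run from an elevated PowerShell session.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$values = @{ DisableParallelAandAAAA = 1; DisableServerUnreachability = 1 }

function Test-ManageOutFixNeeded {
    # Assumption: Windows 10 1703 (Creators Update) is build 15063.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -lt 15063)
}

if (-not (Test-ManageOutFixNeeded)) {
    Write-Host 'Windows 10 1703 or later detected; the DNS client fix is built in.'
    return
}

foreach ($name in $values.Keys) {
    # Read the current value (absent values come back as $null).
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $values[$name]) {
        Write-Host "$name is already $current; nothing to do."
    } else {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
        Write-Host "$name set to $($values[$name])."
    }
}
```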

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

For DirectAccess manage out scenarios, it is necessary to configure the Windows firewall on the DirectAccess client to allow any required inbound communication from the corporate network. For example, if management hosts on the internal network need to initiate Remote Desktop sessions with remote connected DirectAccess clients, the Remote Desktop – User Mode (TCP-In) Windows firewall rule will need to be enabled for the Public and Private profiles.

While enabling this rule will allow remote desktop connections to be made from the corporate network, its default configuration will also accept remote desktop connections from any network. From a security perspective this is not desirable.

A better solution is to restrict access to connections originating only from the corporate network. To do this it will be necessary to identify the ISATAP prefix used internally. To determine the corporate ISATAP prefix, run the ipconfig command on a management workstation that is configured for ISATAP. The ISATAP prefix will be the first 96 bits of the IPv6 address assigned to the ISATAP tunnel adapter (essentially everything with the exception of the embedded IPv4 address).

On the DirectAccess client, right-click the firewall rule and choose Properties. Choose the Scope tab and then select These IP addresses. Click Add and then enter the ISATAP prefix as shown here.

Once the firewall rule is configured to restrict access to the ISATAP prefix, only corporate management workstations on the internal network will have access to remote DirectAccess clients.
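The same scoping done in PowerShell, as an added example that is not part of the original post: it derives the /96 ISATAP prefix from a tunnel adapter address rather than reading it off ipconfig, then enables the Remote Desktop rule for the Private and Public profiles with its remote scope limited to that prefix. It assumes the management workstation's ISATAP adapter alias begins with "isatap", that the rule is addressed by the display name used above, and that the client-side step runs elevated; the sample address at the end is constructed.

```powershell
# Added example: scope the DirectAccess client's RDP rule to the corporate ISATAP prefix.

function Get-IsatapPrefix {
    # Returns the first 96 bits of an ISATAP address as "<prefix>/96", i.e. everything
    # except the IPv4 address embedded in the last 32 bits.
    param([Parameter(Mandatory)][string]$IPv6Address)
    $bytes = [System.Net.IPAddress]::Parse($IPv6Address).GetAddressBytes()
    if ($bytes.Length -ne 16) { throw "$IPv6Address is not an IPv6 address" }
    for ($i = 12; $i -lt 16; $i++) { $bytes[$i] = 0 }   # zero the embedded IPv4 part
    $prefix = New-Object System.Net.IPAddress -ArgumentList (,$bytes)
    return $prefix.IPAddressToString + '/96'
}

# Step 1 (on an ISATAP-enabled management workstation): read the tunnel adapter's
# routable address. Link-local fe80:: addresses are skipped; they are not the
# corporate prefix. Assumption: the adapter alias starts with "isatap".
function Get-LocalIsatapPrefix {
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.IPAddress -notlike 'fe80*' } |
        Select-Object -First 1
    if (-not $addr) { throw 'No ISATAP adapter with a routable IPv6 address was found' }
    return Get-IsatapPrefix -IPv6Address $addr.IPAddress
}

# Step 2 (on the DirectAccess client, elevated): enable the rule for the Private and
# Public profiles and accept inbound RDP only from the ISATAP prefix.
function Set-ManageOutRdpScope {
    param([Parameter(Mandatory)][string]$IsatapPrefix)
    Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' |
        Set-NetFirewallRule -Enabled True -Profile Private, Public -RemoteAddress $IsatapPrefix
}

# Constructed sample address; in practice pass the value from Get-LocalIsatapPrefix
# to Set-ManageOutRdpScope on the client.
$sample = Get-IsatapPrefix -IPv6Address 'fd00:1234:5678::5efe:10.1.2.3'
Write-Host "ISATAP prefix for firewall scope: $sample"
```

Verify the result on the client with Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' | Get-NetFirewallAddressFilter, which shows the RemoteAddress now limited to the prefix.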