Teredo with DirectAccess in Server 2012

Question
-
In Windows Server 2012 does Teredo still require two consecutive public IPv4 addresses? Or will it work if DirectAccess server is configured with two network adapters - with one network adapter (one IP address) connected to a perimeter (aka DMZ) network (behind a NAT, firewall, or router device) and the other to the internal network?
I know that in Windows Server 2008 R2 DirectAccess server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. Just wondering if this is still the same in 2012?
My Microsoft Core Infrastructure & Systems Management blog - blog.danovich.com.au
Thursday, September 20, 2012 6:36 AM
Answers
-
Hi,
Yes it requires two consecutive public IPv4 addresses in Windows Server 2012 also.
The short explanation is that the Teredo protocol is built around connecting to two different IPv4 addresses to determine what type of NAT the client is behind.
Jonas Blom | Relevo AB | http://blog.nrpt.se
- Proposed as answer by Jonas Blom Thursday, September 20, 2012 7:58 AM
- Marked as answer by danovich_ Friday, September 21, 2012 3:58 AM
Thursday, September 20, 2012 7:57 AM
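The reason the Teredo server needs two addresses is the client qualification procedure in RFC 4380 (section 5.2.1): the client learns what kind of NAT it sits behind from how replies sent from the server's primary and secondary addresses are treated. The following PowerShell is an added example, not code from this thread or from Microsoft. It models three NAT behaviours and runs the qualification steps against a simulated server with a primary and a secondary address, then repeats the run with a single address to show that the client can no longer tell the NAT types apart. All addresses, ports and the NAT model itself are constructed for the example.

```powershell
# Added example (not from this thread): a toy model of the Teredo qualification
# procedure (RFC 4380, section 5.2.1). It shows why the Teredo server needs a
# primary and a secondary IPv4 address to tell cone, restricted and symmetric
# NATs apart. All addresses, ports and NAT behaviour are constructed.

function New-NatModel {
    param([ValidateSet('Cone', 'Restricted', 'Symmetric')][string]$Type)
    @{
        Type       = $Type
        ExternalIp = '203.0.113.10'   # constructed public address of the NAT
        NextPort   = 40000
        Mappings   = @{}              # internal endpoint (+ destination for symmetric) -> external endpoint
        Allowed    = @{}              # "external endpoint|remote endpoint" pairs that may send inbound
    }
}

function Send-Outbound {
    # The client sends a UDP packet through the NAT; returns the external endpoint
    # the remote side sees (what the Teredo server reports back as the
    # "origin indication").
    param($Nat, [string]$InternalEndpoint, [string]$Destination)
    $key = if ($Nat.Type -eq 'Symmetric') { "$InternalEndpoint|$Destination" } else { $InternalEndpoint }
    if (-not $Nat.Mappings.ContainsKey($key)) {
        $Nat.Mappings[$key] = "$($Nat.ExternalIp):$($Nat.NextPort)"
        $Nat.NextPort++
    }
    $mapped = $Nat.Mappings[$key]
    $Nat.Allowed["$mapped|$Destination"] = $true
    return $mapped
}

function Test-Inbound {
    # Would the NAT deliver a packet from $Source to the mapped endpoint?
    param($Nat, [string]$MappedEndpoint, [string]$Source)
    if ($Nat.Type -eq 'Cone') {
        # Full cone: any remote host may reach an existing mapping.
        return [bool]($Nat.Mappings.Values -contains $MappedEndpoint)
    }
    # Restricted and symmetric: only hosts the client already sent to.
    return $Nat.Allowed.ContainsKey("$MappedEndpoint|$Source")
}

function Get-TeredoNatType {
    param($Nat, [string]$PrimaryServer, [string]$SecondaryServer)
    $client = '192.168.1.20:50000'   # constructed private client socket

    # Step 1: router solicitation with the cone bit set, sent to the primary
    # address. The server answers from its SECONDARY address; only a cone NAT
    # lets that reply through.
    $m = Send-Outbound $Nat $client $PrimaryServer
    if (Test-Inbound $Nat $m $SecondaryServer) { return 'Cone' }

    # Step 2: cone bit clear, answered from the primary address. The reply
    # carries the external endpoint the server saw.
    $m1 = Send-Outbound $Nat $client $PrimaryServer
    if (-not (Test-Inbound $Nat $m1 $PrimaryServer)) { return 'Blocked' }

    # Step 3: the same solicitation to the secondary address. If the external
    # endpoint changes with the destination, the NAT is symmetric and Teredo
    # cannot be used.
    $m2 = Send-Outbound $Nat $client $SecondaryServer
    if (-not (Test-Inbound $Nat $m2 $SecondaryServer)) { return 'Blocked' }
    if ($m1 -eq $m2) { return 'Restricted' }
    return 'Symmetric'
}

$primary   = '198.51.100.1:3544'   # constructed; Teredo servers listen on UDP 3544
$secondary = '198.51.100.2:3544'   # the consecutive second address the thread describes

"Server with two consecutive addresses:"
foreach ($type in 'Cone', 'Restricted', 'Symmetric') {
    $result = Get-TeredoNatType -Nat (New-NatModel -Type $type) -PrimaryServer $primary -SecondaryServer $secondary
    '  {0,-10} NAT -> {1,-10} Teredo usable: {2}' -f $type, $result, ($result -ne 'Symmetric')
}

"Server with a single address (secondary = primary):"
foreach ($type in 'Cone', 'Restricted', 'Symmetric') {
    $result = Get-TeredoNatType -Nat (New-NatModel -Type $type) -PrimaryServer $primary -SecondaryServer $primary
    '  {0,-10} NAT -> {1,-10} (every NAT is reported as Cone)' -f $type, $result
}
```

With two addresses the model classifies the cone, restricted and symmetric NATs correctly and flags the symmetric one as unusable for Teredo. With a single address, step 1 succeeds for every NAT type because the "reply from the secondary address" is really a reply from the address the client just sent to, so the client reports Cone in all three cases and would attempt Teredo behind a symmetric NAT where it cannot work. That is the behaviour a single-IP or NAT'd DirectAccess deployment avoids by not offering Teredo at all.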
All replies
-
Awesome thanks for the quick answer.
Is it safe to say that if a DirectAccess client has been assigned a public IPv4 address, it will use the 6to4 transition technology to connect to the intranet. If the DirectAccess client cannot connect to the DirectAccess server with 6to4, it will use IP-HTTPS?
My Microsoft Core Infrastructure & Systems Management blog - blog.danovich.com.au
Friday, September 21, 2012 3:58 AM
-
That is correct in theory. Here is the order of preference by a DA client:
1. 6to4 - This attempts to connect if the client has a public IP address, as you stated
2. Teredo - This attempts to connect using UDP if the client is behind a NAT
3. IP-HTTPS - If the client is behind a NAT and fails to connect with Teredo (or isn't configured to if your server doesn't meet the Teredo requirements) then it will fall back on IP-HTTPS.
I disable 6to4 on almost all of my installs. I have seen a few things go wrong with it, most commonly when clients are using cell cards for connectivity (which still commonly give out public IP addresses) - the carriers will sometimes allow the initial handshake for 6to4, and so the client thinks it's connected, but then the carrier drops all packets over Protocol 41, and so the DA tunnels never build and the client doesn't figure out that it needs to switch. I have seen this happen enough times that I now disable 6to4 on the clients using a GPO during time of implementation.
Thursday, October 25, 2012 6:03 PM
-
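To see which of the three transition technologies a client actually landed on, and to apply the 6to4 disable the reply above recommends, the following PowerShell is an added example (not code from this thread or from Microsoft). It assumes a Windows 8 / Server 2012 DirectAccess client with the NetTCPIP and DirectAccessClientComponents modules, run from an elevated prompt; the output property names are taken from those cmdlets' default output, and the policy registry key and value name are assumed to be the ones the "Set 6to4 State" group policy setting writes.

```powershell
# Added example (not from this thread): inspect which IPv6 transition
# technology a DirectAccess client is using, and disable 6to4 the way the
# GPO described above does. Run elevated on a Windows 8 / Server 2012 client.
# Cmdlets come from the NetTCPIP and DirectAccessClientComponents modules;
# output property names are assumed from those cmdlets' default output.

function Get-DATransitionSummary {
    # One object a helpdesk script can log: DA status plus the state of each
    # transition technology, in the client's order of preference.
    $da = Get-DAConnectionStatus
    [pscustomobject]@{
        DAStatus    = $da.Status
        DASubstatus = $da.Substatus
        SixToFour   = (Get-Net6to4Configuration).State
        Teredo      = (Get-NetTeredoState).State
        IPHttps     = (Get-NetIPHttpsState).State
    }
}

function Disable-6to4ForDA {
    # -ViaPolicy writes the registry value the "Set 6to4 State" group policy
    # sets (key and value name assumed from the TCP/IP transition-technology
    # policy template), so it matches what a GPO pushes at implementation time
    # and is not undone by a later local netsh change. Without -ViaPolicy the
    # local configuration is changed directly.
    param([switch]$ViaPolicy)
    if ($ViaPolicy) {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name '6to4_State' -Value 'Disabled' -PropertyType String -Force | Out-Null
        Write-Host 'Policy value written; it may need a policy refresh or reboot to take effect.'
    } else {
        Set-Net6to4Configuration -State Disabled
    }
}

# Before: which technology is the client on, and did DA actually connect?
Get-DATransitionSummary | Format-List

# Disable 6to4 as a policy setting and re-check; the client should now
# qualify Teredo (if the server offers it) or fall back to IP-HTTPS.
Disable-6to4ForDA -ViaPolicy
Get-DATransitionSummary | Format-List
```

The useful check is the pair of DAStatus/DASubstatus next to SixToFour: the failure mode described above shows as 6to4 enabled and active while the DA status stays disconnected, which is exactly the case where forcing the client off 6to4 makes it try the next technology.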
Is this the case even when you set up DirectAccess behind a NAT?
Donald Roy Airey
Saturday, October 27, 2012 1:54 PM
-
Nope! Great question. When you place a 2012 DA behind a NAT, you can only use IP-HTTPS; the other two protocols are not used at all.
Saturday, October 27, 2012 4:49 PM
-
Thanks. It's difficult to find a definitive answer to that.
Follow-up question: Will DirectAccess act as a NAT for my corporate workstations and servers. That is, if I set up my network according to the Microsoft Test Lab Guide, will CLIENT1 or APP1 (on the corporate network, behind EDGE1) be able to access the Internet through the DirectServer machine (EDGE1)?
Donald Roy Airey
Saturday, October 27, 2012 7:20 PM
-
No, not natively. When you walk through the TLG for DirectAccess it is only going to give you incoming connections for DA clients. Depending on what TLG you are using or what steps you take, you can also enable regular IPv4-based VPN connectivity through the same box, giving regular VPN access to clients that are not DirectAccess capable.
The regular VPN uses RRAS, and RRAS by itself can also be used to route outgoing internet traffic, so you might be able to get into RRAS after configuring the incoming connections and tweak the rules there to allow it to also pass outbound web traffic, but I have never tried this myself to know for sure. An important thing to keep in mind, even if you got this to work, RRAS has no anti-malware type filters that it can apply to the traffic, so you would be simply giving the clients full outbound access to the internet like any router could. A better solution for protecting outbound traffic would of course be to use a proxy server of some kind. TMG was always my recommendation in this space, and you can still buy it until December, but it is unfortunately on a path to be discontinued.
- Proposed as answer by Donald Roy Airey Wednesday, October 31, 2012 4:39 PM
Monday, October 29, 2012 12:37 PM
-
Jordan,
Thanks again for the information. I've been wrestling with this for the last week. I have a NAT built with RRAS on my EDGE machine. It works just fine. After installing DirectAccess using the TLG, it no longer functions. If I reinstall the NAT function manually in RRAS, it creates NAT mappings, but doesn't work. I thought the big marketing angle with DirectAccess in Server 2012 was that it co-existed with RRAS, but this doesn't appear to be the case.
Let me try the question a little differently: given the construction of the network in the TLG, what would be the "Best Practices" means of providing NAT and VPN functionality to the computers on the CORPNET? The TLG explicitly goes through the steps of setting up the Default Gateway to be the EDGE machine (10.0.0.2) on all the network interface cards even though EDGE doesn't appear to provide this function.
Donald Roy Airey
- Edited by Donald Roy Airey Wednesday, October 31, 2012 4:40 PM
Wednesday, October 31, 2012 4:39 PM
-
Server 2012 URA (Unified Remote Access) co-exists DirectAccess and VPN, which happens to be provided by good ole' RRAS. I haven't ever seen reference to being able to use outbound RRAS on these boxes as well.
I haven't been through the TLG where it has you set the Default Gateway to the EDGE server, so I'm afraid I don't know the specifics of that or the answer to your question. The TLG is likely designed for showing the inbound connectivity, and it may not be concerned at all with outbound access. That wouldn't surprise me.
Wednesday, October 31, 2012 8:36 PM
-
That's not very unified, now is it. What possible use to a small to medium sized firm is an inbound-only solution? Semi-Unified Remote Access (SURA)? Slightly Less Trouble than 2008 R2 Remote Access (SLTT2008R2RA)? That's probably why I'll never have a career in marketing.
Donald Roy Airey
Wednesday, October 31, 2012 10:14 PM
-
I found this, which says you no longer need two consecutive public IPv4 addresses in Server 2012:
"- Support for Direct Access server behind a NAT device
The Teredo IPv6 transition technology is used typically when the client system is assigned a private IP address (and for modern Windows clients, will be used when the client is assigned a public IP address and 6to4 isn't available). A Windows Server 2008 R2 Direct Access server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. This is required so that it can act as a Teredo server.
Now in Windows Server 2012 direct access server can be deployed behind a NAT device with support for only one single network interface and removes the public IPv4 address prerequisite."
Link to the full posting about Teredo and the DirectAccess server here: http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
Tuesday, October 22, 2013 4:33 PM
-
The only way to make Teredo work is to have two consecutive public IP addresses. Server 2012 DA can be implemented with a single public IP, or with a single NAT'd IP, but in either of those installation scenarios, Teredo will not work. You will only have IP-HTTPS available.
Tuesday, October 22, 2013 5:42 PM