[This article originally appeared in the "Closer to the Edge" blog at: http://blog.msedge.org.uk/2010/11/uag-directaccess-application.html]
I don’t believe that Microsoft is planning on providing an official list of known DirectAccess application compatibility issues and their respective solutions or mitigation methods. Consequently, I thought it might be useful to create a wiki article that captures known UAG DA application compatibility issues I am seeing in the forums and also from my own deployment experiences. UAG DA sometimes has the upper hand over native DirectAccess implementations here, as the option to utilise the in-built NAT64 functionality is potentially available, but this is not always a sufficient solution as the communication between DirectAccess clients and UAG will always take place over IPv6.
Tom Shinder has a great article on the subject of DirectAccess Application Compatibility which I am going to reference as a good primer for this subject; it can be found here. The TechNet information available here is also useful background reading. Note: Although this article was originally written for UAG DirectAccess it is also applicable to Windows Server 2012 DirectAccess.
UAG DirectAccess Application Compatibility Table

| Application or Product Name | Application Vendor | Application Version | Known Issues | Known Solution or Mitigation Techniques |
| --- | --- | --- | --- | --- |
| Office Communication Server | Microsoft | 2007 and 2007R2 | OCS client does not support IPv6. NAT64 not possible. | Deploy an OCS Edge solution and define NRPT exemption rules for OCS related host names to use the Internet facing OCS Edge solution. More info here. |
| Metaframe, XenApp | Citrix | 5.x and below | Citrix client does not support IPv6. NAT64 to Citrix servers is not possible. | Deploy an internal Citrix Secure Gateway (CSG) solution or define NRPT exemption rules to use an Internet facing CSG solution. More info here. |
| FlexNet Manager | Flexera Software | Unknown | Product does not support IPv6. | Host application using RDS RemoteApp, Citrix XenApp or use an SSTP/VPN fall-back method. More info here. |
| SAP GUI | SAP | 7.20+ | Support for IPv6 is not enabled by default. | Add a client system environment variable of SAP_IPv6_ACTIVE=1. To be able to do load balancing you will also need to install SAPRouter. More info here. |
| Lotus Notes | IBM | 8.0+ | | Add the TCP_EnableIPv6=1 line to the [notes] section of the notes.ini file. More info here. |
| vSphere Client | VMware | 4.1 | Unable to resolve hostname errors when trying to open virtual machine consoles. | This has been fixed in vSphere client version 5.0 update 1 and later. |
Please feel free to keep this wiki article updated at regular intervals to try and keep the information as up to date and dynamic as possible. This should then provide a reference location that people can refer back to when thinking about potential application compatibility issues, or when new solutions are found.
So, if you have problems with application compatibility when using UAG DirectAccess, then add them here! Please provide as much information as possible, ideally including the following minimum information:
Community input would be of great value here, so please do provide feedback where possible! Additional comments and corrections to keep the table as accurate as possible are also welcome…
This article was originally written by:
Jason Jones, Forefront MVP
Principal Security Consultant
Silversands Limited
--------
My Forefront Edge Blog: http://blog.msedge.org.uk/
My ISA Server Blog: http://blog.msfirewall.org.uk/
MVP Profile: https://mvp.support.microsoft.com/profile/Jason.Jones
Twitter: http://twitter.com/jjatsilversands
Hi Jason,
I clicked the link to your blog so that your traffic doesn't suffer :)
Thanks!
Tom
WPAD (Web Proxy Automatic Detection) is not supported either. All because the wpad file returns a static IPv4 address for every array node. Well, at least with TMG. This might only be desired for those who use force-tunneling. But for split-tunneling I always make sure wpad.<yourdomain> (and proxy.<yourdomain>) is configured as an exclusion in the NRPT table. This improves response time or might prevent problems.
@Boudewijn - you configure TMG WPAD to use DNS names as discussed here: blogs.technet.com/.../understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx
thanks