Hi,
in my testing environment I am trying to simulate a situation that you will probably not see too often – an IPv6-only resource in the internal network. IPv4 resources are reachable but IPv6 ones are not.
Remote client:
Behind IPv4 NAT device - IP-HTTPS only
Internal network devices / resources:
1. Edge device: NAT device (2x NIC) - IPv4 only (the ISP does not offer IPv6 yet)
Internal IP address: 10.25.0.1 (255.255.0.0)
NAT: Port 433 is mapped to Direct Access server.
2. DirectAccess server (1x / 2x NIC)
3. IPv4 only resource (for example website)
IP address: 10.25.22.8
4. IPv6 only resource (for example IIS and another website)
IP address: fd12:3456::55
DirectAccess components:
- Separate IIS VM with static IPv4 and static IPv6 as NLS (Network Location Server)
- Separate IIS VM with static IPv4 and static IPv6 as HTTP to validate that client is connected
- Domain Controllers and DNS with static IPv4 and static IPv6
- DNS: record "isatap" that leads to the internal IPv4 address of the DirectAccess server (isatap was removed from the globalqueryblocklist). I am not sure if I need this.
------------------------
First configuration (functional):
DirectAccess server with two NICs.
Both NICs have static IPv4 and enabled IPv6 (Unique local “fd” address is not set – the IPv6 is blank).
Internal NIC: 10.25.2.1 (no gateway)
External NIC: 10.25.2.2 (10.25.0.1 as gateway), NAT mapping
When I finish the advanced DirectAccess setup (not the quick start) everything works great and Operation Status shows green checkmarks. Remote client is able to connect (IP-HTTPS) and the client is able to access all resources EXCEPT the IPv6 only resource.
------------------------
Second configuration (cannot connect):
DirectAccess server with two NICs:
Internal NIC: 10.25.2.1, fd12:3456::1 (no gateway)
External NIC: 10.25.2.2 (10.25.0.1 as gateway), NAT mapping
After setup the clients are not able to connect from the outside (IP-HTTPS) and I can see a warning in the Operation Status:
WARNING: Network Adapters
Error:
DirectAccess client cannot connect to all resources on the corporate network.
Causes:
Routers required to send packets to the corporate network have not been published on the adapter <name>. These routes are required for remote clients to reach the corporate network.
Resolution:
Publish the IPv6 routes on the network adapter that connects to the corporate network.
I do not understand what kind of routes should be published. I do not have multiple subnets / routers on the network so I do not have to specify “the another hop” persistent route.
------------------------
Third configuration (cannot connect):
DirectAccess server with two NICs:
Internal NIC: 10.25.2.1, fd12:3456::1 (no gateway), NAT mapping
The same results as the previous… (WARNING: Network Adapters)
------------------------
My final goal is to set up an internal network where most of the servers have only IPv6 “fd” addresses. This is not a problem. The problem is that I am not able to implement DirectAccess for clients that are connected over the IPv4 internet.
Please can somebody give me advice?
Thank you.
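The "Publish the IPv6 routes on the network adapter that connects to the corporate network" warning above refers to the Publish flag on the server's IPv6 routes. As an added example (not part of the original post, and not a fix the poster has confirmed), the following PowerShell snippet shows how to inspect which IPv6 routes exist on the internal adapter and whether they are published, and how to add or mark a published route for the internal ULA prefix. The adapter alias "Internal" and the prefix length /64 for fd12:3456:: are assumptions; the post gives the addresses fd12:3456::1 and fd12:3456::55 but no prefix length.

```powershell
# Added example, not from the original post.
# Assumptions: the DirectAccess internal adapter is named "Internal" and the
# corporate ULA prefix is fd12:3456::/64 (the post gives no prefix length).
$InternalAdapter = 'Internal'
$CorpPrefix      = 'fd12:3456::/64'

# 1. List IPv6 routes on the internal adapter together with their Publish state.
#    DirectAccess expects the routes to corporate prefixes to be published (Yes)
#    on the adapter facing the corporate network.
Get-NetRoute -AddressFamily IPv6 -InterfaceAlias $InternalAdapter |
    Select-Object DestinationPrefix, NextHop, RouteMetric, Publish, Store |
    Format-Table -AutoSize

# 2. Make sure a route for the corporate ULA prefix exists on that adapter and is published.
#    Get-NetRoute throws when nothing matches, so suppress that and test for $null.
$route = Get-NetRoute -AddressFamily IPv6 -InterfaceAlias $InternalAdapter `
                      -DestinationPrefix $CorpPrefix -ErrorAction SilentlyContinue
if (-not $route) {
    # No route yet: add an on-link route (NextHop defaults to ::) and publish it.
    New-NetRoute -AddressFamily IPv6 -InterfaceAlias $InternalAdapter `
                 -DestinationPrefix $CorpPrefix -Publish Yes
} elseif ($route.Publish -ne 'Yes') {
    # Route exists but is not published: flip the flag.
    $route | Set-NetRoute -Publish Yes
}

# 3. Verify the result before re-running the DirectAccess Operation Status check.
Get-NetRoute -AddressFamily IPv6 -InterfaceAlias $InternalAdapter -DestinationPrefix $CorpPrefix |
    Format-List DestinationPrefix, NextHop, Publish, Store

# Equivalent legacy command (same assumptions):
#   netsh interface ipv6 add route prefix=fd12:3456::/64 interface="Internal" publish=yes
```

Run it in an elevated PowerShell session on the DirectAccess server; the first command alone is useful for comparing the working and non-working configurations, since it shows whether the route for the fd12:3456:: prefix appears on the internal adapter at all and what its Publish value is.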