Channel: Network Infrastructure Servers forum

DirectAccess - temporary IPv6 and manage-out


Hello.
I have implemented Win2012R2 DirectAccess for one of our customers. It's an IP-HTTPS solution, a 2-node cluster with an external load balancer based on F5 BigIP. All client machines are Win8.1.

Every time a client is connected to DirectAccess, it gets 2 IPv6 addresses. The IPsec tunnel is built on the temporary IPv6 address, but the client registers itself in corporate DNS with the permanent IPv6 address.

It doesn't create any problem when it comes to accessing the corporate network from the client.

But in my case, we have implemented a manage-out solution, which allows managing DirectAccess-connected clients. The solution is also based on an F5 BigIP IPv6 bridge.

The problem is: manage-out servers can access a client only on the IPv6 address used in IPsec tunnel communication, the temporary IPv6 address.

And it eliminates the possibility of managing DA-connected clients by name.

If I turn off temporary IPv6 on clients (Set-NetIPv6Protocol -UseTemporaryAddresses Disabled), the IPsec tunnel is built with the primary IPv6 address and, as a result, I can access the client from the manage-out server by name, since the same address is in DNS and in the IPsec communication between the client and the DA server.

The funniest thing is that ICMPv6 packets from the manage-out server can reach the client, no matter whether temporary IPv6 is on or off.

But when it comes to any TCP/UDP packets from manage-out, I always need to specify the IPv6 address of the client which is used in IPsec communication.

Checked that with Microsoft Message Analyzer, which can easily see traffic inside the IPsec tunnel on the client.

So the question is: is it possible to use both temporary and primary IPv6 addresses, which is the default setting for clients, and still be able to access clients by name? Is there hidden logic or a setting inside the DirectAccess cluster or IPsec that can associate the temporary and primary IPv6 addresses of a client? Or is it normal to simply disable temporary IPv6?

