ISATAP – Direct Access Manage Out

Posted by robd on January 14, 2022
Direct Access

I was working with Direct Access recently and the manage out function. The idea is that servers on premises can communicate with Direct Access clients on the internet, which reach the corporate network over an IPv6-over-IPv4 transition protocol.

For example, it’s great when you want to manage SCCM clients who are not in the office.

To do this you need an ISATAP server that sits in between the Direct Access servers and the internal servers. I like to think of ISATAP as something like a DHCP/DNS server for IPv6: it hands out IPv6 addresses to the internal servers, which in turn lets them reach the IPv6 clients.

I'm going to presume you've set up Direct Access and ISATAP and that at some point it was all working (if anyone wants a guide on setting up ISATAP, just shout). Now, for whatever reason, you cannot resolve IPv6 clients!!

  • Log on to your Direct Access (DA) server, pick a client and check you can ping it; it should return an IPv6 address.
  • ping
  • Log on to your ISATAP server and ping the same client. If that works, great, the issue is not between DA and ISATAP; if not, it's time to check your connectivity (firewall and routes) between the two servers.
  • Log on to a server that is using the ISATAP server and ping the same client. In my case this did not work.
  • So first check the interface on the server with ipconfig /all

This is bad. If the ISATAP interface only has an fe80 (link-local) address, it means Windows has assigned the address itself and has not had one assigned from the ISATAP router, a bit like an APIPA address.

  • You can disable and re-enable ISATAP on the server to check whether the address changes from fe80 to one from the ISATAP prefix
netsh int ipv6 isatap set state disable

netsh int ipv6 isatap set state enable
  • Moving back to the ISATAP server, there are basically two things to check: the interface and the routes
  • First check the interface and its idx number:
netsh Int ipv6 show int
  • In my case I know the interface I configured when I set up the server was IDX 6, whereas below it shows IDX 9. This means that something has changed, potentially a VMware hardware update.

  • As the interface has changed, the interface settings and the static routes have been lost, so let's add them again:
    • First on the NIC, add forwarding:
netsh Int ipv6 set int 12 forwarding = enabled

    • Then on the ISATAP Interface
netsh Int ipv6 set int 9 advertise = enabled
netsh Int ipv6 set int 9 forwarding = enabled

  • Next check the routes for the interface; the magic route is missing
netsh int ipv6 show route

  • Add it back
netsh interface ipv6 add route fd07:4444:4444:1::/64 9 publish=yes

  • Finally check the server again

  • YAY!!!
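The checks above are all bound to an interface index that Windows can renumber (IDX 6 became IDX 9 here), so it is worth having them in a script you can rerun after a reboot or a virtual hardware change. The following PowerShell is an added example, not the original post's commands: Test-IsatapClient reproduces the fe80-only check on an internal server, and Test-IsatapRouter reproduces the forwarding, advertising and published-route checks on the ISATAP server, re-applying them with -Fix. It assumes an elevated session on Windows Server 2012 or later (NetTCPIP cmdlets), that the ISATAP tunnel's alias starts with "isatap." (the Windows default naming), and that the prefix is the fd07:4444:4444:1::/64 from the post; substitute your own.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session
# with the NetTCPIP module and that $IsatapPrefix is your ISATAP prefix (value from the post).
$IsatapPrefix = 'fd07:4444:4444:1::/64'

function Get-IsatapInterface {
    # The ISATAP tunnel is not a physical adapter, so Get-NetAdapter does not list it;
    # Get-NetIPInterface does, with an alias such as "isatap.{GUID}" or "isatap.corp.local".
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -like 'isatap.*' -and $_.ConnectionState -eq 'Connected' } |
        Select-Object -First 1
}

function Test-IsatapClient {
    # Run on an internal server that should obtain its address from the ISATAP router.
    $if = Get-IsatapInterface
    if (-not $if) {
        Write-Warning 'No connected ISATAP interface (check: netsh int ipv6 isatap show state)'
        return $false
    }
    $addrs  = Get-NetIPAddress -AddressFamily IPv6 -InterfaceIndex $if.InterfaceIndex
    $routed = $addrs | Where-Object { $_.IPAddress -notlike 'fe80:*' }
    if ($routed) {
        $routed | ForEach-Object {
            Write-Host ('OK   {0}/{1} on ifIndex {2} (origin {3})' -f $_.IPAddress, $_.PrefixLength, $if.InterfaceIndex, $_.PrefixOrigin)
        }
        return $true
    }
    # Only fe80:: means no router advertisement carried a prefix: the APIPA-like symptom in the post.
    Write-Warning ('ifIndex {0} has only link-local (fe80::) addresses; no prefix advertised to it' -f $if.InterfaceIndex)
    return $false
}

function Test-IsatapRouter {
    # Run on the ISATAP server. Reports every drifted setting; -Fix re-applies them,
    # which is what the post's netsh commands do after the interface index changed.
    param([string]$Prefix = $IsatapPrefix, [switch]$Fix)
    $if = Get-IsatapInterface
    if (-not $if) { Write-Warning 'No connected ISATAP interface on this server'; return $false }
    $idx = $if.InterfaceIndex
    $ok  = $true

    # The LAN adapter must forward IPv6 (the post's "netsh int ipv6 set int 12 forwarding=enabled").
    foreach ($nic in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
        $nicIf = Get-NetIPInterface -AddressFamily IPv6 -InterfaceIndex $nic.ifIndex
        if ($nicIf.Forwarding -ne 'Enabled') {
            Write-Warning "forwarding disabled on LAN adapter $($nic.Name) (ifIndex $($nic.ifIndex))"; $ok = $false
            if ($Fix) { Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv6 -Forwarding Enabled }
        }
    }

    # The ISATAP interface must both forward and advertise, or it never sends router advertisements.
    foreach ($setting in 'Forwarding', 'Advertising') {
        if ($if.$setting -ne 'Enabled') {
            Write-Warning "$setting disabled on ISATAP ifIndex $idx"; $ok = $false
            if ($Fix) {
                $p = @{ InterfaceIndex = $idx; AddressFamily = 'IPv6'; $setting = 'Enabled' }
                Set-NetIPInterface @p
            }
        }
    }

    # The "magic route": the prefix on the ISATAP interface, published so it is included in RAs.
    $route = Get-NetRoute -AddressFamily IPv6 -InterfaceIndex $idx -DestinationPrefix $Prefix -ErrorAction SilentlyContinue
    if (-not $route) {
        Write-Warning "route $Prefix missing on ifIndex $idx"; $ok = $false
        if ($Fix) { New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $idx -AddressFamily IPv6 -Publish Yes | Out-Null }
    } elseif ($route.Publish -ne 'Yes') {
        Write-Warning "route $Prefix exists on ifIndex $idx but Publish is '$($route.Publish)', not 'Yes'"; $ok = $false
        if ($Fix) { Set-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $idx -AddressFamily IPv6 -Publish Yes }
    }

    if ($ok) { Write-Host "ISATAP router configuration on ifIndex $idx is intact" }
    return $ok
}

# Usage (uncomment the one that matches the box you are on):
# Test-IsatapClient            # internal server: should list a non-fe80 address
# Test-IsatapRouter            # ISATAP server: report only
# Test-IsatapRouter -Fix       # ISATAP server: re-apply forwarding, advertising and the published route
```

Both functions look the ISATAP interface up by alias rather than by a hard-coded index, so they keep working after the index moves; the fix path re-applies exactly the three things the post restores by hand (LAN forwarding, ISATAP forwarding plus advertising, and the published prefix route). Run Test-IsatapClient on the internal server first: if it reports only fe80 addresses, move to the ISATAP server and run Test-IsatapRouter before touching firewalls or routes between DA and ISATAP.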
