Hello guys!
I have a DirectAccess 2012 R2 (two nodes in a WinNLB cluster). It is a DA-only deployment and it is virtualized on HV 2012 R2. Everything works almost fine when we are talking about DA clients accessing internal resources (IP-HTTPS only and even Force-tunneling enabled, since this is a requirement), except that sometimes DA clients just hang in the "Connecting" state; this is not the main concern and I am well past this (I've found it documented in MS VKB). For things to be even more complicated, this DA setup is "trapped" between two hardware firewalls, external & internal.
Some issues arose when I began to play with the Manage-out scenario, limited to dedicated machines only (ISATAP not enabled globally, of course).
I followed the instructions in the book "Microsoft DirectAccess Best Practices and Troubleshooting" by Jordan Krause and I am well aware of all the possible issues (ISATAP in an internal IPv4 network officially unsupported, issues with NLB in this scenario and Force-tunneling, etc.). I have studied almost all of the possible guides, blogs etc., so the setup is already tweaked a lot. I will provide additional details only if necessary, after I get answers to a few direct questions below. Thank you!
1. Protocol 41: Does it have to be enabled on both Firewalls?
It is now enabled only on the internal firewall, and only then did my dedicated Manage-out machine successfully install the ISATAP adapter and obtain its own ISATAP IP address. Therefore I think it must be enabled on the external firewall as well... inbound and outbound?
2. Does the DA Client machine have to have / obtain ISATAP IP Address in this scenario while IP-HTTPS or Teredo Address is already there?
3. Does the Manage-out session use the existing tunnel from the DA Server onward? So, from the beginning: this Manage-out session is initiated from the Manage-out machine... the 1st hop is the DA Server as ISATAP router. From there onward... does it go through the existing DA client's tunnel or does it create a new tunnel?
3.1 How safe is it if it creates a new tunnel?
4. Is there any chance that DA's default Windows Firewall settings block something?
5. Does port 3389 need to be enabled outbound on the external firewall even though the session should go into the tunnel? WAFS on the DA clients is already allowing 3389, 445, ICMPv4/6 of course... by the book. But ping in general is blocked on those internal and external firewalls :(
I guess that's all for now :)
Thank you very much for any possible answer(s)!
Bye
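Added note, not part of the original post: the questions above (whether the Manage-out machine really holds an ISATAP address, what the DA client's tunnel state is, which inbound Windows Firewall rules on the client admit RDP/SMB/ICMPv6, and whether 3389 is reachable over IPv6) can all be checked from PowerShell before touching either hardware firewall. The script below is an added, read-only diagnostic example written for this thread; it is not from the book or from Microsoft. It uses only standard cmdlets that exist on Windows 8.1 / Server 2012 R2 (Get-NetIsatapConfiguration, Get-NetIPAddress, Get-DAConnectionStatus, Get-NetFirewallRule, Get-NetFirewallPortFilter, Resolve-DnsName, Test-NetConnection). The client name in $ClientHost is a placeholder, not a host from the post, and must be replaced. Run it elevated on the Manage-out machine (ISATAP and reachability parts) and on a DA client (DA status and firewall-rule parts).

```powershell
# Added diagnostic example for DirectAccess manage-out (not from the original post).
# Read-only: it queries state and changes no setting.
param(
    [string]$ClientHost = 'DACLIENT01.corp.example'   # placeholder, replace with a real DA client
)

function Get-IsatapState {
    # ISATAP state on this host plus any address derived from it.
    # An ISATAP address embeds the IPv4 address after ':5efe:' (e.g. ...:5efe:10.1.2.3).
    $cfg  = Get-NetIsatapConfiguration
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -match '5efe:' }
    [pscustomobject]@{
        State         = $cfg.State
        Router        = $cfg.Router
        Resolution    = $cfg.ResolutionState
        IsatapAddress = ($addr | Select-Object -ExpandProperty IPAddress) -join ', '
    }
}

function Get-DAClientState {
    # Only meaningful on a DirectAccess client; the cmdlet is absent on other hosts.
    if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
        $s = Get-DAConnectionStatus
        return [pscustomobject]@{ Status = $s.Status; Substatus = $s.Substatus }
    }
    [pscustomobject]@{ Status = 'n/a (not a DA client)'; Substatus = '' }
}

function Get-ManageOutInboundRules {
    # Enabled inbound allow rules that admit RDP (3389), SMB (445) or ICMPv6,
    # with their profile and edge-traversal setting, so you can see what the
    # client will actually accept from the manage-out side.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
      ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $hit  = ($port.Protocol -eq 'ICMPv6') -or
                ($port.LocalPort -contains '3389') -or
                ($port.LocalPort -contains '445')
        if ($hit) {
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                EdgeTraversal = $rule.EdgeTraversalPolicy
            }
        }
      }
}

function Test-ManageOutReachability {
    param([string]$Target)
    # Manage-out needs the client's IPv6 (AAAA) record; then test RDP to that address.
    # PingOk will be False where ICMP is filtered, as the post says it is here,
    # so judge by Rdp3389, and by which source IPv6 address was actually used.
    $aaaa = Resolve-DnsName -Name $Target -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
    if (-not $aaaa) { return "No AAAA record for $Target; manage-out needs an IPv6 address" }
    $t = Test-NetConnection -ComputerName $aaaa.IPAddress -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target     = $Target
        IPv6       = $aaaa.IPAddress
        SourceIPv6 = $t.SourceAddress.IPAddress
        Rdp3389    = $t.TcpTestSucceeded
        PingOk     = $t.PingSucceeded
    }
}

Get-IsatapState                              | Format-List
Get-DAClientState                            | Format-List
Get-ManageOutInboundRules                    | Format-Table -AutoSize
Test-ManageOutReachability -Target $ClientHost | Format-List
```

Reading the output: if IsatapAddress is empty on the Manage-out machine, protocol 41 is not getting through to the ISATAP router regardless of what the external firewall does; if the rules table shows the 3389/445/ICMPv6 rules only on a profile the client is not currently in, or with EdgeTraversal set to Block, the client's own firewall is a candidate for question 4 before the hardware firewalls are.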