The Private Cloud Man

Private Cloud Technologies, Architecture and more!

UAG DirectAccess–Guess the Device in the Request/Response Path

UAG DirectAccess–Guess the Device in the Request/Response Path

  • Comments 9
  • Likes

imageTake a look at the figures below and see if you can guess what device is in the request/response path that you don’t typically see a UAG DirectAccess deployment.

First, the ipconfig output on a DirectAccess client located behind a NAT device:

image

Figure 1

Now let’s ping DC1:

image

Figure 2

Now let’s do a tracert from CLIENT1 and DC1:

image

Figure 3

With this information you should be able to figure out what the “novel” device is in the path between CLIENT1 and DC1. If you know, then consider yourself pretty well-versed with IPv6 addressing. If you don’t know, then here’s a great opportunity to learn something new!

UPDATE!

Now take a look at figures 4 and 5 and determine what device was removed from the path:

image

Figure 4

image

Figure 5

Think about the solutions and put your answer in the comments section. Give your reasoning. I’ll post the answer and a network diagram of the solution tomorrow.

Have fun!

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Visit the TechNet forums to discuss all your UAG DirectAccess issues
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx

Comments
  • Is it a 6to4 gateway/router? Due to the fact the hops between the client and DC have 6to4 prefixes and the client is assigned a 6to4 prefix.

  • Is that a separate ISATAP router?  Usually the UAG server would be the ISATAP router, but it looks like this other router is in between them.

  • I would guess an IPv6 firewall is in the path; this creates the additional hop in the tracert...

  • You guys are doing great! I added two more figures to make the exercise a bit more interesting.

    Thanks!

    Tom

  • Now it looks like the UAG server isn't in the path.

  • @Ken -

    No, the UAG server is in the path. But - something was removed.

    This is a pretty tricky (interesting?) scenario - you'll like the explanation tomorrow :)

    Thanks!

    Tom

  • I would guess that you also have a native IPv6 deployment in the network where your client is, since the “2002:…” - IPv6 address is assigned to the network adapter itself and not to a 6to4 tunnel adapter.

    That would also explain the IPv6 address marked as “Temporary” (Statless autoconfig?) and the Site-Local IPv6 address (fec0:..).

    So I’d say that you have a native IPv6 router in-between.

  • The client is no longer receiving a native IPv6 address and is now using Teredo/IP-HTTPS transition technologies.

    I am guessing the IPv6 firewall or router than was doing RA has been removed and we are relying on IPv4 only (hence the use of transition technolgies)...

  • Hey guys,

    I'll post the answer on Friday - got caught up in meetings today.

    Thanks!

    Tom

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment