Now for the moment you’ve all been waiting for – the answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 2 and Contest 2 Round 1/Quiz 2!

Here you go:

===========================================

Question 1:

ISATAP is an IPv6 transition technology that enables computers to tunnel IPv6 packets inside an IPv4 header. Which of the following scenarios are enabled when ISATAP is enabled on your network (select all correct answers):

     A.  ISATAP hosts on an IPv4 only network can communicate with hosts on an IPv6 only network
     B.  ISATAP hosts on an IPv4 only network can initiate connections to DirectAccess clients
     C.  DirectAccess clients can only communicate with ISATAP hosts on the intranet
     D.  ISATAP is required for all DirectAccess deployments

The answer to question 1 is A and B.

An ISATAP router placed on the intranet routes between the IPv4-only and the IPv6-capable portions of the network. ISATAP hosts on the IPv4-only network tunnel their IPv6 packets inside an IPv4 header (IP protocol 41) and send the encapsulated packets to the ISATAP router, which strips the IPv4 header and forwards the IPv6 packet to its destination on the IPv6 portion of the intranet. DirectAccess clients “live” on an IPv6-only network, since everything a DirectAccess client sends and receives is IPv6. When an ISATAP host on the intranet initiates a connection to a DirectAccess client, it tunnels the IPv6 packet in an IPv4 header and forwards it to an ISATAP router (typically the UAG DirectAccess server itself); the router removes the IPv4 header and forwards the IPv6 packet on to the DirectAccess client.

DirectAccess clients can communicate with non-ISATAP (and non-IPv6-capable) hosts on the intranet because UAG DirectAccess includes the NAT64/DNS64 service, which performs IPv6/IPv4 protocol translation. For this reason, ISATAP is not required for all DirectAccess deployments, so D is wrong, and C is wrong for the same reason. However, NAT64 only translates connections that the DirectAccess client initiates, so only ISATAP hosts and hosts with native IPv6 addressing can initiate connections to DirectAccess clients.
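The address format behind the ISATAP scenarios above, as an added example that is not part of the original post: an ISATAP address is a 64-bit prefix plus an interface identifier that embeds the host’s IPv4 address, so you can both predict the ISATAP address a given intranet host will get and, when an ISATAP address shows up in IPsec, firewall or DirectAccess logs, recover which IPv4 host is behind it. The prefix 2001:db8:1:1::/64 and the host addresses are constructed placeholders, not values from the post.

```python
"""Build and decode ISATAP addresses (added example, not from the original post).

RFC 5214 forms an ISATAP address from a 64-bit prefix plus an interface identifier
that embeds the host's IPv4 address: 0000:5EFE:w.x.y.z for private IPv4 addresses
and 0200:5EFE:w.x.y.z (the 'u' bit set) for globally unique ones.
"""
import ipaddress
from typing import Dict, Iterable, Optional

ISATAP_MARKER = 0x5EFE  # fixed 16 bits that mark an ISATAP interface identifier
U_BIT = 0x0200          # RFC 5214 6.1: set when the embedded IPv4 address is global


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Return the ISATAP address of host `ipv4` on the /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses need a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    top16 = U_BIT if v4.is_global else 0
    iid = (top16 << 48) | (ISATAP_MARKER << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an ISATAP address, or None when `addr`
    is not ISATAP-formatted (a native IPv6 host address, for example)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    top16 = iid >> 48
    marker = (iid >> 32) & 0xFFFF
    if marker != ISATAP_MARKER or top16 not in (0, U_BIT):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def classify(addrs: Iterable[str]) -> Dict[str, str]:
    """Label each intranet IPv6 address as an ISATAP host (with its IPv4 address)
    or a native IPv6 host. Both kinds can initiate connections to DirectAccess
    clients; IPv4-only hosts never appear with an IPv6 address at all."""
    result = {}
    for a in addrs:
        v4 = embedded_ipv4(a)
        result[a] = f"ISATAP host {v4}" if v4 else "native IPv6 host"
    return result


if __name__ == "__main__":
    # Constructed values: 2001:db8:1:1::/64 stands in for the intranet ISATAP prefix.
    print(isatap_address("2001:db8:1:1::/64", "192.168.1.10"))
    print(classify(["fe80::5efe:10.0.0.5",
                    "2001:db8:1:1::25",
                    "2001:db8:1:1:200:5efe:836b:1"]))
```

The decoder is the useful half in practice: an IPsec or Windows Firewall log on a DirectAccess client only ever shows the IPv6 peer, and embedded_ipv4 turns an ISATAP peer straight back into the intranet management host that initiated the connection.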

===========================================

Question 2:
The number of concurrent Teredo clients per UAG DirectAccess server is determined by the neighbor cache limit. What is the default number of Teredo clients per server supported for UAG DirectAccess?
     A.  64
     B.  128
     C.  256
     D.  512

The answer to question 2 is C.

If you check the TechNet article at http://technet.microsoft.com/en-us/library/ee382271(WS.10).aspx you would be led to believe that the answer is 128. However, if you go to your UAG server and run the command netsh interface ipv6 show global, you will see the following:

[screenshot: output of netsh interface ipv6 show global, showing Neighbor Cache Limit : 256 entries per interface]

We then need to ask “is the 256 value specific for UAG DirectAccess”? I can’t tell you for sure as I don’t have any Windows DirectAccess labs up to check the default value. But the question was specific regarding “UAG DirectAccess server” and the default value for a UAG DirectAccess server is 256.

OK – it was a tricky question, but sometimes you have to check these things out on a live server.
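A way to turn that “check it on a live server” step into a repeatable check, as an added example (not from the original post): parse the output of netsh interface ipv6 show global and compare the Neighbor Cache Limit against the number of concurrent Teredo clients you plan for. The sample output is constructed in the layout the command prints on Windows Server 2008 R2; the numbers are illustrative, not captured from a real UAG server.

```python
"""Parse `netsh interface ipv6 show global` and check the Neighbor Cache Limit
(added example, not from the original post)."""
import re
import sys
from typing import Dict

# Constructed sample in the layout Windows Server 2008 R2 prints; values are
# illustrative only.
SAMPLE_NETSH_OUTPUT = """\
Querying active state...

General Global Parameters
----------------------------------------------
Default Hop Limit                   : 128 hops
Neighbor Cache Limit                : 256 entries per interface
Route Cache Limit                   : 4096 entries per compartment
Reassembly Limit                    : 261480640 bytes
ICMP Redirects                      : enabled
Source Routing Behavior             : dontforward
Randomize Identifiers               : enabled

Current Global Statistics
----------------------------------------------
Number of Compartments              : 1
"""

# "Setting Name    : value" lines; headers, rulers and blank lines do not match.
_SETTING = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")


def parse_netsh_global(text: str) -> Dict[str, str]:
    """Return {setting name: raw value string} for every name/value line."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def neighbor_cache_limit(text: str) -> int:
    """Extract the numeric limit from e.g. '256 entries per interface'.
    Raises KeyError if the line is missing, so a parse failure is loud."""
    raw = parse_netsh_global(text)["Neighbor Cache Limit"]
    return int(raw.split()[0])


def teredo_capacity_ok(text: str, expected_teredo_clients: int) -> bool:
    """True when the per-interface limit covers the planned number of concurrent
    Teredo clients (the post's point: that limit caps Teredo clients per server)."""
    return neighbor_cache_limit(text) >= expected_teredo_clients


if __name__ == "__main__":
    # Usage: netsh interface ipv6 show global > global.txt ; python check.py global.txt 300
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSH_OUTPUT
    planned = int(sys.argv[2]) if len(sys.argv) > 2 else 128
    limit = neighbor_cache_limit(text)
    print(f"Neighbor Cache Limit = {limit}; planned Teredo clients = {planned}; "
          f"{'OK' if teredo_capacity_ok(text, planned) else 'TOO LOW'}")
```

If the check reports TOO LOW, the limit is adjustable with netsh interface ipv6 set global neighborcachelimit=<n> (a standard netsh parameter); re-run show global afterwards to confirm the active value rather than trusting the documented default.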

===========================================

Question 3:

IP-HTTPS is an IPv6 transition technology that enables DirectAccess clients to connect to the UAG DirectAccess server even when the clients are located behind web proxies or port-restricted firewalls. Which of the following statements are true regarding IP-HTTPS?
     A.  IP-HTTPS has higher protocol overhead than Teredo and 6to4
     B.  IP-HTTPS has higher processing overhead than Teredo and 6to4
     C.  IP-HTTPS is required when Force Tunneling is enabled
     D.  IP-HTTPS requires client certificate authentication to establish the SSL session

The answer to question 3 is A, B, C and D.

IP-HTTPS has higher protocol overhead because it carries the IPv6 packet inside an HTTPS (SSL over TCP) session, so on top of the IPv4 header used by all three IPv6 transition technologies it adds TCP and SSL record headers. IP-HTTPS has higher processing overhead because, in addition to the IPsec processing required by all DirectAccess connections, the SSL session encrypts the already IPsec-protected traffic a second time. IP-HTTPS is required when Force Tunneling is enabled, because DirectAccess clients configured for Force Tunneling use IP-HTTPS exclusively, which is one of the reasons you want to avoid Force Tunneling if you can.

The answer that tripped most of you was D. While not obvious, you can find information on this behavior at http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-the-no-usable-certificate-s-ip-https-client-error.aspx and http://technet.microsoft.com/en-us/library/ee731901(WS.10).aspx

===========================================

Leaderboard

[leaderboard screenshot]

===========================================

This quiz was pretty tough – and the game is really close because of it!

I’m pretty sure I got all of the entries this time (I missed a couple of you in the last quiz). If you sent in an entry and don’t see your score recorded, please let me know so that I can score your entry and get it into the leaderboard.

Make sure to check late Thursday or Friday this week for the next quiz. I’m hoping to get a “video question” up so that you’ll need to watch a short video to solve the problem.

See you then!

Thanks!

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Visit the TechNet forums to discuss all your UAG DirectAccess issues
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx