UAG DirectAccess–Guess the Device in the Request/Response Path


imageTake a look at the figures below and see if you can guess what device is in the request/response path that you don’t typically see a UAG DirectAccess deployment.

First, the ipconfig output on a DirectAccess client located behind a NAT device:

image

Figure 1

Now let’s ping DC1:

image

Figure 2

Now let’s do a tracert from CLIENT1 and DC1:

image

Figure 3

With this information you should be able to figure out what the “novel” device is in the path between CLIENT1 and DC1. If you know, then consider yourself pretty well-versed with IPv6 addressing. If you don’t know, then here’s a great opportunity to learn something new!

UPDATE!

Now take a look at figures 4 and 5 and determine what device was removed from the path:

image

Figure 4

image

Figure 5

Think about the solutions and put your answer in the comments section. Give your reasoning. I’ll post the answer and a network diagram of the solution tomorrow.

Have fun!

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
https://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Visit the TechNet forums to discuss all your UAG DirectAccess issues
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx

Comments (9)

  1. Anonymous says:

    You guys are doing great! I added two more figures to make the exercise a bit more interesting.

    Thanks!

    Tom

  2. Anonymous says:

    @Ken –

    No, the UAG server is in the path. But – something was removed.

    This is a pretty tricky (interesting?) scenario – you'll like the explanation tomorrow 🙂

    Thanks!

    Tom

  3. Anonymous says:

    Hey guys,

    I'll post the answer on Friday – got caught up in meetings today.

    Thanks!

    Tom

  4. richardf says:

    Is it a 6to4 gateway/router? Due to the fact the hops between the client and DC have 6to4 prefixes and the client is assigned a 6to4 prefix.

  5. Ken Carvel says:

    Is that a separate ISATAP router?  Usually the UAG server would be the ISATAP router, but it looks like this other router is in between them.

  6. Jason Jones says:

    I would guess an IPv6 firewall is in the path; this creates the additional hop in the tracert…

  7. Ken Carvel says:

    Now it looks like the UAG server isn't in the path.

  8. Christoph Falta says:

    I would guess that you also have a native IPv6 deployment in the network where your client is, since the “2002:…” – IPv6 address is assigned to the network adapter itself and not to a 6to4 tunnel adapter.

    That would also explain the IPv6 address marked as “Temporary” (Statless autoconfig?) and the Site-Local IPv6 address (fec0:..).

    So I’d say that you have a native IPv6 router in-between.

  9. Jason Jones says:

    The client is no longer receiving a native IPv6 address and is now using Teredo/IP-HTTPS transition technologies.

    I am guessing the IPv6 firewall or router than was doing RA has been removed and we are relying on IPv4 only (hence the use of transition technolgies)…