• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

DA and UAG and IPv6 ???

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> DA and UAG and IPv6 ??? Page: [1]
Login
Message << Older Topic   Newer Topic >>
DA and UAG and IPv6 ??? - 20.Sep.2010 1:52:56 PM   
WolfH

 

Posts: 3
Joined: 20.Sep.2010
Status: offline
Hi,

we're planning to use DA on a new project. I have read whatever I could find about DA and thought I had my arms around it. Until I met a Microsoft specialist a few days ago who told me we'd have to use UAG. He stated that, unless we have a 100% IPv6 infrastructure from the client all the way to and also inside the corpnet, we'd need UAG. Now I'm confused.

I understand UAG makes the configuration a lot easier, but it also adds cost. So I'd like to be very sure before I go to the customer and ask another several thousand bucks for UAG.

The corpnet has two W2k3 servers, one SBS W2k8 and a number of W2k8 R2 servers. Access to the W2k3 boxes from the outside will be through a terminal server, which runs on W2k8 R2. All clients are Win7. We do have a few printers and other old devices in the LAN, which only understand IPv4.

Does DA mean that even corpnet-internal clients have to use IPv6? That we can not use IPv4 devices like printers? If yes, we'll have to use the UAG.

I hope somebody has the answers or point me to a doc that describes this matter.

Thanks

Wolf
Post #: 1
RE: DA and UAG and IPv6 ??? - 22.Sep.2010 11:37:06 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Wolf,
The information you got is not entirely true. You do not need a native IPv6 infrastructure to support the Windows DA. However, all your devices that you want the DA clients to connect to need to be IPv6 capable (which means they at least need to be able to configure themselves as ISATAP hosts).

The Windows 2003 servers won't be accessible using the Windows DA solution, because they're really not completely IPv6 capable (yes, I know there is an IPv6 add-on, but services support is spotty and the results are unlikely to be positive). The Windows Server 2008 machines will be OK and the DA clients will be able to reach them.

However, if the clients are connecting to a Windows Server 2008 terminal server to connect to the Windows 2003 machines, that will work fine, since the connection is actually to the Windows 2008 machine.

All clients must be Windows 7 Enterprise or Ultimate.

Intranet clients don't have to use IPv6, although they can when they are configured as ISATAP hosts. However, ISATAP tunnels IPv6 in an IPv4 header, so you don't need to change anything on the customer's network. There will be no effect on the intranet clients being able to access the IPv4 printers.

Let me know if you have any questions. Just post them here. I check every day.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to WolfH)
Post #: 2
RE: DA and UAG and IPv6 ??? - 23.Sep.2010 2:48:15 AM   
WolfH

 

Posts: 3
Joined: 20.Sep.2010
Status: offline
Thanks Tom, that is very helpful!

I talked to a lot of people about that but nobody was as precise as you and there seesm to be a lot of misunderstandings in the field about the whole concept.

All our clients will be Enterprise and I'll study this ISATAP next.

So, just to make this a 100% clear. The internal clients will be able to print on IPv4 printers and talk to IPv4 WLAN access points without needing UAG. Right?

Cheers
Wolf 

(in reply to WolfH)
Post #: 3
RE: DA and UAG and IPv6 ??? - 23.Sep.2010 4:38:59 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Wolf,

In reality, using DA without UAG if you do not have IPv6 capable resources internally is going to be pretty disappointing and functionally limited.

To add to this, ISATAP is only really viable on Vista+ client and Windows Server 2008+ servers.

You will also find that the options available for high availability and scaling with native DA are pretty limited too.

I wrote this a while back which may help for comparison: http://blog.msedge.org.uk/2010/01/path-to-directaccess-part-1-choosing.html

Another element to consider is that even with UAG, the NAT64 component only works inbound. Consequently, if you need the remote management capabilites of DA (connect to remote DA clients from intranet management clients/servers) you will need some for of IPv6 capability on the management hosts.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to WolfH)
Post #: 4
RE: DA and UAG and IPv6 ??? - 24.Sep.2010 11:08:40 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

I agree on all points. And you know that I want everyone to use UAG for the reasons you mention. But maybe after getting a taste of the value of the Windows DA, they'll he'll want to move up to an enterprise solution and get the full benefits of DA by using UAG.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 5
RE: DA and UAG and IPv6 ??? - 24.Sep.2010 3:47:47 PM   
WolfH

 

Posts: 3
Joined: 20.Sep.2010
Status: offline
Thanks a bundle, Jason! This is exactly what I was looking for. A clear "what works, what doesn't" chart. Why can't the guys in Redmond write their product information that understandable?

I do understand the advantages of UAG now. I just wish the MS docu had anyhwere mentioned them that clearly as you guys did. Then we would have put the price for UAG into the offer and the customer would have agreed to it as we could have convinced him with good arguments. Now we come after the fact and have to try to up the price...

But better we find out now than after the installation, when half of the stuff doesn't work without UAG!

Thanks Wolf

(in reply to Jason Jones)
Post #: 6
RE: DA and UAG and IPv6 ??? - 27.Sep.2010 11:36:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Wolf,

Great! Let us know if you run into any issues with your UAG DirectAccess deployment.

In addition to Jason's blog (which is GREAT for UAG DirectAccess information), there is also my "Edge Man" blog where you can find some useful information on UAG and DirectAccess.

Check out The Edge Man over at:

http://blogs.technet.com/b/tomshinder/

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to WolfH)
Post #: 7
RE: DA and UAG and IPv6 ??? - 27.Sep.2010 11:44:28 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nice feedback, thanks!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 8
RE: DA and UAG and IPv6 ??? - 28.Sep.2010 12:04:47 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey - I gotta give credit where credit is due :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> DA and UAG and IPv6 ??? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts