We're planning to use DA on a new project. I have read whatever I could find about DA and thought I had my arms around it. Until I met a Microsoft specialist a few days ago who told me we'd have to use UAG. He stated that, unless we have a 100% IPv6 infrastructure from the client all the way to and also inside the corpnet, we'd need UAG. Now I'm confused.
I understand UAG makes the configuration a lot easier, but it also adds cost. So I'd like to be very sure before I go to the customer and ask another several thousand bucks for UAG.
The corpnet has two W2k3 servers, one SBS W2k8 and a number of W2k8 R2 servers. Access to the W2k3 boxes from the outside will be through a terminal server, which runs on W2k8 R2. All clients are Win7. We do have a few printers and other old devices in the LAN, which only understand IPv4.
Does DA mean that even corpnet-internal clients have to use IPv6? That we cannot use IPv4 devices like printers? If yes, we'll have to use the UAG.
I hope somebody has the answers or can point me to a doc that describes this matter.
Hi Wolf, The information you got is not entirely true. You do not need a native IPv6 infrastructure to support the Windows DA. However, all your devices that you want the DA clients to connect to need to be IPv6 capable (which means they at least need to be able to configure themselves as ISATAP hosts).
The Windows 2003 servers won't be accessible using the Windows DA solution, because they're really not completely IPv6 capable (yes, I know there is an IPv6 add-on, but services support is spotty and the results are unlikely to be positive). The Windows Server 2008 machines will be OK and the DA clients will be able to reach them.
However, if the clients are connecting to a Windows Server 2008 terminal server to connect to the Windows 2003 machines, that will work fine, since the connection is actually to the Windows 2008 machine.
All clients must be Windows 7 Enterprise or Ultimate.
Intranet clients don't have to use IPv6, although they can when they are configured as ISATAP hosts. However, ISATAP tunnels IPv6 in an IPv4 header, so you don't need to change anything on the customer's network. There will be no effect on the intranet clients being able to access the IPv4 printers.
Let me know if you have any questions. Just post them here. I check every day.
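An added example, not part of the original replies: a short Python sketch of how an ISATAP address embeds the host's IPv4 address (interface identifier `0:5efe:a.b.c.d`, or `200:5efe:a.b.c.d` for a globally unique IPv4 address, per RFC 5214), which is useful when auditing which intranet hosts DA clients could reach. The prefix `2001:db8:0:1::/64`, the host addresses and the function names are constructed for illustration.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214):
# 0000:5efe for private IPv4, 0200:5efe when the IPv4 address is globally unique.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def isatap_address(prefix, ipv4, globally_unique=False):
    """Build the ISATAP IPv6 address for an IPv4 host under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    marker = ISATAP_MARKERS[1] if globally_unique else ISATAP_MARKERS[0]
    iid = (marker << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(ipv6):
    """Return the IPv4 address carried in an ISATAP address, else None."""
    value = int(ipaddress.IPv6Address(ipv6))
    if (value >> 32) & 0xFFFFFFFF in ISATAP_MARKERS:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return None


def audit(addresses):
    """Map each IPv6 address to its underlying IPv4 host (None if not ISATAP)."""
    return {a: embedded_ipv4(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample: one server derived from the prefix, one link-local
    # ISATAP address, and one native IPv6 address.
    server = isatap_address("2001:db8:0:1::/64", "192.168.1.50")
    sample = [str(server), "fe80::5efe:c0a8:10a", "2001:db8:0:2::25"]
    for addr, v4 in audit(sample).items():
        print(f"{addr:32} -> {v4 if v4 else 'not ISATAP'}")
```

The IPv6 packet itself travels inside an IPv4 packet (IP protocol 41) addressed to the embedded IPv4 address, which is why the existing IPv4 routing does not have to change.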
I talked to a lot of people about that but nobody was as precise as you and there seems to be a lot of misunderstandings in the field about the whole concept.
All our clients will be Enterprise and I'll study this ISATAP next.
So, just to make this 100% clear. The internal clients will be able to print on IPv4 printers and talk to IPv4 WLAN access points without needing UAG. Right?
Another element to consider is that even with UAG, the NAT64 component only works inbound. Consequently, if you need the remote management capabilities of DA (connect to remote DA clients from intranet management clients/servers) you will need some form of IPv6 capability on the management hosts.
I agree on all points. And you know that I want everyone to use UAG for the reasons you mention. But maybe after getting a taste of the value of the Windows DA, they'll want to move up to an enterprise solution and get the full benefits of DA by using UAG.
Thanks a bundle, Jason! This is exactly what I was looking for. A clear "what works, what doesn't" chart. Why can't the guys in Redmond write their product information that understandable?
I do understand the advantages of UAG now. I just wish the MS docu had anywhere mentioned them as clearly as you guys did. Then we would have put the price for UAG into the offer and the customer would have agreed to it as we could have convinced him with good arguments. Now we come after the fact and have to try to up the price...
But better we find out now than after the installation, when half of the stuff doesn't work without UAG!
Great! Let us know if you run into any issues with your UAG DirectAccess deployment.
In addition to Jason's blog (which is GREAT for UAG DirectAccess information), there is also my "Edge Man" blog where you can find some useful information on UAG and DirectAccess.