
Setting IP addresses on a UAG DirectAccess Server

NOTE:
I have written a much more comprehensive guide on UAG DirectAccess that you can find on my Concurrency Blog. This particular article has also been updated and can be found there as Part 1 of the series.

DirectAccess is pretty cool stuff, but getting started with it might send your head spinning if you haven’t done it before. One of the first things you need to do before configuring DirectAccess is to correctly set up the IP addresses of your server.

I will assume you are not using IPv6 for anything else right now. This TechNet article is a good starting point.

Your UAG server will act as an entry point into your network from the outside Internet, so you need two network interfaces. One will be connected to your network (AKA Internal NIC or Inside Interface) and the other will be connected to the Internet or perhaps to your DMZ (AKA External NIC or Outside Interface). Here are a few things to focus on when setting up your IP addresses.

Remove the gateway from the Internal NIC

The Gateway needs to be set on the External NIC so that all traffic that is not bound for something within your Windows Domain is treated as “External” and gets routed through its outside interface (its own internet connection).

Add Static Routes for any private subnets to the Internal NIC

Because the External NIC gets the gateway setting, the Internal NIC should NOT have a default gateway. But what if you have multiple subnets or VLANs in your domain? Without a gateway on the Internal NIC, your server will not be able to talk outside of its own subnet. You fix that by defining persistent static routes on the Internal NIC. Any traffic destined for an IP within the range of a defined route will traverse your Internal NIC and anything else will go through the default gateway (aka default route).

I like to get the list of Subnets as shown in the AD Sites and Services MMC and then run the command below for each one. NOTE: In slash notation a /16 is 255.255.0.0 and /24 is 255.255.255.0. All routes get “metric 1” and -p makes it persistent.

> route add [NETWORK] mask [SUBNET] [GATEWAY] metric 1 -p

So if your UAG server has an internal IPv4 address of 192.168.1.50 and uses 192.168.1.1 as its gateway, but you also have a 10.10.0.0 network, you would add it like this:

> route add 10.10.0.0 mask 255.255.0.0 192.168.1.1 metric 1 -p
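To avoid typing one route per subnet by hand, here is an added helper (example code, not from the original post) that takes the CIDR list you would copy out of AD Sites and Services and emits the persistent `route add` lines. It also skips the Internal NIC's own subnet (directly connected, so no route is needed) and refuses a gateway that is not on that NIC's segment, which is the most common reason a static route silently fails. The server values below are the ones used in the text.

```python
import ipaddress


def route_add_commands(internal_ip, internal_prefixlen, internal_gateway, subnets):
    """Build persistent 'route add' commands for the Internal NIC.

    internal_ip / internal_prefixlen describe the Internal NIC itself,
    internal_gateway is the router on that segment, and subnets is the
    list of private networks (CIDR strings) taken from AD Sites and Services.
    """
    iface = ipaddress.ip_interface(f"{internal_ip}/{internal_prefixlen}")
    gateway = ipaddress.ip_address(internal_gateway)
    # A next hop that is not on-link for the Internal NIC can never be reached.
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not on the Internal NIC subnet {iface.network}")

    commands = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        # The NIC's own subnet is directly connected; Windows already routes it.
        if net == iface.network:
            continue
        # Only private ranges belong here; anything else should take the default route.
        if not net.is_private:
            raise ValueError(f"{net} is not a private range and belongs on the default route")
        # Slash notation is turned into the dotted mask that route.exe expects.
        commands.append(f"route add {net.network_address} mask {net.netmask} {gateway} metric 1 -p")
    return commands


if __name__ == "__main__":
    # Constructed sample: the server from the text plus one extra site subnet.
    for line in route_add_commands("192.168.1.50", 24, "192.168.1.1",
                                   ["10.10.0.0/16", "192.168.1.0/24", "172.16.5.0/24"]):
        print(line)
```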

Set the IPv6 Address to the HEX of your IPv4 address

If your network is 100% IPv4, meaning all your IP addresses are the traditional “dotted quad” a.b.c.d style, then you do not have any IPv6 addresses to worry about and it means you will be using ISATAP (see here). This seems to be the most common scenario (this TechNet article calls it “Scenario #3” actually). That scenario also states that you will not need to assign an IPv6 address.

However, you must leave IPv6 enabled, and that leaves it seeking out a DHCP server, so I still like to assign an address. The confusing bit is how do you know what IPv6 address to use? The quick way is to convert your IPv4 address, and you can do that using the converter at SubnetOnline. You want to know how it works? You take your IPv4 address and convert each octet into its hexadecimal value (here’s a tool for that). Then combine those values with a prefix of fe80::5efe. For example, let’s use 192.168.1.50.

So 192.168.1.50 becomes fe80:0000:0000:0000:0000:5efe:c0a8:0132. An IPv6 address is made up of eight groups of hexadecimal quartets separated by colons. This fixed structure allows some tricks to be used in order to reduce the length of an IPv6 address for us humans to read. It’s called shorthand notation when you eliminate all leading 0’s and completely omit groups that are all 0’s. So fe80:0000:0000:0000:0000:5efe:c0a8:0132 becomes fe80::5efe:c0a8:132 but means exactly the same thing. You can read more about IPv6 notation at IPv6.com and ISATAP on Wikipedia.
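The conversion and the shorthand rule above, as an added example (not code from the original post): it builds the long-form ISATAP link-local address from an IPv4 address, applies the shorthand rule by hand, and recovers the embedded IPv4 address from an ISATAP address so you can sanity-check what a converter gave you. The 5efe marker is the one used in the text; the function names are my own.

```python
import ipaddress


def isatap_link_local(ipv4):
    """Long-form link-local ISATAP address: fe80:: + 0000:5efe + IPv4 as two hex quartets."""
    octets = ipaddress.IPv4Address(ipv4).packed  # four bytes, e.g. c0 a8 01 32
    quartet_hi = f"{octets[0]:02x}{octets[1]:02x}"
    quartet_lo = f"{octets[2]:02x}{octets[3]:02x}"
    return f"fe80:0000:0000:0000:0000:5efe:{quartet_hi}:{quartet_lo}"


def shorthand(ipv6):
    """Apply the shorthand rules from the text to a long-form (8 quartet) address:
    strip leading zeros from each quartet, then replace the longest run of two or
    more all-zero quartets with '::'. Only one run is collapsed, so the result is
    unambiguous."""
    groups = [g.lstrip("0") or "0" for g in ipv6.split(":")]
    best_start, best_len = -1, 1
    run_start = None
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def embedded_ipv4(ipv6):
    """Recover the IPv4 address carried in an ISATAP address, or None if the
    interface identifier does not carry the 5efe marker."""
    raw = ipaddress.IPv6Address(ipv6).packed  # 16 bytes; marker sits at bytes 10-11
    if raw[10:12] != b"\x5e\xfe":
        return None
    return str(ipaddress.IPv4Address(raw[12:16]))


if __name__ == "__main__":
    long_form = isatap_link_local("192.168.1.50")
    print(long_form, "->", shorthand(long_form), "->", embedded_ipv4(long_form))
```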

No DNS on the External NIC

Make sure the Internal Interface is the only one configured with DNS servers and do not register the external interface with DNS. Also, uncheck File and Printer Sharing for Microsoft Networks, uncheck Client for Microsoft Networks, and from the advanced settings you should uncheck NetBIOS over TCP/IP.

Change Binding Order

I am not sure this makes much of a difference really, but while troubleshooting another issue with Microsoft, they had me change the binding order under the Advanced Settings of the Network Connections Control Panel. Just hit Alt to bring up the Advanced menu, select Advanced settings and then move the Internal NIC to the top of the list.

Once you have this done, the last thing you need to do (or perhaps the first thing you should have done) is to make sure the NICs are actually attached to the correct network. Ensure that the routing on your switches and gateways is set up correctly and, if you’re using a VM, that your virtual networks are configured correctly to allow access to the two network segments.

Now you can move on to actually configuring DirectAccess itself.

Note: Jason Jones, a Forefront MVP, also has a good post on this topic.

  1. 2010-Aug-16 at 03:59 pm

    Loving those cool pictures!!! 🙂
