Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag

This week I had an issue with my DirectAccess lab environment which is based on the Test Lab Guide scenario “Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration“. In the DirectAccess Monitor Reports one of the array members was not healthy at the Network Security, Teredo Server and Teredo Relay level.

In the event log I found the following error: Event ID 10114 Source: UAG DA Management. Continue reading “Troubleshooting DirectAccess – Teredo Server/Relay not healthy #uag”

#DirectAccess support for wildcard certificates

As you probably might know Forefront UAG DirectAccess deployment requires a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the Forefront UAG DirectAccess server, and the network location server.

Certifcates used by DirectAccess can be catagorized by:

Continue reading “#DirectAccess support for wildcard certificates”

Configuring #DirectAccess for #Lync #OCS voice/video in a split DNS scenario

 One of the considerations for DirectAccess planning is to decide which DNS names should be resolved internally, by your organization’s internal DNS servers, and which should be resolved externally, using an external (ISP) DNS server configured for your computer’s network interface. This distinction about which DNS server to send each query to is configured on a Windows 7 or Windows Server 2008 R2 computer using entries in the DNS Client resolver’s Name Resolution Policy Table (NRPT).

It’s recommended to use Edge Server role rather than VPN, IPSEC etc. protocols. There is an overhead and added latency when these protocols are used. The Audio/Video and media traffic is highly sensitive to latency and jitter. If you add additional encryption, it will cause delay, because it’s needed to process the traffic on client AND server side for encrypt and decrypt the data. If the traffic goes through DirectAccess network path, it can cause a long delay, jitter. Because the sensivity of A/V and media.

Without split-brain DNS, there is a natural dividing line between the DNS queries that DirectAccess and the NRPT should send to internal DNS and those that should stay on the internet. But beware! If you have split-brain DNS you may need to make some special allowances for DNS queries that should stay on the internet. Continue reading “Configuring #DirectAccess for #Lync #OCS voice/video in a split DNS scenario”

#Forefront #UAG 2010 SP1 | #DirectAccess Resources

Past few weeks I have been involved with the implementation of direct access to one of our customers. This implementation was successfully achieved by using the following resources:


Planning & Design

  Continue reading “#Forefront #UAG 2010 SP1 | #DirectAccess Resources”

Configuration Manager clients Auto-Site Assignment with DirectAccess IPv6 #sysctr

Currently I’am implementing DirectAccess (DA) infrastructure for a Dutch customer. First I must say I am very satisfied with its operation of DA. Part of DA is remote management (Eventlog, RDP, SCCM, DPM) of Internet DA clients from Intranet, which is pretty nice working as well!

I was wondering how SCCM client auto-site assignment works through DA. Is it a supported scenario and how does I have to define site boundaries as auto site-assignment is based on? Does I have to define my DA server IPv6 or corporate IPv6 prefix as SCCM IPv6 site boundary? Yes, yes, yes!!! Auto-site assignment is supported by DA and works pretty straight foward as it does for your intranet clients :-)

But first some background of IPv6 prefix.

If you have an IPv4 address on the internal facing interface of UAG DirectAccess server, DirectAccess assumes that you don’t have IPv6 deployed in your organization. An IPv6 address is 128 bit – the first 64 bits are the IPv6 “prefix” (which is similar to the IPv4 network ID) and the last 64 bits represent the IPv6 Host ID (similar to the IPv4 host ID). The UAG DirectAccess wizard configures the network prefix information using a 6to4 prefix based on the public IP address bound to the UAG DirectAccess server. Continue reading “Configuration Manager clients Auto-Site Assignment with DirectAccess IPv6 #sysctr”