I can only imagine the pain for roaming profiles over *any* VPN link.

We have not implemented IPv6 internally or externally - the only IPv6
addresses on machines internally are self-assigned link-local, aside
from the NAT64 and other stuff on the 2012 R2 DA server itself, and
two servers with ISATAP addresses for manage out capability (a tools
box and our PDQ Deploy/Inventory server).

I really want to do an IPv6 implementation, but realistically it's far
down the list of priorities. Too many other things to work on before
getting dual-stacked.


Kurt

On Tue, Jan 3, 2017 at 1:21 PM, Miller Bonnie L.
<[email protected]> wrote:
> That's troubling, we have many of the pieces in place now, but haven't gone 
> live yet as we are trying to rid ourselves of roaming profiles first--very 
> painful over DA to wait around for those to load, if they do at all.
>
> Testing from here has worked, but that has all been through a couple of cell 
> connections, although they do have v6 addresses dished to them (Verizon for 
> mine).  I still have Comcast at home, so it sounds like time to fire up a 
> test.
>
> Do you have native v6 to the edge on your server end, or are you using NAT?  
> We have native v6, so not sure if it will make a difference.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Thursday, December 22, 2016 9:16 PM
> To: ntsysadm <[email protected]>
> Subject: Re: [NTSysADM] Anyone here using DirectAccess?
>
> We use all of the available protocols - Teredo, IP-HTTPS and 6to4, on a 
> 2012R2 server. The server has the usual two consecutive addresses to 
> facilitate their use.
>
> In the one case where I was able to work with the remote employee to 
> reconfigure his router and stop it from handing out IPv6 addresses, the 
> problem immediately disappeared.
>
> This explanation from 2011 covers the problem, but doesn't provide a solution.
> https://www.ivonetworks.com/news/2011/11/client-side-ipv6-and-directaccess-dont-always-get-along/
>
> These folks have taken the sledgehammer approach, which seems highly 
> inappropriate, and I'm not going there, and I don't even know if it
> works:
> http://www.torivar.com/2016/05/19/direct-access-client-side-ipv6-issues/
>
> Kurt
>
> On Thu, Dec 22, 2016 at 8:02 PM, Eric Morrison <[email protected]> 
> wrote:
>> Odd issue for it not to work as IPv6 is the technology it uses. Are you only 
>> allowing 443 traffic? DA v1 used Teredo and required a few other ports if 
>> they came in over IPv6 I believe.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Thursday, December 22, 2016 3:57 PM
>> To: ntsysadm <[email protected]>
>> Subject: [NTSysADM] Anyone here using DirectAccess?
>>
>> I've been fighting (once every couple of months) with DirectAccess over IPv6 
>> addresses handed out by home routers.
>>
>> Some staff (mostly Comcast and ATT customers) are getting the addresses, 
>> along with an IPv4 address, and when that happens, it's very hit or miss 
>> whether the computer at home will connect via DirectAccess.
>>
>> Fortunately, we have a backup SSL VPN unit, so folks can use that as an 
>> alternative, but it's not really satisfactory to staff to have to figure out 
>> that DirectAccess isn't working and then switch to the SSL VPN.
>>
>> I've googled off and on for a long time (months!), and posted in the 
>> appropriate forum on Technet, with no particular resolution.
>>
>> I don't experience it, because Frontier FIOS isn't handing me an IPv6
>> address, so I can't replicate it directly, and when I get a call from
>> someone who's suffering, they generally don't want to take the time to
>> do the extensive troubleshooting required.
>>
>> Frustrating...
>>
>> Any thoughts welcome.
>>
>> Kurt
>>
>>
>
>

