DirectAccess IPHTTPS interface qualify over Teredo

Posted by Ahmed Nabil In | 3 comments»
Its been noticed on several Direct access deployments that the Client IPHTTPS interface gets connected first over the Teredo interface although nothing is preventing the Teredo interface to get activated. Most of the clients won't prefer the IPHTTPS because of its high overhead and low performance compared to Teredo or 6to4. After some investigation and consulting Microsoft esclation engineers it turned out that its a well known issue on several clients where the Teredo and IPHTTPS race together and IPHTTPS wins at the end due to timing issues. This is elaborated in details on the following Microsoft Technet article

As per that attached below image extracted from the above mentioned article that this issue can occur and IPHTTPS will win and get qualified first.

IPHTTPS qualify over Teredo due to timing issues

 To test whether my client is in this condition, i ran IPCONFIG /ALL on my client machine and i noticed that i have public addresses on both my Teredo and IPHTTPS interface as per attached.

Both IPHTTPS and Teredo interface have public IP address

To make sure you are using always Teredo you can implement one of the following workarounds:

  1. Disable IPHTTPSinterface from the Device Manager - View Hidden devices - Network adapters (unless you need IPHTTPS in locations where Teredo UDP port is blocked)
  2. After logging and connecting using the IPHTTPS, Restart the "IP Helper" Service.

For more information about this issue please check Tom Shinder article

Also its recommended to patch the UAG/Direct Access server with the latest fixes related to Direct Access, the most recent updates/fixes are as follows:



admin Says:

ok now I have hundreds of clients and lot of them are connecting via IPHTTPS instead of Teredo even that there is nothing preventing them from using it. How to fix this in domain? Any GPO ideas?

Ahmed Nabil Says:

I would suggest the following (Passed by this issue before and confirmed it with Microsoft Support team):

You need to open gpmc.msc on the domain controller and perform the following steps.

1. Highlight the “UAG Direct Access : clients”
2. On the right pane, go to the settings tab.
3. View the administrative templates, go to the policy definition which says Network/TCPIP Settings/IPv6 transition technologies.
4. Right click the policy which says “IP-HTTPS state” and click on edit
5. Expand computer configuration  Policies  Administrative templates  Network  TCPIP settings  IPv6 transition technologies  Edit the policy IP-HTTPS state
6. Select the “Select state from the following options” under the Options window. Select the state as Disabled.

Amazing Quotes Says:

Very Nice And Interesting Post, thank you for sharing
Inspirational Quotes - Gym Quotes
Best Quotes - Success Quotes
Positive Life Quotes - Image Bank
Future Quotes - Excellence Quotes
كلام جميل - Keep Smiling Quotes

Post a Comment