Forum Discussion
IPHTTPS with DirectAccess Not working with F5
I am helping a client implement DirectAccess 2012 using IPHTTPS as the Protocol. The setup is
ISP Firewall----Client Firewall------F5 (Big IP) ----DA Servers---Internal Network.
The ISP is doing 1-to-1 NAT from the public IP addresses to an internal range on the client's firewall. From there the traffic is forwarded to the F5 and then to DA. The setup works fine with DA in a single-server configuration: I can connect and access internal resources. But when I enable External Load Balancer with standard SSL forwarding to the DA servers, the setup never works. I am NOT terminating the SSL on the F5.
The servers point to the internal IP of the F5 as their default gateway. One thing I am confused about is where to use the VIP that is created by the DA ELB wizard. I have four servers with 10.20.4.41, .42, .43 and .44, and when I run the Load Balancing wizard it turns the .41 IP into the VIP and I have to use .45 as the DIP. But the F5 only requires the Self IP and no VIP, so where exactly do I use this IP, which is on the same network as the DA servers' external interface? I am using a Performance (Layer 4) profile on the F5.
True, MAC spoofing is not needed.
I see two strange things.
1. Teredo interfaces are being enabled. A two-interface setup behind an edge device normally skips this step, as Teredo only works with public IPv4 addresses on the DA servers.
2. The pseudo network adapter is not getting an address assigned.
What is the output of the powershell command "get-NetDnsTransitionConfiguration" ?
Martijn
12 Replies
- Amit_Bhatnagar_
Thank you for the response! Here is the output... I could not find what is mentioned in your post. Can you please check?
---------------------------------- IPv6 Configuration ----------------------------------
pushd interface ipv6
reset
set global groupforwardedfragments=disabled
add route prefix=fd37:3bf2:a48c:1::/64 interface="isatap.{74A133D5-B0FC-4D28-A5E9-D847384C2E58}" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:1::/64 interface="isatap.{CF3F733D-4E37-4E79-A80D-12041AA27A41}" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:1000::/64 interface="IPHTTPSInterface" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6::/48 interface="BE-PROD (DMZ-L3)" nexthop=:: publish=Yes
add route prefix=fd80:aea0:34a6:7777::/96 interface="BE-PROD (DMZ-L3)" nexthop=:: publish=Yes
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="isatap.{74A133D5-B0FC-4D28-A5E9-D847384C2E58}" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=enabled
set interface interface="Teredo Tunneling Pseudo-Interface" forwarding=enabled advertise=enabled mtu=1280 nud=enabled ignoredefaultroutes=disabled
set interface interface="BE-PROD (DMZ-L3)" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="isatap.{CF3F733D-4E37-4E79-A80D-12041AA27A41}" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=enabled
set interface interface="DMZ-L2" forwarding=disabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Loopback Pseudo-Interface 1" forwarding=enabled advertise=disabled metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled ecncapability=ecndisabled
set interface interface="6TO4 Adapter" forwarding=enabled advertise=disabled metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled ecncapability=ecndisabled
set interface interface="IPHTTPSInterface" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled advertisedefaultroute=disabled
add address interface="BE-PROD (DMZ-L3)" address=fd80:aea0:34a6:3333::1/128
add address interface="IPHTTPSInterface" address=fd80:aea0:34a6:1000::1/128
add address interface="IPHTTPSInterface" address=fd80:aea0:34a6:1000::2/128
popd
End of IPv6 configuration
---------------------------------- 6to4 Configuration ----------------------------------
pushd interface 6to4
reset
set state state=enabled
popd
End of 6to4 configuration
Hi Amit,
I have encountered some problems when switching from single server to load balancing and back. Please check the following settings and make sure the DNS64 setup is complete after running the load balancing wizard.
1. Run the following at the command prompt: netsh int ipv6 dump. Take note of the IPv6 address on "Loopback Pseudo-Interface 1". This should be the internal IPv6 VIP configured during setup.
2. Run the following PowerShell command: get-NetDnsTransitionConfiguration. Make sure the output contains the following: AcceptInterface : {Loopback Pseudo-Interface 1}
3. Check the local firewall on the server and make sure that DNS requests are allowed to the internal IPv6 VIP address that you got from the netsh dump under Loopback Pseudo-Interface 1.
The F5 only needs to host the VIP that you configure clients to connect to (the external DNS name you configure during DA setup or config).
I presume the DA servers have their external interface configured with the default gateway pointing to the F5? Do you use SNAT on the virtual server?
Kind regards,
Martijn
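The checks from both of Martijn's replies (internal IPv6 VIP on the loopback interface, DNS64 AcceptInterface, firewall allowing DNS to the VIP, Teredo enabled on the server, no address on the IPHTTPS adapter) can be collected into one script run on the DA server. The script below is an added example written for this page; it is not code from the thread, from F5 or from Microsoft. The test hostname and the NAT64 prefix are placeholders (the prefix is taken from the fd80:aea0:34a6:7777::/96 route in the posted dump and must be replaced with your own), and the DNS64 query at step 4 goes beyond what the reply asks for: it proves that the VIP actually answers with a synthesized AAAA record, rather than only that the configuration looks right.

```powershell
# Added example, not from the thread: post-load-balancing-wizard health check for a
# DirectAccess server behind an external load balancer. Run in an elevated PowerShell
# session on the DA server (Windows Server 2012 or later; uses the NetTCPIP,
# NetworkTransition, NetSecurity and DnsClient modules that ship with Windows).
# ASSUMPTIONS (placeholders, not from the thread): the hostname and NAT64 prefix below.
param(
    [string]$InternalTestName = 'fileserver.corp.example',   # any internal name that has only an A record
    [string]$Nat64Prefix      = 'fd80:aea0:34a6:7777::'      # the /96 NAT64 prefix from the netsh dump
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([bool]$Ok, [string]$Check) {
    $findings.Add([pscustomobject]@{ Status = $(if ($Ok) { 'OK' } else { 'FAIL' }); Check = $Check })
}

# True when the first 96 bits (12 bytes) of $Address match the NAT64 prefix.
function Test-InNat64Prefix([string]$Address) {
    $prefix = ([System.Net.IPAddress]::Parse($Nat64Prefix)).GetAddressBytes()[0..11]
    $bytes  = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()[0..11]
    return (($bytes -join ',') -eq ($prefix -join ','))
}

# 1. PowerShell equivalent of reading "netsh int ipv6 dump": the wizard binds the internal
#    IPv6 VIP to "Loopback Pseudo-Interface 1" next to ::1. If only ::1 is there, DNS64 has
#    nothing to listen on and clients cannot resolve internal names.
$vip = Get-NetIPAddress -InterfaceAlias 'Loopback Pseudo-Interface 1' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
       Where-Object { $_.IPAddress -ne '::1' } | Select-Object -First 1 -ExpandProperty IPAddress
Add-Finding ($null -ne $vip) "Internal IPv6 VIP on Loopback Pseudo-Interface 1: $(if ($vip) { $vip } else { 'none' })"

# 2. DNS64 must accept queries on that loopback interface.
$dns64  = Get-NetDnsTransitionConfiguration
$accept = @($dns64.AcceptInterface)
Add-Finding ($accept -contains 'Loopback Pseudo-Interface 1') "DNS64 AcceptInterface: $($accept -join ', ')"

# 3. Windows Firewall: an enabled inbound allow rule for local port 53 whose local address
#    scope is Any or includes the VIP. A profile left over from the single-server setup may lack it.
$dnsRules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort -contains '53' })
$coversVip = $false
foreach ($rule in $dnsRules) {
    $local = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).LocalAddress)
    if ($local -contains 'Any' -or ($vip -and $local -contains $vip)) { $coversVip = $true; break }
}
Add-Finding $coversVip "Inbound DNS (port 53) allowed to the VIP ($($dnsRules.Count) enabled port-53 allow rule(s) found)"

# 4. End to end: ask the VIP for an internal name. DNS64 must hand back a AAAA record that
#    lies inside the NAT64 prefix; an A-only answer or a timeout means DNS64 is not in the path.
if ($vip) {
    $answer = Resolve-DnsName -Name $InternalTestName -Type AAAA -Server $vip -DnsOnly -ErrorAction SilentlyContinue
    $synth  = @($answer | Where-Object { $_.Type -eq 'AAAA' -and (Test-InNat64Prefix $_.IPAddress) })
    Add-Finding ($synth.Count -gt 0) "DNS64 synthesized AAAA for $InternalTestName via ${vip}: $($synth.IPAddress -join ', ')"
}

# 5. Transition technologies on the server itself. Behind an edge device with private
#    external IPs, Teredo should be disabled on the DA server; IP-HTTPS needs a global
#    (non fe80::) address on IPHTTPSInterface, which the original poster reports missing.
$teredo = Get-NetTeredoConfiguration
Add-Finding ($teredo.Type -eq 'Disabled') "Teredo type on DA server: $($teredo.Type)"

$ipHttps = Get-NetIPHttpsState
Add-Finding ($ipHttps.LastErrorCode -eq 0) "IP-HTTPS: $($ipHttps.InterfaceStatus) (LastErrorCode $($ipHttps.LastErrorCode))"

$ipHttpsAddr = @(Get-NetIPAddress -InterfaceAlias 'IPHTTPSInterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -notlike 'fe80:*' })
Add-Finding ($ipHttpsAddr.Count -gt 0) "IPHTTPSInterface global addresses: $(if ($ipHttpsAddr) { $ipHttpsAddr.IPAddress -join ', ' } else { 'none' })"

$findings | Format-Table -AutoSize
```

Run it once before and once after the load balancing wizard on each node; a FAIL on check 1 or 2 with an OK on check 5 points at the wizard having left the DNS64 side half-configured, which is the failure mode described above, while a FAIL on the IPHTTPSInterface address with an OK on the loopback VIP points back at the F5 path (default gateway, SNAT, or the Performance L4 virtual server) rather than at DNS64.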