DirectAccess is a great method for providing secure remote access to corporate laptops. However, getting RemoteApps to work over DirectAccess is a challenge! DirectAccess is completely based on IPv6 encapsulated over IPv4 using IP-HTTPS (when using Windows 8). Company resources are addressed using IPv6, but RemoteApps solely communicate over IPv4, which causes an error when starting a RemoteApp while connected through DirectAccess.
To resolve this issue we need to use something called ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), which defines a method for generating a link-local IPv6 address from an IPv4 address.
In this tutorial we are using a company called ICT R US; the internal domain is IRU.INT and the external domain is ICTRUS.COM.
To enable ISATAP the following steps need to be taken:
After these 5 steps have been implemented, RemoteApp will also work over a DirectAccess connection.
Create a group policy defining the previously created DNS record as the ISATAP router name
Using the DNS management console we’re going to create an A record called SBCISATAP which points to the IPv4 address of the DirectAccess server. We’re going to call the record SBCISATAP.IRU.INT because ISATAP.IRU.INT as record name apparently isn’t allowed (memo to self: why not?). The reason is the DNS Server role’s global query block list, which by default blocks queries for the host names ISATAP and WPAD so that those names cannot be registered and hijacked; a record with a different name is therefore the easiest way around it. We can use any name for this record (fluffybunny.iru.int comes to mind).
Once we have created the A record, we can create a group policy to define the ISATAP router name:
Two settings need to be enabled, both are found in Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies:
Enable ISATAP state in GPO
We now have to change the ISATAP state by changing the following setting:
This policy needs to be applied to all servers involved in the RemoteApp deployment: the RDS Gateway server (if present), the RDWeb server(s), the RDS Broker(s) and the RDS Session Host(s).
Add the FQDN of the RDS broker farm to the Name Resolution Policy Table on the DirectAccess server
Open the Remote Access Management Console and click on the “edit” button of the Infrastructure Servers (Step 3):
We need to add the DNS suffix for the RDS Broker or broker farm:
Although it is not really a DNS suffix, we are using the FQDN of the broker farm. Do not forget to click the “Detect” button, because we need the IPv6 address listed here! We’ll end up with something like this:
An nslookup against a server which doesn’t have ISATAP enabled will return a normal IPv4 address, but an nslookup against a server with ISATAP enabled will return both IPv6 and IPv4 addresses.
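The same DNS record, ISATAP settings and verification steps, as an added PowerShell example that is not part of the original post. The DirectAccess server address 10.0.0.10 and the broker farm name rdsfarm.iru.int are placeholders; only the record name SBCISATAP and the zone IRU.INT come from the tutorial.

```powershell
# Added example: script the ISATAP steps from this tutorial and verify the result.
# Placeholders (not values from the post): 10.0.0.10 and rdsfarm.iru.int.
$Zone           = 'iru.int'
$IsatapRecord   = 'sbcisatap'        # the post uses SBCISATAP rather than ISATAP (see below)
$DaServerIPv4   = '10.0.0.10'        # placeholder: IPv4 address of the DirectAccess server
$BrokerFarmFqdn = 'rdsfarm.iru.int'  # placeholder: FQDN of the RDS broker farm

# --- On the DNS server (DnsServer module) -----------------------------------
# Why ISATAP.IRU.INT would not have resolved: the DNS Server role keeps a
# global query block list that contains "isatap" and "wpad" by default, so
# queries for those host names are not answered even when a record exists.
Get-DnsServerGlobalQueryBlockList

# Create the A record that ISATAP clients use to find the ISATAP router.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $IsatapRecord -IPv4Address $DaServerIPv4

# --- On each RDS server in scope (RD Gateway, RDWeb, Broker, Session Host) ---
# Produces the same configuration as the two GPO settings under
# Computer Configuration | Policies | Administrative Templates | Network |
# TCPIP Settings | IPv6 Transition Technologies. Handy in a lab or to check
# what the policy delivered; in production let the GPO set it.
Set-NetIsatapConfiguration -State Enabled -Router "$IsatapRecord.$Zone"
Get-NetIsatapConfiguration        # expect State Enabled and Router sbcisatap.iru.int

# The ISATAP interface should now carry an IPv6 address embedding the host's
# IPv4 address after the :5efe: interface identifier.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -match ':5efe:' } |
    Select-Object InterfaceAlias, IPAddress

# --- On a DirectAccess client ------------------------------------------------
# The NRPT entry added in the Remote Access console (Infrastructure Servers,
# step 3) should list the broker farm FQDN with the IPv6 DNS server address.
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $BrokerFarmFqdn }

# PowerShell equivalent of the nslookup check: a host with ISATAP enabled
# answers with both AAAA and A records, a host without it with an A record only.
Resolve-DnsName -Name $BrokerFarmFqdn | Select-Object Name, Type, IPAddress
```

Run the DNS part on the DNS server, the ISATAP part on each RDS server, and the NRPT and Resolve-DnsName checks from a DirectAccess-connected client.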
Kudos to Stephan Wibier, PQR