DirectAccess is a great method for providing secure remote access to corporate laptops. However, getting RemoteApps to work over DirectAccess is a challenge! DirectAccess is completely based on IPv6 encapsulated over IPv4 using IP-HTTPS (when using Windows 8). Company resources are addressed using IPv6, but RemoteApps solely communicate over IPv4, which causes an error when starting a RemoteApp while connected via DirectAccess.

To resolve this issue we need to use something called ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), which defines a method for generating a link-local IPv6 address from an IPv4 address.

In this tutorial we are using a company called ICT R US; the internal domain is IRU.INT and the external domain is ICTRUS.COM.

To enable ISATAP the following steps need to be taken:

  1. Create a DNS A record for ISATAP in the internal domain
  2. Create a group policy defining the previously created DNS record as the ISATAP router name
  3. Enable the ISATAP state in the GPO
  4. Apply this policy to all servers involved in the RemoteApp environment (gateway, RDWeb, RDS brokers and session hosts)
  5. Add the FQDN of the RDS broker farm to the Name Resolution Policy Table on the DirectAccess server

After these 5 steps have been implemented, RemoteApp will also work over a DirectAccess connection.
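The same five steps as a PowerShell script, added here as an example and not code from the original post. It uses the post's names (IRU.INT, SBCISATAP) and assumes the DnsServer, GroupPolicy, NetworkTransition and RemoteAccess modules are available where each step runs; the IPv4 address, the broker farm FQDN and the OU are placeholders, and the two registry value names under the policy key (what the two GPO settings write) are taken from the TCPIP ADMX template and should be treated as an assumption to verify against your own template version.

```powershell
# Added example, not code from the original post. Placeholders are marked as such.
$DaServerIPv4   = '192.0.2.10'                      # placeholder: DirectAccess server's internal IPv4
$IsatapRecord   = 'SBCISATAP'                       # record name used in the post
$InternalZone   = 'IRU.INT'
$IsatapRouter   = "$IsatapRecord.$InternalZone"     # SBCISATAP.IRU.INT
$BrokerFarmFqdn = 'rdsfarm.iru.int'                 # placeholder: RDS broker farm FQDN
$RdsServersOU   = 'OU=RDS Servers,DC=IRU,DC=INT'    # placeholder: OU holding gateway, RDWeb, brokers, session hosts

# Step 1 (on an internal DNS server): A record pointing at the DirectAccess server.
# The literal name 'isatap' is rejected because Windows DNS puts it (with 'wpad')
# on the global query block list by default; any other name works.
Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name $IsatapRecord -IPv4Address $DaServerIPv4

# Steps 2-4 (GPO): one policy carrying both settings from
# Computer Configuration | Policies | Administrative Templates | Network |
# TCPIP Settings | IPv6 Transition Technologies, linked to the OU with the RDS servers.
# Value names below are assumed from the TCPIP ADMX template.
$gpo = New-GPO -Name 'ISATAP for RemoteApp over DirectAccess'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'ISATAP_RouterName' -Type String -Value $IsatapRouter | Out-Null  # "Set ISATAP Router Name"
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'ISATAP_State'      -Type String -Value 'Enabled'       | Out-Null  # "Set ISATAP State"
New-GPLink -Guid $gpo.Id -Target $RdsServersOU -LinkEnabled Yes | Out-Null

# Same two settings applied locally on a single server (no GPO refresh needed),
# useful for a quick test on one session host before the policy lands everywhere:
# Set-NetIsatapConfiguration -State Enabled -Router $IsatapRouter

# Step 5 (on the DirectAccess server): NRPT entry for the broker farm FQDN.
# The console's "Detect" button resolves the name to its IPv6 address; do the same here
# and stop if only IPv4 comes back, which means ISATAP is not active on the brokers yet.
$farmV6 = @(Resolve-DnsName -Name $BrokerFarmFqdn -Type AAAA -ErrorAction Stop |
            Where-Object Type -eq 'AAAA' | Select-Object -ExpandProperty IPAddress)
if ($farmV6.Count -eq 0) {
    throw "$BrokerFarmFqdn has no AAAA record yet; apply the ISATAP policy to the brokers first."
}
Add-DAClientDnsConfiguration -DnsSuffix $BrokerFarmFqdn -DnsIPAddress $farmV6
```

Run each section on the host it targets (DNS server, a domain-joined admin workstation with the GroupPolicy module, and the DirectAccess server respectively); the AAAA check before the NRPT step mirrors why the post insists on clicking "Detect", since an NRPT entry that only carries an IPv4 address gives DirectAccess clients nothing they can reach.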

Create DNS A record for ISATAP in the internal domain

Using the DNS management console we’re going to create an A record called SBCISATAP which points to the IPv4 address of the DirectAccess server. We’re going to call the record SBCISATAP.IRU.INT because ISATAP.IRU.INT as record name apparently isn’t allowed (memo to self: why not?). We can use any name for this record (fluffybunny.iru.int comes to mind :-) )

[Image: da-5]

Create group policy defining the previously created DNS record as ISATAP router name

Once we have created the A record, we can create a group policy to define the ISATAP router name:

Two settings need to be enabled; both are found under Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies:

[Image: da-3]

Enable ISATAP state in GPO

We now have to change the ISATAP state by changing the following setting:

[Image: da-4]

This policy needs to be applied to all servers involved with the RemoteApp deployment: the RDS Gateway server (if present), RDWeb server(s), RDS Broker(s) and the RDS Session Host(s).

Add the FQDN of the RDS broker farm to the Name Resolution Policy Table on the DirectAccess server

Open the Remote Access Management Console and click on the “edit” button of the Infrastructure Servers (Step 3):

[Image: da-1b]

We need to add the DNS suffix for the RDS Broker or broker farm:

[Image: da-1a]

Although not really a DNS suffix, we are using the FQDN of the broker farm. Do not forget to click the “Detect” button, because we need the IPv6 address listed here! We’ll end up with something like this:

[Image: da-1]

After the group policy is applied to the servers, we can test whether ISATAP is working correctly by opening a command prompt on the DirectAccess server:

[Image: da-6]

An nslookup of a server which doesn’t have ISATAP enabled will return a normal IPv4 address only, but an nslookup of a server with ISATAP enabled will return both IPv6 and IPv4 addresses.
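A PowerShell version of that nslookup check, added here as an example and not code from the original post. It resolves a name and reports whether the answer includes an ISATAP IPv6 address (ISATAP interface identifiers carry the IPv4 address behind ":5efe:"), and it reads the local ISATAP adapter state so a server that has not yet picked up the policy is easy to spot. The host names are placeholders; run it on the DirectAccess server or on an RDS server that has received the policy.

```powershell
# Added example, not code from the original post. Host names are placeholders.

function Test-IsatapResolution {
    param([Parameter(Mandatory)][string]$Name)
    # Resolve-DnsName asks for both A and AAAA by default, matching what nslookup shows.
    $records = Resolve-DnsName -Name $Name -ErrorAction Stop
    $v4 = @($records | Where-Object Type -eq 'A'    | Select-Object -ExpandProperty IPAddress)
    $v6 = @($records | Where-Object Type -eq 'AAAA' | Select-Object -ExpandProperty IPAddress)
    [pscustomobject]@{
        Name         = $Name
        IPv4         = $v4
        IPv6         = $v6
        # A host with the policy applied answers with an address such as
        # fe80::5efe:10.1.2.3 or <prefix>:0:5efe:10.1.2.3 in addition to its A record.
        IsatapActive = [bool]($v6 | Where-Object { $_ -match ':5efe:' })
    }
}

function Get-LocalIsatapStatus {
    # State/Router come from the GPO (or Set-NetIsatapConfiguration) once applied.
    $cfg  = Get-NetIsatapConfiguration
    $addr = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
              Where-Object { $_.IPAddress -match '5efe' } |
              Select-Object -ExpandProperty IPAddress)
    [pscustomobject]@{
        State     = $cfg.State      # expect 'Enabled' after the policy has applied
        Router    = $cfg.Router     # expect SBCISATAP.IRU.INT from the policy
        Addresses = $addr           # empty until the ISATAP adapter has an address
    }
}

# Usage (placeholder names): a server without ISATAP returns IPv4 only,
# one with ISATAP returns both, which is exactly the difference nslookup shows.
Test-IsatapResolution -Name 'rdsbroker01.iru.int' | Format-List
Test-IsatapResolution -Name 'fileserver01.iru.int' | Format-List
Get-LocalIsatapStatus | Format-List
```

If a broker resolves to IPv4 only after the policy should have applied, run gpupdate on that server and check Get-LocalIsatapStatus there: State must be Enabled and Router must match the A record created in step 1 before the AAAA record will appear.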

Kudos to Stephan Wibier, PQR
