Use a HOSTS File Entry to Control ISATAP Host Configuration

imageISATAP is an optional configuration option you can take advantage of when working with UAG DirectAccess. What ISATAP allows you to do is automatically assign IPv6 addresses to computers on the network that already have IPv4 addresses (which is going to be all of them). The advantage conferred when using ISATAP is that you can have an entirely IPv4 infrastructure (that is to say, your routers don’t support IPv6 and you haven’t done anything to enable IPv6 on your network) is that you can initiate connections from computers on the intranet to DirectAccess clients that are located somewhere on the Internet.

ISATAP clients can do this because they tunnel IPv6 messages inside an IPv4 tunnel. When traveling over the intranet, the IPv6 messages move over the network inside the IPv4 header and when they reach the destination, the IPv4 header is removed and the IPv6 header is exposed and the packet is then received by the ISATAP tunnel adapter. When the ISATAP host connects to a DirectAccess client, it connects to an IPv6 only host (the DirectAccess client), since DirectAccess clients only communicate over IPv6 when connecting to resources on the intranet.

This works by sending the packets from the ISATAP enabled host on the intranet to the ISATAP router on the UAG DirectAccess server. When the ISATAP enabled host on the intranet tries to connect to a DirectAccess client, it sends the IPv4 encapsulated IPv6 packet to the ISATAP router on the UAG DirectAccess server. When the packet arrives at the UAG DirectAccess server, the ISATAP router removes the IPv4 header and forwards the IPv6 packet to the DirectAccess client. And when the DirectAccess client returns its response, the IPv6 packet is sent to the UAG DirectAccess server, and then the ISATAP router on the UAG DirectAccess server encapsulates that IPv6 packet with an IPv4 header and forwards it to the ISATAP host on the intranet.

In general, ISATAP is a good thing, but it can create some potential issues. First, you need to be aware that in order to configure their ISATAP adapters, the ISATAP enabled hosts need to be able to resolve the name ISATAP. Usually, you put a host (A) record for ISATAP in your DNS and all machines can then resolve this name to configure their ISATAP adapters. Since all Vista and above and Windows Server 2008 and above hosts are automatically configured as ISATAP enabled hosts, all of these machines will automatically configure their ISATAP adapters after they resolve the ISATAP name.

So, What’s the Problem?

The problem is that not everyone wants to enable IPv6 on their networks. For a number of reasons, some firms want to disable IPv6 on the machines on their networks. The problem is that if you disable IPv6, but leave the ISATAP adapter enabled, the NAT64/DNS64 feature won’t work when the DirectAccess clients try to connect to these machines. The reason for this is that when the ISATAP adapter initializes, it registers its IPv6 ISATAP address in DNS automatically. When the DirectAccess client resolves the name of the host that has IPv6 disabled but ISATAP adapter enabled, it will get a quad A (AAAA) record and try to connect to that host using its IPv6 address. But since IPv6 is disabled on that host, the connection attempt will fail.

The Solution

In practice, very few hosts on the intranet need to be able to initiate connections to the DirectAccess clients. Only management servers, and maybe computers assigned to corporate IT need this kind of access, and perhaps computers run by the Help Desk. If you’ve decided to disable IPv6 on your network, you might be better served by not putting the ISATAP address in DNS. Instead, put the ISATAP entry into the HOSTS file of the machines that need to initiate connections to the DirectAccess clients.

In this case, there is no ISATAP entry in DNS, so hosts without an ISATAP entry in their HOSTS file will not enable their ISATAP adapters. The machines that have an ISATAP entry in their HOSTS files will be able to resolve the name ISATAP and they will enable their ISATAP adapters and they will then be able to initiate connections to DirectAccess clients. With this configuration, the DirectAccess clients can use the UAG DirectAccess server’s NAT64/DNS64 to connect to the hosts that don’t have ISATAP enabled, and they will be able to use IPv6 to connect to the ISATAP enabled hosts that have the ISATAP entry in their HOSTS files.



Tom Shinder
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog :
Follow me on Twitter:

Visit the TechNet forums to discuss all your UAG DirectAccess issues

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki