TechOnTip Weblog

Run book for Technocrats

Windows 2012 Direct Access – ISATAP Router

Posted by Brajesh Panda on April 2, 2013


Out of the box, the Windows 2012 Direct Access configuration wizard enables an ISATAP router on the Direct Access server. This ISATAP router can distribute IPv6 addresses and routes to Windows ISATAP clients. Manage-out clients benefit from this because it lets them make IPv6-enabled manage-out connections. In this article I am not covering how to configure an ISATAP router on a standalone server; maybe later in another article. For information about other IPv6 transition technologies, check out this article by me.

About ISATAP Interface

Nowadays most advanced IPv6-enabled operating systems ship with the ISATAP IPv6 transition technology. You may have noticed an ISATAP network interface in the output of IPConfig. We expect one ISATAP interface per physical NIC. If you see more than that, try uninstalling the extras from Device Manager after enabling Show hidden devices.

By default these ISATAP interface names look like isatap.{GUID}, as in the picture below. ISATAP interfaces can be seen using IPConfig or a NETSH command, i.e. netsh interface ipv6 show interface


These GUIDs represent the physical interface to which the ISATAP interface is bound. The GUID of a physical adapter can be seen by running “wmic nicconfig get description, SettingID” from a cmd prompt.

Comparing the two pictures above, we can say that ISATAP interface 14 is mapped to Hyper-V Network Adapter #2 and ISATAP interface 27 is mapped to Hyper-V Network Adapter.

There is also another easy way to find this out: just add a DNS suffix to one physical interface. It will create another ISATAP interface with the same DNS suffix. In the picture below it created another ISATAP adapter for Corpnet. If you open Device Manager you will see a new ISATAP interface.

So it is better to uninstall all ISATAP adapters, add a DNS suffix to the physical interface, and reboot the server. It will create new ones and name them clearly for identification.
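The GUID and DNS-suffix matching described above can be done in one pass. This is an added example, not part of the original post; the function name, the `-Live` switch and the sample adapters, GUIDs and suffix are constructed assumptions.

```powershell
# Added example: map ISATAP tunnel interfaces to the physical adapter they are bound to.
param([switch]$Live)   # -Live queries this machine; the default uses constructed sample data

function Resolve-IsatapOwner {
    param($Interfaces, $Adapters)
    # Index adapters by GUID (SettingID) and by connection-specific DNS suffix.
    # PowerShell hashtable literals compare string keys case-insensitively.
    $byGuid = @{}
    $bySuffix = @{}
    foreach ($a in $Adapters) {
        if ($a.Description -like '*ISATAP*') { continue }   # skip the tunnel adapters themselves
        if ($a.SettingID) { $byGuid[$a.SettingID] = $a.Description }
        if ($a.DNSDomain) { $bySuffix[$a.DNSDomain] = $a.Description }
    }
    foreach ($i in $Interfaces) {
        # Interface names look like isatap.{GUID} or isatap.<dns suffix>
        if ($i.InterfaceAlias -match '^isatap\.(?<id>.+)$') {
            $id = $Matches['id']
            if ($byGuid.ContainsKey($id)) { $owner = $byGuid[$id] }
            elseif ($bySuffix.ContainsKey($id)) { $owner = $bySuffix[$id] }
            else { $owner = 'no matching adapter (possibly a leftover interface)' }
            [pscustomobject]@{ Index = $i.InterfaceIndex; Alias = $i.InterfaceAlias; BoundTo = $owner }
        }
    }
}

if ($Live) {
    $ifs  = Get-NetIPInterface -AddressFamily IPv6
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration
} else {
    # Constructed sample data: GUIDs, DNS suffix and indexes are placeholders.
    $nics = @(
        [pscustomobject]@{ Description = 'Hyper-V Network Adapter'
                           SettingID = '{11111111-1111-1111-1111-111111111111}'; DNSDomain = $null },
        [pscustomobject]@{ Description = 'Hyper-V Network Adapter #2'
                           SettingID = '{22222222-2222-2222-2222-222222222222}'; DNSDomain = 'corpnet.example' }
    )
    $ifs = @(
        [pscustomobject]@{ InterfaceIndex = 27; InterfaceAlias = 'isatap.{11111111-1111-1111-1111-111111111111}' },
        [pscustomobject]@{ InterfaceIndex = 14; InterfaceAlias = 'isatap.corpnet.example' },
        [pscustomobject]@{ InterfaceIndex = 30; InterfaceAlias = 'isatap.{33333333-3333-3333-3333-333333333333}' }
    )
}
Resolve-IsatapOwner -Interfaces $ifs -Adapters $nics | Format-Table -AutoSize
```

Rows reported as having no matching adapter are the candidates for the Device Manager cleanup mentioned earlier.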

ISATAP Router Discovery

To discover an ISATAP router, these clients query ISATAP.DomainName.Com, where DomainName is the domain discovered by the NIC. So this DNS A record should point to the ISATAP router’s IPv4 address. This name is hardcoded in the operating system and is part of the ISATAP IPv6 transition technology.

If a client is able to resolve the ISATAP router’s DNS record, it will be able to pick up the IPv6 prefix and published routes. If this is rolled out to all computers in the network without proper planning, it may create routing issues, because as soon as a client configures itself with an IPv6 address, IPv6-aware applications will start communicating over IPv6 with other ISATAP hosts, or through the ISATAP router with a different subnet. For a better understanding, I grabbed the picture below from https://espix.net/~wildcat/ipv6/i17_isatap_v1a.pdf

In this situation we may not want to create a global DNS record named ISATAP. There is another option: use a custom DNS entry for this record and apply a GPO carrying that name only to the specific clients where we want to enable ISATAP functionality. There is a nice, popular article by Jason Jones on how to configure this.

  • Create a DNS A record named “DirectAccess-ISTAPRouter.Contoso.Local” and point it to the Direct Access server’s internal IP address
  • Create an empty GPO
  • In the GPO, open “Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies”
  • Configure the parameters below:
    • ISATAP Router Name: Enabled
    • Enter a Router or relay Name: “DirectAccess-ISTAPRouter.Contoso.Local”
  • Apply the above GPO to the respective clients; in the Direct Access case, the manage-out clients

You may need to reboot the client machine to get the ISATAP IPv6 addresses assigned. Otherwise you may try “sc control iphlpsvc paramchange” to refresh the adapter.

Troubleshooting a few things

  • How to verify if ISATAP is enabled?
    • Use the NETSH status command “netsh interface isatap show state”
    • By default the state is “default”
    • But if the router is enabled, the state will be “enabled”
    • If it is enabled through group policy, as on the clients, it will show “enabled (group policy)”
  • How to disable ISATAP functionality from OS?
  • Which ISATAP router is used by the client?
    • Use “netsh int isatap show router”

  • Which routes are published through the router?
    • On the router, use the NETSH command below to check, i.e. netsh int ipv6 show route. Make sure Publish is set to Yes. You can add extra routes to publish too.

  • How to verify if the client is receiving IPv6 routes and its default gateway is pointing to the ISATAP router?
    • Use the same netsh int ipv6 show route command and make sure the client is receiving routes and the gateway is pointing to the ISATAP address of the router
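The state and router checks above as one script, added here as an example and not part of the original post: it parses the netsh output and compares the router in use with the name set in the GPO. The function names, the `-Live` switch and the exact layout of the sample output lines are assumptions.

```powershell
# Added example: confirm a client has ISATAP enabled and uses the router name set by the GPO.
param(
    [string]$ExpectedRouter = 'DirectAccess-ISTAPRouter.Contoso.Local',   # name used on this page
    [switch]$Live   # query this machine with netsh instead of the constructed sample
)

# Turn "Key   : Value" lines from netsh into a hashtable.
function ConvertFrom-NetshKeyValue {
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        # Key is everything before the first colon; the value may itself contain colons.
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*?)\s*$') {
            $table[$Matches['key']] = $Matches['value']
        }
    }
    return $table
}

function Test-IsatapClient {
    param([string[]]$StateLines, [string[]]$RouterLines, [string]$Expected)
    $state  = (ConvertFrom-NetshKeyValue $StateLines)['ISATAP State']
    $router = (ConvertFrom-NetshKeyValue $RouterLines)['Router Name']
    [pscustomobject]@{
        State    = $state
        Router   = $router
        StateOk  = $state -like 'enabled*'     # "enabled" or "enabled (group policy)"
        RouterOk = $router -eq $Expected       # string -eq is case-insensitive
    }
}

if ($Live) {
    $stateLines  = netsh interface isatap show state
    $routerLines = netsh interface isatap show router
} else {
    # Constructed sample output (assumed layout), not captured from a real host.
    $stateLines  = 'ISATAP State                : enabled (group policy)'
    $routerLines = 'Router Name                 : DirectAccess-ISTAPRouter.Contoso.Local',
                   'Use Relay                   : default',
                   'Resolution Interval         : default'
}
Test-IsatapClient -StateLines $stateLines -RouterLines $routerLines -Expected $ExpectedRouter
```

A client where the GPO has not applied reports both values as “default”, so both checks come back False.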

5 Responses to “Windows 2012 Direct Access – ISATAP Router”

  1. It means those routes are added to the same server but ISATAP not going to distribute/publish them to ISATAP clients.

  2. Great post. I was checking constantly this blog and I am inspired!
    Extremely useful info specifically the final part 🙂
    I take care of such information a lot. I used to be looking for this particular information for a very lengthy time.
    Thank you and good luck.

  3. Frédéric Barbier said

    It seems that ISATAP isn’t supported in DirectAccess 2012 deployments, so you need to implement native IPv6… http://technet.microsoft.com/en-us/library/dn464274.aspx
