

Step 4: Configure UAG1

Applies To: Unified Access Gateway

UAG1 acts as the UAG DirectAccess server for the network. UAG1 will be connected to both the simulated Internet and the intranet and requires one network interface that is connected to each of these networks. The UAG DirectAccess server provides the following network services:

  1. ISATAP router—An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts, and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. The ISATAP router provides ISATAP clients with the information they need to properly configure their ISATAP adapters. For more information about ISATAP, see Migrating Your Intranet to IPv6 with ISATAP.

  2. Teredo server—A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 intranet, and supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of the Teredo client, and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6 hosts. The Teredo server listens on UDP port 3544 for Teredo traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG DirectAccess server. For more information on Teredo, see Teredo Overview.

  3. IPsec gateway—The full intranet access model (which is used in this lab document) allows DirectAccess clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that require authentication and encryption and IPsec sessions that terminate at the IPsec gateway. The IPsec gateway is a function that is hosted on the UAG DirectAccess server.

  4. IP-HTTPS server—IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection. The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections. Note that IP-HTTPS does not work behind authenticating Web proxies (when authentication is required), or from behind Web proxies that perform outbound SSL inspection.

  5. NAT64/DNS64 IPv6/IPv4 protocol translator—The UAG DirectAccess server includes NAT64 and DNS64, which enable DirectAccess clients on the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to communicate with intranet servers. When a DirectAccess client needs to connect to IPv4 resources on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the resource. DNS64 then dynamically generates an IPv6 address for the IPv4 resource and returns it to the client; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client issues a request for the dynamically generated IPv6 address, which is intercepted by NAT64, and then NAT64 forwards the request to the IPv4 address of the intranet resource. NAT64 also returns the response based on entries in its state table. For more information about DNS64 and NAT64, see Deep Dive Into DirectAccess – NAT64 and DNS64 In Action.

  6. 6to4 relay router—A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as the 6to4 relay router and provides addressing information to the DirectAccess clients. DirectAccess clients use this information to configure their 6to4 tunnel adapter to forward IPv6 messages over the IPv4 Internet to the UAG DirectAccess servers. For more information on 6to4, see Routing IPv6 Traffic over an IPv4 Infrastructure.

INET1 configuration consists of the following steps:

  1. A. Install the operating system on UAG1 —The first step is to install the Windows Server 2008 R2 operating system on UAG1. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.

  2. B. Configure TCP/IP Properties on UAG1—After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces.

  3. C. Rename UAG1 and Join it to the corp.contoso.com Domain—Change the default computer name assigned during setup to UAG1 and join it to the CORP domain. Domain membership is required for the DirectAccess solution.

  4. D. Obtain a Certificate for the IP-HTTPS Listener on UAG1—The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS listener requires a Web site certificate to support the SSL connection between itself and the DirectAccess client.

  5. E. Install Forefront UAG on UAG1—Install the Forefront Unified Access Gateway software on UAG1.

  6. F. Run the UAG Getting Started Wizard on UAG1—The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server.

  7. G. Run the UAG DirectAccess Configuration Wizard on UAG1—DirectAccess is not enabled by default. The UAG DirectAccess wizard must be run to enable DirectAccess features and capabilities on UAG1.

  8. H. Confirm Group Policy Settings on UAG1—The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. This step confirms that the Group Policy settings were deployed to the UAG DirectAccess server.

  9. I. Confirm IPv6 settings on UAG1—For the DirectAccess solution to function, the IPv6 settings on Forefront UAG must be correct. This step confirms these settings on UAG1.

  10. J. Update IPv6 Settings on DC1—DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

  11. K. Update IPv6 Settings on APP1—APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.

  12. L. Confirm IPv6 Address Registration in DNS—IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. This step confirms that the IPv6 ISATAP addresses are registered in DNS.

  13. M. Confirm IPv6 Connectivity between DC1/APP1/UAG1—After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.

A. Install the operating system on UAG1

The first step is to install the Windows Server 2008 R2 operating system on UAG1. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.

To install the operating system on UAG1

  1. On UAG1, start the installation of Windows Server 2008 R2.

  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local administrator account. Log on using the local administrator account.

  3. Connect one network interface to the simulated Internet or virtual switch representing the simulated Internet, and the other to the corpnet or virtual switch representing the corpnet. Connect the network adapter to the Internet subnet.

B. Configure TCP/IP properties on UAG1

After installing the operating system on UAG1, configure the TCP/IP properties to provide the server with an IP address, subnet mask, DNS server address and connection specific suffix, on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces. Note that you will assign two consecutive public IP addresses to the external interface of UAG1. This is required to support DirectAccess clients and Teredo. Public IP addresses are required. If you use private IP addresses on the external interface, the UAG DirectAccess Configuration Wizard will warn you of the configuration error and not enable DirectAccess.

To configure TCP/IP properties on UAG1

  1. On UAG1, in Initial Configuration Tasks, click Configure networking.

  2. In Network Connections, right-click the network connection that is connected to the Corpnet subnet or virtual switch, and then click Rename.

  3. Enter Corpnet, and then press ENTER.

  4. Right-click Corpnet, and then click Properties.

  5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  6. Select Use the following IP address. In IP address, enter 10.0.0.2. In Subnet mask, enter 255.255.255.0.

  7. Select Use the following DNS server addresses. In Preferred DNS server, enter 10.0.0.1.

  8. Click Advanced, and then click the DNS tab.

  9. In DNS suffix for this connection, enter corp.contoso.com, click OK two times, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly.)

  10. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.

  11. Enter Internet, and then press ENTER.

  12. Right-click Internet, and then click Properties.

  13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  14. Select Use the following IP address. In IP address, enter 131.107.0.2. In Subnet mask, enter 255.255.255.0.

  15. Click Advanced. On the IP Settings tab, click Add for IP Addresses.

  16. In IP address, enter 131.107.0.3. In Subnet mask, enter 255.255.255.0, and then click Add.

  17. Click the DNS tab.

  18. In DNS suffix for this connection, enter isp.example.com, click OK two times, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly.)

  19. Close the Network Connections window.

  20. To check network communication between UAG1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.

  21. In the command window, enter ping dc1.corp.contoso.com and press ENTER. Verify that there are four responses from 10.0.0.1.

  22. Close the command window.

C. Rename the computer and join UAG1 to the corp.contoso.com domain

Change the default computer name assigned during setup to UAG1, and join UAG1 to the corp.contoso.com domain.

To rename the computer and join UAG1 to the corp.contoso.com domain

  1. On the UAG1 computer or virtual machine, in the Initial Configuration Tasks window, click the Provide computer name and domain link.

  2. On the Computer Name tab, click the Change button.

  3. In the Computer Name/Domain Changes dialog box, in the Computer name box, enter UAG1. In the Member of frame, select the Domain option. Enter corp.contoso.com in the box. Click OK.

  4. In the Windows Security dialog box, in the User name box, enter Administrator and enter the CORP domain’s administrator password. Click OK.

  5. Click OK in the Welcome to the domain dialog box.

  6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must restart the computer.

  7. Click Close in the System Properties dialog box.

  8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.

  9. Log on as CORP\User1.

D. Obtain the IP-HTTPS listener certificate on UAG1

The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a Web site certificate to support the SSL connection between itself and the DirectAccess client. The common name on this certificate must be the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and must be resolvable using an Internet-based DNS server to the first of the two consecutive IP addresses bound to the external interface of the UAG DirectAccess server. Do the following to obtain the IP-HTTPS certificate.

To obtain the IP-HTTPS listener certificate on UAG1

  1. On UAG1, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.

  2. Click File, and then click Add/Remove Snap-ins.

  3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. Click Next two times.

  7. On the Request Certificates page, click Web Server 2003, and then click More information is required to enroll for this certificate.

  8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

  9. In Value, type uag1.contoso.com, and then click Add.

  10. In Alternative name, for Type, select DNS.

  11. In Value, enter uag1.contoso.com, and then click Add.

  12. Click OK, click Enroll, and then click Finish.

  13. In the details pane of the Certificates snap-in, verify that a new certificate with the name uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.

  14. Right-click the certificate, and then click Properties.

  15. In the Friendly Name box, enter IP-HTTPS Certificate, and then click OK.

  16. Close the console window. If you are prompted to save settings, click No.
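A preflight check for the addressing and naming requirements stated in sections B and D, written here as an added Python example (it is not part of the original guide or of Forefront UAG). The function names are hypothetical, and the DNS answer passed in is a constructed sample standing in for a lookup against an Internet-based DNS server.

```python
import ipaddress


def check_external_pair(first, second, netmask):
    """Return problems with the two IPv4 addresses bound to the Internet interface."""
    problems = []
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(second)
    subnet = ipaddress.IPv4Network(f"{a}/{netmask}", strict=False)
    for label, addr in (("first", a), ("second", b)):
        # is_global is False for RFC 1918, loopback, link-local and other
        # special-purpose ranges; the wizard rejects private addresses here.
        if not addr.is_global or addr.is_multicast:
            problems.append(f"{label} address {addr} is not a public IPv4 address")
        if addr not in subnet:
            problems.append(f"{label} address {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} address {addr} is the network or broadcast address")
    if int(b) - int(a) != 1:
        problems.append(f"{a} and {b} are not consecutive (second must be first + 1)")
    return problems


def check_iphttps_name(name, cert_cn, cert_san_dns, resolved_v4, first):
    """Return problems with the IP-HTTPS listener name, certificate and DNS record.

    resolved_v4 is the list of A-record answers an Internet DNS server gives
    for `name`; it is passed in so the check can run offline.
    """
    problems = []
    wanted = name.rstrip(".").lower()
    cert_names = {cert_cn.lower(), *(n.lower() for n in cert_san_dns)}
    if wanted not in cert_names:
        problems.append(f"certificate names {sorted(cert_names)} do not include {wanted}")
    answers = {ipaddress.IPv4Address(r) for r in resolved_v4}
    if not answers:
        problems.append(f"{wanted} does not resolve to an IPv4 address")
    elif answers != {ipaddress.IPv4Address(first)}:
        got = ", ".join(str(x) for x in sorted(answers))
        problems.append(f"{wanted} resolves to {got}; expected only {first}, "
                        "the first of the two consecutive addresses")
    return problems


def preflight(first, second, netmask, name, cert_cn, cert_san_dns, resolved_v4):
    """Run both checks and return the combined list of problems."""
    return (check_external_pair(first, second, netmask)
            + check_iphttps_name(name, cert_cn, cert_san_dns, resolved_v4, first))


if __name__ == "__main__":
    # Lab values from this guide; the DNS answer is a constructed sample.
    issues = preflight("131.107.0.2", "131.107.0.3", "255.255.255.0",
                       "uag1.contoso.com", "uag1.contoso.com",
                       ["uag1.contoso.com"], ["131.107.0.2"])
    print("OK" if not issues else "\n".join(issues))
```
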

E. Install Forefront UAG on UAG1

Install the Forefront Unified Access Gateway software on UAG1.

To create A records

  1. On UAG1, insert the Forefront UAG DVD into the optical drive.

    Note

    Ensure that you install Forefront UAG from the DVD. Network installations are not supported.

  2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.

  3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the User Account Control dialog box.

  4. On the Welcome to the Forefront UAG Setup Wizard page, click Next.

  5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for Microsoft Software, and then click Next.

  6. On the Select Installation Location page, click Next, and wait for the installation to complete successfully.

  7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and then click Next. Wait for the server to restart.

  8. Log on to UAG1 as CORP\User1.

F. Run the Forefront UAG Getting Started Wizard

The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server. This sets up the basic information required to configure the networking settings on the server, defines the server topology (standalone or array), and whether or not to join Microsoft update for updating the server.

To run the Forefront UAG Getting Started Wizard

  1. On UAG1, click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box. UAG will start to configure itself for the first time. The Getting Started Wizard splash screen appears.

  2. In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

  3. On the Welcome to the Network Configuration Wizard page, click Next.

  4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in the External column. Leave SSL Network tunneling as unassigned, and then click Next.

  5. On the Define Internal Network IP Address Range page, verify that the range that appears is 10.0.0.0 to 10.0.0.255, and then click Next.

  6. On the Completing the Network Configuration Wizard page, click Finish.

  7. On the Getting Started Wizard, click Define Server Topology.

  8. On the Welcome to the Server Management Wizard page, click Next.

  9. On the Select Configuration page, select Single server, and then click Next.

  10. On the Completing the Server Management Wizard page, click Finish.

  11. In the Getting Started Wizard, click Join Microsoft Update.

  12. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update, and then click OK.

    Note

    In a production environment, it is highly recommended that you select the use Microsoft Update option.

  13. On the Getting Started Wizard page, click Close.

  14. In the Getting Started Wizard dialog box, when prompted Do you want to activate the configuration now, click Yes.

  15. On the Activate Configuration page, enter a password and confirm the password for the backup file that will save the current UAG configuration. Click Next.

  16. On the Activate Configuration page, confirm that the Back up configuration before performing this activation check box is selected, and then click Activate.

  17. Wait for the Activation completed successfully message, and then click Finish.

  18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

G. Run the UAG DirectAccess Configuration Wizard

DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you must run the DirectAccess Configuration Wizard. After running the DirectAccess Configuration Wizard, two new Group Policy objects are created; one is linked to the computer account for the UAG DirectAccess server, and the other is linked to the DirectAccess clients security group (DA_Clients) you configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and IPv6/IPv4 protocol transition technologies, are enabled on the UAG DirectAccess server.

To run the UAG DirectAccess Configuration Wizard

  1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box.

  2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the Forefront UAG DirectAccess Configuration pane, in the Clients box, click Configure.

  3. In the UAG DirectAccess Client Configuration dialog box, click Add.

  4. In the Select Group dialog box, enter DA_Clients, click OK, and then click Finish.

    Note

    You must use the custom security group that you created for the DirectAccess clients. Never use a built-in security group.

  5. In the DirectAccess Server box, click Configure.

  6. On the Connectivity page, in First Internet-facing IPv4 address, select 131.107.0.2. In Internal IPv4 address, select 10.0.0.2, and then click Next.

    Note

    Information appears stating that ISATAP is enabled on the UAG server, that an ISATAP entry must be entered into DNS, and that ISATAP must be removed from the Global Query Block List. This procedure was carried out earlier during configuration of DC1.

  7. On the Managing DirectAccess Services page, click Next.

    Note

    The default settings on this page enable both NAT64 and DNS64, which allow DirectAccess clients to communicate with IPv4-only servers and resources on the corpnet.

  8. On the Authentication Options page, for Browse and select a root or intermediate certificate that verifies certificates sent by DirectAccess clients, select Use root certificate, and then click Browse. In the list of certificates, click the corp-DC1-CA root certificate, and then click OK.

  9. For Select the certificate that authenticates the UAG DirectAccess server to a client connecting using IP-HTTPS, click Browse. In the list of certificates, click the IP-HTTPS certificate, click OK, and then click Finish.

  10. In the Infrastructure Servers box, click Configure.

  11. On the Network Location Server page, enter nls.corp.contoso.com, click Validate and wait for the notice Validation successful. The URL https://nls.corp.contoso.com is reachable, and then click Next.

  12. On the DNS Suffixes page, click Next.

    Note

    The DNS suffixes listed on this page determine the communications that are sent through the DirectAccess tunnel to the DirectAccess server and to the corpnet.

  13. On the Management Servers and DCs page, click the Domains\corp.contoso.com entry. Note in the Servers List that DC1.corp.contoso.com was automatically discovered. Click Finish.

    Note

    Infrastructure servers are those servers that are accessed through the infrastructure tunnel, which is established before the user logs on. The infrastructure tunnel enables DirectAccess client computer management even when no user is logged on.

  14. In the Application Servers box, click Configure. Confirm that the Require end-to-edge authentication and encryption option is selected. Click Finish.

  15. In the Forefront UAG DirectAccess pane, click Generate Policies.

  16. In the Forefront UAG DirectAccess Configuration Review dialog box, click Apply Now. After the script has finished executing, in the DirectAccess Policy Configuration message box, click OK, and then click Close.

  17. Open an elevated command prompt. At the command prompt, enter gpupdate /force and then press ENTER. Note that this is a requirement for the lab deployment only and would not be part of your enterprise deployment.

  18. In the Microsoft Forefront UAG Management console, click the File menu, and then click Activate. In the Activate Configuration dialog box, click Activate. Wait for the Activation completed successfully message, and then click Finish.

  19. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

H. Confirm Group Policy settings on UAG1

The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and another is deployed to machines that belong to the DirectAccess Clients security group. The following steps confirm that the Group Policy settings were deployed to the UAG DirectAccess server.

  1. On DC1, click Start, point to Administrative Tools, and click Group Policy Management.

  2. Expand Forest: corp.contoso.com and Domains, and then expand corp.contoso.com.

  3. Two new GPOs will be linked to the default domain policy; UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} is applied to members of the DA_Clients security group, and UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is applied to the UAG server. Note that these GPO names are correct for Forefront UAG 2010 release version and may change with subsequent versions, such as Update 1. Confirm that the correct security filtering is done for each of these Group Policy objects, by clicking on the GPO, and then viewing the entries in the Security Filtering section on the Scope tab in the right pane of the console.

  4. On UAG1, open an elevated command prompt. Change the focus to c:\Users\User1\Desktop.

  5. At the command prompt, enter gpresult /scope computer /f /h report.html, and press ENTER.

  6. On the desktop, double-click the report file. In the Group Policy Objects section, note that in the Group Policy Objects\Applied GPOs section, UAG DirectAccess: DAServer{ab991ef0-6fa9-4bd9-bc42-3c397ce8ad300} appears, which shows that the DirectAccess server GPO has been applied to UAG1. Close the Internet Explorer window.

  7. Click Start, enter Firewall in the Search box, and press ENTER.

  8. In the Windows Firewall with Advanced Security console, note that the middle pane displays Domain Profile is Active and Public Profile is Active. It is important that the Windows Firewall is enabled and that both the Domain and Public Profiles are active. If the Windows Firewall with Advanced Security is disabled, or if Domain or Public profiles are disabled, DirectAccess will not work correctly.

  9. In the left pane of the Windows Firewall with Advanced Security Console, click the Connection Security Rules node. Note that in the middle pane of the console are two connection security rules; UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel and the second rule is used to establish the intranet tunnel. Both of these rules are delivered to UAG1 using Group Policy.

  10. Close the Windows Firewall with Advanced Security console.

I. Confirm IPv6 settings on UAG1

For the DirectAccess solution to function, the IPv6 settings on Forefront UAG must be correct. The following steps confirm these settings on UAG1.

To confirm IPv6 settings on UAG1

  1. On UAG1, click Start, right-click the command prompt, and click Run as administrator. Click Yes in the User Account Control dialog box.

  2. In the command prompt window, enter ipconfig /all and press ENTER.

  3. The ipconfig /all display shows information related to the UAG1 networking configuration. There are several sections of interest. The Tunnel adapter 6TO4 Adapter section shows information that includes the Global IPv6 address used by UAG1 on its external interface. The Tunnel adapter isatap.corp.contoso.com section shows information regarding UAG1’s ISATAP interface; here you find the ISATAP address for UAG1. In the Tunnel adapter IPHTTPSInterface section, you’ll see information regarding the IP-HTTPS interface. If you are using the IP addressing scheme used in this lab, you should see the following addresses:

    • 6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:2::836b:3

    • ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2

    • IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf

      Note

      The “debolded” values will vary due to the way in which the IP-HTTPS address is generated.

  4. To see information regarding the Teredo interface on UAG1, enter netsh interface Teredo show state and press ENTER. The output should include an entry State: online.

J. Update IPv6 settings on DC1

DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

To update IPv6 settings on DC1

  1. On DC1, click Start, and then right-click the command prompt icon. Click Run as administrator.

  2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

  3. Close the command prompt window after the command completes.

K. Update IPv6 settings on APP1

APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

To update IPv6 settings on APP1

  1. On APP1, click Start and then right-click the command prompt icon. Click Run as administrator.

  2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

  3. Close the command prompt window after the command completes.

L. Confirm IPv6 address registration in DNS

IPv6-capable hosts can communicate with one another over an IPv4 network with IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. The following steps confirm that the IPv6 ISATAP addresses are registered in DNS.

To confirm IPv6 address registration in DNS

  1. On DC1, click Start, point to Administrative Tools and click DNS.

  2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in the left pane of the console. Click corp.contoso.com.

  3. Click the Name column in the right pane of the console so that computer names are listed alphabetically. For APP1, DC1 and UAG1, there should be an IPv4 address and IPv6 address. If there is no IPv6 address, return to the machine that does not have an IPv6 address and open an elevated command prompt. At the elevated command prompt, enter ipconfig /registerdns. Then, return to the DNS console on DC1 and confirm that the IPv6 address is registered in DNS. If the IPv6 address does not appear in the console, refresh the console view.

Note

The ISATAP addresses listed in the DNS resource records do not use the dotted decimal format for the last 32 bits of the IPv6 address, that you see when using ipconfig to view IP addressing information on the hosts. However, these addresses represent the same information; the only difference is that the last 32 bits are represented in HEX instead of dotted decimal format.

M. Confirm IPv6 connectivity between DC1/APP1/UAG1

After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.

To confirm IPv6 connectivity between DC1/APP1/UAG1

  1. On DC1, click Start, right-click the command prompt icon, and click Run as administrator.

  2. In the command prompt window, enter ipconfig /flushdns to remove IPv4 address entries that might already be in the DNS client cache.

  3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.

  4. In the command prompt window, enter ping APP1 and press ENTER. You should see the ISATAP address of DC2 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.3. Close the command prompt window.

  5. On UAG1, use an elevated command prompt window to ping DC1 and APP1 and confirm that the responses are from the ISATAP addresses of those servers. Then close the command prompt window.
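The addresses expected in sections I, L and M can be derived from the lab's IPv4 plan, which helps when the lab uses different addresses. The following Python is an added example, not part of the original guide: the function names are hypothetical, and the ISATAP subnet ID 0x8000 is read off the expected address listed in section I rather than queried from UAG.

```python
import ipaddress

# Subnet ID taken from the lab's expected ISATAP address
# (2002:836b:2:8000:0:5efe:10.0.0.2); an assumption, not read from UAG.
ISATAP_SUBNET_ID = 0x8000
LAB_HOSTS = {"DC1": "10.0.0.1", "UAG1": "10.0.0.2", "APP1": "10.0.0.3"}  # this lab's IPv4 plan


def sixto4_prefix(first_internet_v4):
    """6to4 /48 prefix 2002:WWXX:YYZZ::/48 built from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(first_internet_v4)
    if v4.is_private:
        raise ValueError(f"{v4} is private; a 6to4 prefix needs a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_adapter_address(first_internet_v4):
    """6to4 adapter address: the /48 prefix with the same IPv4 in the low 32 bits."""
    v4 = ipaddress.IPv4Address(first_internet_v4)
    return sixto4_prefix(first_internet_v4).network_address + int(v4)


def isatap_address(first_internet_v4, internal_v4, subnet_id=ISATAP_SUBNET_ID):
    """ISATAP address of an intranet host under the 6to4-derived prefix."""
    v4 = ipaddress.IPv4Address(internal_v4)
    # RFC 5214 interface ID: 0000:5efe:<IPv4> for a private IPv4 address,
    # 0200:5efe:<IPv4> for a globally unique one.
    iid_high = 0x00005EFE if v4.is_private else 0x02005EFE
    base = sixto4_prefix(first_internet_v4).network_address
    return base + ((subnet_id << 64) | (iid_high << 32) | int(v4))


def ipconfig_form(addr):
    """Render the last 32 bits in dotted decimal, the way ipconfig shows ISATAP."""
    hextets = addr.exploded.split(":")[:6]
    v4 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return ":".join(h.lstrip("0") or "0" for h in hextets) + ":" + str(v4)


def is_isatap_for(reply_address, internal_v4):
    """True if a ping reply came from an ISATAP address embedding internal_v4."""
    addr = ipaddress.IPv6Address(reply_address.split("%")[0])  # drop any zone ID
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    return ((iid >> 32) in (0x00005EFE, 0x02005EFE)
            and (iid & 0xFFFFFFFF) == int(ipaddress.IPv4Address(internal_v4)))


def expected_isatap_table(first_internet_v4, hosts):
    """Map each host name to the ISATAP address DNS should hold for it."""
    return {name: isatap_address(first_internet_v4, v4) for name, v4 in hosts.items()}


if __name__ == "__main__":
    print("6to4 prefix :", sixto4_prefix("131.107.0.2"))
    print("6to4 adapter:", sixto4_adapter_address("131.107.0.2"))
    for name, addr in expected_isatap_table("131.107.0.2", LAB_HOSTS).items():
        # The DNS console shows the hex form; ipconfig shows the dotted form.
        print(f"{name}: DNS {addr}  ipconfig {ipconfig_form(addr)}")
```
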

Next Steps

Step 5: Configure CLIENT1