Its been noticed on several Direct access deployments that the Client IPHTTPS interface gets connected first over the Teredo interface although nothing is preventing the Teredo interface to get activated. Most of the clients won’t prefer the IPHTTPS because of its high overhead and low performance compared to Teredo or 6to4. After some investigation and consulting Microsoft esclation engineers it turned out that its a well known issue on several clients where the Teredo and IPHTTPS race together and IPHTTPS wins at the end due to timing issues. This is elaborated in details on the following Microsoft Technet article http://technet.microsoft.com/en-us/library/ee844161(WS.10).aspx
As per that attached below image extracted from the above mentioned article that this issue can occur and IPHTTPS will win and get qualified first.
To test whether my client is in this condition, i ran IPCONFIG /ALL on my client machine and i noticed that i have public addresses on both my Teredo and IPHTTPS interface as per attached.
To make sure you are using always Teredo you can implement one of the following workarounds:
- Disable IPHTTPSinterface from the Device Manager – View Hidden devices – Network adapters (unless you need IPHTTPS in locations where Teredo UDP port is blocked)
- After logging and connecting using the IPHTTPS, Restart the “IP Helper” Service.
For more information about this issue please check Tom Shinder article http://blogs.technet.com/b/tomshinder/archive/2010/08/24/why-are-both-the-teredo-and-ip-https-interfaces-active.aspx
Also its recommended to patch the UAG/Direct Access server with the latest fixes related to Direct Access, the most recent updates/fixes are as follows:
http://support.microsoft.com/kb/2686921
http://support.microsoft.com/kb/2633127
http://support.microsoft.com/kb/2680464
ok now I have hundreds of clients and lot of them are connecting via IPHTTPS instead of Teredo even that there is nothing preventing them from using it. How to fix this in domain? Any GPO ideas?
I would suggest the following (Passed by this issue before and confirmed it with Microsoft Support team):
You need to open gpmc.msc on the domain controller and perform the following steps.
1. Highlight the “UAG Direct Access : clients”
2. On the right pane, go to the settings tab.
3. View the administrative templates, go to the policy definition which says Network/TCPIP Settings/IPv6 transition technologies.
4. Right click the policy which says “IP-HTTPS state” and click on edit
5. Expand computer configuration Policies Administrative templates Network TCPIP settings IPv6 transition technologies Edit the policy IP-HTTPS state
6. Select the “Select state from the following options” under the Options window. Select the state as Disabled.