DirectAccess with Teredo Protocol requires ICMP traffic to be allowed

With Microsoft DirectAccess (DA) there are three IPv6 transition protocols a client can use: 6to4 and Teredo are the primary ones, and IP-HTTPS is the fallback if both primary protocols fail or are not configured correctly (6to4 is attempted before Teredo). One thing that is different with the Teredo protocol is that the DirectAccess server sends a one-time Ping (ICMP Echo Request) to any DA-published internal address that the DirectAccess client is trying to connect to (link).

Example of this with Netscaler Load Balancing:
In a real-life case, a customer was load balancing internal websites on a Netscaler and wanted these websites to be accessible through DA. It did not work, and the reason was unknown until we discovered the ICMP requirement and added an exception for it on the Netscaler. By default, when we configure a Netscaler we set it up to block most ICMP traffic (http://shouldiblockicmp.com/).

Below is an example Access Control List (ACL) on Netscaler that allows ICMP traffic from the DA server (by default a Netscaler has no ACLs configured and allows all traffic, in which case this is not needed). Replace "192.168.50.55" with the IP of your DA server, and make sure the ACL priority is a lower value than your Deny ACLs (if you have any), since a lower value is evaluated first.
add ns acl A-DA-ANY_ICMP ALLOW -sourceIP = 192.168.50.55 -protocol ICMP -priority 100
apply ns acls

The ICMP message is of Type 8, Code 0 (Echo Request), which you can specify in the ACL if you want to create a more specific rule. Picture taken from a Wireshark trace:

If you are not fronting your internal servers with a load balancer (such as Netscaler) and you rely on Windows Firewall on the internal hosts themselves, you might need to allow this ICMP traffic in Windows Firewall on those hosts.
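As an added example (not from the original post), the following PowerShell creates a Windows Firewall rule on an internal host that allows only the ICMPv4 Echo Request (Type 8) the post describes, and only from the DA server's address, then reads the rule back to verify the scope. The IP 192.168.50.55 is the placeholder from the post; the rule name and the Domain-profile choice are my assumptions.

```powershell
# Added example (not from the original post): allow the DirectAccess server's
# one-time ICMPv4 Echo Request (Type 8, Code 0) through Windows Firewall on an
# internal host, scoped to the DA server address only. Run as Administrator.

$DaServerIp = '192.168.50.55'                 # placeholder: your DA server's internal IP
$RuleName   = 'DirectAccess-Teredo-ICMP-Echo-In'   # assumed name, pick your own

# Create the rule only once so re-running the script is safe.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Allow ICMPv4 Echo Request (Type 8) from the DirectAccess server only' `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $DaServerIp `
        -Profile Domain `
        -Action Allow `
        -Enabled True | Out-Null
}

# Verify what was actually applied: protocol, ICMP type and remote address scope.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        Protocol      = $port.Protocol
        IcmpType      = $port.IcmpType
        RemoteAddress = $addr.RemoteAddress
    }
}
```

Scoping the rule to the DA server's address keeps the "allow ping" exception narrow; the read-back at the end is there so you can confirm the rule did not silently end up with RemoteAddress "Any".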

Is Teredo used in my environment/scenario?
One way to check whether Teredo is being utilized in your DA setup is to log on to your DA server and run the command below. If a Teredo interface is showing, it is at least configured, and you can then check how much traffic, if any, is being passed through it ('Bytes In', 'Bytes Out'). As we see in this picture, Teredo is being utilized.
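As an added example (not the post's own command), here is a small PowerShell check that reports the Teredo state on the DA server and pulls the byte counters of the Teredo tunnel interface. It assumes the NetworkTransition cmdlets (Windows Server 2012 and later) and the English column layout of `netsh interface ipv6 show subinterfaces` (MTU, MediaSenseState, Bytes In, Bytes Out, Interface).

```powershell
# Added example (not the original post's command): is Teredo configured on this
# DirectAccess server, and is it actually carrying traffic?
# Assumes Windows Server 2012+ and English netsh output.

# 1. Teredo type and live state from the NetworkTransition module.
$teredo = Get-NetTeredoState
Write-Host "Teredo type : $($teredo.Type)"
Write-Host "Teredo state: $($teredo.State)"

# 2. Per-interface byte counters; the Teredo tunnel appears here when configured.
$teredoLine = netsh interface ipv6 show subinterfaces | Select-String -Pattern 'Teredo'
if (-not $teredoLine) {
    Write-Host 'No Teredo interface found: Teredo is not configured on this server.'
    return
}

# Split the row on runs of two or more spaces so the interface name (which
# contains single spaces) stays in one field.
$fields   = ($teredoLine.Line.Trim() -replace '\s{2,}', '|') -split '\|'
$bytesIn  = [int64]$fields[2]   # 'Bytes In' column
$bytesOut = [int64]$fields[3]   # 'Bytes Out' column
Write-Host ('Interface: {0}  BytesIn={1}  BytesOut={2}' -f $fields[4], $bytesIn, $bytesOut)

if ($bytesIn -gt 0 -or $bytesOut -gt 0) {
    Write-Host 'Teredo is configured and passing traffic: the ICMP requirement applies to your internal hosts.'
} else {
    Write-Host 'Teredo is configured but idle so far; re-check during normal client activity.'
}
```

Non-zero counters on the Teredo interface are the practical signal that clients are actually using Teredo, which is when the ICMP exception described above matters.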

Disabling 6to4 or Teredo can be done either on the DA server or on the DA clients, by disabling the relevant network interface (Teredo, for example), or by preventing DA clients from using specific protocols through the DirectAccess GPO settings (see the link further down).

To get a better understanding of the three protocols available with DirectAccess, and their advantages and disadvantages, I recommend the blog posts below:
Richard Hicks: DirectAccess IPv6 Transition Protocols Explained
Richard Hicks: Disable 6to4 IPv6 Transition Protocol for DirectAccess Clients
Microsoft Technet: DirectAccess and Teredo Adapter Behaviour

If you have any questions or feedback on the content above, feel free to email me at rasmus.kindberg@xenit.se.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.