Thursday, October 7, 2010

DirectAccess - UAG - 2003 File Cluster Access

At a customer who has deployed DA, we ran into a strange problem.
DA clients were suddenly disconnected from a network share on a Windows 2003 file cluster.
This could happen only seconds after they connected: the mapped network drive got a red cross. When they then accessed the drive, they either got an error saying it could not connect, or it connected as normal. If the error was thrown, they tried again and got connected.

After a lot of troubleshooting the explanation was found. When one user is connected to the file share over DA everything is OK; when a second user connects to the same share, the new connection resets the old one. This is because the UAG server uses NAT64: the UAG server terminates the DA (IPv6) sessions and translates them to IPv4, so every DA client reaches the file server from the same IPv4 source address. More info here: http://blogs.technet.com/b/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx.

If the file server had been Windows 2008 this would not have been an issue, since DA would not need NAT64 and IPv6 could have been used for the entire session.

Because of NAT64 the UAG server needs to create a separate session for each DA user to the 2003 file cluster share, all from one source address. This is not supported in SMB1 (see KB 301673: http://support.microsoft.com/kb/301673), but it is supported in SMB2.
Microsoft gives you two options: block port 445 and use NetBIOS, or upgrade the file cluster to 2008, which supports SMB2.
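To make the failure mode concrete, here is a small model of the situation, added to this post as an illustration (it is not code from the original post, from Microsoft, or from UAG). It builds constructed SMB1 SessionSetupAndX and SMB2 SESSION_SETUP requests, parses the VcNumber out of the SMB1 one, and runs two toy file servers: an SMB1 server that identifies a client by its source IP and tears down that client's other virtual circuits when a session setup with VcNumber 0 arrives (the mechanism assumed here for the 2003 behaviour, taken from the CIFS session-setup semantics rather than from the post), and an SMB2 server that keys sessions by SessionId. The UAG address, the DA client addresses and the user names are made up.

```python
import struct
from dataclasses import dataclass, field

# Constructed packets and a toy server model; this is not a real SMB implementation.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73   # SMB1 command code
SMB2_SESSION_SETUP = 0x0001         # SMB2 command code


def build_smb1_session_setup(vc_number):
    """Minimal NT LM 0.12 SMB_COM_SESSION_SETUP_ANDX request (constructed, no auth blob)."""
    header = SMB1_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 27  # 32-byte SMB1 header
    # 13 parameter words: AndXCommand, AndXReserved, AndXOffset, MaxBufferSize, MaxMpxCount,
    # VcNumber, SessionKey, CaseInsensitivePasswordLength, CaseSensitivePasswordLength,
    # Reserved, Capabilities
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, vc_number, 0, 0, 0, 0, 0)
    return header + bytes([13]) + params + struct.pack("<H", 0)  # WordCount, words, ByteCount=0


def build_smb2_session_setup():
    """Minimal 64-byte SMB2 header for a SESSION_SETUP request (constructed, SessionId 0)."""
    # StructureSize, CreditCharge, Status, Command, CreditRequest, Flags, NextCommand, MessageId,
    # then Reserved(4), TreeId(4), SessionId(8), Signature(16) as zeros
    return SMB2_MAGIC + struct.pack("<HHIHHIIQ", 64, 0, 0, SMB2_SESSION_SETUP, 0, 0, 0, 0) + b"\x00" * 32


def parse_session_setup(pkt):
    """Return ("smb1", VcNumber) or ("smb2", None) for a session-setup request."""
    if pkt[:4] == SMB1_MAGIC:
        if pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
            raise ValueError("not SessionSetupAndX")
        word_count = pkt[32]
        params = pkt[33:33 + 2 * word_count]
        return "smb1", struct.unpack_from("<H", params, 8)[0]  # VcNumber is the 5th field, offset 8
    if pkt[:4] == SMB2_MAGIC:
        command = struct.unpack_from("<H", pkt, 12)[0]         # Command follows magic+size+charge+status
        if command != SMB2_SESSION_SETUP:
            raise ValueError("not SMB2 SESSION_SETUP")
        return "smb2", None
    raise ValueError("unknown SMB signature")


@dataclass
class Smb1FileServer:
    """2003-style SMB1 server (assumed model): the client is identified by source IP, and a
    session setup with VcNumber 0 tears down every other circuit held for that client."""
    sessions: dict = field(default_factory=dict)  # source IP -> set of session names

    def session_setup(self, source_ip, session_name, pkt):
        proto, vc = parse_session_setup(pkt)
        if proto != "smb1":
            raise ValueError("SMB1 server got a non-SMB1 request")
        dropped = self.sessions.pop(source_ip, set()) if vc == 0 else set()
        self.sessions.setdefault(source_ip, set()).add(session_name)
        return dropped  # the existing sessions this setup killed


@dataclass
class Smb2FileServer:
    """2008-style SMB2 server (assumed model): sessions live under their own SessionId,
    so the source address plays no role in session identity."""
    sessions: dict = field(default_factory=dict)  # session name -> source IP

    def session_setup(self, source_ip, session_name, pkt):
        proto, _ = parse_session_setup(pkt)
        if proto != "smb2":
            raise ValueError("SMB2 server got a non-SMB2 request")
        self.sessions[session_name] = source_ip
        return set()


UAG_IPV4 = "10.0.0.5"  # assumed IPv4 address the UAG NAT64 uses towards the file server
DA_CLIENTS = {"alice": "2001:db8::a", "bob": "2001:db8::b"}  # constructed DA client IPv6 addresses


def connect_all(server, pkt_builder, nat64):
    """Each DA user opens a fresh share connection (a new first circuit, VcNumber 0 for SMB1).
    With NAT64 the file server sees every user behind the UAG's single IPv4 address."""
    disconnected = set()
    for user, ipv6 in DA_CLIENTS.items():
        seen_ip = UAG_IPV4 if nat64 else ipv6
        disconnected |= server.session_setup(seen_ip, user, pkt_builder())
    return disconnected


def run_scenarios():
    """Map scenario name -> set of users whose share connection got reset."""
    smb1_first_circuit = lambda: build_smb1_session_setup(0)
    return {
        "2003 SMB1 via NAT64": connect_all(Smb1FileServer(), smb1_first_circuit, nat64=True),
        "SMB1, distinct source addresses": connect_all(Smb1FileServer(), smb1_first_circuit, nat64=False),
        "2008 SMB2 via NAT64": connect_all(Smb2FileServer(), build_smb2_session_setup, nat64=True),
    }


if __name__ == "__main__":
    for name, dropped in run_scenarios().items():
        print(f"{name}: reset sessions = {sorted(dropped) or 'none'}")
```

In the first scenario bob's session setup arrives from the same IPv4 address as alice's and carries VcNumber 0, so alice's circuit is torn down; that is the red cross on the mapped drive. The other two scenarios show the two things that remove the problem: distinct source addresses (IPv6 end to end, no NAT64) or a server that keys sessions by SessionId (SMB2).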


*************UPDATE*****************
Microsoft has confirmed this issue and is working on a hotfix, KB2444558, that will fix it.

This issue can also affect authentication between DA clients and 2003 domain controllers, since that also uses SMB.
The expected release date is week 48.
*******************************************
