Here is the issue we encountered with VSE patch 4 and DirectAccess. Note: this problem we had is only with "Manage Out" or "Inside Out" functionality (using ISATAP on the internal IPv4 network to connect over the IPv6 over HTTPS tunnel to the DirectAccess client in the public IPv4 network).
From: MB McAfee SR Update [mailto:support_reply@McAfee.com]
Sent: Thursday, April 23, 2015 4:15 PM
To: Perkins, George
Subject: RE: McAfee Support Notification - SR #<4-9138087690> has been updated
I'm glad to hear that the test with VSE 8.8 P2, then P4 worked. Now we know it is the issue addressed by Patch 5. As far as the differences in Patch 4, the previous versions, and now Patch 5, they are as follows.
The underlying problem we are aware of is that Patch 4 (fresh install) causes an issue for IPSec due to how the product registers with the ALE_AUTH_RECV_ACCEPT layer.
The registration change between Repost 2 and Repost 3/4 is because Microsoft published conflicting guidelines on how to register in the ALE layer of WFP, resulting in the issue we're seeing. This is addressed in Patch 5.
Patch 3 supported only Windows 6.2. You would have been running Patch 2 on Windows 6.1 (and previous) nodes. The problem doesn’t occur on your Windows 6.1 nodes because the ALE layer registration wasn't changed until Patch 4.
So, if you go from Repost 2 to Patch 4, everything should be fine because the older method of ALE registration will continue forward into Patch 4. It is the Repost 4 where the Microsoft conflict is noticed because when Repost 4 makes the initial registration, it does so using the registration process based on Microsoft’s flawed documentation.
So far as I know, the ALE layer registration issue was the only networking issue we were seeing with VSE. I have not seen any issues with IPv6 specifically.
Patch 4 is the supported version of VSE you should be using for all deployments, Windows 2000 through 8.1. You can download the patch only and repost install package both from https://secure.mcafee.com/apps/downloads/my-products/login.aspx using your grant number. The Patch 2 repost and Patch 4 update would have to be used for the issue you experienced, or you may choose to use Patch 5, which was just released to Support. The Patch 2 repost I provided you was the official version, but is no longer available for download online.
Interesting; we don't really do manage out as it is not supported in our configuration. (Multi-site, NAT'd & load balanced, without native IPv6 internally).
Technically we could use ISATAP, manually setting our local ISATAP router as required to connect to specific DA clients; or use a smart ISATAP router that can direct to the correct DA server based on target IPv6 address. But both of those are not supported by MS.
In saying that though, I do occasionally do remote support to DA clients via SCCM Remote; but it's quite cumbersome. I have to check which DA server the client is connected on (can tell by the IPv6 address, or just picking a DA server at random then checking the DA console), RDP to that DA server & run SCCM remote on the DA server, then enter the client's IPv6 address...
We've not had any trouble with this caused by VSE; wonder if it's because we're doing it directly from the DA server & not via ISATAP.