By default, the Forefront UAG DirectAccess Configuration Wizard creates Group Policy objects for DirectAccess clients and servers when:

These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of intranet resources, but they also introduce the following security risks:

To prevent these possible security issues, you can modify some default configuration settings, as follows:

  1. Configure the global IPsec settings for the Group Policy object for DirectAccess clients to not exempt ICMP traffic from IPsec protection (on the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).

  2. Configure the global IPsec settings for the Group Policy object for the Forefront UAG DirectAccess server to not exempt ICMP traffic from IPsec protection (on the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).

  3. For the Group Policy object for the Forefront UAG DirectAccess server, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled from the Forefront UAG DirectAccess server.

  4. For the Group Policy object for DirectAccess clients, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled to the Forefront UAG DirectAccess server.
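The four Group Policy changes above, applied from an administrative workstation with the NetSecurity and Group Policy Management (RSAT) tools, as an added example that is not part of the original Forefront UAG documentation. The domain name, the two GPO names and the server's intranet IPv6 addresses are assumptions for illustration; substitute the GPO names the Forefront UAG DirectAccess Configuration Wizard created in your forest. The `-PolicyStore` form of these cmdlets edits the domain GPO directly, so nothing takes effect on a computer until it refreshes Group Policy.

```powershell
# Added example, not the page's or Microsoft's code. Requires Windows 8 /
# Windows Server 2012 or later with the NetSecurity module and RSAT installed,
# run by an account that can edit both DirectAccess GPOs.

$Domain     = 'corp.example.com'                     # assumed domain
$ClientGpo  = "$Domain\DirectAccess Clients"         # assumed name of the client GPO
$ServerGpo  = "$Domain\DirectAccess Server"          # assumed name of the UAG server GPO
$ServerIPv6 = @('2001:db8:1::1', '2001:db8:1::2')    # assumed intranet IPv6 addresses of the UAG server
$RuleName   = 'DirectAccess - ICMPv6 exemption (tunneled)'

# Steps 1 and 2: remove the ICMP exemption from the global IPsec settings of
# both GPOs. Neighbor Discovery and DHCP stay exempt; only Icmp is dropped
# from the exemption set, which is what "Exempt ICMP from IPsec: No" does
# on the IPsec Settings tab.
foreach ($store in $ClientGpo, $ServerGpo) {
    Set-NetFirewallSetting -PolicyStore $store -Exemptions 'NeighborDiscovery,Dhcp'
}

# Step 3: server GPO. An authentication exemption (InboundSecurity and
# OutboundSecurity both None) for ICMPv6 leaving the server's own addresses.
New-NetIPsecRule -PolicyStore $ServerGpo -DisplayName $RuleName `
    -Protocol ICMPv6 -LocalAddress $ServerIPv6 -RemoteAddress Any `
    -InboundSecurity None -OutboundSecurity None

# Step 4: client GPO. The mirror rule: ICMPv6 from any client address to the
# server's addresses only, so ICMPv6 to other intranet hosts still needs IPsec.
New-NetIPsecRule -PolicyStore $ClientGpo -DisplayName $RuleName `
    -Protocol ICMPv6 -LocalAddress Any -RemoteAddress $ServerIPv6 `
    -InboundSecurity None -OutboundSecurity None

# Check: ICMP must be absent from the exemptions, and each GPO must carry
# exactly one exemption rule for ICMPv6.
foreach ($store in $ClientGpo, $ServerGpo) {
    $exemptions = (Get-NetFirewallSetting -PolicyStore $store).Exemptions
    if ("$exemptions" -match 'Icmp') { throw "$store still exempts ICMP from IPsec" }
    $rules = @(Get-NetIPsecRule -PolicyStore $store -DisplayName $RuleName)
    if ($rules.Count -ne 1) { throw "$store has $($rules.Count) '$RuleName' rules, expected 1" }
    "$store : IPsec exemptions = $exemptions; exemption rule present"
}
```

After the affected computers run `gpupdate /force`, `Get-NetFirewallSetting` with no `-PolicyStore` on a client shows the effective exemptions, and `Get-NetIPsecRule -PolicyStore ActiveStore` lists the merged rule set so you can confirm the exemption rule arrived alongside the tunnel rules the wizard created.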

With these modifications:

Although these modifications address the security issues of the default configuration, they also mean that Teredo discovery messages can no longer pass through the Forefront UAG DirectAccess server, so DirectAccess clients cannot use Teredo as a connectivity method. If you make these changes, you must also do the following:

  1. Disable Teredo client functionality on your DirectAccess clients.

    From the Group Policy object for DirectAccess clients, set Computer Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition Technologies\Teredo State to Disabled.

  2. Disable Teredo server and relay functionality on your Forefront UAG DirectAccess server.

    Type the netsh interface teredo set state disabled command from an administrator-level command prompt on your Forefront UAG DirectAccess server.

  3. Configure your Internet firewall to block UDP port 3544 traffic to and from the Forefront UAG DirectAccess server. If you previously added a port exemption for Teredo traffic, remove it.
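Steps 1 and 2 of this follow-up procedure scripted in PowerShell, with checks that Teredo is really off, as an added example that is not part of the original Forefront UAG documentation. The client GPO name is an assumption; the registry key and value are the ones the Teredo State administrative template writes. Step 3 is done on the Internet firewall and is not scriptable from here, so the script only confirms that the server no longer listens on UDP 3544.

```powershell
# Added example, not the page's or Microsoft's code. The GPO step needs the
# GroupPolicy module (RSAT); the netsh steps run on the UAG server itself.

$ClientGpoName = 'DirectAccess Clients'   # assumed name of the wizard-created client GPO

# Step 1: Teredo State = Disabled in the client GPO. This is the registry
# value behind Computer Configuration\Administrative Templates\Networking\
# TCPIP Settings\IPv6 Transition Technologies\Teredo State.
Set-GPRegistryValue -Name $ClientGpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition' `
    -ValueName 'Teredo_State' -Type String -Value 'Disabled'

# Step 2: on the UAG server, turn off Teredo server and relay functionality,
# then read the state back rather than trusting the exit code.
netsh interface teredo set state disabled
$teredo = (netsh interface teredo show state) -join "`n"
if ($teredo -notmatch 'Type\s*:\s*disabled') {
    throw "Teredo is still configured on this server:`n$teredo"
}

# Step 3 is applied on the Internet firewall. As a local check, confirm that no
# process still has a UDP listener on the Teredo server port 3544.
$listener = netstat -ano -p UDP | Select-String ':3544\s'
if ($listener) {
    throw "Something still listens on UDP 3544:`n$listener"
}
'Teredo disabled: policy set, server state disabled, no UDP 3544 listener'
```

On a client that has refreshed Group Policy, `netsh interface teredo show state` should likewise report a type of disabled, and `netsh interface ipv6 show interfaces` should no longer list a Teredo tunneling pseudo-interface with an address; if it does, the client has not picked up the GPO yet.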

Without Teredo connectivity, DirectAccess clients that are located behind network address translation (NAT) devices fall back to IP-HTTPS for IPv6 connectivity to the Forefront UAG DirectAccess server. Be aware that IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections, because each IPv6 packet is carried inside an HTTPS session in addition to its IPsec protection.