This topic describes how to choose an intranet IPv6 connectivity design.
The following types of IPv6 infrastructure may be available on your intranet:
- No existing IPv6 infrastructure
- An existing ISATAP-based IPv6 infrastructure
- A native IPv6 infrastructure
In each of these scenarios, you must ensure that the IPv6 routing infrastructure can forward packets between DirectAccess clients and intranet resources.
No existing IPv6 infrastructure
This is currently the most common situation. When the Forefront UAG DirectAccess Configuration Wizard detects that the Forefront UAG DirectAccess server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 49-bit prefix for the intranet, configures the Forefront UAG DirectAccess server as an ISATAP router, and moves to the next step of the Forefront UAG DirectAccess Configuration Wizard.
ISATAP, defined in RFC 4214, is an IPv6 transition technology that provides IPv6 connectivity between IPv6/IPv4 hosts across an IPv4-only intranet. ISATAP can be used for Forefront UAG DirectAccess to provide IPv6 connectivity to ISATAP hosts across your intranet. For more information on ISATAP, see IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?LinkId=154382).
Windows-based ISATAP hosts that can resolve the name ISATAP perform address autoconfiguration with the Forefront UAG DirectAccess server, which results in the automatic configuration of the following:
- An ISATAP-based IPv6 address on an ISATAP tunneling interface.
- A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.
- A default IPv6 route that points to the Forefront UAG DirectAccess server.
Note: The default IPv6 route ensures that intranet ISATAP hosts can reach DirectAccess clients.
When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for the entire intranet, your communication changes from a segmented, multi-subnet IPv4 model to a flat, single-subnet IPv6 model. This can affect the behavior of Active Directory Domain Services (AD DS) and of other applications that rely on your Active Directory Sites and Services configuration. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers within sites, this configuration is not used by ISATAP hosts.
To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, for each IPv4 subnet object, you must configure an equivalent IPv6 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet. For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:8000::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:8000:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the example), you can determine the corresponding IPv6 prefix length from the formula: 96 + IPv4PrefixLength.
For the IPv6 addresses of DirectAccess clients, add the following:
- An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address of the Forefront UAG DirectAccess server. This IPv6 prefix is for Teredo-based DirectAccess clients.
- An IPv6 subnet for the range 2002:WWXX:YYZZ:8100::/56, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address (w.x.y.z) of the Forefront UAG DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.
- A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z.
For example, the 7.0.0.0/8 range is administered by American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv4 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry (http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based DirectAccess clients.
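The following added example (not part of the original documentation) computes the IPv6 subnet objects described above: the ISATAP equivalent of an IPv4 subnet (96 + IPv4PrefixLength) and the Teredo, IP-HTTPS, and 6to4 client prefixes. The function names are hypothetical, and the server address 131.107.0.1 is an assumed sample value, chosen because it is the IPv4 address embedded in the page's example prefix 2002:836b:1:8000::/64.

```python
import ipaddress

ISATAP_MARKER = 0x00005EFE  # the 0:5efe groups that precede the embedded IPv4 address


def isatap_subnet(ipv4_subnet, isatap_prefix64):
    """IPv6 subnet object covering the same ISATAP hosts as an IPv4 subnet."""
    v4 = ipaddress.IPv4Network(ipv4_subnet)
    p64 = ipaddress.IPv6Network(isatap_prefix64)
    if p64.prefixlen != 64:
        raise ValueError("the ISATAP address prefix must be 64 bits long")
    base = int(p64.network_address) | (ISATAP_MARKER << 32) | int(v4.network_address)
    # Prefix length rule from the text: 96 + IPv4PrefixLength
    return ipaddress.IPv6Network((base, 96 + v4.prefixlen))


def sixto4_prefix(ipv4_prefix):
    """2002:WWXX:YYZZ::/[16+n] for a public IPv4 prefix w.x.y.z/n."""
    v4 = ipaddress.IPv4Network(ipv4_prefix)
    base = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((base, 16 + v4.prefixlen))


def teredo_client_subnet(first_internet_ipv4):
    """2001:0:WWXX:YYZZ::/64 for Teredo-based DirectAccess clients."""
    v4 = int(ipaddress.IPv4Address(first_internet_ipv4))
    return ipaddress.IPv6Network(((0x2001 << 112) | (v4 << 64), 64))


def iphttps_client_subnet(first_internet_ipv4):
    """2002:WWXX:YYZZ:8100::/56 for IP-HTTPS-based DirectAccess clients."""
    v4 = int(ipaddress.IPv4Address(first_internet_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80) | (0x8100 << 64), 56))


if __name__ == "__main__":
    server = "131.107.0.1"  # assumed sample First Internet-facing IPv4 address
    print("ISATAP  :", isatap_subnet("192.168.99.0/24", "2002:836b:1:8000::/64"))
    print("Teredo  :", teredo_client_subnet(server))
    print("IP-HTTPS:", iphttps_client_subnet(server))
    print("6to4    :", sixto4_prefix("7.0.0.0/8"))
```

Python prints the embedded IPv4 address in hexadecimal, so 2002:836b:1:8000:0:5efe:192.168.99.0/120 appears as 2002:836b:1:8000:0:5efe:c0a8:6300/120; both notations denote the same prefix.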
An existing ISATAP-based IPv6 infrastructure
If you have an existing ISATAP infrastructure, the Forefront UAG DirectAccess Configuration Wizard prompts you for the 48-bit prefix of the organization and does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Forefront UAG DirectAccess server. For more information on how to configure an existing ISATAP deployment, see Assigning IP addresses to the server interfaces.
A native IPv6 infrastructure
If you have an existing native IPv6 infrastructure, the Forefront UAG DirectAccess Configuration Wizard prompts you for the 48-bit prefix of the organization, and does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing so that default route traffic is forwarded to the Forefront UAG DirectAccess server.
If your intranet IPv6 address space is using something other than a single 48-bit IPv6 address prefix, you must enter the relevant organization IPv6 prefix in the Configuring IPv6 prefix addresses page of the Forefront UAG DirectAccess Configuration Wizard, or modify the UAGDA_PREFIX_CORP parameter in the script generated at the end of the Forefront UAG DirectAccess Configuration Wizard, and run the new script.
If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the Forefront UAG DirectAccess server, and then configure the appropriate connections and routes on the Forefront UAG DirectAccess server, so that the default route traffic is forwarded to the device that is connected to the IPv6 Internet.
Note: If you already have some native IPv6 segments in your organization, and the Forefront UAG DirectAccess server has no native IPv6 connectivity to the IPv6 cloud, an ISATAP router should not be deployed on the Forefront UAG DirectAccess server. For more information, see Assigning IP addresses to the server interfaces.