Some organizations use an additional intranet firewall between the perimeter network and the intranet to filter malicious traffic that gets past the Internet firewall and perimeter network servers. If you use an intranet firewall and the Forefront UAG DirectAccess server is on the IPv4 Internet, you must configure the following additional packet filters:
- All IPv4 and IPv6 traffic to and from the Forefront UAG DirectAccess server—The Forefront UAG DirectAccess server must reach and be reachable by Active Directory domain controllers, management servers, and other intranet resources. You can begin with this initial filter, and then refine the filter over time to allow the subset of traffic needed by the Forefront UAG DirectAccess server.
- Protocol 41 inbound and outbound—ISATAP encapsulates IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload. Use this packet filter if you are using ISATAP to send IPv6 traffic across your IPv4-only intranet.
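The following added example (not part of the original documentation or of Forefront UAG) shows how the two filters above map onto IPv4 header fields, which helps when reading a capture to see why the intranet firewall passed or dropped a packet. The server address `192.0.2.10`, the filter labels, the sample packets, and the malformed-payload check are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 Protocol field value that marks an IPv6 packet payload
DA_SERVER = ipaddress.ip_address("192.0.2.10")  # assumed address, not from the page

def build_ipv4(src, dst, proto, payload=b""):
    """Construct a sample IPv4 packet (checksum left at 0; it is not checked here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

def build_ipv6_header(src, dst):
    """Construct a bare 40-byte IPv6 header (next header 59 = no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def matched_filters(packet):
    """Return the labels of the packet filters that this IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    matches = []
    if DA_SERVER in (src, dst):            # filter 1: to or from the server
        matches.append("directaccess-server")
    if packet[9] == PROTO_41:              # filter 2: byte 9 is the Protocol field
        payload = packet[ihl:]
        # Extra sanity check (an addition, not a documented filter): the
        # payload should begin with an IPv6 header, whose version nibble is 6.
        ok = len(payload) >= 40 and payload[0] >> 4 == 6
        matches.append("protocol-41" if ok else "protocol-41-malformed")
    return matches

# Constructed sample packets using documentation address ranges
INNER = build_ipv6_header("2001:db8::1", "2001:db8::2")
ISATAP_PKT = build_ipv4("198.51.100.20", "198.51.100.30", PROTO_41, INNER)
DA_PKT = build_ipv4("192.0.2.10", "198.51.100.20", 6)
OTHER_PKT = build_ipv4("203.0.113.7", "198.51.100.20", 17)
BAD_41_PKT = build_ipv4("198.51.100.20", "198.51.100.30", PROTO_41, b"\x45" + b"\x00" * 39)

if __name__ == "__main__":
    for name, pkt in [("isatap", ISATAP_PKT), ("da", DA_PKT),
                      ("other", OTHER_PKT), ("bad41", BAD_41_PKT)]:
        print(name, matched_filters(pkt) or "no filter matched")
```

A packet that matches neither label would be dropped by a firewall carrying only these two filters.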