This topic describes the options for enabling IPv4-only resources for DirectAccess clients, and describes how DirectAccess clients access IPv4-only intranet resources.
A DirectAccess client sends IPv6-only traffic to the Forefront UAG DirectAccess server. When a DirectAccess client sends a DNS name query across the infrastructure tunnel to the IPv6 address of an intranet DNS server, it asks only for IPv6 (AAAA) records. IPv4-only applications on the DirectAccess client cannot send IPv4 traffic across the Forefront UAG DirectAccess intranet tunnel at all. The same DirectAccess client, when directly connected to the intranet, sends DNS name queries to intranet DNS servers and requests both IPv4 (A) and IPv6 (AAAA) records. For an IPv4-only server application, the intranet DNS servers return IPv4 records, and the client application uses IPv4 for communication.
The result is that an IPv6-capable client application on a DirectAccess client can use IPv4 to reach an IPv4-only server application while connected to the intranet, but by default cannot reach the same server application when connected to the Internet.
The following are solutions for providing connectivity for IPv6-capable applications on DirectAccess clients to IPv4-only intranet applications:
- Upgrade or update the IPv4-only intranet application to support IPv6. This might include updating the operating system of the server, updating the application running on the server, or both. This is the recommended solution. For built-in applications and system services on computers running Windows XP or Windows Server 2003, you must upgrade Windows XP to Windows Vista or Windows 7, and upgrade Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2.
- Use the integrated Network Address Translation 64 (NAT64) and DNS64 functionality provided on the Forefront UAG DirectAccess server. DNS64 performs IPv6-to-IPv4 DNS name resolution and NAT64 translates traffic between IPv6 and IPv4, for traffic between DirectAccess clients and IPv4-only intranet application servers. For a more detailed description of how NAT64 and DNS64 work, see How DirectAccess clients access IPv4-only intranet resources.
- Use a conventional remote access VPN connection on the DirectAccess client to reach the IPv4-only resource.
How DirectAccess clients access IPv4-only intranet resources
NAT64 and DNS64 provide DirectAccess clients with access to IPv4-only resources on the intranet as follows:
- The DirectAccess client sends a DNS name query to the DNS64 on the Forefront UAG DirectAccess server for the address of an application server. Because DirectAccess clients have only IPv6 connectivity to the Forefront UAG DirectAccess server, the DNS name query is an IPv6 (AAAA) request.
- When the DNS64 receives the name query, it sends two DNS name queries, an IPv4 (A) query and an IPv6 (AAAA) query, to the corporate DNS server configured on the Forefront UAG DirectAccess server.
- The DNS64 receives the responses from the corporate DNS server and decides which address to return to the DirectAccess client.
The responses can be as follows:
- When the DNS64 receives only an IPv6 address (AAAA record) from the corporate DNS server, the application server has IPv6 connectivity, and the IPv6 address is returned to the DirectAccess client unchanged.
- When the DNS64 receives only an IPv4 address (A record), the NAT64 acts as a bridge for the traffic. The DNS64 generates an IPv6 address by combining the NAT64 prefix configured in the Configuring IPv6 prefix addresses page of the Forefront UAG DirectAccess Configuration Wizard with the IPv4 address returned for the application server. This generated NAT64 IPv6 address is sent to the DirectAccess client.
- When the DNS64 receives both an IPv6 address (AAAA record) and an IPv4 address (A record), it returns only the IPv6 address to the DirectAccess client. This is a problem when the application server itself is IPv6-capable but the application running on it is IPv4-only: the client connects to the server's native IPv6 address, where the application is not listening, although it could have reached the application through the NAT64 IPv6 address. To force the DNS64 to return the NAT64-generated IPv6 address in the AAAA response, you can disable the IPv6 interface on the application server, or delete the application server's AAAA record from the corporate DNS so that the DNS64 receives only an IPv4 (A) record.
- The DirectAccess client now has an IPv6 address for the application server. Because all IPv6 addresses within the NAT64 prefix are routed to the Forefront UAG DirectAccess server, traffic to the NAT64-generated address arrives at the Forefront UAG DirectAccess server and is processed by the NAT64.
- When the NAT64 receives the packet, it extracts the IPv4 address embedded in the destination NAT64 IPv6 address, records a NAT mapping for the flow, and forwards the data with an IPv4 header to the application server. Because of the NAT translation, the packets carry the Forefront UAG DirectAccess server's internal IPv4 address as the source address. As a consequence, an IPv4-only application server sees all DirectAccess client connections as coming from the Forefront UAG DirectAccess server, so IPv4 firewall rules and application logs on that server cannot distinguish individual DirectAccess clients.
- The application server sends IPv4 response packets to the Forefront UAG DirectAccess server's internal IPv4 address. The NAT64 matches them against the mapping created by the DirectAccess client's initial packet, as described above, and translates them back to IPv6 for the client.