DirectAccess clients that are behind NAT devices on the Internet, use Teredo for IPv6 connectivity to the Forefront UAG DirectAccess server. The DirectAccess clients are Teredo clients to the Forefront UAG DirectAccess server, which acts as a Teredo server and relay. To ensure that a destination is reachable, Teredo clients send an ICMPv6 Echo Request message, and wait for an ICMPv6 Echo Reply message. For a Teredo-based DirectAccess client to communicate with an intranet resource, that resource must accept inbound ICMPv6 Echo Request messages. Thus, for DirectAccess clients to reach any location on the intranet, you must allow inbound ICMPv6 Echo Request messages on all of your intranet hosts.

If you are using Windows Firewall with Advanced Security to block unsolicited inbound traffic, you already have a set of inbound rules that allow the traffic from your management servers. Because DirectAccess clients located behind NAT devices will use Teredo for IPv6 connectivity to the Forefront UAG DirectAccess server, you must enable edge traversal on this set of inbound rules.

For a computer that is managed to be reachable over Teredo, ensure that the computer has an inbound rule for ICMPv6 Echo Request messages, with edge traversal enabled. The Netsh.exe command for this rule is as follows:

• netsh advfirewall firewall add rule name="Inbound ICMPv6 Echo Request with Edge traversal" protocol=icmpv6:128,any dir=in action=allow edge=yes profile=public,private