This topic provides the planning information required for Forefront Unified Access Gateway (UAG) DirectAccess client configuration and deployment.

Overview

The Forefront UAG DirectAccess server must be reachable from:

  • The IPv6 Internet and IPv6 intranet─Your organization has deployed native IPv6 connectivity and the Forefront UAG DirectAccess server is connected to the IPv6 Internet through an IPv6-capable ISP.

  • Internal IPv4 resources and IPv6 resources

Network configuration and address requirements for each scenario are summarized in the following table:

Adapter and routing requirements

For each scenario, the Internet adapter configuration, the internal adapter configuration, and the routing requirements are listed in that order.

IPv4 intranet and IPv4 Internet

Internet adapter

Configure the following:

  1. Two static, consecutive public IPv4 addresses with the appropriate subnet masks.

  2. A default gateway IPv4 address of your Internet firewall or local Internet service provider (ISP) router.

  3. A connection-specific Domain Name System (DNS) suffix that is different from your intranet namespace. In most cases, you can use the DNS suffix of your ISP.

Note the following:

  1. IPv4 addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.

  2. The Forefront UAG DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind.

Internal adapter

Configure the following:

  1. An IPv4 intranet address with the appropriate subnet mask.

  2. A connection-specific DNS suffix of your intranet namespace.

  3. Do not configure a default gateway on any intranet interfaces.

Routing requirements

To configure the Forefront UAG DirectAccess server to reach all subnets on the internal IPv4 network, do the following:

  1. List the IPv4 address spaces for all the locations on your intranet.

  2. Use the route add -p or netsh interface ipv4 add route commands to add the IPv4 address spaces as static routes in the IPv4 routing table of the Forefront UAG DirectAccess server.

IPv6 Internet and IPv6 intranet

Internet adapter

Configure the following:

  1. Use the autoconfigured address configuration provided by your ISP.

  2. Use the route print command to ensure that a default IPv6 route pointing to the ISP router exists in the IPv6 routing table.

  3. Manually configure a connection-specific DNS suffix that is different from your intranet namespace on the Internet interface. In most cases, you can use the DNS suffix of your ISP.

  4. Determine whether the ISP and intranet routers are using the default router preferences described in RFC 4191, and whether the ISP router advertises a higher default preference than your local intranet routers. If both of these are true, no other configuration for the default route is required. The higher preference for the ISP router ensures that the active default IPv6 route of the DirectAccess server points to the IPv6 Internet.

Because the Forefront UAG DirectAccess server is an IPv6 router, if you have a native IPv6 infrastructure, the Internet interface can also reach the domain controllers on the intranet. In this case, add packet filters to the domain controller in the perimeter network that prevent connectivity to the IPv6 address of the Internet-facing interface of the Forefront UAG DirectAccess server.

Internal adapter

Configure the following:

  1. If you are not using default preference levels, configure your intranet interfaces with the netsh interface ipv6 set interface InterfaceIndex ignoredefaultroutes=enabled command. This command ensures that additional default routes pointing to intranet routers will not be added to the IPv6 routing table. You can obtain the InterfaceIndex of your intranet interfaces from the display of the netsh interface show interface command.

Routing requirements

If you have an IPv6 intranet, to configure the Forefront UAG DirectAccess server to reach all of the IPv6 locations, do the following:

  1. List the IPv6 address spaces for all the locations on your intranet.

  2. Use the netsh interface ipv6 add route command to add the IPv6 address spaces as static routes in the IPv6 routing table of the DirectAccess server.

IPv6 Internet and IPv4 intranet

The Forefront UAG DirectAccess server forwards default IPv6 route traffic using the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a Forefront UAG DirectAccess server with the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet by using the following command: netsh interface ipv6 6to4 set relay name=192.88.99.1 state=enabled.

ISATAP requirements

The requirements for each type of ISATAP deployment are listed below.

Existing native IPv6 intranet

With an existing native IPv6 infrastructure, you specify the 48-bit prefix of the organization during DirectAccess deployment, and the Forefront UAG DirectAccess server does not configure itself as an ISATAP router. Do the following:

  1. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing so that default route traffic is forwarded to the Forefront UAG DirectAccess server. If your intranet IPv6 address space uses something other than a single 48-bit IPv6 address prefix, you must specify the relevant organization IPv6 prefix during DirectAccess deployment.

  2. If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the Forefront UAG DirectAccess server, and then configure the appropriate connections and routes on the Forefront UAG DirectAccess server, so that the default route traffic is forwarded to the device that is connected to the IPv6 Internet.

  3. If you already have some native IPv6 segments in your organization, and the Forefront UAG DirectAccess server has no native IPv6 connectivity to the IPv6 Internet, an ISATAP router should not be deployed on the Forefront UAG DirectAccess server.

Existing ISATAP deployment

If you have an existing ISATAP infrastructure, during deployment you are prompted for the 48-bit prefix of the organization and the Forefront UAG DirectAccess server does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Forefront UAG DirectAccess server.

No native or ISATAP-based IPv6 connectivity

When the Forefront UAG DirectAccess Configuration Wizard detects that the Forefront UAG DirectAccess server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 49-bit prefix for the intranet, and configures the Forefront UAG DirectAccess server as an ISATAP router, in order to provide IPv6 connectivity to ISATAP hosts across your intranet. To use ISATAP do the following:

  1. Register the name ISATAP on a domain DNS server for each domain on which you want to enable ISATAP-based connectivity, so that the ISATAP name is resolvable by the internal DNS server to the internal IPv4 address of the Forefront UAG DirectAccess server.

  2. In the case of an NLB array, add the internal IPv4 VIP and each array member's internal IPv4 DIP to the ISATAP DNS record. It is recommended that you make the additions to the ISATAP DNS record before your deployment.

  3. By default, DNS servers running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, block the resolution of the name ISATAP with the global query block list. To enable ISATAP, you must remove the name ISATAP from the block list. For more information on how to remove the name ISATAP from the block list, see Remove ISATAP from the DNS Global Query Block List (http://go.microsoft.com/fwlink/?LinkId=168593).

  4. Install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582), on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.

Windows-based ISATAP hosts that can resolve the name ISATAP perform address autoconfiguration with the Forefront UAG DirectAccess server, resulting in the automatic configuration of the following:

  1. An ISATAP-based IPv6 address on an ISATAP tunneling interface.

  2. A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.

  3. A default IPv6 route that points to the Forefront UAG DirectAccess server. The default route ensures that intranet ISATAP hosts can reach DirectAccess clients.

If you have an existing ISATAP infrastructure, the Forefront UAG DirectAccess Configuration Wizard prompts you for the 48-bit prefix of the organization and does not configure the server as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Forefront UAG DirectAccess server. For more information on how to configure an existing ISATAP deployment, see Assigning IP addresses to the server interfaces.

When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for the entire intranet, your communication goes from a segmented, multi-subnet IPv4 model of communication to a flat, single-subnet communication model with IPv6. This can affect the way that some Active Directory Domain Services (AD DS) components, and other applications that rely on your Active Directory Sites and Services configuration, behave. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers within sites, this configuration is not used by ISATAP hosts.

  1. To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, for each IPv4 subnet object, you must configure an equivalent IPv6 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet. For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:8000::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:8000:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the example), you can determine the corresponding IPv6 prefix length from the formula: 96 + IPv4PrefixLength.

  2. For the IPv6 addresses of DirectAccess clients, add the following:

    1. An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the selected first Internet-facing IPv4 address of the Forefront UAG DirectAccess server. This IPv6 prefix is for Teredo-based DirectAccess clients.

    2. An IPv6 subnet for the range 2002:WWXX:YYZZ:8100::/56, in which WWXX:YYZZ is the colon-hexadecimal version of the selected first Internet-facing IPv4 address (w.x.y.z) of the Forefront UAG DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.

    3. A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z.

      For example, the 7.0.0.0/8 range is administered by the American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv4 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry (http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based DirectAccess clients.
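The prefix derivations above (the 96 + IPv4PrefixLength rule for ISATAP subnet objects, and the Teredo, IP-HTTPS and 6to4 client prefixes built from WWXX:YYZZ) can be computed rather than worked by hand. The following script is an added example, not part of the original Microsoft documentation; it assumes the ISATAP /64 prefix is supplied by the administrator (the page's 2002:836b:1:8000::/64, for a server whose first public address is 131.107.0.1) and uses constructed sample subnets.

```python
import ipaddress

def hex_groups(ipv4):
    """Colon-hexadecimal form WWXX:YYZZ of a dotted IPv4 address w.x.y.z (no leading zeros)."""
    b = ipaddress.IPv4Address(ipv4).packed
    return f"{((b[0] << 8) | b[1]):x}:{((b[2] << 8) | b[3]):x}"

def isatap_subnet(isatap_prefix, ipv4_subnet):
    """IPv6 subnet object equivalent to an IPv4 subnet of ISATAP hosts.
    ISATAP interface IDs are ::0:5efe:w.x.y.z, so the IPv6 prefix length is
    96 + IPv4PrefixLength; the result keeps the page's dotted-decimal tail."""
    p = ipaddress.IPv6Network(isatap_prefix, strict=True)
    if p.prefixlen != 64:
        raise ValueError("ISATAP prefix must be a /64")
    v4 = ipaddress.IPv4Network(ipv4_subnet, strict=True)
    head = ":".join(g.lstrip("0") or "0"
                    for g in p.network_address.exploded.split(":")[:4])
    return f"{head}:0:5efe:{v4.network_address}/{96 + v4.prefixlen}"

def teredo_prefix(first_public_ipv4):
    """2001:0:WWXX:YYZZ::/64 for Teredo-based DirectAccess clients."""
    return str(ipaddress.IPv6Network(f"2001:0:{hex_groups(first_public_ipv4)}::/64"))

def iphttps_prefix(first_public_ipv4):
    """2002:WWXX:YYZZ:8100::/56 for IP-HTTPS-based DirectAccess clients."""
    return str(ipaddress.IPv6Network(f"2002:{hex_groups(first_public_ipv4)}:8100::/56"))

def sixtofour_prefix(public_ipv4_prefix):
    """2002:WWXX:YYZZ::/[16+n] for a public IPv4 prefix w.x.y.z/n (6to4 clients)."""
    net = ipaddress.IPv4Network(public_ipv4_prefix, strict=True)
    packed = (0x2002 << 112) | (int(net.network_address) << 80)
    return str(ipaddress.IPv6Network((packed, 16 + net.prefixlen)))

def subnet_objects(first_public_ipv4, isatap_prefix, ipv4_subnets, public_ipv4_prefixes):
    """All IPv6 subnet objects to add in Active Directory Sites and Services."""
    objs = [isatap_subnet(isatap_prefix, s) for s in ipv4_subnets]
    objs += [teredo_prefix(first_public_ipv4), iphttps_prefix(first_public_ipv4)]
    objs += [sixtofour_prefix(p) for p in public_ipv4_prefixes]
    return objs

if __name__ == "__main__":
    # Constructed sample: the page's server (131.107.0.1, ISATAP prefix 2002:836b:1:8000::/64),
    # two hypothetical intranet subnets, and the ARIN 7.0.0.0/8 block from the page.
    for o in subnet_objects("131.107.0.1", "2002:836b:1:8000::/64",
                            ["192.168.99.0/24", "10.20.0.0/16"], ["7.0.0.0/8"]):
        print(o)
```

The ISATAP subnet objects are printed with a dotted-decimal tail, matching the notation on this page; Active Directory accepts the same prefix written fully in hexadecimal.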