The following procedure describes how to assign IPv4 or IPv6 addresses to the Internet-facing and internal network interfaces on the Forefront Unified Access Gateway (UAG) DirectAccess server.
To assign IP addresses to the server interfaces
- In the DirectAccess Server section of the wizard, on the Connectivity page, select IP addresses for the following:
Note: If a Forefront UAG array is configured, the Load balancing page of the wizard opens before the Connectivity page.
- First Internet-facing IPv4 address—The IPv4 address that services 6to4, Teredo server, Teredo relay, and IP-HTTPS traffic.
- Second Internet-facing IPv4 address—The IPv4 address that, together with the first Internet-facing IPv4 address, services Teredo server traffic. This address is assigned automatically and is the next consecutive IPv4 address; for example, when the first Internet-facing IPv4 address is 192.0.2.18, the second IPv4 address is 192.0.2.19.
Note:
- Two consecutive public IPv4 addresses are required so that the Forefront UAG DirectAccess server can act as a Teredo server, and so that Windows-based Teredo clients can use the Forefront UAG DirectAccess server to detect the type of network address translator (NAT) that they are behind.
- The first and second Internet-facing IPv4 addresses are also used to generate IPv6 addresses, using the 6to4 prefix, for the IPsec dynamic tunnel endpoint (DTE).
- Internal IPv4 address—This address is used when an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router is deployed on the Forefront UAG DirectAccess server. The table below describes the actions you should take based on the ISATAP deployment scenario in your organization.
Note: When there is no IPv6 infrastructure on your intranet, the Forefront UAG DirectAccess server is automatically configured as an ISATAP router. It automatically derives 6to4-based organization, IP-HTTPS, and NAT64 IPv6 prefixes, and skips the Prefix Configuration screen of the Forefront UAG DirectAccess Configuration Wizard.
- Internal IPv6 address—The IP address that services internal IPv6 traffic. See the following table for the actions you should take, based on the ISATAP deployment scenario in your organization.
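The address rules above (two consecutive public Internet-facing IPv4 addresses, the 6to4 prefix derived from them, and the link-local ISATAP address that scenario 6 in the table refers to) can be checked before you run the wizard. The following Python script is an added example, not code from Forefront UAG or from this documentation. It assumes the standard RFC 3056 mapping for the 6to4 prefix (2002:WWXX:YYZZ::/48) and the RFC 5214 form of the ISATAP link-local address (fe80::[0200|0000]:5efe:w.x.y.z); the Windows 6to4 host address form 2002:WWXX:YYZZ::WWXX:YYZZ is an assumption about how the DTE address is built, because this page does not spell it out. The addresses 192.0.2.18/19 are the page's own example; 10.0.0.20 is a constructed internal address.

```python
"""Address derivations behind the Connectivity page (added example, not product code).

Assumptions (also stated in the lead-in):
- 6to4 prefix: RFC 3056 mapping 2002:WWXX:YYZZ::/48.
- ISATAP link-local address: RFC 5214 fe80::[0200|0000]:5efe:w.x.y.z,
  with 0200 (u bit set) only for a globally unique IPv4 address.
- 6to4 host address 2002:WWXX:YYZZ::WWXX:YYZZ is the conventional Windows form;
  whether the wizard's DTE address is exactly this is not stated on the page.
Sample addresses are constructed (192.0.2.18/19 from the page, 10.0.0.20 made up).
"""
import ipaddress
from typing import List, Tuple

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ipv4: str) -> bool:
    """True for private (RFC 1918) addresses, which cannot be the Internet-facing pair."""
    addr = ipaddress.IPv4Address(ipv4)
    return any(addr in net for net in RFC1918)


def second_internet_facing(first: str) -> str:
    """Reproduce the wizard's automatic choice: the next consecutive IPv4 address."""
    return str(ipaddress.IPv4Address(first) + 1)


def check_internet_facing_pair(first: str, second: str) -> List[str]:
    """Return the problems with a candidate pair (empty when acceptable).

    Both addresses must be public and the second must be first + 1, otherwise
    the server cannot act as a Teredo server for NAT-type detection.
    """
    problems = []
    for label, ip in (("first", first), ("second", second)):
        if is_rfc1918(ip):
            problems.append(f"{label} address {ip} is private; a public address is required")
    if ipaddress.IPv4Address(second) != ipaddress.IPv4Address(first) + 1:
        problems.append(f"{second} is not the address immediately after {first}")
    return problems


def _hextets(ipv4: str) -> Tuple[int, int]:
    """Split an IPv4 address into the two 16-bit groups IPv6 embeds (WWXX, YYZZ)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return v4 >> 16, v4 & 0xFFFF


def sixto4_prefix(ipv4: str) -> str:
    """RFC 3056: the /48 prefix 2002:WWXX:YYZZ::/48 derived from a public IPv4 address."""
    if is_rfc1918(ipv4):
        raise ValueError(f"6to4 needs a public IPv4 address, got {ipv4}")
    hi, lo = _hextets(ipv4)
    return str(ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48"))


def sixto4_host_address(ipv4: str) -> str:
    """Conventional Windows 6to4 interface address 2002:WWXX:YYZZ::WWXX:YYZZ (assumption)."""
    sixto4_prefix(ipv4)  # validates that the address is public
    hi, lo = _hextets(ipv4)
    return str(ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}::{hi:x}:{lo:x}"))


def isatap_link_local(ipv4: str) -> str:
    """RFC 5214 ISATAP link-local address; the kind of address scenario 6 has you select."""
    hi, lo = _hextets(ipv4)
    u_bit = 0x0000 if is_rfc1918(ipv4) else 0x0200
    return str(ipaddress.IPv6Address(f"fe80::{u_bit:x}:5efe:{hi:x}:{lo:x}"))


if __name__ == "__main__":
    first = "192.0.2.18"
    second = second_internet_facing(first)
    print("second Internet-facing address:", second)
    print("problems:", check_internet_facing_pair(first, second))
    print("6to4 prefix:", sixto4_prefix(first))
    print("6to4 host address:", sixto4_host_address(first))
    print("ISATAP link-local (internal 10.0.0.20):", isatap_link_local("10.0.0.20"))
```

Run it with your real first Internet-facing address: an empty problem list means the pair meets the two-consecutive-public-addresses requirement, and the printed prefix is the one you should expect to see used for the 6to4-based addresses.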
The following table lists each ISATAP deployment scenario, the interface address to select on the Connectivity page, and any additional actions required.

Scenario 1: IPv6 is not deployed in your organization, and no ISATAP deployment is required.
Interface to select: Internal IPv6 address
Additional actions: Create a fictitious internal IPv6 address and assign it to the internal network-facing adapter before starting the Forefront UAG DirectAccess configuration.

Scenario 2: IPv6 is deployed in your organization, and no ISATAP deployment is required.
Interface to select: Internal IPv6 address
Additional actions: None

Scenario 3: ISATAP is deployed on the Forefront UAG DirectAccess server in an IPv4-only environment (for single and multiple Active Directory domain organizations).
Interface to select: Internal IPv4 address
Note: No IPv6 address can be configured on the internal-facing network adapter in this scenario.
Additional actions:
- After activating Forefront UAG, register ISATAP in a DNS server within each domain using the internal IPv4 address (for example, ISATAP.corp.contoso.com).
- When configured as an NLB array, add each array member's internal IPv4 dedicated IP address (DIP), in addition to the internal IPv4 virtual IP address (VIP), to the ISATAP DNS record.
- Remove ISATAP from the DNS global query block list. For more information, see Remove ISATAP from the DNS Global Query Block List (http://go.microsoft.com/fwlink/?LinkId=168593).
Note: Install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.

Scenario 4: An external ISATAP router is deployed in your organization, and the Forefront UAG DirectAccess server connects to the internal network using native IPv6.
Interface to select: Internal IPv6 address
Additional actions: None

Scenario 5: IPv6 is already deployed in your organization, but the Forefront UAG DirectAccess server has no native IPv6 connectivity to the IPv6 cloud. A link-local (LL) 6to4 tunnel is used to connect the Forefront UAG DirectAccess server to the IPv6 cloud (or to the external ISATAP router).
Interface to select: Internal IPv6 address
Additional actions:
- Create a fictitious internal IPv6 address and assign it to the internal network-facing adapter.
- Create a tunnel between the Forefront UAG DirectAccess server and the external ISATAP router. To create a tunnel, from the command prompt, type netsh int ipv6 add v6v4tunnel. This command must be run on both the Forefront UAG DirectAccess server and the ISATAP router interface.
- Add a route so that the routers on the internal network route native IPv6 and IPv6 transition traffic (6to4, Teredo client, and IP-HTTPS) back through the Forefront UAG DirectAccess server.
- Enable forwarding on the link-local interface.
- Create a published route between the ISATAP router and the link-local interface of the Forefront UAG DirectAccess server, and enable forwarding.
- Create a default route so that all the servers on the ISATAP-enabled IPv4 cloud use the ISATAP router for routing non-ISATAP traffic, in particular Teredo and IP-HTTPS.

Scenario 6: An external ISATAP router is deployed in your organization, and the Forefront UAG DirectAccess server is a client of the ISATAP router.
Note: This scenario is unsupported, and may cause asymmetric routing and connectivity problems. It is recommended that customers in this configuration consider deploying native IPv6.
Interface to select: Internal IPv6 address (the address you select is a link-local, ISATAP-generated address).
Note: No IPv6 address can be configured on the internal-facing network adapter in this scenario.
Additional actions:
- In addition to the existing ISATAP record, register ISATAP in a DNS server within each domain using the internal IPv4 address of the Forefront UAG DirectAccess server (for example, ISATAP.corp.contoso.com).
- When configured as an NLB array, add each array member's internal IPv4 DIP to the ISATAP DNS record.
Note: Install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.

Note: When adding and starting an additional node in an NLB array in scenarios 3 and 6, the node cannot function as a Forefront UAG DirectAccess server until the following conditions have been met:
- The IPv4 DIP of the node has been registered in the ISATAP DNS record.
- The ISATAP DNS record has been updated on all the intranet DNS servers. You can check whether the ISATAP record has finished replicating to a specific DNS server by running nslookup isatap <DNSServerIPAddress> from a command prompt window.
- The backend servers' DNS cache has expired and has been updated with the new ISATAP DNS record.
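The replication check above is easy to get wrong by hand when an array has several members and the intranet has several DNS servers: the resolver's own address in the nslookup header is easy to mistake for a registered ISATAP address, and a record that has only the VIP looks "present" even though a new node's DIP is still missing. The following Python script is an added example, not part of this page or of Forefront UAG. It parses the output of the page's own check command, nslookup isatap <DNSServerIPAddress>, and reports which expected DIPs/VIP are missing on each server. It assumes the Windows nslookup output layout (a Server:/Address: header for the resolver, then Name: followed by Address: or Addresses: lines); the DNS servers, VIP and DIPs used below are constructed sample data, and the query helper that actually runs nslookup is not invoked in the offline run.

```python
"""Check ISATAP DNS record replication across intranet DNS servers (added example).

Assumptions: Windows nslookup output layout; constructed addresses
(DNS servers 10.0.0.10/11, array VIP 10.0.0.20, member DIPs 10.0.0.21/22).
"""
import re
import subprocess
from typing import Dict, Iterable, List, Set

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup_addresses(output: str) -> Set[str]:
    """Return the IPv4 addresses returned for the queried name.

    Lines before 'Name:' describe the DNS server that answered, not the record,
    so they are skipped; otherwise the resolver's own address would be counted
    as an ISATAP router. A 'can't find' answer has no 'Name:' line and yields
    an empty set, which then shows up as every expected address missing.
    """
    found: Set[str] = set()
    in_answer = False
    for line in output.splitlines():
        if line.strip().lower().startswith("name:"):
            in_answer = True
            continue
        if in_answer:
            found.update(IPV4.findall(line))
    return found


def check_isatap_record(output: str, expected: Iterable[str]) -> Dict[str, List[str]]:
    """Compare one server's answer with the DIPs and VIP that must be registered."""
    expected_set = set(expected)
    found = parse_nslookup_addresses(output)
    return {
        "missing": sorted(expected_set - found),
        "unexpected": sorted(found - expected_set),
    }


def query_dns_server(dns_server: str, name: str = "isatap") -> str:
    """Run the page's check command against one DNS server (not used in the offline run)."""
    result = subprocess.run(["nslookup", name, dns_server], capture_output=True, text=True)
    return result.stdout


# Constructed sample answers, in the Windows nslookup layout.
SAMPLE_ANSWERS = {
    "10.0.0.10": (
        "Server:  dns1.corp.contoso.com\n"
        "Address:  10.0.0.10\n"
        "\n"
        "Name:    isatap.corp.contoso.com\n"
        "Addresses:  10.0.0.21\n"
        "          10.0.0.22\n"
        "          10.0.0.20\n"
    ),
    # This server has not yet received the updated record: only the VIP is present.
    "10.0.0.11": (
        "Server:  dns2.corp.contoso.com\n"
        "Address:  10.0.0.11\n"
        "\n"
        "Name:    isatap.corp.contoso.com\n"
        "Address:  10.0.0.20\n"
    ),
}
EXPECTED = ["10.0.0.20", "10.0.0.21", "10.0.0.22"]  # VIP plus every member's DIP


def servers_not_replicated(answers: Dict[str, str], expected: Iterable[str]) -> List[str]:
    """DNS servers whose ISATAP record is still missing at least one expected address."""
    expected = list(expected)
    return sorted(s for s, out in answers.items() if check_isatap_record(out, expected)["missing"])


if __name__ == "__main__":
    for server, output in SAMPLE_ANSWERS.items():
        print(server, check_isatap_record(output, EXPECTED))
    print("not yet replicated:", servers_not_replicated(SAMPLE_ANSWERS, EXPECTED))
```

To use it against real servers, replace SAMPLE_ANSWERS with {server: query_dns_server(server) for server in your_dns_servers}; a new array node should not be expected to work until servers_not_replicated returns an empty list and the backend servers' DNS caches have expired.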
Note: When ISATAP is deployed on the Forefront UAG DirectAccess server (scenario 3 above), and you want to deploy an external ISATAP router (scenario 6 above) instead, do the following:
a. Configure a fictitious IPv6 address on the internal-facing interface of the Forefront UAG DirectAccess server.
b. On the Connectivity page of the Forefront UAG DirectAccess Configuration Wizard, for the Internal IPv6 address, select the fictitious address created in the previous step.
c. Complete the wizard.
Important: Do not generate policies.
d. In the Forefront UAG Management console, click the Activate configuration icon, and then, in the Activate Configuration dialog box, click Activate to activate the configuration.
e. In your DNS server, edit the ISATAP entry to point to the new ISATAP router.
f. On the Forefront UAG DirectAccess server, from the Windows command prompt, type ipconfig /flushdns. This clears the cached ISATAP address.
g. Remove the fictitious address from the internal-facing interface of the Forefront UAG DirectAccess server.
h. Configure external ISATAP as described in the table above.
i. After completing the wizard, click Apply Policy, click Apply Now, and then click Activate as in step d. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration in SP1.
- Click Next. The IP-HTTPS Certificate page appears.