IPv6 is the new version of the network layer of the TCP/IP protocol stack, that is designed to replace Internet Protocol version 4 (IPv4) which is widely used on intranets and the Internet. IPv6 provides an address space large enough to allow for end-to-end addressing of nodes on the IPv6 Internet, and on the IPv4 Internet with IPv6 transition technologies. Forefront UAG DirectAccess uses this capability to provide end-to-end addressing from DirectAccess clients on the IPv4 or IPv6 Internet to computers on an intranet.

Because the current Internet is IPv4-based and many organizations have not deployed native IPv6 addressing and routing on their intranets, Forefront UAG DirectAccess uses IPv6 transition technologies to provide IPv6 connectivity over these IPv4-only networks. Teredo, 6to4, Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) are examples of IPv6 transition technologies. These technologies allow you to use IPv6 on the IPv4 Internet and your IPv4-only intranet. IPv6 transition technologies can simplify and reduce the costs of an IPv6 deployment.

IPv6 connectivity across the IPv4 Internet

IPv6 connectivity across an IPv4-only intranet

IPsec is a framework of open standards for guaranteeing private, secure communications over Internet Protocol (IP) networks by using cryptographic security services. IPsec provides aggressive protection against attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec enables the protection of communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roaming clients.

IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to protect a whole IP packet. For more information, see IPsec Protocol Types (http://go.microsoft.com/fwlink/?LinkId=169502).

Forefront UAG DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall with Advanced Security snap-in, and the Network Shell (Netsh) command-line tool advfirewall context for peer authentication, data integrity, and data confidentiality (encryption) of DirectAccess connections. Multiple rules can be applied to a computer simultaneously, each providing a different function. The result of all these rules working together is a DirectAccess client that has protected communications with the Forefront UAG DirectAccess server and intranet servers, encrypting traffic sent over the Internet, and optionally protecting end-to-end traffic.

Note:

Windows Server 2003 and earlier versions of Windows Server do not fully support the use of IPsec with IPv6. (Other non-Windows application servers may also fall into this category). IPv6-capable resources on servers that are running Windows Server 2003 will not support IPsec transport encryption and these servers cannot be included in the optional DirectAccess end-to-end application server group. These resources will be available to DirectAccess clients using the default end-to-edge access model. IPv4-only resources on servers that are running Windows Server 2003, including most built-in applications and system services, require IPv6 to IPv4 protocol translation such as the Forefront UAG DirectAccess NAT64 feature to be available to DirectAccess clients.

Encryption

Data integrity

Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not changed in transit. When encrypting data with IPsec, data integrity is also provided. It is possible to specify data integrity without encryption. This might be helpful in order to reduce the threat of spoofing or man-in-the-middle attacks and allow you to make sure that DirectAccess clients are connecting to their intended servers.

Note:
When sensitive data is transmitted, IPsec with only data integrity should be used only when some other form of encryption is also implemented. It is possible to have end-to-end data integrity using transport mode rules while you are using end-to-edge encryption for the tunnel mode rules, which is how the specified server access model works.

Forefront UAG DirectAccess provides data integrity by using transport and tunnel mode IPsec settings. These settings can be applied to DirectAccess clients, Forefront UAG DirectAccess servers, or application servers and provide data integrity by requiring ESP-NULL (recommended). Some network infrastructure devices or traffic monitoring and inspection solutions might not be able to parse packets with an IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to perform IPsec peer authentication, but no per-packet data integrity.

Windows Server 2008 R2 and Windows 7 introduced the NRPT, a new feature that enables DNS servers to be defined per DNS namespace, instead of per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that define the DNS client’s behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared with the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. The settings determine the DNS servers to which the request will be sent.

If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers configured in the TCP/IP settings for the specified network interface. For a remote client, this is typically the Internet DNS servers as configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, this is typically the intranet DNS servers as configured through the Dynamic Host Configuration Protocol (DHCP).

Single-label names, such as http://internal, will typically have configured DNS search suffixes appended to the name before they are checked against the NRPT. If no DNS search suffixes are configured, and the single-label name does not match any other single-label name rules in the NRPT, the request will be sent to the DNS servers specified in the client’s TCP/IP settings.

Namespaces, such as .internal.contoso.com, are added to the NRPT followed by the IPv6 addresses of the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. There is no need to specify any additional security for this configuration.

The NRPT allows DirectAccess clients to use intranet DNS servers, or the Forefront UAG DirectAccess server when integrated DNS64 is configured, for name resolution (dedicated DNS servers are not required). Forefront UAG DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.

NRPT exemptions

A network location server is an intranet network server that hosts a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL). DirectAccess clients access this URL to determine whether they are located on the intranet. A separate, high-availability Web server is required. The Web server is not required to be dedicated as a network location server.

Because the behavior of the DirectAccess client depends on the response from the network location server, it is critical to ensure that this Web site is available from each remote branch site. Branch locations may need a separate dedicated network location Web site at each branch location, to ensure that the Web site remains accessible even in the event of a link failure.

How intranet detection works

When a DirectAccess client starts up or experiences a significant network change event (such as a change in link status or a new IP address), it is assumed that it is not on the intranet, and uses Forefront UAG DirectAccess rules in the NRPT to determine where to send DNS name queries. The DirectAccess client then attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server, which is stored in the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Domain Location Determination URL Group Policy setting. Because the NRPT is active, this FQDN should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured DNS servers.

After resolving the FQDN, the DirectAccess client attempts to connect to the HTTPS-based URL of the network location server, which includes a Secure Sockets Layer (SSL)-based authentication and verification of the server certificate offered by the network location server. For authenticating the DirectAccess client’s access to the URL, use anonymous authentication. Certificate verification includes validating the certificate and verifying that it was not revoked by accessing the CRL location defined in the Web server’s certificate. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location server, it determines that it is on the intranet. The DirectAccess client then removes the Forefront UAG DirectAccess NRPT rules from the active table, and the DirectAccess client uses interface-configured DNS servers to resolve all names.

Note:

Just like the URL for the network location server, the FQDN in the URL or the universal naming convention (UNC) path for the CRL distribution point, should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the DirectAccess client cannot resolve the FQDN for the CRL distribution point, intranet location detection fails.

Forefront UAG DirectAccess requires end-to-end IPv6 communication between DirectAccess clients and the internal resources that they connect to on the intranet. Many resources are not directly accessible over IPv6, including computers that are not capable of running IPv6, or computers with services that are not IPv6-aware (for example, a server that only supports IPv4, or a Windows 2003 server which is IPv6-capable but has services that are not IPv6-aware). When you need to connect to IPv4-only resources on your intranet, you can use the integrated NAT64 and DNS64 functionality on the Forefront UAG DirectAccess server.

NAT64 takes IPv6 traffic on one side and converts it into IPv4 traffic on the other side. The address conversion and conversation handling operate in a similar way to a traditional IPv4 NAT device. On the Forefront UAG DirectAccess server, NAT64 is used in combination with DNS64. DNS64 intercepts DNS queries and modifies the replies, so that IPv4 address answers to requests for the name of a computer, are converted into the appropriate IPv6 address answers that direct clients to the IPv6 address for the computer on the NAT64.

Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2, with additional functionality that enables load balancing of Forefront UAG DirectAccess servers in a Forefront UAG array.

Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP services, and provides the following benefits:

• Scalability—Network Load Balancing scales the performance of a server-based program, such as a Forefront UAG DirectAccess, by distributing its client requests across multiple servers within the Forefront UAG array. As traffic increases, additional servers can be added to the Forefront UAG array. Forefront UAG and NLB provide load balancing for up to 8 Forefront UAG DirectAccess array members.
  
  
• High availability—Network Load Balancing provides high availability by automatically detecting the failure of a server and repartitioning client traffic among the remaining servers, providing users with continuous service.
  
  
• Stickiness—When a DirectAccess client connects to the intranet through a Forefront UAG NLB array, the NLB bidirectional affinity feature is applied. This guarantees that traffic is handled in both directions by the same array member.
  
  

Forefront UAG supports the use of external network load balancing solutions. When configuring an external load balancer, the following elements must be configured:

• The external load balancer—The Internet-facing side of the load balancer.
  
  
• The internal load balancer—The intranet facing side of the load balancer.
  
  
• The perimeter network Internet-facing side of the Forefront UAG DirectAccess server.
  
  
• The perimeter network intranet facing side of the Forefront UAG DirectAccess server.