Direct Access and public IPv6 instead of IPv4?

François Miermont 1 Reputation point
2022-04-07T07:55:56.207+00:00

Hello,

We have been using DirectAccess for many years without issue, accessing it with an IPv4 public IP from our ISP.
IPv6 is here, we do have a public IPv6 assigned (with prefix delegation) by our ISP, so we want to be able to access our DA using IPv6.

It seems that installing DA on the Windows 2022 server assigns a private IPv6 address on the NIC, so my server does not have my IPv6 assigned from my router.

Is it even possible to access DA using IPv6? I can't find anything about it. Any help appreciated :)

Regards,


1 answer

  1. Limitless Technology 43,966 Reputation points
    2022-04-13T11:27:05.83+00:00

    Hi Fmiermont,

    It is most certainly possible to use DirectAccess over IPv6. Interestingly, from a client perspective, DirectAccess is an IPv6-only solution. The DirectAccess client communicates with the DirectAccess server exclusively using IPv6. However, IPv6 is not widely deployed, so the most common scenario will find your DirectAccess clients and servers on the IPv4 Internet, as you have done.

    You may need to perform some additional planning and implementation in order for it to work in your environment. Please see the Microsoft document below:

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/single-server-wizard/da-basic-plan-s1-infrastructure

    To support the 6to4 and Teredo IPv6 transition protocols, the DirectAccess server must be configured with two network interfaces; one internal and one external. The DirectAccess server must have public IPv4 addresses assigned to its external network interface. For Teredo in particular, the DirectAccess server requires two consecutive public IPv4 addresses. Beginning with Windows Server 2012, DirectAccess provides support for DMZ/perimeter network deployment behind a NAT device using RFC1918 private IPv4 addresses with either one or two network interfaces. In this deployment scenario, the DirectAccess server only supports the use of the IP-HTTPS IPv6 transition protocol. 6to4 and Teredo are not available when the DirectAccess server is located behind a NAT device and these IPv6 transition protocols should be disabled on all DirectAccess clients.

    I hope this answers your question.

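An added example, not part of the question or the answer above: a PowerShell audit of a DirectAccess client that reports the state of 6to4, Teredo and IP-HTTPS and labels each IPv6 address on the host by its well-known prefix (2002::/16 for 6to4, 2001::/32 for Teredo, fc00::/7 for unique local, i.e. private, addresses). The function name, the `-DisableLegacy` switch and the output property names are hypothetical.

```powershell
# Added example (not from the thread). Get-DATransitionAudit and -DisableLegacy
# are hypothetical names; the Net* cmdlets ship with Windows 8 / Server 2012 and later.
function Get-DATransitionAudit {
    [CmdletBinding()]
    param([switch]$DisableLegacy)   # changes local settings; needs an elevated session

    if ($DisableLegacy) {
        # The answer's advice for servers behind NAT: turn off 6to4 and Teredo on clients.
        Set-Net6to4Configuration -State Disabled
        Set-NetTeredoConfiguration -Type Disabled
    }

    $sixToFour = Get-Net6to4Configuration
    $teredo    = Get-NetTeredoConfiguration
    # May return nothing when no IP-HTTPS profile is configured on this machine.
    $ipHttps   = @(Get-NetIPHttpsConfiguration -ErrorAction SilentlyContinue)

    # Label every IPv6 address by prefix so tunnel and private addresses stand out.
    $addresses = Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
        $kind = switch -Regex ($_.IPAddress) {
            '^2002:'             { '6to4 (2002::/16)'; break }
            '^2001:0{1,4}:'      { 'Teredo (2001::/32)'; break }
            '^f[cd][0-9a-f]{2}:' { 'Unique local / private (fc00::/7)'; break }
            '^fe[89ab][0-9a-f]:' { 'Link-local (fe80::/10)'; break }
            '^::1$'              { 'Loopback'; break }
            default              { 'Global or other' }
        }
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Address   = $_.IPAddress
            Kind      = $kind
        }
    }

    [pscustomobject]@{
        SixToFourState    = "$($sixToFour.State)"
        TeredoType        = "$($teredo.Type)"
        # True while either legacy transition protocol is not explicitly disabled.
        LegacyNotDisabled = ("$($sixToFour.State)" -ne 'Disabled') -or
                            ("$($teredo.Type)" -ne 'Disabled')
        IPHttpsProfiles   = $ipHttps | Select-Object Profile, ServerURL, State
        Addresses         = $addresses
    }
}
```

Calling `Get-DATransitionAudit` with no switch is read-only; expand the `Addresses` property of the result to see which category the address on the server's NIC falls into.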