Resources available to Forefront UAG DirectAccess clients
Updated: October 21, 2010
Applies To: Unified Access Gateway
This topic describes the intranet resources that are available to DirectAccess clients.
You should consider the following design implications when determining how a DirectAccess client reaches all of the desired intranet resources:
IPv6 resources on your intranet
IPv4-only resources on your intranet
IPv6 resources on the IPv6 Internet
IPv6 resources on your intranet
Forefront UAG DirectAccess relies on IPv6 for end-to-end connectivity between the DirectAccess client and an intranet endpoint. DirectAccess clients send only IPv6 traffic across the connection to the Forefront UAG DirectAccess server, which means that clients can only communicate using applications that support IPv6, and connect to intranet resources that are reachable with IPv6. IPv4-only applications on the DirectAccess client cannot be used to access intranet application servers with DirectAccess.
The recommended configuration for your intranet is to have IPv6 connectivity to your intranet resources.
IPv6 connectivity requires the following:
An intranet infrastructure that supports forwarding of IPv6 traffic, which is achieved by:
Configuring your intranet infrastructure to support native IPv6 addressing and routing—Computers running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 use IPv6 by default. Although few organizations today have a native IPv6 infrastructure, this is the preferred and recommended connectivity method; for the most seamless intranet connectivity for DirectAccess clients, organizations should deploy a native IPv6 infrastructure.
Deploying ISATAP on your intranet—Without a native IPv6 infrastructure, you can use ISATAP to make intranet application servers and applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. To deploy ISATAP, you must set up one or more ISATAP routers that provide address configuration and default routing for ISATAP hosts on your intranet. Computers running Windows 7 or Windows Server 2008 R2 support ISATAP host functionality, and can be configured to act as ISATAP routers.
Note
If you do not have a native IPv6 infrastructure or ISATAP on your intranet, the Forefront UAG DirectAccess Configuration Wizard automatically configures the Forefront UAG DirectAccess server as the ISATAP router for your intranet.
IPv6-capable applications on computers that run an operating system that supports an IPv6 protocol stack—Applications that are end-to-end reachable by DirectAccess clients must be IPv6-capable, and must run on an operating system that supports an IPv6 protocol stack with native IPv6 or ISATAP host capability. For Windows-based application servers or peer computers, Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 are highly recommended. Windows XP and Windows Server 2003 have an IPv6 protocol stack, but most built-in system services and applications for these operating systems are not IPv6-capable.
For applications running on non-Windows operating systems, verify that both the operating system and the applications support IPv6 and are reachable over native IPv6 or ISATAP.
IPv4-only resources on your intranet
Because DirectAccess clients send only IPv6 traffic to the Forefront UAG DirectAccess server, users on DirectAccess clients cannot use IPv4-only client applications to reach IPv4-only resources on your intranet.
The following are examples of IPv4-only resources:
Applications running on Windows 2000 or previous versions of Windows.
Built-in applications and system services running on Windows XP and Windows Server 2003 that are not IPv6-capable.
Note
For applications that are not built into Windows, check with the software vendor to ensure that the application is IPv6-capable. Applications that support only IPv4 client connections, such as Office Communications Server (OCS), cannot be used through DirectAccess.
Note
IPv6-capable applications can reach IPv4-only resources on your intranet by using an IPv6/IPv4 translation device. For the solutions for providing connectivity for DirectAccess clients to IPv4-only resources, see Choosing a solution for IPv4-only intranet resources, and Choosing an intranet IPv6 connectivity design.
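The following added example (not part of the original topic or of Forefront UAG) shows how an administrator might inventory intranet resources by the addresses they answer on and decide whether a DirectAccess client, which sends only IPv6 traffic, can reach each one end to end, needs a tunnel route checked, or needs an IPv6/IPv4 translation device. The resource names and addresses in SAMPLE are constructed; the ISATAP, 6to4 and Teredo address formats it recognizes are the standard ones.

```python
"""Classify the addresses an intranet resource answers on, to decide whether a
DirectAccess client (which sends only IPv6 traffic) can reach it end to end.
Added example; the inventory below is constructed, not from the original page."""
import ipaddress

# ISATAP interface identifiers: ::0:5efe:w.x.y.z (private IPv4), ::200:5efe:w.x.y.z (global IPv4)
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)

def classify(addr_text):
    """Return 'ipv4-only', 'native', 'isatap', '6to4' or 'teredo' for one address."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4 or addr.ipv4_mapped is not None:
        return "ipv4-only"            # ::ffff:a.b.c.d is still an IPv4 endpoint
    if addr.teredo is not None:       # 2001:0::/32
        return "teredo"
    if addr.sixtofour is not None:    # 2002::/16
        return "6to4"
    if ((int(addr) >> 32) & 0xFFFFFFFF) in ISATAP_IIDS:
        return "isatap"
    return "native"

def isatap_ipv4(addr_text):
    """IPv4 address embedded in an ISATAP address (the IPv4 hop it tunnels over), or None."""
    if classify(addr_text) != "isatap":
        return None
    return str(ipaddress.ip_address(int(ipaddress.ip_address(addr_text)) & 0xFFFFFFFF))

def reachability(inventory):
    """inventory: {resource name: [address, ...]} -> {resource name: verdict}."""
    verdicts = {}
    for name, addrs in inventory.items():
        kinds = {classify(a) for a in addrs}
        if kinds & {"native", "isatap"}:
            verdicts[name] = "reachable"          # end-to-end IPv6 path exists
        elif kinds & {"6to4", "teredo"}:
            verdicts[name] = "check-routing"      # tunnel address: intranet must route it
        elif kinds:
            verdicts[name] = "needs-translation"  # IPv4-only: IPv6/IPv4 translation device
        else:
            verdicts[name] = "unknown"            # no addresses at all
    return verdicts

# Constructed sample inventory (hypothetical names and addresses)
SAMPLE = {
    "files.corp.example": ["2001:db8:1::10", "10.0.1.10"],   # dual-stack, native IPv6
    "app.corp.example": ["fd00:1::0:5efe:10.0.3.30"],        # ISATAP host on IPv4 intranet
    "ocs.corp.example": ["10.0.2.20", "::ffff:10.0.2.20"],   # IPv4-only
}

if __name__ == "__main__":
    for name, verdict in reachability(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Feed it the A and AAAA records of your own application servers; a resource that comes back as needs-translation is one the DirectAccess client cannot reach without the translation device described above.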
IPv6 resources on the IPv6 Internet
By default, Windows 7 and Windows Server 2008 R2-based computers attempt to resolve the name 6to4.ipv6.microsoft.com to determine the IPv4 address of a 6to4 relay, and teredo.ipv6.microsoft.com to determine the IPv4 addresses of Teredo servers on the IPv4 Internet. With the 6to4 relay at 6to4.ipv6.microsoft.com and the Teredo servers at teredo.ipv6.microsoft.com, Windows 7-based clients on the IPv4 Internet can reach the IPv6 Internet. When Windows 7 and Windows Server 2008 R2-based computers are configured as DirectAccess clients, the Forefront UAG DirectAccess server becomes the 6to4 relay and the Teredo server, so that DirectAccess clients can tunnel IPv6 traffic destined for the intranet to the Forefront UAG DirectAccess server. If the Forefront UAG DirectAccess server does not forward default route traffic to the IPv6 Internet, DirectAccess clients cannot reach the IPv6 Internet.
To enable DirectAccess clients to reach the IPv6 Internet, configure the Forefront UAG DirectAccess server with one of the following:
A direct, native connection to the IPv6 Internet—In this configuration, the Forefront UAG DirectAccess server forwards default route traffic using its native connection to the IPv6 Internet. You can also use a separate router for your connection to the IPv6 Internet, and configure the Forefront UAG DirectAccess server to forward its default route traffic to the router.
A 6to4-tunneled connection to the IPv6 Internet—In this configuration, the Forefront UAG DirectAccess server forwards default route traffic using the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a Forefront UAG DirectAccess server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet with the netsh interface ipv6 6to4 set relay name=192.88.99.1 state=enabled command. Use 192.88.99.1, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet service provider recommends a specific unicast IPv4 address of the 6to4 relay that they maintain.