
Assigning IP addresses to the server interfaces in SP1

Updated: February 1, 2011

Applies To: Unified Access Gateway

The following procedure describes how to assign IPv4 or IPv6 addresses to the Internet-facing and internal network interfaces on the Forefront Unified Access Gateway (UAG) DirectAccess server.

To assign IP addresses to the server interfaces

  1. In the DirectAccess Server section of the wizard, on the Connectivity page, select IP addresses for the following:

    Note

    If a Forefront UAG array is configured, the Load balancing page of the wizard opens before the Connectivity page.

    • First Internet-facing IPv4 address—The IPv4 address that services 6to4, Teredo server, Teredo relay, and IP-HTTPS traffic.

    • Second Internet-facing IPv4 address—The IP address that, together with the first Internet-facing IPv4 address, services Teredo server traffic. This address is assigned automatically and is the next consecutive IPv4 address; for example, when the first Internet-facing IPv4 address is 192.0.2.18, the second IPv4 address is 192.0.2.19.

      Note

      • Two consecutive public IPv4 addresses are required so that the Forefront UAG DirectAccess server can act as a Teredo server, and the Windows-based Teredo clients can use the Forefront UAG DirectAccess server to detect the type of network address translator (NAT) that they are behind.

      • The first and second Internet-facing IPv4 addresses are also used to generate IPv6 addresses, using the 6to4 prefix for the IPsec dynamic tunnel endpoint (DTE).

    • Internal IPv4 address—This address is used when an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router is deployed on the Forefront UAG DirectAccess server. The table below describes the actions you should take based on the ISATAP deployment scenario in your organization.

      Note

      When there is no IPv6 infrastructure on your intranet, the Forefront UAG DirectAccess server is automatically configured as an ISATAP router. It automatically derives 6to4-based organization, IP-HTTPS, and NAT64 IPv6 prefixes, and skips the Prefix Configuration screen of the Forefront UAG DirectAccess Configuration Wizard.

    • Internal IPv6 address—The IP address that services IPv6 internal traffic. See the following table for the actions you should take, based on the ISATAP deployment scenario in your organization.

    Scenario 1

    IPv6 is not deployed in your organization, and no ISATAP deployment is required.

    Interface to select: Internal IPv6 address

    Additional actions: Create a fictitious internal IPv6 address and assign it to the internal network-facing adapter before starting the Forefront UAG DirectAccess configuration.

    Scenario 2

    IPv6 is deployed in your organization, and no ISATAP deployment is required.

    Interface to select: Internal IPv6 address

    Additional actions: None

    Scenario 3

    ISATAP is deployed on the Forefront UAG DirectAccess server in an IPv4-only environment (for single and multiple Active Directory domain organizations).

    Interface to select: Internal IPv4 address

    Note

    No IPv6 address can be configured on the internal-facing network adapter in this scenario.

    Additional actions:

    • After activating Forefront UAG, register ISATAP in a DNS server within each domain using the internal IPv4 address (for example, ISATAP.corp.contoso.com).

    • When configured as an NLB array, add each array member's internal IPv4 DIP (in addition to the internal IPv4 VIP) to the ISATAP DNS record.

    • Remove ISATAP from the global query block list. For more information, see Remove ISATAP from the DNS Global Query Block List (https://go.microsoft.com/fwlink/?LinkId=168593).

    Note

    Install the Windows NLB Hotfix (KB977342) (https://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.

    Scenario 4

    An external ISATAP router is deployed in your organization, and the Forefront UAG DirectAccess server connects to the internal network using native IPv6.

    Interface to select: Internal IPv6 address

    Additional actions: None

    Scenario 5

    IPv6 is already deployed in your organization, but the Forefront UAG DirectAccess server has no native IPv6 connectivity to the IPv6 cloud. A link-local (LL) 6to4 tunnel is used to connect the Forefront UAG DirectAccess server to the IPv6 cloud (or to the external ISATAP router).

    Interface to select: Internal IPv6 address

    Additional actions:

    1. Create a fictitious internal IPv6 address and assign it to the internal network-facing adapter.

    2. Create a tunnel between the Forefront UAG DirectAccess server and the external ISATAP router. To create a tunnel, from the command prompt, type netsh int ipv6 add v6v4tunnel. This command must be run on both the Forefront UAG DirectAccess server and the ISATAP router interface.

    3. Add a route so that the routers on the internal network route native IPv6 and IPv6 transition traffic (6to4, Teredo client, and IP-HTTPS) back through the Forefront UAG DirectAccess server.

    4. Enable forwarding on the link-local interface.

    5. Create a published route between the ISATAP router and the link-local address of the Forefront UAG DirectAccess server, and enable forwarding.

    6. Create a default route so that all the servers on the ISATAP-enabled IPv4 cloud use the ISATAP router for routing non-ISATAP traffic, in particular Teredo and IP-HTTPS.

    Scenario 6

    An external ISATAP router is deployed in your organization, and the Forefront UAG DirectAccess server is a client of the ISATAP router.

    Note

    This scenario is unsupported, and may cause asymmetric routing and connectivity problems. It is recommended that customers in this configuration consider deploying native IPv6.

    Interface to select: Internal IPv6 address (the address you select is a link-local, ISATAP-generated address).

    Note

    No IPv6 address can be configured on the internal-facing network adapter in this scenario.

    Additional actions:

    • In addition to the existing ISATAP record, register ISATAP in a DNS server within each domain using the internal IPv4 address of the Forefront UAG DirectAccess server (for example, ISATAP.corp.contoso.com).

    • When configured as an NLB array, add each array member's internal IPv4 DIP to the ISATAP DNS record.

    Note

    Install the Windows NLB Hotfix (KB977342) (https://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.
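The following PowerShell script is an added example; it is not part of the Forefront UAG documentation or product. It shows what the two Internet-facing IPv4 addresses described at the start of this step imply: the second (consecutive) address, the 6to4 prefix (RFC 3056) that the page says is used for the DTE addresses, and the Teredo client prefix (RFC 4380) under which clients of this Teredo server fall; it checks that both addresses are public, and it builds the UAG-side netsh commands for steps 1, 2 and 4 of scenario 5. The adapter and tunnel names, the fictitious ULA address, the router addresses and the IP-HTTPS prefix are assumed placeholder values, and the netsh commands are returned as strings for review rather than executed.

```powershell
# Added example, not part of the Forefront UAG documentation or product code.
# Derives the addresses and transition prefixes implied by the two
# Internet-facing IPv4 addresses, checks that both are public, and builds the
# netsh commands for scenario 5. Adapter/tunnel names and router addresses are
# assumed placeholders.

function Get-NextIPv4Address {
    # The second Internet-facing IPv4 address is the next consecutive address.
    param([Parameter(Mandatory=$true)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    for ($i = 3; $i -ge 0; $i--) {
        if ($bytes[$i] -lt 255) { $bytes[$i] = $bytes[$i] + 1; break }
        $bytes[$i] = 0                      # octet wrapped: carry into the next one
    }
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Test-PublicIPv4 {
    # The Teredo server role needs public addresses: reject RFC 1918, loopback,
    # link-local, CGNAT (100.64/10), 0/8 and multicast/reserved space. The page's
    # own example range 192.0.2.0/24 (documentation space) is left untouched.
    param([Parameter(Mandatory=$true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 0 -or $b[0] -eq 10 -or $b[0] -eq 127 -or $b[0] -ge 224) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)                { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168)                                 { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254)                                 { return $false }
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127)               { return $false }
    return $true
}

function ConvertTo-HexHextets {
    # WWXX:YYZZ form of an IPv4 address, as embedded in 6to4 and Teredo prefixes.
    param([Parameter(Mandatory=$true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ('{0:x2}{1:x2}:{2:x2}{3:x2}' -f $b[0], $b[1], $b[2], $b[3])
}

function Get-6to4Prefix {
    # RFC 3056: 2002:WWXX:YYZZ::/48. This is the 6to4 prefix the wizard derives
    # from the Internet-facing address for the IPsec DTE and organization prefix.
    param([Parameter(Mandatory=$true)][string]$Address)
    $p = [System.Net.IPAddress]::Parse("2002:$(ConvertTo-HexHextets $Address)::")
    return "$($p.ToString())/48"      # Parse/ToString canonicalizes leading zeros
}

function Get-TeredoClientPrefix {
    # RFC 4380: a Teredo client address is 2001:0:<server IPv4>:<flags/port/client>,
    # so every client served by this Teredo server sits under 2001:0:WWXX:YYZZ::/64.
    param([Parameter(Mandatory=$true)][string]$ServerAddress)
    $p = [System.Net.IPAddress]::Parse("2001:0:$(ConvertTo-HexHextets $ServerAddress)::")
    return "$($p.ToString())/64"
}

function Get-InternetFacingAddressPlan {
    # Validates the consecutive pair and reports the prefixes that internal routers
    # must send back to the UAG server (scenario 5, step 3). The IP-HTTPS prefix is
    # whatever the wizard derived; it is only a placeholder here.
    param([Parameter(Mandatory=$true)][string]$FirstAddress)
    $second = Get-NextIPv4Address $FirstAddress
    foreach ($a in $FirstAddress, $second) {
        if (-not (Test-PublicIPv4 $a)) { throw "$a is not public; Teredo needs two consecutive public IPv4 addresses" }
    }
    return New-Object PSObject -Property @{
        FirstAddress       = $FirstAddress
        SecondAddress      = $second
        SixToFourPrefix    = Get-6to4Prefix $FirstAddress
        TeredoClientPrefix = Get-TeredoClientPrefix $FirstAddress
        IpHttpsPrefix      = '<IP-HTTPS prefix derived by the wizard>'   # placeholder
    }
}

function Get-ScenarioFiveNetshCommands {
    # Builds (does not run) the UAG-side netsh commands for scenario 5 steps 1, 2
    # and 4. The ISATAP router runs the v6v4tunnel command with the local and
    # remote addresses swapped. Every default below is an assumed placeholder.
    param(
        [string]$InternalAdapter  = 'Internal',          # assumed adapter name
        [string]$FictitiousIPv6   = 'fd00:db8:1::1/64',  # assumed ULA for step 1
        [string]$TunnelName       = 'UAG-ISATAP-Tunnel', # assumed tunnel interface name
        [string]$UagInternalIPv4  = '10.0.0.5',          # assumed UAG internal IPv4 (tunnel endpoint)
        [string]$IsatapRouterIPv4 = '10.0.1.1'           # assumed external ISATAP router IPv4
    )
    return @(
        "netsh interface ipv6 add address interface=`"$InternalAdapter`" address=$FictitiousIPv6",
        "netsh interface ipv6 add v6v4tunnel interface=`"$TunnelName`" localaddress=$UagInternalIPv4 remoteaddress=$IsatapRouterIPv4",
        "netsh interface ipv6 set interface interface=`"$TunnelName`" forwarding=enabled"
    )
}

# Worked run for the page's own example address (192.0.2.18, documentation space).
Get-InternetFacingAddressPlan -FirstAddress '192.0.2.18' | Format-List
Get-ScenarioFiveNetshCommands
```

For the page's example, 192.0.2.18 pairs with 192.0.2.19 and yields the 6to4 prefix 2002:c000:212::/48 (c0.00.02.12 is 192.0.2.18 in hex), which is why a private or non-consecutive pair is rejected before any prefix is derived. The routes for steps 3, 5 and 6 are deliberately not generated: they are configured on the internal routers and the ISATAP router, whose interface names and next hops this script cannot know.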

    Note

    When adding and starting an additional node to an NLB array in scenarios 3 and 6, the node cannot function as a Forefront UAG DirectAccess server until the following conditions have been met:

    • The IPv4 DIP of the node has been registered to the ISATAP DNS record.

    • The ISATAP DNS record has been updated in all the intranet DNS servers.

      You can check whether the ISATAP record has finished replicating to a specific DNS server by running the following from a command prompt window: nslookup isatap <DNSServerIPAddress>.

    • The backend server's cache has expired and is updated with the new ISATAP DNS record.

    It is recommended that you make the additions to the ISATAP DNS record in the planning stages of the array, so that the above conditions are met when you start the new node in NLB.

    If you start NLB on a node whose IPv4 DIP has not been registered to the ISATAP DNS record, or that does not meet the other conditions described above, traffic from DirectAccess clients will be dropped when forwarded by this node to Windows Server 2008 R2 or Windows 7 application servers.
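The following PowerShell script is an added example; it is not part of the Forefront UAG documentation or product. It covers the DNS actions for scenario 3 (and the additional ISATAP record scenario 6 asks for) and the replication check in the note above: it builds the dnscmd commands that add one ISATAP A record per address (the internal IPv4 VIP plus each array member's DIP) and that remove isatap from the DNS global query block list, and it runs the page's nslookup check against each intranet DNS server to report which expected addresses a server does not yet return. The DNS server name, zone and all IP addresses are assumed placeholders, and the nslookup output used for the dry run is constructed, not captured from a real server.

```powershell
# Added example, not part of the Forefront UAG documentation or product code.
# Builds the dnscmd commands that register the ISATAP A records for scenario 3
# (and the extra record scenario 6 asks for), removes isatap from the DNS global
# query block list, and checks every intranet DNS server with nslookup before a
# new NLB node is started. Server names, zone and addresses are assumed placeholders.

function Get-IsatapRegistrationCommands {
    # One A record per address under the same name: the internal IPv4 VIP first,
    # then each array member's DIP, as the page requires for NLB arrays.
    param(
        [Parameter(Mandatory=$true)][string]$DnsServer,     # assumed: dns1.corp.contoso.com
        [Parameter(Mandatory=$true)][string]$Zone,          # assumed: corp.contoso.com
        [Parameter(Mandatory=$true)][string[]]$Addresses    # VIP, then DIPs
    )
    $commands = @(foreach ($ip in $Addresses) { "dnscmd $DnsServer /RecordAdd $Zone ISATAP A $ip" })
    # /globalqueryblocklist REPLACES the whole list: name wpad (the other default
    # entry) explicitly so that only isatap is removed from it.
    $commands += "dnscmd $DnsServer /config /globalqueryblocklist wpad"
    return $commands
}

function Test-IsatapRecordReplicated {
    # Runs the page's check (nslookup isatap <DNSServerIPAddress>) against each
    # server and reports which expected addresses that server does not yet return.
    # -Resolver is injectable so the parser can be exercised on canned output.
    param(
        [Parameter(Mandatory=$true)][string[]]$DnsServers,
        [Parameter(Mandatory=$true)][string[]]$ExpectedAddresses,
        [string]$Name = 'isatap',
        [scriptblock]$Resolver = { param($n, $s) & nslookup.exe $n $s 2>&1 | Out-String }
    )
    $results = @()
    foreach ($server in $DnsServers) {
        $output = [string](& $Resolver $Name $server)
        # Only the answer section (after "Name:") counts; the lines before it hold
        # the responding server's own name and address.
        $answer = ''
        if ($output -match 'Name:') { $answer = ($output -split 'Name:', 2)[1] }
        $found = @([regex]::Matches($answer, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
                   ForEach-Object { $_.Value } | Sort-Object -Unique)
        $missing = @($ExpectedAddresses | Where-Object { $found -notcontains $_ })
        $results += New-Object PSObject -Property @{
            DnsServer  = $server
            Found      = $found
            Missing    = $missing
            Replicated = ($missing.Count -eq 0)
        }
    }
    return $results
}

# Constructed nslookup output for an offline dry run (not captured from a real
# server): the VIP and one DIP are present, the DIP of the node about to join is not.
$constructedNslookup = @"
Server:  dns1.corp.contoso.com
Address:  10.0.0.2

Name:    isatap.corp.contoso.com
Addresses:  10.0.0.5
          10.0.0.6
"@

# Commands to review and run on the DNS server (assumed names and addresses).
Get-IsatapRegistrationCommands -DnsServer 'dns1.corp.contoso.com' -Zone 'corp.contoso.com' `
    -Addresses @('10.0.0.5', '10.0.0.6', '10.0.0.7')

# Dry run of the replication check: 10.0.0.7 is reported as missing, so the new
# node must not be started in NLB yet. Drop -Resolver to query real servers.
Test-IsatapRecordReplicated -DnsServers @('10.0.0.2') `
    -ExpectedAddresses @('10.0.0.5', '10.0.0.6', '10.0.0.7') `
    -Resolver { param($n, $s) $constructedNslookup } |
    Format-Table DnsServer, Replicated, Missing -AutoSize
```

Run the check against every intranet DNS server (not just the one you edited) and only start the node once each server reports Replicated; the check queries the servers directly, so it says nothing about the backend servers' resolver caches, which is the third condition in the note above.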

    Note

    When ISATAP is deployed on the Forefront UAG DirectAccess server (scenario 3 above), and you want to deploy an external ISATAP router (scenario 6 above) instead, do the following:

    1. Configure a fictitious IPv6 address on the internal facing interface of the Forefront UAG DirectAccess server.

    2. In the Connectivity page of the Forefront UAG DirectAccess Configuration Wizard, for the Internal IPv6 address, select the fictitious address created in the step above.

    3. Complete the wizard.

      Important

      Do not generate policies.

    4. In the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate to activate the configuration.

    5. In your DNS server, edit the ISATAP entry to point to the new ISATAP router.

    6. On the Forefront UAG DirectAccess server, from the Windows command prompt, type ipconfig /flushdns. This clears the cached ISATAP address.

    7. Remove the fictitious address from the internal facing interface of the Forefront UAG DirectAccess server.

    8. Configure external ISATAP as described in the table above.

    9. After completing the wizard, click Apply Policy, click Apply Now, and then click Activate as in step 4. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration in SP1.

  2. Click Next. The IP-HTTPS Certificate page appears.