

Designing addressing and routing for the Forefront UAG DirectAccess server

Applies To: Unified Access Gateway

The Forefront UAG DirectAccess server must be configured with addressing and routing to support the following:

  • Reachability from the Internet Protocol version 4 (IPv4) Internet

  • Reachability from your intranet for IPv4 traffic

  • If your intranet is connected to the Internet Protocol version 6 (IPv6) Internet, reachability from the IPv6 Internet for native IPv6 traffic

  • If your intranet has deployed native IPv6 connectivity, reachability from your intranet for native IPv6 traffic

The following sections describe the address and routing configuration of the Forefront UAG DirectAccess server to support these reachability requirements.

IPv4 address and routing configuration

For the Internet interface on the Forefront UAG DirectAccess server that is connected to the IPv4 Internet, manually configure the following:

  • Two, static, consecutive public IPv4 addresses with the appropriate subnet masks

  • A default gateway IPv4 address of your Internet firewall or local Internet service provider (ISP) router

  • A connection-specific Domain Name System (DNS) suffix that is different from your intranet namespace. In most cases, you can use the DNS suffix of your ISP. (Optional)

IPv4 addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used. The Forefront UAG DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a Teredo server and Windows-based Teredo clients can use the Forefront UAG DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind. For more information, see Teredo Overview (https://go.microsoft.com/fwlink/?Linkid=157322).

For intranet interfaces on the Forefront UAG DirectAccess server that are connected to your IPv4-based intranet, manually configure the following:

  1. An IPv4 intranet address with the appropriate subnet mask.

  2. A connection-specific DNS suffix of your intranet namespace. (Optional)

Important

Do not configure a default gateway on any intranet interfaces.

To configure the Forefront UAG DirectAccess server to reach all the locations on your intranet, do the following:

  1. List the IPv4 address spaces for all the locations on your intranet.

  2. Use the route add -p or netsh interface ipv4 add route commands to add the IPv4 address spaces as static routes in the IPv4 routing table of the Forefront UAG DirectAccess server.
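The following script, added here as an example and not taken from the Forefront UAG documentation, carries out the IPv4 configuration above on the Forefront UAG DirectAccess server: it checks that the two public addresses meet the Teredo server requirement (public, consecutive, in one subnet, neither the network nor the broadcast address), assigns them together with the single default gateway on the Internet interface, assigns the intranet address with no gateway, adds a persistent static route for each intranet address space, and then confirms that only the Internet interface carries a 0.0.0.0/0 route. The interface names, the 203.0.113.0/24 block (documentation space standing in for real public space), the intranet addresses and the intranet prefixes are assumptions to be replaced with your own values; the script uses PowerShell 2.0 syntax so that it runs on Windows Server 2008 R2.

```powershell
# Added example; not from the original Forefront UAG documentation.
# Run in an elevated PowerShell session on the Forefront UAG DirectAccess server.
# Interface names, addresses and prefixes are assumptions; 203.0.113.0/24
# (documentation space) stands in for your real public block.
$InternetIf       = "Internet"        # adapter on the IPv4 Internet
$IntranetIf       = "Intranet"        # adapter on the IPv4 intranet
$PublicFirst      = "203.0.113.10"    # first of the two consecutive public addresses
$PublicSecond     = "203.0.113.11"    # must be PublicFirst + 1 (Teredo NAT detection)
$PublicMask       = "255.255.255.0"
$InternetGw       = "203.0.113.1"     # Internet firewall or ISP router
$IntranetAddr     = "10.1.1.10"
$IntranetMask     = "255.255.255.0"
$IntranetRouter   = "10.1.1.1"        # next hop for intranet prefixes, NOT a default gateway
$IntranetPrefixes = @("10.0.0.0/8", "172.16.0.0/12")   # every intranet IPv4 address space

function ConvertTo-IPv4Int ([string]$Ip) {
    # Dotted quad -> integer, so "consecutive" means the two values differ by exactly 1.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-PrivateIPv4 ([string]$Ip) {
    # RFC 1918 space (10/8, 172.16/12, 192.168/16) cannot be used on the Internet interface.
    $n = ConvertTo-IPv4Int $Ip
    foreach ($r in @(@("10.0.0.0", "10.255.255.255"),
                     @("172.16.0.0", "172.31.255.255"),
                     @("192.168.0.0", "192.168.255.255"))) {
        if ($n -ge (ConvertTo-IPv4Int $r[0]) -and $n -le (ConvertTo-IPv4Int $r[1])) { return $true }
    }
    return $false
}

function Test-PublicAddressPair ([string]$First, [string]$Second, [string]$Mask) {
    # Returns $true when the pair satisfies the Teredo server requirement; throws otherwise.
    if ((Test-PrivateIPv4 $First) -or (Test-PrivateIPv4 $Second)) { throw "Public addresses required; RFC 1918 space given" }
    $a = ConvertTo-IPv4Int $First; $b = ConvertTo-IPv4Int $Second; $m = ConvertTo-IPv4Int $Mask
    $hostBits = 4294967295 - $m                       # inverse of the mask as a positive integer
    if ($b -ne ($a + 1))                      { throw "The two public addresses must be consecutive" }
    if (($a -band $m) -ne ($b -band $m))      { throw "Both addresses must lie in the same subnet" }
    if (($a -band $hostBits) -eq 0)           { throw "$First is the subnet's network address" }
    if (($b -band $hostBits) -eq $hostBits)   { throw "$Second is the subnet's broadcast address" }
    return $true
}

Test-PublicAddressPair $PublicFirst $PublicSecond $PublicMask | Out-Null

# Internet interface: both public addresses and the only default gateway on the server.
netsh interface ipv4 set address name="$InternetIf" source=static address=$PublicFirst mask=$PublicMask gateway=$InternetGw gwmetric=1
netsh interface ipv4 add address name="$InternetIf" address=$PublicSecond mask=$PublicMask

# Intranet interface: address only; gateway=none keeps it free of a default gateway.
netsh interface ipv4 set address name="$IntranetIf" source=static address=$IntranetAddr mask=$IntranetMask gateway=none

# Persistent static routes for every intranet address space, via the intranet router.
foreach ($prefix in $IntranetPrefixes) {
    netsh interface ipv4 add route prefix=$prefix interface="$IntranetIf" nexthop=$IntranetRouter store=persistent
}

function Get-IPv4DefaultRouteInterfaces {
    # Names of the adapters that currently carry a 0.0.0.0/0 route; only $InternetIf should.
    Get-WmiObject Win32_IP4RouteTable | Where-Object { $_.Destination -eq "0.0.0.0" } | ForEach-Object {
        (Get-WmiObject Win32_NetworkAdapter -Filter "InterfaceIndex=$($_.InterfaceIndex)").NetConnectionID
    }
}

$defaults = @(Get-IPv4DefaultRouteInterfaces)
if ($defaults.Count -ne 1 -or $defaults[0] -ne $InternetIf) {
    Write-Warning "Default route present on: $($defaults -join ', '). Only '$InternetIf' should carry one."
}
```

The validation runs before any netsh command so that a mistaken address plan (a private block, a gap between the two addresses, or a second address that is the subnet broadcast) is caught before the Internet interface is reconfigured. The final check reads the live IPv4 routing table rather than trusting the netsh calls, so it also flags a default gateway that DHCP or an earlier manual configuration left on the intranet interface.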

Internet IPv6 connectivity

The Forefront UAG DirectAccess server can achieve IPv6 connectivity to the Internet in one of two ways:

  • IPv6 connectivity to the IPv6 Internet when native IPv6 is deployed in your organization.

    For the Internet interface on the Forefront UAG DirectAccess server connected to the IPv6 Internet, you can use the autoconfigured address configuration provided by your ISP. Use the route print command to ensure that a default IPv6 route pointing to the ISP router exists in the IPv6 routing table. Additionally, you should manually configure a connection-specific DNS suffix that is different from your intranet namespace on the Internet interface. In most cases, you can use the DNS suffix of your ISP.

    Next, determine the following:

    • If your ISP and your intranet routers are using default router preferences as described in RFC 4191.

    • If your ISP is using a higher default router preference than your local intranet routers.

    If both of these are true, no other configuration for the default route is needed. The higher preference for the ISP router ensures that the active default IPv6 route of the Forefront UAG DirectAccess server points to the IPv6 Internet.

    Note

    Because the Forefront UAG DirectAccess server is an IPv6 router, if you have a native IPv6 infrastructure, the Internet-facing interface of the server can also reach the domain controllers on the intranet. In this case, add packet filters on the domain controllers (including any domain controller in the perimeter network) that block traffic from the IPv6 address of the Internet-facing interface of the Forefront UAG DirectAccess server, so that an address exposed to the Internet cannot initiate connections to a domain controller.

    If the ISP does not provide native connectivity to the IPv6 Internet, the administrator must provide that connectivity by using a 6to4 relay, as described next.

  • A 6to4-tunneled connection to the IPv6 Internet when native IPv6 is not deployed in your organization.

    The Forefront UAG DirectAccess server forwards traffic that matches the default IPv6 route through the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. To configure the Forefront UAG DirectAccess server with the IPv4 address of the 6to4 relay on the IPv4 Internet, run the following command: netsh interface ipv6 6to4 set relay name=192.88.99.1 state=enabled

    Note

    Use 192.88.99.1, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet service provider recommends a specific unicast IPv4 address of the 6to4 relay that they maintain.

Intranet IPv6 connectivity

If your intranet has deployed native IPv6, manually configure the following on the intranet interfaces of the Forefront UAG DirectAccess server:

  • An IPv6 intranet address with the appropriate prefix designation.

  • A connection-specific DNS suffix of your intranet namespace on the intranet interface. (Optional)

Do not configure a default gateway on any of the intranet interfaces.

To configure the Forefront UAG DirectAccess server to reach all the IPv6 locations on your intranet, do the following:

  1. List the IPv6 address spaces for all the locations on your intranet.

  2. Use the netsh interface ipv6 add route command to add the IPv6 address spaces as static routes in the IPv6 routing table of the Forefront UAG DirectAccess server.
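The script below is an added example, not code from the Forefront UAG documentation, that covers the IPv6 side described above in one place: the intranet IPv6 address and static routes (this section), the 6to4 relay configuration for the case without native IPv6 Internet connectivity, a check that the active default IPv6 route leaves through the Internet interface (or the 6to4 adapter) rather than through an intranet router, and, for the native IPv6 case, the domain-controller packet filter from the note above. The interface names, the 2001:db8::/32 prefixes (documentation space), the domain controller name, the name pattern of the 6to4 tunnel adapter and the use of PowerShell remoting to reach the domain controllers are all assumptions to replace with your own values.

```powershell
# Added example; not from the original Forefront UAG documentation.
# Run in an elevated PowerShell session on the Forefront UAG DirectAccess server.
# Interface names, 2001:db8::/32 prefixes (documentation space) and the DC name are assumptions.
$InternetIf           = "Internet"
$IntranetIf           = "Intranet"
$NativeIPv6Internet   = $false                 # $true only if the ISP delivers native IPv6 on $InternetIf
$IntranetIPv6Addr     = "2001:db8:1::10/64"
$IntranetIPv6Router   = "2001:db8:1::1"        # next hop for intranet prefixes, NOT a default gateway
$IntranetIPv6Prefixes = @("2001:db8:1::/48", "2001:db8:2::/48")   # every intranet IPv6 address space
$Relay6to4            = "192.88.99.1"          # 6to4 relay anycast; use the ISP's unicast relay if given

# Intranet interface: static address, no default gateway, persistent route to each intranet prefix.
netsh interface ipv6 add address interface="$IntranetIf" address=$IntranetIPv6Addr store=persistent
foreach ($prefix in $IntranetIPv6Prefixes) {
    netsh interface ipv6 add route prefix=$prefix interface="$IntranetIf" nexthop=$IntranetIPv6Router store=persistent
}

if (-not $NativeIPv6Internet) {
    # No native IPv6 from the ISP: default IPv6 traffic leaves through the 6to4 adapter to the relay.
    netsh interface ipv6 6to4 set state state=enabled
    netsh interface ipv6 6to4 set relay name=$Relay6to4 state=enabled
}

function Get-IPv6InterfaceNames {
    # Idx -> name map from 'netsh interface ipv6 show interfaces' (columns: Idx Met MTU State Name).
    $map = @{}
    netsh interface ipv6 show interfaces | ForEach-Object {
        if ($_ -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$') { $map[[int]$matches[1]] = $matches[2] }
    }
    return $map
}

function Get-IPv6DefaultRoutes {
    # Every ::/0 entry of 'netsh interface ipv6 show route', resolved to the name of its interface.
    $names = Get-IPv6InterfaceNames
    netsh interface ipv6 show route | ForEach-Object {
        if ($_ -match '^\S+\s+\S+\s+\d+\s+::/0\s+(\d+)\s+(.+?)\s*$') {
            New-Object PSObject -Property @{ Interface = $names[[int]$matches[1]]; NextHop = $matches[2] }
        }
    }
}

# The active default route must point at the IPv6 Internet: the ISP-facing interface when native,
# otherwise the 6to4 tunnel adapter (assumed to carry "6to4" in its name, e.g. "6TO4 Adapter").
$routes   = @(Get-IPv6DefaultRoutes)
$expected = if ($NativeIPv6Internet) { $InternetIf } else { "*6to4*" }
if (@($routes | Where-Object { $_.Interface -like $expected }).Count -eq 0) {
    Write-Warning "No default IPv6 route through '$expected'; found: $(@($routes | ForEach-Object { $_.Interface }) -join ', ')"
}
if (@($routes | Where-Object { $_.Interface -eq $IntranetIf }).Count -gt 0) {
    Write-Warning "A default IPv6 route points at '$IntranetIf'; intranet routers must not advertise a winning default route"
}

if ($NativeIPv6Internet) {
    # With native IPv6 the server's Internet-facing address can reach intranet DCs. Block that source
    # address on each DC. Assumes PowerShell remoting is enabled on the DCs; the address is the one the
    # ISP assigned to $InternetIf (assumption; read it from 'netsh interface ipv6 show addresses').
    $UagInternetIPv6 = "2001:db8:ffff::10"
    foreach ($dc in @("dc1.corp.example.com")) {
        Invoke-Command -ComputerName $dc -ArgumentList $UagInternetIPv6 -ScriptBlock {
            param($ip)
            netsh advfirewall firewall add rule name="Block UAG Internet-facing IPv6 source" dir=in action=block remoteip=$ip
        }
    }
}
```

The route check parses the netsh output instead of relying on the commands having succeeded, so it also detects the RFC 4191 failure mode from the previous section, where an intranet router advertising a higher default router preference than the ISP router silently pulls the server's default IPv6 route onto the intranet. The firewall rule is created on the domain controllers, not on the Forefront UAG DirectAccess server, because the point of the filter is to stop the Internet-facing address from initiating connections to them.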