Why Do I Need Two IP Addresses on the External Interface of the UAG DirectAccess Server?

imageThis question comes up frequently when introducing admins to UAG DirectAccess. It makes sense, since public IPv4 addresses are getting more difficult to come by and in fact it’s predicted that there will be an exhaustion of the entire IPv4 address space by next month. So, why do you need two public IP addresses on the external interface of the UAG DirectAccess server?

There’s a short answer and a long answer. Let’s begin with the short answer (hat tip to Ben Ben Ari, Senior Support Engineer at Microsoft):

“When the Teredo adapter is active on the DirectAccess client, it will check the Teredo server’s public IPv4 addresses to determine what type of NAT device the client is located behind. The assessment is performed to determine which on of the follow four types of NAT are in use:

  1. One-to-one NAT, also known as Full-cone NAT
  2. Address restricted cone NAT
  3. Port-restricted cone NAT
  4. Symmetric NAT

The detection process starts with the Teredo client sending a Router Solicitation (RS) message to the Teredo server’s IP first address (the first of the two consecutive IPv4 addresses on the external interface on the UAG server used by DirectAccess). UAG then replies from the 2nd IP address. If the Teredo client receives the reply, it deduces that the NAT type is “Cone” (option 1 or 2 above). If the client does not receive this reply, then it issues a second RS message, but this time, UAG will reply from its first IP, instead of the second. If the client gets this reply, it now knows that the NAT type is either Port-restricted cone (type 3) or Symmetric (type 4) NAT. 

Next, the client sends a request to the UAG server’s second IP address (which also acts as a Teredo server), and waits for another answer. When the answer comes, if it is from the same IP as the first, this signals to the client that the NAT type is Port-restricted cone (type 3). If they are different, this means that NAT is mapping the same internal address and port number to different external addresses and port numbers, which means that this is a Symmetric NAT (type 4).”

If you want even more detail, this may help check out the Teredo Overview:




Tom Shinder
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
Follow me on Twitter:

Visit the TechNet forums to discuss all your UAG DirectAccess issues

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx

Skip to main content