UAG DirectAccess and the IPv6 Internet

We’ve received a number of questions recently about UAG DirectAccess support for the IPv6 Internet. When thinking about the IPv6 Internet, you need to think about when the DirectAccess client is on an IPv6 Internet (or on an IPv6 only intranet) and when the UAG DirectAccess server has its external interface connected to an IPv6 Internet connection.

Part of this confusion seems to stem from a TechNet article over at:

Let’s look at some of the sections that might be ambiguous or otherwise difficult to understand and try to clarify a few things.

“The DirectAccess client computer connects to the Forefront UAG DirectAccess server using IPv6 and IPsec. If a native IPv6 network isn’t available (which is most probable when the user is connected to the Internet), the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. The user does not need to be logged in to complete this step…”

There are two issues that need to be clarified here:

  • First, the DirectAccess client always connects to the UAG DirectAccess server using IPv6 and IPsec. The IPv6 packets are protected by IPsec (with the exception of ICMPv6, which is not protected by IPsec by default). However, the IPsec protected IPv6 packets are always going to be encapsulated by an IPv4 header, using Teredo, 6to4 or IP-HTTPS (which was left out of the statement above).
  • Second, regarding “if an IPv6 network is unavailable”: if an IPv6 network is unavailable, then the DirectAccess client will try to use an IPv6 transition technology (Teredo, 6to4 or IP-HTTPS) to connect to the UAG DirectAccess server. If a native IPv6 network is available, then the machine will not be able to connect to the UAG DirectAccess server. And if somehow it does, this is not a supported scenario (I’m not saying that it can or it can’t – but I am saying that this is not a supported scenario).
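As an added example (not code from Tom’s post or from UAG itself), the Python below classifies a DirectAccess client’s IPv6 source address, as it would appear in the UAG server’s IPsec or firewall logs, by the transition technology it reveals, and goes one step further by decoding the IPv4 details that 6to4 (RFC 3056) and Teredo (RFC 4380) embed in the address. The sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Well-known prefixes from RFC 3056 (6to4) and RFC 4380 (Teredo).
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def classify_directaccess_client(addr_text):
    """Classify a client IPv6 address by transition technology.

    Returns a dict with the technology name and, for 6to4 and Teredo, the IPv4
    information embedded in the address. IP-HTTPS clients get an address from
    the organisation's own prefix, so they cannot be told apart from native
    IPv6 by the address alone and are reported together.
    """
    addr = ipaddress.IPv6Address(addr_text)
    raw = int(addr)
    if addr in SIXTOFOUR_PREFIX:
        # 6to4: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the client's public IPv4.
        client_v4 = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"technology": "6to4", "client_ipv4": str(client_v4)}
    if addr in TEREDO_PREFIX:
        # Teredo: 2001:0:SERVER(32):FLAGS(16):~PORT(16):~CLIENT(32).
        # Port and client IPv4 are stored inverted (XOR with all ones).
        server_v4 = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        flags = (raw >> 48) & 0xFFFF
        udp_port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        client_v4 = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {
            "technology": "Teredo",
            "teredo_server": str(server_v4),
            "cone_flag": bool(flags & 0x8000),  # RFC 4380 cone bit
            "client_ipv4": str(client_v4),
            "client_udp_port": udp_port,
        }
    return {"technology": "native IPv6 or IP-HTTPS", "client_ipv4": None}


# Constructed sample addresses (TEST-NET and documentation ranges only).
SAMPLE_CLIENT_ADDRESSES = [
    "2002:c633:640a::1",                     # 6to4 client at 198.51.100.10
    "2001:0:c000:22d:8000:63bf:34ff:8ef8",   # Teredo, NAT'd client 203.0.113.7
    "2001:db8::10",                          # from the org prefix: IP-HTTPS/native
]

if __name__ == "__main__":
    for sample in SAMPLE_CLIENT_ADDRESSES:
        print(sample, "->", classify_directaccess_client(sample))
```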

That’s it – not too complicated, but an important thing to know: we don’t support scenarios where the UAG DirectAccess server’s external interface is connected to an IPv6 Internet (that is to say, where the UAG DirectAccess server has an IPv6 address assigned to its external interface), or where the DirectAccess client is connected to an IPv6 only network (which prevents the client from being able to set up an IPv6 transition technology based connection to the UAG DirectAccess server).

Several people have asked why we decided to use this approach, and the primary reason is that there are very few scenarios where the UAG DirectAccess server is connected to an IPv6 only Internet connection and where the UAG DirectAccess client is connected to an IPv6 only network. Since these scenarios can be interpreted as “corner cases” at this time, the decision was to not design toward these scenarios and to focus on what we see on networks today.

That said, Microsoft is firmly committed to IPv6 and our DirectAccess design and implementation will grow with the increasing availability of native IPv6 Internet and intranet connectivity.



Tom Shinder
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)


Comments (7)

  1. Anonymous says:

    Hi Kai,

    Keep in mind this refers *only* to UAG DirectAccess and makes no statement regarding Windows DirectAccess.


  2. Anonymous says:

    Hi Kai,

    If I had a choice, I'd prefer to laugh than cry 🙂



  3. Anonymous says:

    You bet!


  4. Jason Jones says:

    Thanks for the clarification Tom 😉

  5. KaiWilke says:

    Hi Tom,

    Currently I’m not sure if I should laugh or whine^^

    But I will tell you after some talks with my customers who have already invested a lot of time and money in DA and IPv6 deployment planning (based on the old information you have presented).

    Made my day!


  6. KaiWilke says:

    But it isn't funny anymore^^ It's just sad…

    Once the network community and even your SEs and marketing folks saw DA as an enabler to push IPv6 into existing IPv4 only infrastructures and to speed up the worldwide transition. But after your post it has become a real IPv6 deployment blocker, which does the complete opposite….


  7. Simon Hill says:

    The article over at:…/ee809062.aspx

    …seems to imply that it *is* possible that the UAG server's external interface may be connected to the IPv6 Internet.  There is a list of IPv6 packet filters required in just this scenario.

    What am I missing?
