We’ve received a number of questions recently about UAG DirectAccess support for the IPv6 Internet. When thinking about the IPv6 Internet, you need to think about when the DirectAccess client is on an IPv6 Internet (or on an IPv6 only intranet) and when the UAG DirectAccess server has its external interface connected to an IPv6 Internet connection.
Let’s look at some of the sections that might be ambiguous or otherwise difficult to understand and try to clarify a few things.
“The DirectAccess client computer connects to the Forefront UAG DirectAccess server using IPv6 and IPsec. If a native IPv6 network isn’t available (which is most probable when the user is connected to the Internet), the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. The user does not need to be logged in to complete this step…”
There are two issues that need to be clarified here:
- First, the DirectAccess client always connects to the UAG DirectAccess server using IPv6 and IPsec. The IPv6 packets are protected by IPsec (with the exception of ICMPv6, which is not protected by IPsec by default). However, the IPsec protected IPv6 packets are always going to be encapsulated by an IPv4 header, using Teredo, 6to4 or IP-HTTPS (which was left out of the statement above)
- Second, if an IPv6 network is unavailable… If an IPv6 network is unavailable, then the DirectAccess client will try to use an IPv6 transition technology to connect to the UAG DirectAccess server. If an IPv6 network is available, then the machine will not be able to connect to the UAG DirectAccess server. And if somehow it does, this is not a supported scenario (I’m not saying that it can or it can’t – but I am saying that this is not a supported scenario).
That’s it – not too complicated but an important thing to know – that we don’t support scenarios where the UAG DirectAccess server’s external interface is connected an IPv6 Internet (that is to say, that the UAG DirectAccess server has an IPv6 address assigned to its external interface) and when the DirectAccess client is connected to an IPv6 only network (which prevents the client from being able to set up an IPv6 transition technology based connection to the UAG DirectAccess server.
Several people have asked why we decided to use this approach, and the primary reason is that there are very few scenarios where the UAG DirectAccess server is connected to an IPv6 only Internet connection and where the UAG DirectAccess client is connected to an IPv6 only network. Since these scenarios can be interpreted as “corner cases” at this time, the decision was to not design toward these scenarios and focus on what we see on networks today.
That said, Microsoft is firmly committed to IPv6 and our DirectAccess design and implementation will grow with the increasing availability of native IPv6 Internet and intranet connectivity.
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues
Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx