UAG DA : mixed environment ?

  • Question

  • I've been following the planning & design guides from:
    http://technet.microsoft.com/en-us/library/ee406191.aspx

    There is a nice piece about singular approaches and considerations for intranet IPv6 connectivity design. In my case it is a bit more complex, as there are multiple subnets, gateways, routers... and some boxes are IPv4 only, some are Native IPv6, and some use 6to4 or ISATAP.

    So far I have UAG DA configured with its immediate subnet configured for native IPv6, and that works.

    Because of how UAG handles IPv4 via NAT64 and DNS64, all those IPv4-only boxes on the other side of the router also work great!

    The piece I'm tripping on is how to manage the ISATAP / 6to4 devices on the other subnets so that they can properly reply to the IPv6 communications that the DA server is sending out, as I may not always have access to their DHCP servers to force the IPv6 default gateway back to the DA server.

    Any help is greatly appreciated!


    -Aaron
    Monday, May 10, 2010 10:41 PM

Answers

  • UAG DA should always know where to route traffic.

    All of the IPv6 routes should be explicitly configured on the UAG DA box.

    6to4, Teredo and IP-HTTPS are automatically configured, but you should explicitly configure an IPv6 default route on the external interface of the UAG server (or simply configure a 6to4 relay, which will create a default IPv6 route using 6to4).

    Also, you need to configure routes on the internal interface for all of the IPv6 subnets in your organization (assuming you do have IPv6 in your organization, and not using the built-in ISATAP functionality of UAG DA).

    Regarding the routing in your organization, it is true that you should route all non-corp IPv6 traffic to the UAG DA server if you want to support IPv6 clients. But the suggestion is correct, and you can restrict DA clients to use only Teredo and IP-HTTPS; this way you won't have to route all non-corp traffic to UAG, and route only Teredo and IP-HTTPS traffic (which have very specific subnets) to UAG.

    • Marked as answer by Erez Benari Wednesday, May 19, 2010 11:42 PM
    Saturday, May 15, 2010 8:30 PM

All replies

  • Hi Aaron,

    In those cases, you'll probably need to configure static routing table entries on those hosts, if you can't control what IPv6 gateway address will be used.

    Is your network routing infrastructure set up to support native IPv6? If so, why are you using ISATAP on your IPv6-capable hosts? What are you using for your ISATAP router?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, May 11, 2010 2:06 PM
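    The two routing tasks discussed in this thread, the explicit IPv6 routes on the UAG DA box from the accepted answer and Tom's static routing table entries on internal hosts whose IPv6 gateway you cannot control, as netsh commands. This is an added example, not code from the thread or from Microsoft documentation. Every prefix, address and interface name in it is a placeholder assumption (the corporate subnets, the IP-HTTPS prefix assigned by your DA wizard, UAG's ISATAP address); only the Teredo prefix 2001::/32 is a real, well-known value. Run it in an elevated prompt on Windows Server 2008 R2 after replacing the placeholders.

```powershell
# Added example (not from the thread or Microsoft): netsh routing commands for the
# UAG DA box and for an internal ISATAP host. All values below are placeholders.

# --- placeholders (assumptions; replace with your own values) ---
$ExtIf       = "External"                 # UAG's Internet-facing adapter name
$IntIf       = "Internal"                 # UAG's internal adapter name
$ExtV6Gw     = "2001:db8:ffff::1"         # ISP next hop on the external interface
$IntRouter   = "2001:db8:0::1"            # internal router's address on UAG's internal subnet
$CorpV6Nets  = @("2001:db8:1::/64", "2001:db8:2::/64")   # native IPv6 subnets behind that router
$IpHttpsPfx  = "2001:db8:abcd:1000::/64"  # IP-HTTPS prefix assigned in the DA wizard
$TeredoPfx   = "2001::/32"                # well-known Teredo prefix (RFC 4380), not a placeholder
$HostIsatapIf = "isatap.corp.example"     # ISATAP tunnel adapter name on the internal host
$UagIsatapV6 = "2001:db8:0:1:0:5efe:10.0.0.10"  # UAG's own ISATAP address (reachable from the host's ISATAP interface)

# 1. List interface names so the placeholders above can be filled in.
netsh interface ipv6 show interfaces

# 2. UAG DA box: explicit IPv6 default route on the external interface ...
netsh interface ipv6 add route prefix=::/0 interface="$ExtIf" nexthop=$ExtV6Gw
# ... or, with no native IPv6 upstream, a 6to4 relay instead, which creates the
# default route through the 6to4 interface (relay name/address is a placeholder).
# netsh interface 6to4 set relay name=<your-6to4-relay> state=enabled

# 3. UAG DA box: one route per corporate IPv6 subnet, via the internal router.
foreach ($net in $CorpV6Nets) {
    netsh interface ipv6 add route prefix=$net interface="$IntIf" nexthop=$IntRouter
}

# 4. Internal ISATAP host (run there, not on UAG): static routes back to UAG for the
#    Teredo and IP-HTTPS client prefixes only. Replies to DA clients then reach UAG
#    without routing all non-corp IPv6 traffic to it, and the transition traffic
#    stays on the path where UAG inspects it.
# netsh interface ipv6 add route prefix=$TeredoPfx  interface="$HostIsatapIf" nexthop=$UagIsatapV6
# netsh interface ipv6 add route prefix=$IpHttpsPfx interface="$HostIsatapIf" nexthop=$UagIsatapV6

# 5. Verify: expect ::/0 on the external interface and one entry per corporate
#    prefix on the internal interface, then check the next hop answers.
netsh interface ipv6 show route
ping -6 $IntRouter
```

    The host-side routes in step 4 are shown for ISATAP only; a 6to4 host would need its next hop expressed as UAG's 6to4 address instead, since a tunnel interface can only forward to addresses of its own tunnel type. Routes added this way are active immediately but not persistent unless `store=persistent` is appended to the `add route` command.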
  • Hi Tom,

    Thank you for the replies (a bunch of threads of mine seem to have all consolidated down to the same issue & solution).

    The issue around the IPv6 native vs ISATAP is that the native IPv6 is only available on one subnet as we test it (of which the DA server's subnet is a part), so the rest of the internal network subnets are all IPv4 based with at best tunnel protocols.

    Any recommendations on how to set up the Server 2008 R2 DA server so instead of sending the remote client address to the client system with the request, it can use some sort of static address that will always point back to the DA server? (Something similar to a many-to-one NAT configuration from the external to the internal I guess...)

    -Aaron
    Tuesday, May 11, 2010 8:36 PM
  • Hi Aaron,

    That's an interesting idea, but not something we can do at this time :\

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, May 12, 2010 11:18 PM
  • This is theoretically achievable using NAT66. You can use an F5 BIGIP to NAT all IPv6 traffic from DA clients to the backend servers.

    However, it means that only DA clients can initiate communication and accessing DA clients from the intranet is not supported (just like every other NAT)

    No support or documentation exists on this subject, so you'd have to explore that territory on your own if you wish.

    Friday, May 14, 2010 2:43 PM
  • Wow, thanks Yaniv!
    I will definitely look into it a bit more from that angle.

    The other suggestion I have received from Microsoft is to restrict traffic to IP-HTTPS and Teredo protocols.

    But due to internal (impending) security policy, the Teredo & 6to4 tunnels will be collapsed as they currently pose a security risk in bypassing all IPv4 traffic monitoring we currently have in place.

    And to confirm, my understanding is that the remote clients pretty much contact the UAG DA box on boot so that they can authenticate the user credentials seamlessly? So as long as the system is in use, UAG DA will know where to route related traffic / name lookups?

    Will be tricky to find something that supports NAT66...

    Thank you,


    -Aaron

    Friday, May 14, 2010 4:21 PM
  • Wow. I never heard of NAT66 until now :)

    Thanks!



    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 17, 2010 2:28 PM