UAG DirectAccess - IPv6 Turned Off on DCs

  • Question

  • While on a con-call with our internal Windows Admin Team today, we were talking about the planned rollout of UAG DA in our environment. The Windows team informed us that IPv6 was turned off on all the DCs (nobody knows why ...). I mentioned that IPv6 is a key component of DA Clients communicating inbound to the corporate network - even if it is primarily IPv4.

    Can we proceed with DA rollout not having IPv6 turned on internally? Will the UAG servers DNS64 and NAT64 handle all the communications back and forth between the DA Clients out on the Internet and the IPv4 resources internally? Thanks in advance!


    Bill

    Friday, April 27, 2012 8:31 PM

Answers

  • Hi

    Yes, you can have Windows 2008/2008 R2 domain controllers with IPv6 disabled. DNS64 and NAT64 will handle the problem. ICMPv4 will be your only requirement for DNS64/NAT64. On the LAN you need IPv6 for the following scenarios:

    -Helpdesk team to take control of DirectAccess computers connected on Internet

    -SCCM server that needs to contact SCCM agents installed on DirectAccess clients

    -DirectAccess clients accessing servers configured for the Selected end to edge Scenarios

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by Beachnut_ Monday, April 30, 2012 9:57 PM
    Saturday, April 28, 2012 8:36 AM
  • BenoitS is right, with UAG you will not need IPv6 internally as NAT64/DNS64 will take care of the traffic originating from your DirectAccess clients that is destined for your internal resources. The only time you need some form of IPv6 internally (Native or ISATAP) is when an internal resource needs to initiate communications with a DirectAccess client. Your domain controllers should never be "pushing" content to your clients. The clients will "pull" information such as Group Policy, time sync, etc from the DCs just like any other client on your domain already does.


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide

    • Marked as answer by Beachnut_ Monday, April 30, 2012 9:57 PM
    Sunday, April 29, 2012 4:12 AM
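
The address mapping behind the answers above, as an added example that is not part of the thread and not UAG's own code. It assumes the RFC 6052 layout for embedding an IPv4 address in a NAT64 prefix; the prefix, DC address and client address are constructed, since the thread gives none.

```python
import ipaddress

ALLOWED = (32, 40, 48, 56, 64, 96)  # prefix lengths permitted by RFC 6052

def _positions(prefixlen):
    """Byte offsets of the 4 IPv4 octets; byte 8 (the 'u' octet) is skipped."""
    pos, out = prefixlen // 8, []
    while len(out) < 4:
        if pos != 8:
            out.append(pos)
        pos += 1
    return out

def embed(prefix, ipv4):
    """AAAA value a DNS64 would synthesize for an IPv4-only host."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED:
        raise ValueError("prefix length not allowed by RFC 6052")
    raw = bytearray(net.network_address.packed)
    if raw[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    for pos, octet in zip(_positions(net.prefixlen),
                          ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """IPv4 destination a NAT64 recovers, or None if outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _positions(net.prefixlen)))

# Constructed sample values (documentation / private ranges).
NAT64_PREFIX = "2001:db8:64::/96"   # assumed translator prefix
DC_IPV4 = "10.0.0.10"               # IPv4-only domain controller
DA_CLIENT = "2001:db8:c1::5"        # DirectAccess client's own IPv6 address

if __name__ == "__main__":
    synth = embed(NAT64_PREFIX, DC_IPV4)
    print("client connects to", synth, "->", extract(NAT64_PREFIX, synth))
    # No IPv4 address corresponds to the client, so an IPv4-only host
    # cannot open a connection toward it through the translator.
    print("IPv4 form of client:", extract(NAT64_PREFIX, DA_CLIENT))
```

The second lookup returning `None` is the reason the helpdesk and SCCM cases listed above need native IPv6 or ISATAP on the internal side.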

All replies

  • Hey thanks guys ... this is exactly what I was thinking. Thanks for confirmation.

    Bill

    Monday, April 30, 2012 9:57 PM