Endserver requirements for Direct Access RRS feed

  • Question

  • Hi together

    I'm trying to find out, what the Server requirements are, to make DA working.

    In my environment I have many web Servers, VSphere, etc... everything works fine and can be accessed via Direct Access. But there are also other applications, like IBM Notes, SAP and other applications that don't run per default. IBM Notes now works with some settings done on the Notes Server...other applications are not supported.

    Can someone please explain me, or refer to an article where this is explained. I would like to know, why some services are Direct Access compatible and some are not. What es the problem and what is the technical behaviour?

    Thank you very much.

    Monday, May 22, 2017 11:24 AM

All replies

  • The issue you are experiencing is applications that are not IPv6 capable. DirectAccess traffic is IPv6 (even though it is usually setup in an IPv4 internal network) - but the packets that flow from the DA laptops to the DA server are always IPv6 packets, that is the core of how DirectAccess works. If a client-side application is not capable of generating IPv6 packets, that application will not work over DirectAccess.

    If you have any interest, the company where I work has developed a utility which fixes this problem for many applications. It is an agent that we can install onto the DA client computers, it intercepts the traffic stream from those non-IPv6 applications, turns the packets into IPv6, and then sends them on their way across the DirectAccess tunnels so that they can successfully connect. We are more than happy to setup a free trial for anyone looking to test this out, so reach out to me directly if you would like to test it:

    Here's an article with a little info on the utility, which is called App46:

    Thursday, May 25, 2017 8:40 PM
  • Hi Jordan

    Thank you very much for the reply.

    Now I understand better, how it works... So, from DA Client to DA Server there is always IPv6 Traffic (IPv6 over IPv4, in my case IP-HTTPS)...
    From DA Server to Backend Server is always IPv4 in a IPv4 native Network, without IPv6 configured? DA Server makes NAT64/DNS64...
    So there is no need to configure the backend Server with IPv6, neither the IPv6 Stack has to be enabled...

    What is happening, when the IPv6 stack on the backend server is enabled with a static IPv6 or Link local IPv6 address with the appropriate quad-A record?
    Does DA Server use native IPv6 or still go over NAT64?

    Your application is very interesting...i'll check this with our CIO...

    Kind regards

    Wednesday, May 31, 2017 9:31 AM
  • If the back-end server was actually connected to the network via IPv6 and had a AAAA record in DNS, then the DirectAccess server could simply send on the IPv6 packets from the client to the server without using NAT64/DNS64 - but ONLY if the DirectAccess server is also on that same IPv6 network. The automatically established link-local fe80 IPv6 networks are not a "real" IPv6 network so that is not enough, it would have had to be an intentional IPv6 network that you setup and gave the DA server as well as the endpoint server a static IPv6 address on that network, along with DNS records.

    Sounds good on App46, let me know if you ever want to trial it!

    Wednesday, May 31, 2017 8:22 PM