Direct Access Clients accessing IPv4 resources NOT in DNS RRS feed

  • Question

  • Our current VPN solution is Direct Access for any and all Windows 7 and Windows 10 PCs. Being a network engineer, I am not sold on it and find it hard to protect when the network is not IPv6 ready.

    For me Direct Access doesn't work for what I need to do my job. When connected via direct access I still need traditional VPN to be able to access my IPv4 addresses for network devices that we do not keep in DNS, for valid reasons of security. How is there not a way to make Direct Access clients capable of connecting to IPv4 addresses with a simple task of something like SSH to 10.0.0.1? I find it hard to believe that Microsoft felt that networks were all IPv6 and all resources were in DNS when they created this solution. 

    My systems guy tells me that it is not possible for Direct Access clients to access raw IPv4 addresses. Is this true?

    Thursday, September 14, 2017 2:11 PM

Answers

  • That is correct, you will never be able to contact resources via IPv4 address over DirectAccess, because the DA tunnel between the laptop and the DA server is an IPv6-only tunnel. You do not need anything inside your corp network to be IPv6-capable for DirectAccess to work, but it is important to understand that the outside part of the tunnel that flows over the internet is always IPv6. This was done for two reasons:

    1. It gets rid of the common VPN issue where your VPN subnet might be IP addressed similarly to a home subnet, causing routing issues.

    2. The level of IPsec encryption that DirectAccess uses is high, and requires IPv6 with the way that Microsoft set it up. This makes DA connections incredibly strong, though as you have experienced it means your traffic is flowing as IPv6 packets.

    IT people definitely struggle more than users in this area. Users don't care what is transporting their traffic, they just launch the application and it works. That is what DA is all about. For us IT people, we tend to memorize IP addresses for accessing everything, and working that into DirectAccess requires a change in mindset. :) Yes, DNS becomes very important for doing any work in the DA world. Technically you could start memorizing IPv6 addresses (the DNS64 addresses that the DA server is creating to translate into the IPv4 resources in your internal network) - but who's gonna memorize IPv6 addresses? lol

    Wednesday, September 20, 2017 1:21 PM
  • That's true, you have only 2 options:

    1. Enter the IPv6 address (the DNS64 address that has the original IPv4 address in it).

    2. Create a DNS record for these devices with IPv4; it will be easier to remember the name instead of a long IPv6 address.

    Regarding the DA security, it's really very powerful, and after using it for a long time you will think twice before turning back to the old VPN solution.

    Sunday, February 10, 2019 1:43 PM
    Moderator

All replies

  • That is not true.

    Address your IPv4 address in your IPv6 address space.

    Richard Hicks illustrates using PuTTY with this method.  It works almost the same for a web browser, except that you use square brackets around the address.

    https://directaccess.richardhicks.com/2015/11/19/ssh-administration-over-a-directaccess-connection/

    I accessed a managed switch using HTTPS over a site VPN link to our office, using my DA-connected laptop at home.

    You do not need to convert the dotted decimal to the hex.  In fact, if you ping an address first, the command prompt will show you the converted value.

    Bonus points if you stand up addresses in DNS, maybe an alt zone... I haven't done so yet either. Many of my nodes are either not IPv6 ready or have not been configured as such. Given a wide WAN with a hub and spoke topology... I'll consider it "later".

    Friday, January 4, 2019 6:12 PM
  • That scenario does make it slightly easier to punch in IP addresses on a DA-connected laptop and get to resources without requiring DNS names, but you are still typing in IPv6 addresses. 

    Typing in an IPv4 address over a DA connection will get you nowhere. Punching in your DA IPv6 prefix followed by the resource's IPv4 address can work yes, but that is still an IPv6 address, not an IPv4 address. The DA IPsec tunnels only carry IPv6 packets.

    All in all, DNS is still the best and easiest way to access any resource over DirectAccess. :)

    The original question was: My systems guy tells me Direct Access clients to access raw IPv4 address is not possible. Is this true?

    And the answer to that question is "Yes, that is true."

    Friday, January 4, 2019 9:46 PM