Configure a new IPv6 address range in TMG RRS feed

Question

  • Hi,

    I am working with UAG and TMG (both RTM) on Server 2008 R2.  I have external DirectAccess clients for which I am configuring restricted access and I have been assigned the task of creating a TMG firewall rule to do this (the external clients at this time only have the machine tunnel provisioned, and not the user tunnel - we are only establishing remote management and not full intranet access over DA).  My idea is that I will create a firewall rule that allows traffic from "Anywhere (IPv6)" to a specific set of computers (domain controllers).  Since this is all going to be IPv6 traffic, I need to define the specific set of DCs by their IPv6 addresses.  However, there is no way to enter IPv6 addresses in any of the TMG GUIs that I have found - for example, when I try to create a new address range or a new computer set, there are fields to enter IPv4 addresses but not IPv6 addresses.  Anywhere (IPv6) is a built-in address range in TMG, and when I view its properties it is clearly defined as "0000:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff."  This tells me that TMG is capable of understanding IPv6 addresses and address ranges, so I would like to find a way to enter one myself.

    Thank you.
    Thursday, February 11, 2010 8:27 PM

Answers

  • I just tested the creation of a TMG rule that blocks Anywhere (IPv6) to a list of specific servers (specified by IPv4 address) and it worked.  Great news for us!  :-)

    Thank you for your help!

    Justin
    Friday, February 12, 2010 1:39 AM

All replies

  • Hi Justin,

    In general, TMG does not support IPv6 as discussed here:

    Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

    Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

    Source: http://technet.microsoft.com/en-us/library/ee796231.aspx#bvdf45dsf45

    However, to support DirectAccess there is a level of supportability added as discussed here:

    http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

    and here:

    http://technet.microsoft.com/en-us/library/ee921439.aspx

    However, I don't think TMG LocalHost=>Corpnet rules are quite what you wanted...

    If you are only using the infrastructure tunnel, this is already limited to a subset of internal IPv6 addresses anyhow. Have a look at the "UAG DirectAccess Client - Clients Access Enabling Tunnel" connections security rule in WFAS to see the list generated by the DA wizard and applied via GPO. Admittedly this is not controlled by TMG.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    • Proposed as answer by Erez Benari Thursday, February 11, 2010 11:02 PM
    • Marked as answer by Justin J Martin Friday, February 12, 2010 1:39 AM
    • Unmarked as answer by Justin J Martin Friday, February 12, 2010 1:39 AM
    Thursday, February 11, 2010 9:00 PM
    Moderator
  • Hi Jason,

    Thank you for your response!

    I have reviewed the materials you provided and it is a tad disappointing that TMG doesn't support IPv6 yet, but good that TMG integrates with UAG DA.  Do you know of plans to support IPv6 in future releases of TMG?

    You are correct that the DA infrastructure tunnel does contain a specific list of servers (DCs and any management servers that we include in the DA wizard) to which remote DA clients will have access.  My task at this point is to figure out a way to further control access to those servers on the fly, without the need to update the GPOs via script or DA wizard and wait for replication/GP updates.  To that end, I would like to ask another question about how TMG works:  from what I have read it seems pretty clear that TMG controls both incoming and outgoing traffic on the server.  In that case, I could use "Local Host to Internal network" rules to control access, assuming the servers on the Internal network all had IPv4 addresses.  I think this would be possible because incoming packets from remote clients would hit TMG as v6, then hit the NAT64 and be converted to v4, and then hit TMG again on their way from the edge server to the intranet servers (all of our intranet servers have v4 addresses only at this time and we are relying exclusively on NAT64).  Is that correct? 

    Justin
    Thursday, February 11, 2010 11:33 PM
  • Cool, that makes sense! :)
    Jason Jones | Forefront MVP | Silversands Ltd
    Friday, February 12, 2010 2:47 AM
    Moderator
  • If you look around the GUI you will see IPv6 is very evident; I just think they ran out of time "doing the doing" after getting everything else ready ;)
    Jason Jones | Forefront MVP | Silversands Ltd
    Friday, February 12, 2010 2:49 AM
    Moderator
  • Hey guys,

    Just to be clear, supportability is going to be a very important issue for UAG DA, because there are so many moving parts that have to be working together for the solution to work correctly. For that reason, manipulation of the TMG configuration outside of that documented is going to be problematic. However, there is something that you can manipulate that is within the support boundaries. As noted by Jason at:

    http://technet.microsoft.com/en-us/library/ee921439.aspx

    RE: NAT64, TMG owns that component and DNS64 belongs to UAG.
    IPv6/IPv4 protocol translation is performed when the resource is an IPv4 resource, as determined by only an IPv4 address being returned from a DNS query.

    HTH,
    Tom
    MS ISDUA Anywhere Access Team
    Friday, February 12, 2010 12:46 PM
    Moderator
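Tom's rule (translate only when the DNS answer is IPv4-only) and Justin's observation that a rule from Anywhere (IPv6) to IPv4-addressed servers matched fit together once the DNS64 and NAT64 steps are written out. The following Python model is an added example for this thread, not code from TMG, UAG or any poster. It assumes the RFC 6052 well-known NAT64 prefix 64:ff9b::/96 (UAG derives its own prefix), and the DNS records and IPv4 server set are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample: what the internal DNS would return for each name.
# A real DNS64 resolver learns these from live upstream queries.
UPSTREAM_DNS: Dict[str, Dict[str, List[str]]] = {
    "dc01.corp.example": {"A": ["10.0.0.10"]},                                # IPv4-only resource
    "dc02.corp.example": {"A": ["10.0.0.11"]},                                # IPv4-only resource
    "v6host.corp.example": {"A": ["10.0.0.50"], "AAAA": ["2001:db8:1::50"]},  # dual-stack
    "nowhere.corp.example": {},                                               # no records
}

# Assumed NAT64 prefix for this example (RFC 6052 well-known prefix);
# UAG/TMG deployments use a prefix derived from their own IPv6 plan.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 layout)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_lookup(name: str,
                 upstream: Dict[str, Dict[str, List[str]]] = UPSTREAM_DNS,
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[str]:
    """AAAA answers a DNS64 resolver hands to an IPv6-only (DirectAccess) client.

    Rule from the thread: synthesis happens only when the resource is IPv4-only,
    i.e. the upstream answer has A records but no AAAA records.  Native IPv6
    answers pass through untouched and never traverse NAT64.
    """
    records = upstream.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


def nat64_translate_destination(dst_v6: str,
                                prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 side: recover the embedded IPv4 destination, or None if the
    destination is not inside the NAT64 prefix (i.e. native IPv6 traffic)."""
    addr = ipaddress.IPv6Address(dst_v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def rule_matches_after_translation(dst_v6: str, allowed_v4: Set[str],
                                   prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> bool:
    """Model of a TMG rule 'Anywhere (IPv6) -> computer set of IPv4 addresses'.

    The IPv6 packet is evaluated after NAT64 has rewritten the destination, so
    a computer set that only lists IPv4 addresses can still match DA traffic.
    """
    dst_v4 = nat64_translate_destination(dst_v6, prefix)
    return dst_v4 is not None and dst_v4 in allowed_v4


if __name__ == "__main__":
    dc_set = {"10.0.0.10", "10.0.0.11"}
    for name in UPSTREAM_DNS:
        answers = dns64_lookup(name)
        for a in answers:
            print(f"{name:22} -> {a:20} NAT64 dst={nat64_translate_destination(a)} "
                  f"rule match={rule_matches_after_translation(a, dc_set)}")
        if not answers:
            print(f"{name:22} -> (no answer)")
```

The model also makes the failure mode visible: a dual-stack host with a real AAAA record is reached natively, never hits NAT64, and therefore would not match a rule whose destination set contains only IPv4 addresses, which is exactly the gap an IPv4-only computer set leaves once internal hosts start publishing AAAA records.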