DirectAccess UAG over IPv6 Internet

  • Question

  • Hi all.

    I'm trying to find any information at all about DirectAccess in a UAG environment where the LAN and the DA server all run on native IPv6.

    I've been trying to get this to work for some time, but as far as I can tell the DA wizard doesn't seem to care that the DA server has v6 on the WAN side; it still configures everything to run over 6to4. The few lines in the Design and Deployment Guide about native v6 don't really say anything. Can anybody suggest any good information sources on this?

    Monday, April 12, 2010 1:08 PM

Answers

  • Hi Fredrik,

    I understand. I'll get this on the documentation list so that it doesn't get lost in the shuffle. No promises, but hopefully we can get this done before the end of the year.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Wednesday, April 14, 2010 12:25 AM
    Tuesday, April 13, 2010 7:46 PM
    Moderator

All replies

  • Hi F,

    Are you connecting from an IPv6 Internet?

    This is what we hope to see in the future, but I'm checking on our current supportability statement re: IPv6. I'll let you know.

    Thanks!

    Tom

     


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, April 12, 2010 1:47 PM
    Moderator
  • Yes, we're running native IPv6 all the way from the client on the IPv6 Internet to the application server on the corpnet.

     

    Thanks for looking into it!

     

    / Fredrik

    Monday, April 12, 2010 4:48 PM
  • I assume you have seen this? http://technet.microsoft.com/en-us/library/ee406201.aspx#NATIVE

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, April 12, 2010 4:56 PM
    Moderator
  • Yes I've seen that, thanks.

    I think my IPv6 configuration is working as it should. I can ping the native IPv6 address on the WAN interface of the DA server from the IPv6 Internet and I can reach both external and internal v6 resources from the server, but my DA clients still connect to the server's 6to4 address using 6to4 or IPHTTPS (never Teredo for some reason) and the server still publishes its 6to4 address as the DNS64 address. I don't really see the reason for the server to use 6to4 at all when it's on native IPv6. Is this by design?

    Tuesday, April 13, 2010 5:24 AM
  • So you have a globally routable IPv6 address on both the external and internal UAG interfaces?

    Are you using globally routable IPv6 addresses on your corpnet too?


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 10:23 AM
    Moderator
  • So you have a globally routable IPv6 address on both the external and internal UAG interfaces?

    Are you using globally routable IPv6 addresses on your corpnet too?


    Jason Jones | Forefront MVP | Silversands Ltd

    Yes, that is correct.
    Tuesday, April 13, 2010 10:49 AM
  • I assume therefore that you have not enabled NAT64/DNS64?

    It is my understanding that native IPv6 DA clients are supported and the transition technologies are only added for people not using native IPv6 internet connectivity (a majority I would imagine).

    What results do you get from the DCA tool when using diagnostic logging?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 11:11 AM
    Moderator
  • I assume therefore that you have not enabled NAT64/DNS64?

    It is my understanding that native IPv6 DA clients are supported and the transition technologies are only added for people not using native IPv6 internet connectivity (a majority I would imagine).

    What results do you get from the DCA tool when using diagnostic logging?

    Sorry, I should have given you a more detailed answer. I do have NAT64/DNS64 enabled since we need to be able to access a few v4 only servers outside of my control (but still on the corpnet side).

    The DCA tool tells me everything is fine, but all communication flows over 6to4 or IPHTTPS to the 6to4 address on the DA server even though the client is on the IPv6 Internet.

    I've been trying to manually edit the UAGDirectAccess_GroupPolicy.ps1 script to change the UAGDA_DTE_ACCESS and UAGDA_DTE_CORP variables to the native IPv6 address instead of the 6to4 address, but I only succeeded in breaking DA.

    Tuesday, April 13, 2010 11:31 AM
  • Hi,

    Is this your actual production environment, or a test lab?

    Native IPv6 on the corpnet is not a problem (that's how I use it) but having full native IPv6 Internet connectivity is pretty rare, especially for the clients.

    I believe the suggested solution (although probably not ideal) is to have the traffic go from the IPv6 internet client through a 6to4 router to the 6to4 adapter on the UAG…

    Are you experiencing problems using 6to4 or IP-HTTPS?

    Cheers

    JJ 


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 2:27 PM
    Moderator
  • This is a supported scenario, so it will work. However, we haven't documented how to configure UAG to support connectivity from the IPv6 Internet, mainly because this seems to be a "corner case" and time taken to doc that out isn't available to other projects. Do you think it's worth doc'ing this out sooner rather than later? Are you on the IPv6 Internet now?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 13, 2010 3:41 PM
    Moderator
  • This is a supported scenario, so it will work. However, we haven't documented how to configure UAG to support connectivity from the IPv6 Internet, mainly because this seems to be a "corner case" and time taken to doc that out isn't available to other projects. Do you think it's worth doc'ing this out sooner rather than later? Are you on the IPv6 Internet now?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team

    Thanks Tom - did you connect with Ben on this? ;)
    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 4:12 PM
    Moderator
  • This is a supported scenario, so it will work. However, we haven't documented how to configure UAG to support connectivity from the IPv6 Internet, mainly because this seems to be a "corner case" and time taken to doc that out isn't available to other projects. Do you think it's worth doc'ing this out sooner rather than later? Are you on the IPv6 Internet now?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team

    Thanks to you both for your attention on this. I'll take a shot at answering you both in one post.

    First, Jason.

    Yes, this is my actual production environment.

    If I let the client connect using 6to4 or IPHTTPS nearly everything works as it should. I do however get some routing problems when the client tries to access a resource on the IPv6 Internet. The traffic from the client (IPHTTPS with an address in the 2xxx:xxxx:5500::/64 span for example) reaches the DA server which pushes it out on the Internet over its 6to4 interface. However, the response gets routed through the regular firewall since it's in our /48, which promptly drops it since the original connection didn't go through it. If I screw around with the default routes on the DA server I usually end up in a situation where nothing at all works anymore. It might be possible to live with this since there's not all that much out there on the IPv6 Internet at the moment, but this will become a problem.

    Except for that, well it's definitely something I can live with but it grates a bit having to tunnel the traffic when I have native v6 at both ends.

    For some reason I can't get Teredo to work, but that might be related to some routing weirdness as well. The client connects the tunnel and negotiates IPsec, but then never uses the tunnel. It creates a new IPHTTPS tunnel instead and uses that. It might work itself out if I remove the v6 address on the WAN interface; I'll have to try that.

     

    Tom,

    I'd love to get some documentation on how to do this. I realize that it probably is a corner case at the moment just as you said, but on the other hand we do want people to move to v6, right? ;) Yes, our corpnet is on the IPv6 Internet right now. A few of my remote clients as well.

     

    Thanks guys.

    Tuesday, April 13, 2010 6:26 PM
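
The asymmetric return path described in the post above, modelled as an added example that is not part of the original thread: it classifies an address as 6to4, Teredo or native, then checks whether a reply would come back through the same device that sent the request out. All prefixes, addresses and device names are constructed assumptions (documentation ranges), not values from the thread.

```python
import ipaddress

# Constructed sample values (documentation prefixes), not taken from the thread.
CORP_PREFIX = ipaddress.ip_network("2001:db8:1::/48")            # organisation's native /48
DA_6TO4_PREFIX = ipaddress.ip_network("2002:c000:201::/48")      # 6to4 prefix of 192.0.2.1

# How the IPv6 Internet delivers packets towards the site:
# destination prefix -> device that receives the packet (hypothetical names).
RETURN_ROUTES = {
    CORP_PREFIX: "perimeter-firewall",
    DA_6TO4_PREFIX: "da-server",
}


def classify(addr):
    """Return (kind, embedded IPv4 or None) for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:          # 2002::/16, IPv4 sits in bits 16..47
        return "6to4", ip.sixtofour
    if ip.teredo is not None:             # 2001::/32, tuple is (server, client)
        return "teredo", ip.teredo[0]
    return "native", None


def return_device(dst):
    """Longest-prefix match of a reply's destination against RETURN_ROUTES."""
    ip = ipaddress.ip_address(dst)
    matches = [net for net in RETURN_ROUTES if ip in net]
    if not matches:
        return None
    return RETURN_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def reply_survives(client_src, egress_device):
    """A stateful device only accepts replies for flows it forwarded outbound,
    so the reply must arrive at the device the request left through."""
    return return_device(client_src) == egress_device


if __name__ == "__main__":
    client = "2001:db8:1:5500::10"        # IP-HTTPS client address inside the /48
    print(classify("2002:c000:201::1"))   # the DA server's 6to4 address
    print(classify(client))
    # Request leaves via the DA server, reply is routed to the firewall: dropped.
    print(return_device(client), reply_survives(client, "da-server"))
```
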
  • :-P

    Actually, we were working out this issue a couple of months ago. Billy Price from CSS got it working.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 13, 2010 7:37 PM
    Moderator
  • Hi Fredrik,

    I understand. I'll get this on the documentation list so that it doesn't get lost in the shuffle. No promises, but hopefully we can get this done before the end of the year.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Wednesday, April 14, 2010 12:25 AM
    Tuesday, April 13, 2010 7:46 PM
    Moderator