DirectAccess w. UAG - are internal public IPv4 addresses supported?

  • Question

  • Hello friends,

    On TechNet I found nothing about DirectAccess UAG and the support of public IPv4 addresses on the internal side.

    Where can I find an official statement?

    Can somebody give me a hint? Thanks a lot.


    Thanks, Berleg
    • Edited by Berleg Saturday, January 28, 2012 11:22 PM correction
    Saturday, January 28, 2012 11:20 PM

Answers

  • I have done this without any IPv6 or ISATAP. I suppose a requirement for this would be that your public IP addresses will need to be split into at least two different subnets. Basically, you need to separate UAG's "Internal" and "External" NICs onto separate networks. For example, maybe all of your internal servers have public IP addresses of 1.1.1.x - you could place your UAG server's internal NIC onto this subnet, but then your "external" NIC on the UAG server cannot reside in that same subnet, it would need to be in 1.1.2.x (just an example).

    If you have this option, to be able to split the internal/external NICs onto separate subnets, I have done this before with no real trouble. The only issue I ran into with this particular installation that I did was that a few of the application servers were receiving a 6to4 IPv6 address from something (I never took the time to investigate what was issuing these addresses). We simply disabled IPv6 on the NICs of those internal application servers (it was supposed to be disabled anyway, but this setting was overlooked on a handful of machines).

    • Marked as answer by Berleg Monday, January 30, 2012 9:57 PM
    Monday, January 30, 2012 6:52 PM
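The two practical requirements in the answer above (the UAG "Internal" and "External" NICs must sit in different IPv4 subnets, and the internal application servers should carry no stray 6to4/ISATAP/Teredo addresses) can be checked mechanically before activating a configuration. The script below is an added example, not code from this thread, from UAG or from Microsoft; the addresses are constructed sample values built on the 1.1.1.x / 1.1.2.x placeholders Jordan used, and in practice you would paste in the addresses read off `ipconfig /all` on each box.

```python
"""Added example (not from the thread): two sanity checks for a UAG DirectAccess
deployment whose internal side uses public IPv4 space.

  1. The UAG internal and external NICs must not share (or overlap) an IPv4 subnet.
  2. Internal application servers should carry no 6to4 / ISATAP / Teredo addresses,
     or DirectAccess clients may reach them over an unintended IPv6 transition path.

All addresses below are constructed sample data, not a real deployment.
"""
import ipaddress

# 6to4 is 2002::/16 (RFC 3056); Teredo is 2001:0::/32 (RFC 4380); ISATAP interface
# identifiers carry 00:00:5e:fe or 02:00:5e:fe in bytes 8..11 (RFC 5214).
_SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
_TEREDO = ipaddress.IPv6Network("2001::/32")
_ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def nic_subnets_overlap(internal: str, external: str) -> bool:
    """True when the two interface addresses (CIDR form, e.g. '1.1.1.10/24')
    land in the same or overlapping IPv4 subnet, the layout UAG cannot route."""
    a = ipaddress.ip_interface(internal).network
    b = ipaddress.ip_interface(external).network
    return a.overlaps(b)


def transition_kind(addr: str):
    """Classify an address as '6to4', 'teredo', 'isatap' or None.

    IPv4 addresses, native IPv6 and ordinary link-local addresses return None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    if ip in _SIXTOFOUR:
        return "6to4"
    if ip in _TEREDO:
        return "teredo"
    if ip.packed[8:12] in _ISATAP_IID_PREFIXES:
        return "isatap"
    return None


def unexpected_transition_addresses(hosts: dict) -> dict:
    """hosts maps hostname -> list of address strings (as read from ipconfig /all).
    Returns hostname -> [(address, kind)] for every transition address found."""
    findings = {}
    for host, addrs in hosts.items():
        hits = []
        for a in addrs:
            kind = transition_kind(a)
            if kind:
                hits.append((a, kind))
        if hits:
            findings[host] = hits
    return findings


# Constructed sample data (hypothetical hosts and addresses).
UAG_INTERNAL = "1.1.1.10/24"
UAG_EXTERNAL = "1.1.2.10/24"        # separate subnet: acceptable
UAG_EXTERNAL_BAD = "1.1.1.200/24"   # same subnet as the internal NIC: not acceptable

INTERNAL_SERVERS = {
    "app01": ["1.1.1.21", "fe80::1c3a:9f2e:44b1:7e20"],   # clean: IPv4 + plain link-local
    "app02": ["1.1.1.22", "2002:101:116::101:116"],       # 6to4 address derived from 1.1.1.22
    "app03": ["1.1.1.23", "fe80::5efe:1.1.1.23"],         # ISATAP link-local address
}

if __name__ == "__main__":
    for ext in (UAG_EXTERNAL, UAG_EXTERNAL_BAD):
        state = "OVERLAP" if nic_subnets_overlap(UAG_INTERNAL, ext) else "ok"
        print(f"internal {UAG_INTERNAL} / external {ext}: {state}")
    for host, hits in unexpected_transition_addresses(INTERNAL_SERVERS).items():
        for addr, kind in hits:
            print(f"{host}: {kind} address {addr} (disable IPv6 transition on this NIC)")
```

Run it on the UAG server for the NIC check and against a list gathered from the application servers for the transition-address check; any `6to4`/`isatap`/`teredo` hit on an internal server is a host where IPv6 was supposed to be off but was overlooked, exactly the case described above.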

All replies

  • Yes, UAG DirectAccess supports the use of IPv4 addresses on the intranet by using features called NAT64 and DNS64:

    http://technet.microsoft.com/en-us/library/ee809079.aspx

    Cheers

    JJ



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Sunday, January 29, 2012 12:37 AM
  • Hello Jason,

    In this article I see nothing about PUBLIC IPv4 addresses on the internal network.

    The question is NOT whether PRIVATE IPv4 addresses on the internal network work,

    the question is whether the use of PUBLIC IPv4 addresses on the internal network is supported.

    Did you build a UAG DirectAccess environment with public IPv4 addresses on the internal network?


    Thanks, Berleg
    Sunday, January 29, 2012 10:04 AM
    Hi,

    You will have routing problems, especially if your public IPv4 addresses are usurped from the Internet. Technically, it is possible if you introduce an ISATAP router between your UAG box and your LAN. You will have IPv6-only communications between your UAG box and the ISATAP router. This solution hides your internal network from the Internet. The major problem is that DNS64/NAT64 cannot be used (because there is no IPv4 LAN connectivity). The only solution is to have IPv6 LAN resources (ISATAP connectivity) or to make them available with a UAG portal.

    Another problem: by default the UAG portal only responds to IPv4. You will need to reconfigure the IIS bindings each time you activate a new configuration.

    From my point of view, this is a complex scenario. In my opinion, you should focus on RFC 1918 compliance.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Sunday, January 29, 2012 12:20 PM
  • Hi Benoit,

    As far as I know the public IP addresses are not usurped. It is a college.

    Did I understand you right that you say we need an extra ISATAP router box?

    That means that the UAG box alone is not able to connect the DirectAccess client to internal resources with PUBLIC IPv4 addresses?

    Is it documented on TechNet?


    Thanks, Berleg
    Sunday, January 29, 2012 3:27 PM
    I don't understand.

    You want DirectAccess clients to access resources that do not belong to your LAN through DirectAccess tunnels? If yes, it might not be a problem. The UAG box is able to connect you to any subnet as long as its routing table provides the right information. Can you elaborate on your scenario?

    If your clients need to access public resources, they might not need to go through DirectAccess. The split tunneling mode allows clients to connect to any resources on the Internet.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Sunday, January 29, 2012 5:17 PM
  • Sorry that my explanation is so bad:

    The whole company network is using PUBLIC IP addresses internally. That is true for all clients and all servers (resources). But they are not reachable from the Internet.

    I know that is not a very common scenario, but that is the reason I'm asking here.  ;-)

    Question 1: Is there anybody out there who built a UAG DirectAccess environment with PUBLIC IP addresses inside?
    Q2: Is it supported by Microsoft?  (Hello MS folks, feel free to answer  :-))
    Q3: Where is it written on TechNet?


    Thanks, Berleg
    Sunday, January 29, 2012 10:59 PM
    OK, now it's clear.

    DirectAccess was designed for RFC 1918 compliant networks. Because you can't use NAT between UAG and your LAN, you will have routing problems. To avoid this, you must hide your internal network with an IPv6 inter-LAN (between UAG and an ISATAP router).

    Q1: I was involved in a similar DirectAccess project. It is technically possible but complex.

    Q2: Not sure at all.

    Q3: No, it is not written on TechNet.

    The solution is to configure a UAG DirectAccess configuration with a native IPv6 address on the LAN interface (no IPv4 address). The ISATAP router provides IPv6 connectivity that hides your internal network and avoids routing problems. And finally, there is a second UAG box, configured in the portal scenario, that publishes applications and resources. So technically possible but complex.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, January 30, 2012 6:32 AM
    Hi

    In my scenario my client built its LAN with 70000 public IPv4 subnets. This causes a lot of routing problems.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, January 30, 2012 7:01 PM
  • Yikes, that would be a fun routing table to populate! :)

    No wonder we're running out of public IPv4 addresses...lol

    Monday, January 30, 2012 7:12 PM
    That's why the IPv6 inter-LAN with the ISATAP router saved me a lot of time.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, January 30, 2012 7:18 PM
    Thanks Benoit and Jordan for your information.
    Thanks, Berleg
    Monday, January 30, 2012 9:59 PM