DirectAccess IP Pool

  • Question

  • The question is: is the internal network subnet that is created when setting up DirectAccess on the UAG server unique to my network?  Also, the way we do our VPN now, it gives out a pool of addresses that is allowed through our firewall.  The powers that be wonder if DA can do the same?


    Thanks

    Tuesday, March 15, 2011 1:22 PM

All replies

  • Hello,

    If I'm right, the internal subnet is not unique and belongs to your network.

    As far as I know, DirectAccess doesn't allow you to configure a pool of addresses.

    But you could recognize them:

    • They are IPv6 addresses
    • They're formatted like NAT64_Prefix::/96, if I remember

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Tuesday, March 15, 2011 2:13 PM
  • When using the NAT64 feature of UAG DA, all DA clients will appear to hide behind the UAG internal interface IPv4 address; so that will become the source IP...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, March 16, 2011 12:45 AM
    Moderator
  • We are getting the Teredo protocol for some reason.


    But what we have here is 2 firewalls in the DMZ: FW A (front) and FW B (back).  We allow traffic through FW A to our VPN server, which hands out an IP from a pool of IPs.  We only allow IPs from the pool through FW B and to our network.


    The FW Admin wants to know if we can do the same with UAG DA?

    Wednesday, March 16, 2011 2:00 PM
  • Hello, some firewalls are not compatible with IPv6 packets and cannot filter them. Does your firewall fully support IPv6 packets?
    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Wednesday, March 16, 2011 2:16 PM
  • Yes, our firewall supports IPv6.
    Wednesday, March 16, 2011 2:29 PM
  • Hi Paul,

    Assuming you are not using NAT64 for communication from DA client to internal hosts (you need ISATAP or native IPv6 on your intranet):

    If your back firewall supports IPv6, you will be able to define DA clients using the following source IPv6 prefixes:

    2001:0:WWXX:YYZZ::/64 (Teredo)

    2002:WWXX:YYZZ:8100::/56 (IP-HTTPS)

    2002:WWXX:YYZZ::/[16+n] (6to4)

    Where WWXX:YYZZ is the colon-hex notation for your first Internet IPv4 address W.X.Y.Z/n.

    See here for more info: http://technet.microsoft.com/en-us/library/ee406201.aspx

    If you are using NAT64 for communication from DA clients to internal hosts (you don't have ISATAP or native IPv6 on your intranet):

    All DA client addresses will appear as the UAG DA server internal IPv4 address (or addresses if using an array). Consequently, you lose any granularity of seeing the original source IP as this is lost in the NAT64 process (just like IPv4 NAT).

    Ultimately, you cannot choose a pool of addresses for a DA client to use, apart from defining the IPv6 prefix that should be used (based upon your IPv4 address space and IPv6 subnet). The remaining element of the IPv6 address will always be randomised.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, March 16, 2011 3:05 PM
    Moderator
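    The prefix derivation Jason describes above is easy to get wrong by hand, so here is a small worked example (added here; it is not Jason's code or anything from UAG) that turns the first public IPv4 address W.X.Y.Z/n into the three DA client source prefixes and then checks which prefix a packet's source falls under, the check a back firewall would effectively make. The address 203.0.113.1/29 and the internal address 10.0.0.5 are constructed placeholders, and the function names are my own.

```python
import ipaddress


def ipv4_to_colon_hex(ipv4: str) -> str:
    """Render a dotted-quad IPv4 address W.X.Y.Z as the colon-hex WWXX:YYZZ
    that 6to4 and Teredo embed in their prefixes."""
    b = ipaddress.IPv4Address(ipv4).packed
    return f"{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}"


def directaccess_client_prefixes(first_public_ipv4: str) -> dict:
    """Derive the source prefixes DA clients will use, given the UAG server's
    first Internet-facing IPv4 address in W.X.Y.Z/n form.

    Returns IPv6Network objects keyed by transition technology."""
    iface = ipaddress.IPv4Interface(first_public_ipv4)
    hexrep = ipv4_to_colon_hex(str(iface.ip))
    n = iface.network.prefixlen
    return {
        # Teredo: 2001:0:WWXX:YYZZ::/64 (the Teredo server is the first public address)
        "Teredo": ipaddress.IPv6Network(f"2001:0:{hexrep}::/64"),
        # IP-HTTPS: 2002:WWXX:YYZZ:8100::/56
        "IP-HTTPS": ipaddress.IPv6Network(f"2002:{hexrep}:8100::/56"),
        # 6to4: 2002:WWXX:YYZZ::/[16+n]; strict=False masks off the host bits of W.X.Y.Z
        "6to4": ipaddress.IPv6Network(f"2002:{hexrep}::/{16 + n}", strict=False),
    }


def classify_da_source(source: str, prefixes: dict, uag_internal_ipv4=()):
    """Name the DA client prefix a packet's source falls under, or return
    'NAT64' when the source is one of the UAG internal IPv4 addresses
    (the only thing the back firewall sees when NAT64 is in use).
    Most specific prefix first, so IP-HTTPS (/56) is tested before 6to4."""
    addr = ipaddress.ip_address(source)
    if addr.version == 4:
        internal = {ipaddress.ip_address(a) for a in uag_internal_ipv4}
        return "NAT64" if addr in internal else None
    for name in ("Teredo", "IP-HTTPS", "6to4"):
        if addr in prefixes[name]:
            return name
    return None


if __name__ == "__main__":
    # Constructed placeholder: first public address 203.0.113.1 out of a /29 block
    prefixes = directaccess_client_prefixes("203.0.113.1/29")
    for name, net in prefixes.items():
        print(f"{name:9s} {net}")
    # Constructed sample sources a back firewall might log
    for src in ("2001:0:cb00:7101:8000:ffff:3455:8e3e",  # Teredo client
                "2002:cb00:7101:8100::1",                # IP-HTTPS client
                "2002:cb00:7103::5",                     # 6to4 client
                "2001:db8::1",                           # not a DA client
                "10.0.0.5"):                             # UAG internal address (NAT64)
        print(f"{src:40s} -> {classify_da_source(src, prefixes, ['10.0.0.5'])}")
```

    Note that the IP-HTTPS /56 sits inside the 6to4 /[16+n] prefix, so a firewall rule for the 6to4 range alone already admits IP-HTTPS clients; keeping them as separate rules only matters if you want to log or treat them differently. In the NAT64 case the classifier can only ever match the UAG internal IPv4 address, which is exactly the loss of per-client granularity Jason describes.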
  • What, are we not using NAT64?  Is it the ISP or DSL NATting?
    Wednesday, March 16, 2011 3:23 PM
  • Thanks Jason,


    Why would we be getting Teredo instead of 6to4, and how can we tell if we are using NAT64 or not?


    Thanks, you have been a great help.

    Wednesday, March 16, 2011 3:34 PM
  • You will get Teredo if you are using a private address behind a NAT device; 6to4 requires the client to have a public IP address.

    Some basic questions:

    Are you using UAG DirectAccess and not Windows Server 2008 native DirectAccess? If so, how did you configure UAG DirectAccess?

    Do you have IPv6 on your internal network (intranet) with Windows Server 2008 servers?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, March 16, 2011 11:40 PM
    Moderator
  • We are testing UAG DirectAccess as we have everything inside still using IPv4 (no real plan to move to IPv6) and need the conversion.  We configured UAG DirectAccess by following the Test Lab Guide and with the wizard.
    Friday, March 18, 2011 2:24 PM
  • Ok, if you have IPv4 internally then you will be using the NAT64 feature of UAG. Consequently, you can follow my advice above with reference to using NAT64 (the first bit)...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Paul024 Tuesday, March 22, 2011 2:48 PM
    Friday, March 18, 2011 2:35 PM
    Moderator