UAG 2010 DA Question Related to ICMP Echo Requests

  • Question

  • Internal discussion here during build-out of UAG 2010 with DA. Discussion revolves around how the ICMP Echo Requests flow from DA Clients to UAG server. Will they be encapsulated in the Teredo tunnel prior to or during the building of the infrastructure tunnel?

    Also, I believe that all Teredo and ICMP traffic will traverse through the UAG server since it's the GW for these clients back into corpnet. Correct?

    Thanks!


    Bill

    Tuesday, June 19, 2012 10:48 PM

All replies

  • Yes, all of the traffic from your DA clients will traverse the UAG server.

    All of the ICMP traffic goes outside of the IPsec tunnel. You can read more about that here: http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx

    • Marked as answer by Beachnut_ Thursday, June 21, 2012 8:21 PM
    Wednesday, June 20, 2012 1:16 PM
  • Thank you, Troy. One of the concerns here is with DoS attacks if we open ICMP Echo Requests from the Internet into our corporate network. Because our DA clients could be coming from any IP out there in the wild, we need to allow ICMP inbound from ANY Internet client. Isn't this a huge security hole?

    Bill

    Wednesday, June 20, 2012 6:10 PM
  • Mentioned within that article http://blogs.technet.com/b/tomshinder/archive/2010/07/14/considerations-when-using-ping-to-troubleshoot-directaccess-connectivity-issues.aspx is "The reason why we decided to do this is to make Teredo work correctly, as Teredo requires ICMP access outside the IPv6 IPsec tunnel to determine what type of NAT device the DirectAccess client might be located." So if I'm understanding correctly, Teredo is using ICMP behind the scenes to help build the Infrastructure Tunnel. And this is why it is required along with UDP 3544. Teredo just won't work at all without ICMP.

    Also, the steps described in this TechNet article http://technet.microsoft.com/en-us/library/ee809059 indicate that, in order to improve security and help limit visibility of intranet hosts to bad guys, you should place the ICMP traffic within the IPsec tunnel. But doing so will prevent DA Clients from using Teredo as a tunneling method. Is the article saying to run the ICMP traffic within the IPsec tunnel -AND- only use IP-HTTPS as a tunneling method for DA clients? That's the way I read it. Correct?


    Bill

    Wednesday, June 20, 2012 7:13 PM
  • Hi,

    Teredo uses ICMPv6 in order to create the initial Teredo tunnel and to determine a Teredo relay when initiating connectivity with other hosts. Basically, these ICMPv6 packets are encapsulated over IPv4 UDP 3544. So you don't have to allow IPv4 ICMP into your perimeter network, only UDP 3544.

    Regarding the DoS attack concern you've raised, the UAG DA server is configured with DoSP that limits the rate of ICMPv6 traffic that is forwarded into your internal network. You can check the rate limits using "netsh ipsecdosp show rate".

    Lastly, yeah, you can configure IPsec to protect ICMPv6 traffic as the TechNet article mentions; however, this means Teredo will not work.

    Quoting from the article itself:

    Although these modifications address the security issues of the default configuration, Teredo discovery messages cannot pass through the Forefront UAG DirectAccess server, and DirectAccess clients cannot use Teredo as a connectivity method. If you make these changes, you must also do the following:

    1. Disable Teredo client functionality on your DirectAccess clients.

      From the Group Policy object for DirectAccess clients, set Computer Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition Technologies\Teredo State to Disabled.
    2. Disable Teredo server and relay functionality on your Forefront UAG DirectAccess server.

      Type the netsh interface teredo set state state=disable command from an administrator-level command prompt on your Forefront UAG DirectAccess server.
    3. Configure your Internet firewall to block UDP port 3544 traffic to and from the Forefront UAG DirectAccess server. If you previously added a port exemption for Teredo traffic, remove it.

    Without Teredo connectivity, DirectAccess clients that are located behind network address translation (NAT) devices will use IP-HTTPS for IPv6 connectivity to the Forefront UAG DirectAccess server, but be aware that IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections.

    Thursday, June 21, 2012 2:43 PM
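Yaniv's point above, that the ICMPv6 Teredo needs rides inside IPv4 UDP 3544 so the perimeter has to admit UDP 3544 rather than IPv4 ICMP, is easier to see on the wire. The following is an added example, not code from this thread or from Microsoft: a small Python classifier that labels constructed packets the way a perimeter filter in front of the UAG server would see them, telling a Teredo-encapsulated ICMPv6 echo apart from a native IPv4 ping. The addresses, ports, identifiers and helper names are all assumed; checksums are left at zero because the samples are constructed, not captured.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                            # UDP port Teredo uses (per the thread)
IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ICMPV6 = 1, 17, 58

def _ipv4(proto, src, dst, payload):          # minimal IPv4 header, checksum left 0 (constructed)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def _ipv6_icmpv6_echo(src6, dst6):            # IPv6 header + ICMPv6 echo request (type 128)
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return hdr + icmp

def build_teredo_echo():
    # Constructed Teredo client ping: IPv4 / UDP 3544 / IPv6 / ICMPv6 (all addresses made up).
    inner = _ipv6_icmpv6_echo("2001:0:c633:6401::1", "2001:db8::1")
    udp = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(inner), 0) + inner
    return _ipv4(IPPROTO_UDP, "203.0.113.5", "198.51.100.10", udp)

def build_native_icmp_echo():
    # Plain IPv4 ICMP echo request: what an "allow ping from any" rule would admit.
    return _ipv4(IPPROTO_ICMP, "203.0.113.5", "198.51.100.10", struct.pack("!BBHHH", 8, 0, 0, 1, 1))

def _strip_teredo_indications(payload):
    # RFC 4380 lets Teredo prepend an origin (0x0000, 8 bytes) or authentication (0x0001) indication.
    while len(payload) >= 4 and payload[:2] in (b"\x00\x00", b"\x00\x01"):
        if payload[1] == 0:
            payload = payload[8:]
        else:
            payload = payload[4 + payload[2] + payload[3] + 8 + 1:]   # id, auth value, nonce, confirm
    return payload

def classify(pkt):                            # label an IPv4 packet as a perimeter filter sees it
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IPPROTO_ICMP:
        return "ipv4-icmp"                    # native ping; Teredo does not need this opened
    if proto != IPPROTO_UDP or len(pkt) < ihl + 8 or TEREDO_PORT not in struct.unpack("!HH", pkt[ihl:ihl + 4]):
        return "non-teredo"
    inner = _strip_teredo_indications(pkt[ihl + 8:])
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "teredo-malformed"
    if inner[6] == IPPROTO_ICMPV6 and len(inner) > 40:
        return f"teredo-icmpv6-type-{inner[40]}"   # 128 = echo request riding inside UDP 3544
    return "teredo-ipv6-other"
```

Run against a real capture, the same logic shows that a rule admitting only UDP 3544 still lets the ICMPv6 echo through to the UAG server, which is where DoSP rate limiting applies.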
  • Thank you, Yaniv. Exactly what I needed. We'll open 3544 at the perimeter and begin testing Teredo.

    Bill

    Thursday, June 21, 2012 8:24 PM