Web App Proxy and IPv6


All replies

  • Hi,


    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.


    Thanks for your understanding and support.


    Alex Lv

    Monday, September 23, 2013 5:48 AM
    Moderator
  • Hi,

    Before deploying IPv6 in the network, please read these articles in detail.

    How IPv6 Works

    http://technet.microsoft.com/en-us/library/cc781672(v=WS.10).aspx

    IPv6

    http://technet.microsoft.com/en-us/library/cc755011(v=WS.10).aspx

    Regards,

    Mike


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, September 23, 2013 11:22 AM

  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Alex Lv

    Thursday, September 26, 2013 1:38 AM
    Moderator
  • Hi Mike

    I think I understand how IPv6 works.

    I am trying to understand how to configure Web Application Proxy for IPv6 and not finding anything helpful in the documentation. IPv6 does not have NAT yet. The Web Application proxy documentation and all the references I have found are talking about old IPv4.

    I am looking for an explanation of how to use it with IPv6.


    CarolChi

    Sunday, September 29, 2013 10:50 AM
  • Does the Web Application Proxy reconfigure the server as a router so it drops all local link traffic between the NICs?


    CarolChi

    Sunday, September 29, 2013 10:54 AM
  • Hi,

    I need more time to do research; I will reply to you as soon as possible.

    Regards,

    Mike



    Friday, October 04, 2013 3:31 AM
  • I'm sure there must be something I am missing. From the IP addresses, the two NICs in the same computer are on the same local link, so they will communicate.

    However, the concept of a proxy server is that it separates the two networks that it is connected to.

    I can see how this works in IPv4 but I cannot see how it works in IPv6, unless the Web Application Proxy somehow intercepts the local link traffic and processes it.


    CarolChi

    Friday, October 04, 2013 6:30 AM
  • Hi Carol,

    I did further research on the web and in our internal database.

    Unfortunately, Web App Proxy does not have any knowledge, interaction or care about IP addresses.

    As long as you have an IPv6 address on the server and your clients resolve the relevant FQDN to that IP address in DNS then WAP should just work.

    Regards,

    Mike



    Friday, October 04, 2013 7:23 AM
  • Hi Carol,

    Any update?

    Regards,

    Mike



    Tuesday, October 08, 2013 6:26 AM
  • My question is not about WAP "just working" but about the network security if IPv6 "just communicates" between the networks I am trying to separate.

    I am trying to understand whether WAP does any firewalling on the IPv6 local link that seems to get created when I put 2 NICs in the same server.

    I have not had time to finish my test server - with the ADFS requirement it is not quick and easy to set up a test environment.

    Carol


    CarolChi

    Tuesday, October 08, 2013 6:51 AM
  • Hi Carol,

    It seems you want to deploy an IPv6 subnet in your network.

    I found some useful links for you.

    IPV6 subnetting - how and why to subnet ipv6

    http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html

    HOWTO Subnet IPv6 for Network Links

    http://blog.phyber.com/2010/08/18/howto-subnet-ipv6-for-network-links/

    How does IPv6 subnetting work and how does it differ from IPv4 subnetting?

    Regards,

    Mike



    Wednesday, October 09, 2013 11:24 AM
  • Thanks Mike, I did not have all these links.

    The serverfault one http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting has this information:

    ......

    The percent sign accompanies a link-local address. In IPv6, every interface has a link-local address in addition to any other IP addresses it might have. But the thing is, link-local addresses are always, without exception, in the fe80::/10 block. But if we attempt to talk to a peer using a link local address and the local host has multiple interfaces, how are we to know which interface to use to talk to this peer? Normally the routing table tells us which interface to use for a particular prefix, but here it will tell us that fe80::/10 is reachable via every interface.

    The answer is that we must tell it which interface to use using the syntax address%interface. For example, fe80::1234:5678:8765:4321%eth0................

    In a server with two NICs, the two local link addresses are on the same subnet (link).

    What I am trying to understand is how Web App Proxy stops the two local links (which are on the same subnet) communicating with each other.

    It says fe80::/10 is reachable via every interface which for me means that the external interface is reachable from the Internet on local link AND the internal interface is reachable from the LAN on the local link and since both these interfaces are on the SAME subnet they can reach each other, so effectively my LAN is connected to the Internet.

    I assume this is not the case but I want to understand the mechanics - in UAG, the TMG firewall engine was used to filter these connections. How does this work in WAP?


    CarolChi

    Wednesday, October 09, 2013 1:53 PM
  • Hi Carol,

    I got confirmation from the TMG team. TMG 2010 does not support IPv6.

    It doesn’t.

    Not supported.

    With TMG now EOL, no longer sold, it won’t be fixed/added.

    Unsupported configurations

    ///
    Forefront TMG does not support IPv6 traffic

    Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

    Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

    Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).

    ///

    http://technet.microsoft.com/en-us/library/ee796231.aspx

    Regards,

    Mike



    Thursday, October 10, 2013 5:56 AM
  • Thanks again Mike,

    I KNOW that TMG does not support IPv6.

    I know there is no more development of TMG.

    I am looking at WebAppProxy to replace TMG, and I am trying to find out if WebAppProxy has the firewall features of TMG. TMG is a firewall AND a reverse proxy.

    I am trying to understand if WebAppProxy is the same.

    It is especially the handling of the local link IP addresses which I am interested in.

    In my first post I asked about the new local link addresses in IPv6:

    If I give the server 2 NICs (as I would have done a UAG or TMG or ISA server) they both get local link addresses

    fe80::215:5dff:fe62:3734%12

    fe80::215:5dff:fe62:3735%22

    So as far as I can see the two NICs will communicate with each other on the local link, so why even have two NICs. I know the fe80 addresses should not be routed by the firewalls, but I am also curious as to how to do the IPv6 addressing: one subnet for the LAN, one for the DMZ, one for the WAN?

    I suppose (thinking aloud) that the "firewall" features of TMG and ISA are no longer included, and that the Web App Proxy really does depend on being in a DMZ created by another device.

    I still have not got an answer to my question: does WAP manage IPv6 local link traffic (between the NICs in the server), if yes HOW is it managed, and if NO how do I manage it?


    CarolChi

    Thursday, October 10, 2013 6:19 AM
  • Hi Carol,

    WAP has no Firewall capabilities at all, so if you are looking to replace TMG’s firewall features then WAP isn’t the way to go.

    If you are looking to use TMG’s reverse proxy capabilities then WAP could be a good candidate but there are a few things that should be considered to determine if this is the correct solution (Type of apps published, ADFS Support, Pre-authentication and SSO considerations, etc.).

    In regards to IPv6 this is all handled by the OS, WAP doesn’t care if IPv6 or IPv4 is used, you could also configure this on a single.

    Regards,

    Mike



    • Marked as answer by Carol Chisholm Thursday, October 10, 2013 8:38 AM
    Thursday, October 10, 2013 8:36 AM
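
The answer above says IPv6 is handled by the OS and that WAP does no filtering, so the separation between the two NICs depends on Windows settings. The PowerShell below is an added example, not part of the original thread, that reads those settings on a dual-homed host; it assumes the in-box NetTCPIP and NetSecurity cmdlets of the Windows Server release that includes WAP, and it changes nothing.

```powershell
# Added example: read-only audit of IPv6 exposure on a dual-homed Windows Server.
# Assumes the in-box NetTCPIP and NetSecurity modules; run from an elevated prompt.

# 1. Link-local addresses and the interface each one is scoped to. The number
#    after "%" in an address such as fe80::...%12 is the InterfaceIndex shown here.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -like 'fe80:*' } |
    Sort-Object InterfaceIndex |
    Format-Table InterfaceIndex, InterfaceAlias, IPAddress -AutoSize

# 2. Per-interface forwarding. Packets arriving on an interface are passed on to
#    another interface only when Forwarding is Enabled for that interface.
$ifaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
$ifaces |
    Format-Table InterfaceIndex, InterfaceAlias, Forwarding, ConnectionState -AutoSize

$routing = @($ifaces | Where-Object { $_.Forwarding -eq 'Enabled' })
if ($routing.Count -gt 0) {
    Write-Warning ('IPv6 forwarding is enabled on: ' +
        (($routing | ForEach-Object InterfaceAlias) -join ', '))
} else {
    Write-Host 'IPv6 forwarding is disabled on every interface.'
}

# 3. Host firewall state. WAP adds no filtering of its own, so Windows Firewall
#    (or an upstream device) is what restricts inbound IPv6 on each NIC.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# 4. Which firewall profile each NIC currently falls under.
Get-NetConnectionProfile |
    Format-Table InterfaceAlias, NetworkCategory, IPv6Connectivity -AutoSize

# 5. Listeners bound to all IPv6 addresses (::) accept connections on both NICs
#    unless a firewall rule narrows them.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -eq '::' } |
    Sort-Object LocalPort -Unique |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
```

A warning from step 2 or a disabled profile in step 3 is the finding to follow up on; the two fe80:: addresses having different interface indexes in step 1 shows they are scoped to separate links.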
  • Thanks

    I just wish TMG would support IPv6.

    Also, the WAP documentation should then reflect this. If there is no firewalling feature, what is the point of having two NICs?


    CarolChi


    Thursday, October 10, 2013 8:37 AM