We’ve received a number of questions recently about UAG DirectAccess support for the IPv6 Internet. When thinking about the IPv6 Internet, you need to think about when the DirectAccess client is on an IPv6 Internet (or on an IPv6 only intranet) and when the UAG DirectAccess server has its external interface connected to an IPv6 Internet connection.
Part of this confusion seems to stem from a TechNet article over at:
http://technet.microsoft.com/en-us/library/ee809074.aspx
Let’s look at some of the sections that might be ambiguous or otherwise difficult to understand and try to clarify a few things.
“The DirectAccess client computer connects to the Forefront UAG DirectAccess server using IPv6 and IPsec. If a native IPv6 network isn’t available (which is most probable when the user is connected to the Internet), the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. The user does not need to be logged in to complete this step…”
There are two issues that need to be clarified here:
That’s it – not too complicated but an important thing to know – that we don’t support scenarios where the UAG DirectAccess server’s external interface is connected to an IPv6 Internet (that is to say, the UAG DirectAccess server has an IPv6 address assigned to its external interface) and the DirectAccess client is connected to an IPv6-only network (which prevents the client from being able to set up an IPv6 transition technology based connection to the UAG DirectAccess server).
Several people have asked why we decided to use this approach, and the primary reason is that there are very few scenarios where the UAG DirectAccess server is connected to an IPv6-only Internet connection and where the UAG DirectAccess client is connected to an IPv6-only network. Since these scenarios can be interpreted as “corner cases” at this time, the decision was to not design toward these scenarios and to focus on what we see on networks today.
That said, Microsoft is firmly committed to IPv6 and our DirectAccess design and implementation will grow with the increasing availability of native IPv6 Internet and intranet connectivity.
HTH,
Tom
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog: http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads
Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx
Thanks for the clarification Tom ;)
You bet!
Hi Tom,
Currently I'm not sure if I should laugh or whine ^^
But I will tell you after some talks with my customers who have already invested a lot of time and money in DA and IPv6 deployment planning (based on the old information you have presented).
Made my day!
-Kai
Hi Kai,
If I had a choice, I'd prefer to laugh than cry :)
Thanks!
But it isn't funny anymore ^^ It's just sad...
Once the network community and even your SEs and marketing folks saw DA as an enabler to push IPv6 into existing IPv4-only infrastructures and to speed up the worldwide transition. But after your post it has become a real IPv6 deployment blocker which does completely the opposite....
Keep in mind this refers *only* to UAG DirectAccess and makes no statement regarding Windows DirectAccess.
The article over at:
technet.microsoft.com/.../ee809062.aspx
...seems to imply that it *is* possible that the UAG server's external interface may be connected to the IPv6 Internet. There is a list of IPv6 packet filters required in just this scenario.
What am I missing?