Confining ICMPv6 traffic to the intranet

Updated: February 1, 2010

Applies To: Unified Access Gateway

By default, the Forefront UAG DirectAccess Configuration Wizard creates Group Policy objects for DirectAccess clients and servers in which:

  • ICMP traffic, for both IPv4 and IPv6, is exempted from IPsec protection.

  • Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess clients and Forefront UAG DirectAccess servers.

These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of intranet resources, but they also introduce the following security risks:

  • Any computer with a Teredo or 6to4 client can send ICMPv6 traffic to intranet locations through the Forefront UAG DirectAccess server to probe for valid intranet destination IPv6 addresses. The volume of this traffic is limited by the Denial of Service Protection (DoSP) component of the Forefront UAG DirectAccess server.

  • A malicious user on the same subnet as a Teredo-based DirectAccess client can determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply message exchanges.

To prevent these possible security issues, you can modify some default configuration settings, as follows:

  1. Configure the global IPsec settings for the Group Policy object for DirectAccess clients to not exempt ICMP traffic from IPsec protection (on the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).

  2. Configure the global IPsec settings for the Group Policy object for the Forefront UAG DirectAccess server to not exempt ICMP traffic from IPsec protection (on the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).

  3. For the Group Policy object for the Forefront UAG DirectAccess server, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled from the Forefront UAG DirectAccess server.

  4. For the Group Policy object for DirectAccess clients, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled to the Forefront UAG DirectAccess server.

With these modifications:

  • All ICMPv6 traffic sent through the Forefront UAG DirectAccess server must travel inside an IPsec tunnel, so only DirectAccess clients can send ICMPv6 traffic to intranet locations.

  • Malicious users on the same subnet as the DirectAccess client will only be able to determine the IPv6 addresses of the DirectAccess client and the Forefront UAG DirectAccess server. Intranet IPv6 addresses will be tunneled and protected with IPsec encryption.

Although these modifications address the security issues of the default configuration, Teredo discovery messages cannot pass through the Forefront UAG DirectAccess server, and DirectAccess clients cannot use Teredo as a connectivity method. If you make these changes, you must also do the following:

  1. Disable Teredo client functionality on your DirectAccess clients.

    From the Group Policy object for DirectAccess clients, set Computer Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition Technologies\Teredo State to Disabled.

  2. Disable Teredo server and relay functionality on your Forefront UAG DirectAccess server.

    Run the netsh interface teredo set state disabled command from an administrator-level command prompt on your Forefront UAG DirectAccess server.

  3. Configure your Internet firewall to block UDP port 3544 traffic to and from the Forefront UAG DirectAccess server. If you previously added a port exemption for Teredo traffic, remove it.
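As an added example that is not part of the original article, the following posture check verifies two results of the procedures above on a DirectAccess client or server: that ICMP is no longer in the IPsec default exemptions and that Teredo is disabled. It parses the text output of netsh advfirewall show global and netsh interface teredo show state; the embedded sample output is constructed, not captured from a real host, and the parser assumes the usual netsh "Name  Value" or "Name : Value" line layout.

```python
import re
import subprocess

# Constructed sample output of "netsh advfirewall show global" (not from a real host),
# showing the wizard default in which ICMP is exempted from IPsec.
SAMPLE_GLOBAL = """\
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
DefaultExemptions                     NeighborDiscovery,ICMP,DHCP
"""

# Constructed sample output of "netsh interface teredo show state" with Teredo still enabled.
SAMPLE_TEREDO = """\
Teredo Parameters
---------------------------------------------
Type                    : client
"""

# netsh prints either "Name   Value" (two or more spaces) or "Name : Value".
KV_LINE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*(?::|\s{2,})\s*(\S.*?)\s*$")

def parse_netsh(text: str) -> dict[str, str]:
    """Map each setting line to lower-cased name -> value; headings and rulers are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).lstrip(": ")
    return fields

def icmp_exempted(global_text: str) -> bool:
    """True while ICMP is still in the IPsec default exemptions (steps 1 and 2 remove it)."""
    exemptions = parse_netsh(global_text).get("defaultexemptions", "")
    return "icmp" in {e.strip().lower() for e in exemptions.split(",")}

def teredo_disabled(teredo_text: str) -> bool:
    """True once the Teredo interface type is 'disabled' (second procedure, steps 1 and 2)."""
    return parse_netsh(teredo_text).get("type", "").lower() == "disabled"

def findings(global_text: str, teredo_text: str) -> list[str]:
    """One finding per setting that still matches the insecure default; empty means hardened."""
    out = []
    if icmp_exempted(global_text):
        out.append("IPsec DefaultExemptions still includes ICMP")
    if not teredo_disabled(teredo_text):
        out.append("Teredo is not disabled")
    return out

def live_findings() -> list[str]:
    """Query the local Windows host with the two netsh commands and check the real values."""
    run = lambda *args: subprocess.run(["netsh", *args], capture_output=True, text=True, check=True).stdout
    return findings(run("advfirewall", "show", "global"), run("interface", "teredo", "show", "state"))
```

Running findings(SAMPLE_GLOBAL, SAMPLE_TEREDO) reports both defaults; live_findings() repeats the check against the local host and returns an empty list once both procedures have taken effect.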

Without Teredo connectivity, DirectAccess clients that are located behind network address translation (NAT) devices will use IP-HTTPS for IPv6 connectivity to the Forefront UAG DirectAccess server, but be aware that IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections.