Choosing an Internet traffic separation design

Updated: October 21, 2010

Applies To: Unified Access Gateway

This topic describes how DirectAccess clients separate Internet and intranet traffic.

With Internet Protocol version 6 (IPv6) and the Name Resolution Policy Table (NRPT), DirectAccess clients separate their intranet and Internet traffic in the following way:

  • Domain Name System (DNS) name queries for intranet fully qualified domain names (FQDNs), and all intranet traffic, are exchanged over the tunnels created with the Forefront UAG DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.

  • DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace, and all traffic to Internet servers, are exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically Internet Protocol version 4 (IPv4) traffic.

Note

This is the default and recommended operation of Forefront UAG DirectAccess.

In contrast, some remote access virtual private network (VPN) implementations, including the VPN client in Windows 7, send all of their traffic (intranet and Internet) over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 Web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients using split tunneling, in which the Internet Protocol (IP) routing table is modified so that traffic to intranet locations is sent over the VPN connection, and traffic to all other locations is sent using the physical interface connected to the Internet.

You can configure DirectAccess clients to send all of their traffic through the tunnels to the Forefront UAG DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients that detect that they are on the Internet modify their IPv4 default route so that default-route IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the Forefront UAG DirectAccess server.

Enabling force tunneling has the following consequences:

  • DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the Forefront UAG DirectAccess server over the IPv4 Internet. IP-HTTPS-based connections have lower performance and higher overhead on the Forefront UAG DirectAccess server than 6to4 and Teredo-based connections.

  • The only locations that a DirectAccess client can reach by default with IPv4 traffic are those on its local subnet. All other traffic sent by the applications and services running on the DirectAccess client is IPv6 traffic sent over the DirectAccess connection. Thus, IPv4-only applications on the DirectAccess client cannot be used to reach Internet resources, except those on the local subnet.

  • Connectivity to the IPv4 Internet must go through an intranet Web proxy server. You configure the DirectAccess client to use this intranet Web proxy server to access Internet resources. The DirectAccess client communicates with the Web proxy server using IPv6-based requests. If the Web proxy server does not support IPv6, NAT64 translates the IPv6-based request to an IPv4-based request.

The following procedures describe how to configure force tunneling:

  1. Enable force tunneling on DirectAccess clients

  2. Add an entry in the NRPT

  3. Configure IP-HTTPS to be continually enabled

  4. Block 6to4 and Teredo traffic

To enable force tunneling on DirectAccess clients

  1. To open the Group Policy Management console, on a Domain Controller click Start, click Control Panel, click Administrative Tools, and then click Group Policy Management.

  2. Create a GPO that will be applied to DirectAccess client computers. This should be a separate GPO from the UAG DirectAccess: Clients GPO created by the Forefront UAG DirectAccess Configuration Wizard.

    Note

    When linking this GPO, make sure it has higher precedence than the UAG DirectAccess: Clients GPO; that is, give it a lower link order number. Link order 1 has the highest precedence for a given site, domain, or organizational unit.

  3. In the new GPO for DirectAccess clients, navigate to Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Route all traffic through the internal network, click Edit policy setting, click Enabled, and then click OK.

To make IPv4-based Internet resources available to DirectAccess clients that use force tunneling, you must use a Web proxy server. If the Web proxy server does not support IPv6, the NAT64 feature installed on the Forefront UAG DirectAccess server receives the IPv6-based requests for Internet resources and translates them to requests for IPv4-based Internet resources.

To route all Internet traffic to the corporate Web proxy server through the DirectAccess connection, add a rule to the NRPT for DirectAccess clients that specifies the Any suffix and the Web proxy server host name and port.

To configure the NRPT for force tunneling

  1. Open the Group Policy Management console, right-click the newly created GPO for DirectAccess clients, and click Edit. The Group Policy Management Editor window appears.

  2. Navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy Group Policy setting and create a rule with the following:

    • The Any suffix

    • Enable the DNS setting for DirectAccess in this rule

    • Enable Use this Web Proxy, and type the FQDN of the Intranet Web proxy server and the port. For example proxy.corp.contoso.com:8080

    With this NRPT rule, a request for a resource that does not match any of the other rules in the NRPT is sent to the resolved IPv6 address of the specified Web proxy server.

  3. Click Apply, and then click OK.

To configure IP-HTTPS to be continually enabled

  1. Open the Group Policy Management console, right-click the newly created GPO for DirectAccess clients, and click Edit. The Group Policy Management Editor window appears.

  2. Navigate to Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.

  3. Click IP-HTTPS State, and click Edit policy setting.

  4. Click Enabled, enter the IP-HTTPS Url, and under Select Interface state from the following options, select Enabled State.

    Note

    The IP-HTTPS URL must be the same as the IP-HTTPS URL specified in the UAG DirectAccess: Clients GPO; for example https://iphttps.contoso.com:443/IPHTTPS.

    Important

    You must ensure that the IP-HTTPS URL is not reachable from within the intranet, otherwise DirectAccess clients will use IP-HTTPS even when inside the intranet. If they are successful, force tunneling will turn on and prevent normal corporate connectivity.

DirectAccess clients will now use IP-HTTPS to connect to the Forefront UAG DirectAccess server. Once IP-HTTPS is connected, force tunneling is activated and normal IPv4 Internet connectivity is disabled.
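The GPO created in the first and third procedures above can also be scripted with the GroupPolicy module on a Windows Server 2008 R2 domain controller. The following is an added example, not part of this topic or of Forefront UAG: the GPO name, the link target, and the registry values behind the two Administrative Template settings are assumptions, and the NRPT rule from the second procedure is still created in the Group Policy Management Editor as described above.

```powershell
# Added example (not from the original topic or from Forefront UAG): script the
# force-tunneling GPO with the GroupPolicy module on a Windows Server 2008 R2 DC.
# Assumptions: GPO name, link target, and the registry values that back the two
# Administrative Template settings. The NRPT rule (second procedure) is still
# created in the Group Policy Management Editor.
Import-Module GroupPolicy

$GpoName    = 'DirectAccess Force Tunneling'                # assumed name
$LinkTarget = 'OU=DA Clients,DC=corp,DC=contoso,DC=com'     # assumed link target
$IpHttpsUrl = 'https://iphttps.contoso.com:443/IPHTTPS'     # must equal the URL in UAG DirectAccess: Clients

# First procedure: create the GPO and link it at order 1 so it takes precedence
# over the UAG DirectAccess: Clients GPO linked to the same target.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes -Order 1 | Out-Null

# "Route all traffic through the internal network" = Enabled.
# Registry value behind the Administrative Template (assumed; confirm against
# the setting's ADMX before relying on it).
$v6Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
Set-GPRegistryValue -Name $GpoName -Key $v6Key `
    -ValueName 'Force_Tunneling' -Type String -Value 'Enabled' | Out-Null

# Third procedure: "IP-HTTPS State" = Enabled, client URL set, interface state
# "Enabled State". DWORD 2 is assumed to be Enabled State (0 = Default, 3 = Disabled).
$ipHttpsKey = "$v6Key\IPHTTPS\IPHTTPSInterface"
Set-GPRegistryValue -Name $GpoName -Key $ipHttpsKey `
    -ValueName 'IPHTTPS_ClientUrl' -Type String -Value $IpHttpsUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ipHttpsKey `
    -ValueName 'IPHTTPS_ClientState' -Type DWord -Value 2 | Out-Null

# Review the result: link precedence at the target, and the values the GPO carries,
# so they can be compared with what the Group Policy Management Editor shows.
(Get-GPInheritance -Target $LinkTarget).GpoLinks | Select-Object Order, DisplayName, Enabled
Get-GPRegistryValue -Name $GpoName -Key $v6Key
Get-GPRegistryValue -Name $GpoName -Key $ipHttpsKey
```

Run it once on a domain controller; the last three lines are the check that the new GPO sits at link order 1 above UAG DirectAccess: Clients and that both policy values are present. If the IP-HTTPS URL does not match the one in UAG DirectAccess: Clients, the client will end up with two conflicting IP-HTTPS settings, which is the condition the note in the third procedure warns against.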

Force tunneling is activated only after IP-HTTPS connects. A malicious user who prevents IP-HTTPS from connecting successfully could otherwise have the client fall back to another transition technology without force tunneling. To prevent this, use a firewall between the Forefront UAG server and the Internet to block all transition technology traffic except IP-HTTPS. This can be done by configuring the firewall separating Forefront UAG and the Internet to block:

  • Protocol 41—6to4 traffic

  • UDP 3544—Teredo traffic

  • Native IPv6

You must allow IPv4 TCP 443 IP-HTTPS traffic.
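The topic calls for a network firewall between the Forefront UAG server and the Internet. As an added example that is not part of this topic or of Forefront UAG, the same rule set expressed as host-based rules on the UAG server's Internet-facing (public) profile with Windows Firewall with Advanced Security; the rule names are assumptions.

```powershell
# Added example (not from the original topic): host-based counterpart of the
# perimeter rules, applied on the Forefront UAG server's public profile.
# Assumptions: rule names, and that the Internet-facing adapter is on the
# public profile.

# 6to4 is IPv6 carried in IPv4 protocol 41 (no ports).
netsh advfirewall firewall add rule name="DA block 6to4 in"  profile=public dir=in  action=block protocol=41
netsh advfirewall firewall add rule name="DA block 6to4 out" profile=public dir=out action=block protocol=41

# Teredo is IPv6 carried in UDP 3544 (server side listens on 3544).
netsh advfirewall firewall add rule name="DA block Teredo in"  profile=public dir=in  action=block protocol=udp localport=3544
netsh advfirewall firewall add rule name="DA block Teredo out" profile=public dir=out action=block protocol=udp remoteport=3544

# IP-HTTPS must remain reachable on IPv4 TCP 443.
netsh advfirewall firewall add rule name="DA allow IP-HTTPS in" profile=public dir=in action=allow protocol=tcp localport=443

# Check: list only the rules added above.
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+DA '
```

The "native IPv6" item in the list has no single Windows Firewall rule: if the Internet link carries native IPv6 at all, it is blocked at the edge device, not on the UAG host. Block rules in Windows Firewall take precedence over allow rules, so the Teredo and 6to4 blocks do not interfere with the TCP 443 allow.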

Note

  • Due to the infrastructure requirements and reduced performance for accessing IPv4 Internet resources, it is not recommended to use force tunneling for Forefront UAG DirectAccess.

  • Force tunneling relies on modifying the IPv4 default route in the IPv4 routing table to prevent the DirectAccess client computer from sending traffic directly to IPv4 Internet locations. A user with administrative rights can modify their IPv4 default route to point to their ISP’s router on the subnet.
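A client-side check covering the consequences and the caveat described above, as an added example that is not part of this topic or of Forefront UAG. It runs on a Windows 7 DirectAccess client that is on the Internet and reports whether IP-HTTPS is connected, whether Teredo is still active, whether an off-link IPv4 default route remains (the route a local administrator could re-add, as the last note warns), and whether the effective NRPT names the Web proxy. The proxy host name and the field labels matched in the netsh output are assumptions.

```powershell
# Added example (not from the original topic or from Forefront UAG): check on a
# Windows 7 DirectAccess client that force tunneling is in effect.
# Assumptions: the proxy host name and the field labels in the netsh output.
function Test-ForceTunneling {
    param([string]$ProxyHost = 'proxy.corp.contoso.com')   # assumed, from the NRPT rule

    $r = @{}

    # 1. IPv4 default route. A 0.0.0.0 route with an off-link next hop means the
    #    client can still send traffic directly to the IPv4 Internet, for example
    #    after an administrator re-added it pointing at the ISP router.
    $def = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='0.0.0.0'" |
           Where-Object { $_.NextHop -ne '0.0.0.0' }
    $r.OffLinkIPv4DefaultRoute = @($def | ForEach-Object { "$($_.NextHop) metric $($_.Metric1)" }) -join '; '

    # 2. IP-HTTPS interface: force tunneling is activated only once it is connected.
    $ipHttps = (netsh interface httpstunnel show interfaces) -join "`n"
    $r.IPHTTPSStatus    = [regex]::Match($ipHttps, 'Interface Status\s*:\s*(.+)').Groups[1].Value.Trim()
    $r.IPHTTPSLastError = [regex]::Match($ipHttps, 'Last Error Code\s*:\s*(\S+)').Groups[1].Value

    # 3. Teredo should not be the IPv6 path when force tunneling is configured.
    $teredo = (netsh interface teredo show state) -join "`n"
    $r.TeredoState = [regex]::Match($teredo, 'State\s*:\s*(.+)').Groups[1].Value.Trim()

    # 4. Effective NRPT: the catch-all rule should carry the Web proxy name.
    $nrpt = (netsh namespace show effectivepolicy) -join "`n"
    $r.NrptMentionsProxy = [bool]($nrpt -match [regex]::Escape($ProxyHost))

    # Verdict: IP-HTTPS active, no off-link IPv4 default route, proxy present in NRPT.
    $r.ForceTunnelingLooksActive = ($r.IPHTTPSStatus -match 'active') -and ($r.OffLinkIPv4DefaultRoute -eq '') -and $r.NrptMentionsProxy

    New-Object PSObject -Property $r |
        Select-Object IPHTTPSStatus, IPHTTPSLastError, TeredoState, OffLinkIPv4DefaultRoute, NrptMentionsProxy, ForceTunnelingLooksActive
}

Test-ForceTunneling | Format-List
```

A result with IP-HTTPS active but a non-empty OffLinkIPv4DefaultRoute is the condition the last note describes: the policy was applied, yet direct IPv4 Internet reachability has been restored locally. Because that route can be re-added by any local administrator, the script is a detective control only; it does not make force tunneling tamper-proof.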