Configuring IPv6 prefixes in SP1
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to configure the different types of IPv6 prefixes in Forefront Unified Access Gateway (UAG) DirectAccess. The Forefront UAG DirectAccess server must be aware of the 48-bit organization prefix, and differentiate between the different types of IPv6 transition traffic. This means you must assign different IPv6 prefixes for different types of traffic and clients. Your organization requires one 48-bit IPv6 prefix for organizational IPv6 addresses. This prefix can be allocated by IANA or an ISP. Alternately, it can be generated using a public IPv4 address of your Forefront UAG DirectAccess server, and by using 6to4.
For more information on 6to4, see IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?LinkId=154382).
Note
A 48-bit organization prefix is the most common organization prefix assigned by IANA, or by an ISP. In Forefront UAG DirectAccess, you can use any organization prefix length, as long as it is smaller than the IP-HTTPS prefix. For example, if the IP-HTTPS prefix length is /56, an organization prefix of /50 is valid. In multiple organization prefix scenarios, at least one of the organization prefixes must be smaller than the IP-HTTPS prefix.
To configure IPv6 prefix addresses
In the DirectAccess Server section of the wizard, on the Prefix Configuration page, enter the following IPv6 prefixes:
Organization IPv6 prefix—The 48-bit IPv6 prefix that your internal network uses. You can configure Forefront UAG DirectAccess with single or multiple Organization IPv6 prefixes:
For a single Organization IPv6 prefix, enter the 48-bit IPv6 prefix that your internal network uses.
Multiple Organization IPv6 prefixes:
Click Multiple prefixes.
To add an additional prefix, click Click here to add, and enter the new prefix.
To delete one of the multiple prefixes, select prefix record and press DELETE.
Note
To return to using a single prefix, click Single prefix.
Note
The IP-HTTPS (/56) and NAT64 (/96) prefixes can be subsets of any of the multiple prefixes.
IPv6 prefix for addresses assigned to remote client computers connecting using IP-HTTPS (/56 to /64)—The prefix that is used by computers connecting using IP-HTTPS. You can use any prefix within the range /56 to /64, depending on the number of array members you want to configure. This prefix must be a subset of the 48-bit Organization IPv6 prefix.
The IP-HTTPS prefix is also used to configure the number of array members that can be used by Forefront UAG DirectAccess.
The following table lists the number of array members available for each prefix. Forefront UAG DirectAccess currently supports up to eight array members.
Prefix No of array members available /64
1
/63
2
/62
3 or 4
/61
5 - 8
Note
The IP-HTTPS prefix is defined as a route on a Forefront UAG DirectAccess server. To view the IP-HTTPS prefix assigned to a node in an array, from the command prompt, run netsh int ipv6 show route, or route print. In the resulting table, you should see a record with: Publish=Yes, Interface Name contains the string iphttps, and a Prefix of /64. The IP-HTTPS prefix of the node appears before the /64 suffix. The route associated with the IP-HTTPS network interface is set to a 64-bit prefix and is published to the clients connected to this node.
IPv6 prefix for addresses assigned for IPv4-only internal network resources using NAT64 and DNS64 (/96)—The prefix used by the NAT64 to assign IPv6 prefixes to computers that only support IPv4. You must use a 96-bit prefix which is a subset of the 48-bit Organization prefix.
Note
When using external NAT64 and DNS64, enter their 96-bit prefix.
Click Next. The IPsec Certificate Authentication page appears.