Choosing an intranet IPv6 connectivity design

Updated: February 1, 2010

Applies To: Unified Access Gateway

This topic describes how to choose an intranet IPv6 connectivity design.

The following types of IPv6 infrastructure may be available on your intranet:

  • No existing IPv6 infrastructure

  • An existing ISATAP-based IPv6 infrastructure

  • A native IPv6 infrastructure

In each of these scenarios, you must ensure that the IPv6 routing infrastructure can forward packets between DirectAccess clients and intranet resources.

No existing IPv6 infrastructure

This is currently the most common situation. When the Forefront UAG DirectAccess Configuration Wizard detects that the Forefront UAG DirectAccess server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 49-bit prefix for the intranet, configures the Forefront UAG DirectAccess server as an ISATAP router, and moves to the next step of the Forefront UAG DirectAccess Configuration Wizard.

ISATAP, defined in RFC 4214, is an IPv6 transition technology that provides IPv6 connectivity between IPv6/IPv4 hosts across an IPv4-only intranet. ISATAP can be used for Forefront UAG DirectAccess to provide IPv6 connectivity to ISATAP hosts across your intranet. For more information on ISATAP, see IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?LinkId=154382).

Note

  • To connect to your corporate machines using ISATAP-based IPv6 connectivity, register the name ISATAP on a domain DNS server for each domain on which you want to enable ISATAP-based connectivity, so that the ISATAP name is resolvable by the internal DNS server to the internal IPv4 address of the Forefront UAG DirectAccess server. You can also do this after you have finished your deployment.

    In the case of an NLB array, add the internal IPv4 VIP, and each array member's internal IPv4 DIP. It is recommended that you make the additions to the ISATAP DNS record before your deployment.

  • By default, DNS servers running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 block the resolution of the name ISATAP with the global query block list. To enable ISATAP, you must remove the name ISATAP from the block list. For more information on how to remove the name ISATAP from the block list, see Remove ISATAP from the DNS Global Query Block List (https://go.microsoft.com/fwlink/?LinkId=168593).

  • Install the Windows NLB Hotfix (KB977342) (https://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members to provide ISATAP connectivity when integrated Windows Network Load Balancing is configured.

Windows-based ISATAP hosts that can resolve the name ISATAP perform address autoconfiguration with the Forefront UAG DirectAccess server, resulting in the automatic configuration of the following:

  • An ISATAP-based IPv6 address on an ISATAP tunneling interface.

  • A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.

  • A default IPv6 route that points to the Forefront UAG DirectAccess server.

    Note

    The default IPv6 route ensures that intranet ISATAP hosts can reach DirectAccess clients.

When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate, if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for the entire intranet, your communication goes from a segmented, multi-subnet IPv4 model of communication to a flat, single-subnet communication model with IPv6. This can affect the behavior of some Active Directory Domain Services (AD DS) features, and of other applications that rely on your Active Directory Sites and Services configuration. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers within sites, this configuration is not used by ISATAP hosts.

To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, for each IPv4 subnet object, you must configure an equivalent IPv6 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet. For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:8000::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:8000:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the example), you can determine the corresponding IPv6 prefix length from the formula: 96 + IPv4PrefixLength.

For the IPv6 addresses of DirectAccess clients, add the following:

  • An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address of the Forefront UAG DirectAccess server. This IPv6 prefix is for Teredo-based DirectAccess clients.

  • An IPv6 subnet for the range 2002:WWXX:YYZZ:8100::/56, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address (w.x.y.z) of the Forefront UAG DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.

  • A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z.

    For example, the 7.0.0.0/8 range is administered by the American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv4 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry (https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based DirectAccess clients.
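The prefix derivations described above, both the ISATAP subnet-object prefix for Active Directory Sites and Services (the 96 + IPv4PrefixLength formula) and the Teredo, IP-HTTPS and 6to4 client prefixes derived from the server's Internet-facing IPv4 address, as an added Python example. This is not code from the original page or from Forefront UAG; the function names and the sample server address 131.107.0.1 (chosen because it yields the 2002:836b:1 prefix the page uses) are constructed for illustration, and the script uses only the standard-library ipaddress module.

```python
import ipaddress

# The ISATAP interface identifier is 0:5efe:w.x.y.z, so the high 32 bits of the
# 64-bit interface ID are always 0x00005efe and the low 32 bits carry the IPv4 address.
ISATAP_IID_HIGH = 0x00005EFE << 32


def isatap_subnet(isatap_prefix: str, ipv4_subnet: str) -> ipaddress.IPv6Network:
    """IPv6 subnet object covering the same ISATAP hosts as ipv4_subnet.

    The IPv6 prefix length is 96 + IPv4PrefixLength: 64 bits of ISATAP prefix,
    32 bits of fixed interface-ID header (0:5efe), then the IPv4 prefix bits.
    """
    prefix = ipaddress.IPv6Network(isatap_prefix)
    if prefix.prefixlen != 64:
        raise ValueError("the ISATAP intranet prefix must be a /64")
    v4 = ipaddress.IPv4Network(ipv4_subnet)  # strict: host bits must be zero
    addr = int(prefix.network_address) | ISATAP_IID_HIGH | int(v4.network_address)
    return ipaddress.IPv6Network((addr, 96 + v4.prefixlen))


def teredo_prefix(server_ipv4: str) -> ipaddress.IPv6Network:
    """2001:0:WWXX:YYZZ::/64 for Teredo-based DirectAccess clients."""
    v4 = int(ipaddress.IPv4Address(server_ipv4))
    return ipaddress.IPv6Network(((0x20010000 << 96) | (v4 << 64), 64))


def iphttps_prefix(server_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ:8100::/56 for IP-HTTPS-based DirectAccess clients."""
    v4 = int(ipaddress.IPv4Address(server_ipv4))
    addr = (0x2002 << 112) | (v4 << 80) | (0x8100 << 64)
    return ipaddress.IPv6Network((addr, 56))


def sixto4_prefix(public_ipv4_cidr: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/(16+n) for a public IPv4 prefix w.x.y.z/n (6to4 clients)."""
    v4 = ipaddress.IPv4Network(public_ipv4_cidr)
    addr = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((addr, 16 + v4.prefixlen))


def sites_and_services_subnets(isatap_prefix, server_ipv4, ipv4_subnets, public_v4_ranges):
    """Every IPv6 subnet object the page says to add, keyed by its purpose."""
    out = {f"ISATAP {s}": isatap_subnet(isatap_prefix, s) for s in ipv4_subnets}
    out["Teredo clients"] = teredo_prefix(server_ipv4)
    out["IP-HTTPS clients"] = iphttps_prefix(server_ipv4)
    for r in public_v4_ranges:
        out[f"6to4 clients {r}"] = sixto4_prefix(r)
    return out


if __name__ == "__main__":
    # Constructed sample input: the page's /64 ISATAP prefix, a server whose
    # Internet-facing address is 131.107.0.1, two intranet IPv4 subnets and the
    # ARIN 7.0.0.0/8 range used as the page's 6to4 example.
    subnets = sites_and_services_subnets(
        "2002:836b:1:8000::/64", "131.107.0.1",
        ["192.168.99.0/24", "10.1.0.0/16"], ["7.0.0.0/8"])
    for name, net in subnets.items():
        print(f"{name:26} {net}")
```

Run with any intranet subnet list to get the exact prefixes to type into the Active Directory Sites and Services snap-in; feeding in every IPv4 subnet object you already have avoids the transcription mistakes that are easy to make when hand-converting dotted-quad ranges into colon-hexadecimal. The full list of IANA-administered public ranges is not embedded here; pass the ranges you take from the IANA registry linked above.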

An existing ISATAP-based IPv6 infrastructure

If you have an existing ISATAP infrastructure, the Forefront UAG DirectAccess Configuration Wizard prompts you for the 48-bit prefix of the organization and does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Forefront UAG DirectAccess server. For more information on how to configure an existing ISATAP deployment, see Assigning IP addresses to the server interfaces.

A native IPv6 infrastructure

If you have an existing native IPv6 infrastructure, the Forefront UAG DirectAccess Configuration Wizard prompts you for the 48-bit prefix of the organization, and does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing so that default route traffic is forwarded to the Forefront UAG DirectAccess server.

If your intranet IPv6 address space is using something other than a single 48-bit IPv6 address prefix, you must enter the relevant organization IPv6 prefix in the Configuring IPv6 prefix addresses page of the Forefront UAG DirectAccess Configuration Wizard, or modify the UAGDA_PREFIX_CORP parameter in the script generated at the end of the Forefront UAG DirectAccess Configuration Wizard, and run the new script.

If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the Forefront UAG DirectAccess server, and then configure the appropriate connections and routes on the Forefront UAG DirectAccess server, so that the default route traffic is forwarded to the device that is connected to the IPv6 Internet.

Note

If you already have some native IPv6 segments in your organization, and the Forefront UAG DirectAccess server has no native IPv6 connectivity to the IPv6 cloud, an ISATAP router should not be deployed on the Forefront UAG DirectAccess server. For more information, see Assigning IP addresses to the server interfaces.