Packet Filters for Your Internet Firewall

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

Most organizations use an Internet firewall between the Internet and the computers on their perimeter network. This firewall is typically configured with packet filters that only allow specific types of traffic to and from the perimeter network computers. When you add a DirectAccess server to your perimeter network, you must configure additional packet filters to allow the traffic to and from the DirectAccess server for all of the types of traffic that a DirectAccess client uses to obtain Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server.

If your DirectAccess server is on the Internet Protocol version 4 (IPv4) Internet, the DirectAccess server must have two consecutive, public IPv4 addresses and your Internet firewall must pass the traffic to the DirectAccess server without translating addresses or port numbers. Configure packet filters on your Internet firewall to allow the following types of IPv4 traffic for the DirectAccess server:

  • Protocol 41 inbound and outbound

    For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.

  • User Datagram Protocol (UDP) destination port 3544 inbound and UDP source port 3544 outbound

    For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6 packets with an IPv4 and UDP header. The DirectAccess server is listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.

  • Transmission Control Protocol (TCP) destination port 443 inbound and TCP source port 443 outbound

    For DirectAccess clients that use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) to encapsulate IPv6 packets within an IPv4-based HTTPS session. The DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based DirectAccess clients.

If your DirectAccess server is on the IPv6 Internet, you must configure packet filters on your Internet firewall to allow the following types of IPv6 traffic for the DirectAccess server:

  • Protocol 50

    DirectAccess on the IPv6 Internet uses the Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) to protect the packets to and from the DirectAccess server without the encapsulation headers required for IPv6 transition technologies. In the IPv6 header, the Next Header field (the IPv6 counterpart of the IPv4 Protocol field) is set to 50 to indicate an ESP-protected payload.

  • UDP destination port 500 inbound and UDP source port 500 outbound

    DirectAccess on the IPv6 Internet uses the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) protocols to negotiate IPsec security settings. The DirectAccess server is listening on UDP port 500 for incoming IKE and AuthIP traffic.

  • UDP destination port 4500 inbound and UDP source port 4500 outbound

    To support IPsec NAT-Traversal (NAT-T) for translated IPv6 clients on the IPv6 Internet, the DirectAccess server is listening on UDP port 4500 for incoming IPsec NAT-T traffic.

  • All Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound
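As an added example (not code from this topic or from Microsoft), the two filter sets above expressed as a small Python classifier that an administrator can use to check a candidate packet, or an exported flow list, against the allowed rules; the `Packet` type, the `RULES` table and the sample values are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed model of the Internet-firewall filter set for a DirectAccess
# server (example code, not Microsoft's). Direction is from the server's view:
# "in" = Internet -> DirectAccess server, "out" = DirectAccess server -> Internet.

PROTO_TCP, PROTO_UDP = 6, 17
PROTO_IPV6_ENCAP, PROTO_ESP, PROTO_ICMPV6 = 41, 50, 58

# (ip_version, protocol, server_port, rule name); server_port None = no port check.
RULES = [
    (4, PROTO_IPV6_ENCAP, None, "6to4 (protocol 41)"),
    (4, PROTO_UDP, 3544, "Teredo (UDP 3544)"),
    (4, PROTO_TCP, 443, "IP-HTTPS (TCP 443)"),
    (6, PROTO_ESP, None, "IPsec ESP (protocol 50)"),
    (6, PROTO_UDP, 500, "IKE/AuthIP (UDP 500)"),
    (6, PROTO_UDP, 4500, "IPsec NAT-T (UDP 4500)"),
    (6, PROTO_ICMPV6, None, "ICMPv6 (all)"),
]


@dataclass(frozen=True)
class Packet:
    ip_version: int      # 4 or 6
    protocol: int        # IPv4 Protocol field / IPv6 Next Header value
    direction: str       # "in" or "out", relative to the DirectAccess server
    src_port: int = 0    # transport-layer ports; 0 when not applicable
    dst_port: int = 0


def classify(pkt):
    """Return the name of the rule that permits pkt, or None (default deny)."""
    if pkt.direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    # The server's port is the destination inbound and the source outbound;
    # the client's port is unconstrained (ephemeral).
    server_port = pkt.dst_port if pkt.direction == "in" else pkt.src_port
    for version, proto, port, name in RULES:
        if pkt.ip_version == version and pkt.protocol == proto:
            if port is None or server_port == port:
                return name
    return None


def denied(packets):
    """Return the packets in an audit list that no rule permits."""
    return [p for p in packets if classify(p) is None]
```

Note that a Teredo or IP-HTTPS packet only matches when the well-known port is on the DirectAccess server's side of the flow, which is why the page states the inbound rule as a destination port and the outbound rule as a source port.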