Packet filters for Teredo Connectivity
Updated: October 1, 2009
Applies To: Windows 7, Windows Server 2008 R2
|This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).|
The following packet filters facilitate traffic for DirectAccess clients that use Teredo. If you do not configure these packet filters, DirectAccess clients that are behind a network address translator (NAT) will not by default be able to connect to intranet resources or be managed by intranet management servers.
The alternative is to disable the Teredo client on DirectAccess clients. However, without Teredo connectivity, DirectAccess clients that are located behind NAT will use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) for Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server. IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections.
DirectAccess clients that are behind NATs on the Internet attempt to use Teredo for IPv6 connectivity to the DirectAccess server. DirectAccess clients are Teredo clients to the DirectAccess server, which is acting as a Teredo server and relay. To ensure that a destination is reachable, Teredo clients send an Internet Control Message Protocol for IPv6 (ICMPv6) Echo Request message and wait for an ICMPv6 Echo Reply message.
For a Teredo-based DirectAccess client to communicate with an intranet resource, that resource must accept inbound ICMPv6 Echo Request messages. Therefore, for DirectAccess clients to reach any location on the intranet, you must allow inbound ICMPv6 Echo Request messages on all of your intranet hosts. If your intranet is using a NAT64 to translate IPv6 traffic to Internet Protocol version 4 (IPv4) traffic, you must also allow inbound ICMP for IPv4 (ICMPv4) Echo Request messages on all of your intranet hosts.
For information about how to configure packet filters for ICMPv6 and ICMPv4 Echo Request traffic, see Configure Packet Filters to Allow ICMP Traffic.
If you are using Windows Firewall with Advanced Security to block unsolicited inbound traffic, you will already have a set of inbound rules that allow the traffic from your management servers. Because DirectAccess clients that are located behind NATs will use Teredo for IPv6 connectivity to the DirectAccess server, you must enable edge traversal on this set of inbound rules.
For a computer that is being managed to be reachable over Teredo, ensure that the computer has an inbound rule for ICMPv6 Echo Request messages with edge traversal enabled. The Network Shell (Netsh) command-line tool command for this rule is the following:
netsh advfirewall firewall add rule name="Inbound ICMPv6 Echo Request with Edge traversal" protocol=icmpv6:128,0 dir=in action=allow edge=yes profile=public,private