Configuring NAT64 and DNS64

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to configure Forefront UAG DirectAccess to enable DirectAccess clients to connect to IPv4-only resources on the intranet, by using the integrated NAT64 and DNS64 functionality on the Forefront UAG DirectAccess server.

Forefront UAG DirectAccess requires end-to-end IPv6 communication between DirectAccess clients and the internal resources that they connect to on the intranet. Many resources are not directly accessible over IPv6, including computers that are not capable of running IPv6 and computers with services that are not IPv6-aware (for example, a server that only supports IPv4, or a Windows 2003 server that is IPv6-capable but runs services that are not IPv6-aware). When you need to connect to IPv4-only resources on your intranet, you can use the integrated NAT64 and DNS64 functionality on the Forefront UAG DirectAccess server. NAT64 takes IPv6 traffic on one side and converts it into IPv4 traffic on the other side; the address conversion and conversation handling operate in a similar way to a traditional IPv4 NAT device. On the Forefront UAG DirectAccess server, NAT64 is used in combination with DNS64. DNS64 intercepts DNS queries and modifies the replies: when a client asks for the name of a computer and the answer is an IPv4 address, DNS64 converts that answer into the corresponding IPv6 address within the NAT64 prefix, so that the client is directed to the NAT64 for that computer.

For more information on NAT64 and DNS64, see Choosing a solution for IPv4-only intranet resources.
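As an added illustration (not code from the Forefront UAG documentation), the following Python models what DNS64 and NAT64 do with a /96 prefix: DNS64 embeds an IPv4 answer into the low 32 bits of the prefix to synthesize an AAAA answer, and NAT64 recovers the IPv4 destination from such an address. The prefix 2001:db8:64:ffff::/96 and the host records are constructed sample values.

```python
import ipaddress


def dns64_synthesize(nat64_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix: the 32-bit IPv4 address
    becomes the low 32 bits of the synthesized IPv6 address."""
    net = ipaddress.IPv6Network(nat64_prefix, strict=True)
    if net.prefixlen != 96:
        # The wizard's Connectivity page expects a /96 NAT64/DNS64 prefix;
        # any other length cannot carry the whole IPv4 address in the host part.
        raise ValueError("NAT64/DNS64 prefix must be a /96, got /%d" % net.prefixlen)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def nat64_extract(nat64_prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Inverse mapping: recover the IPv4 destination the NAT64 forwards to."""
    net = ipaddress.IPv6Network(nat64_prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        # Traffic outside the NAT64 prefix is native IPv6 and must not be translated.
        raise ValueError("%s is not inside NAT64 prefix %s" % (addr, net))
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_aaaa_answer(nat64_prefix: str, a_records: list, aaaa_records: list) -> list:
    """Model the DNS64 reply for one name: a name that already has AAAA records
    is answered unchanged; an IPv4-only name gets one synthesized AAAA per A
    record, so the client is directed to the NAT64 instead of failing over IPv6."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(a)) for a in aaaa_records]
    return [str(dns64_synthesize(nat64_prefix, a)) for a in a_records]


# Constructed sample values (not from the Forefront UAG documentation).
SAMPLE_PREFIX = "2001:db8:64:ffff::/96"
SAMPLE_ZONE = {
    "app1.corp.example": {"A": ["192.0.2.10"], "AAAA": []},                 # IPv4-only host
    "app2.corp.example": {"A": ["192.0.2.11"], "AAAA": ["2001:db8:1::11"]},  # dual-stack host
}


def resolve_all(nat64_prefix: str, zone: dict) -> dict:
    """Return the AAAA answer DNS64 would give for every name in the zone."""
    return {name: dns64_aaaa_answer(nat64_prefix, rr["A"], rr["AAAA"]) for name, rr in zone.items()}


if __name__ == "__main__":
    for name, answers in resolve_all(SAMPLE_PREFIX, SAMPLE_ZONE).items():
        print(name, "AAAA", answers)
    print("NAT64 forwards 2001:db8:64:ffff::c000:20a to", nat64_extract(SAMPLE_PREFIX, "2001:db8:64:ffff::c000:20a"))
```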

To configure NAT64 and DNS64

  1. In the DirectAccess Server section of the wizard, on the Managing DirectAccess Services page, refer to the following table to see what actions (if any) need to be taken based on the NAT64 and DNS64 scenario you are deploying.

    The table has four columns: Scenario, Forefront UAG DirectAccess Configuration Wizard, Additional actions, and Example. Its rows are listed below, one scenario at a time.

    Scenario: Use Forefront UAG DirectAccess NAT64 and DNS64.

    Forefront UAG DirectAccess Configuration Wizard: Do the following:

    1. Use the default settings.

    2. Use the Forefront UAG DNS64 IP address when adding DNS suffixes to the NRPT. See Identifying DNS servers.

    Additional actions: None.

    Scenario: Use Forefront UAG DirectAccess NAT64 and an external DNS64.

    Forefront UAG DirectAccess Configuration Wizard: Do the following:

    1. Clear the Enable UAG DirectAccess DNS64 check box.

    2. Use the external DNS64 address when adding DNS suffixes to the NRPT.

    3. Ensure that the correct NAT64 and DNS64 IPv6 prefix (/96) is configured on the Connectivity page of the wizard.

    Additional actions: None.

    Scenario: Use Forefront UAG DirectAccess DNS64 and an external NAT64.

    Forefront UAG DirectAccess Configuration Wizard: Do the following:

    1. Clear the Enable UAG DirectAccess NAT64 check box.

    2. Ensure that the correct NAT64 and DNS64 IPv6 prefix (/96) is configured on the Connectivity page of the wizard.

    Additional actions: Do the following:

    1. Create a route on the Forefront UAG DirectAccess server for the NAT64 prefix, with the external NAT64 as the next hop.

    2. Create a route on the external NAT64 for the IPv6 default route (::/0), with the Forefront UAG DirectAccess server as the next hop.

    3. Ensure that forwarding is enabled on the DirectAccess server (DAS) and on the external NAT64.

    Example: Following are example routes:

    • Netsh int ipv6 add route <Nat64Prefix> <IfIndex> <NextHop>

    • Netsh int ipv6 add route <Non-CorpPrefix> <IfIndex> <NextHop>

    • Netsh int ipv6 set int <IfIndex> forwarding=enabled

      Note

      This command should be run on the Forefront UAG DirectAccess server and on the external NAT64.

    Scenario: Use an external NAT64 and an external DNS64.

    Forefront UAG DirectAccess Configuration Wizard: Do the following:

    1. Clear the Enable UAG DirectAccess NAT64 and the Enable UAG DirectAccess DNS64 check boxes.

    2. Ensure that the correct NAT64 and DNS64 IPv6 prefix (/96) is configured on the Connectivity page of the wizard.

    3. Use the external DNS64 address when adding DNS suffixes to the NRPT.

    Additional actions: Do the following:

    1. Create a route on the Forefront UAG DirectAccess server for the NAT64 prefix, with the external NAT64 as the next hop.

    2. Create a route on the external NAT64 for the transition technology prefixes, with the Forefront UAG DirectAccess server as the next hop.

    3. Ensure that forwarding is enabled on the DirectAccess server (DAS) and on the external NAT64.

    Example: Following are example routes:

    • Netsh int ipv6 add route <Nat64Prefix> <IfIndex> <NextHop>

    • Netsh int ipv6 add route <Non-CorpPrefix> <IfIndex> <NextHop>

    • Netsh int ipv6 set int <IfIndex> forwarding=enabled

      Note

      This command should be run on the Forefront UAG DirectAccess server and on the external NAT64.

  2. Click Next.

    When there is no IPv6 infrastructure on your intranet, the Forefront UAG DirectAccess server is automatically configured as an ISATAP router. It derives the 6to4-based organization, IP-HTTPS, and NAT64 IPv6 prefixes, and the wizard skips to the Configuring authentication options page. See Configuring authentication options.

    When there is an existing IPv6 infrastructure on your intranet, the next step of the wizard opens, enabling you to configure the different types of IPv6 prefixes. See Configuring IPv6 prefix addresses.