Packet filtering for intranet firewalls

Updated: February 1, 2010

Applies To: Unified Access Gateway

Some organizations use an additional intranet firewall between the perimeter network and the intranet to filter malicious traffic that gets past the Internet firewall and perimeter network servers. If you use an intranet firewall and the Forefront UAG DirectAccess server is on the IPv4 Internet, you must configure the following additional packet filters:

  • All IPv4 and IPv6 traffic to and from the Forefront UAG DirectAccess server—The Forefront UAG DirectAccess server must reach and be reachable by Active Directory domain controllers, management servers, and other intranet resources. You can begin with this initial filter, and then refine the filter over time to allow the subset of traffic needed by the Forefront UAG DirectAccess server.

  • Protocol 41 inbound and outbound—ISATAP encapsulates IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload. Use this packet filter if you are using ISATAP to send IPv6 traffic across your IPv4-only intranet.
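The Protocol 41 check described above, written out as an added example (not part of the original documentation): it reads the Protocol field of a raw IPv4 header and confirms that an IPv6 header actually follows. The server address `192.0.2.10`, the sample packets, and the restriction of protocol 41 to packets to or from that server are assumptions made for the illustration.

```python
import ipaddress
import struct

DA_SERVER = ipaddress.IPv4Address("192.0.2.10")  # assumed DirectAccess server address
PROTO_IPV6 = 41  # IPv4 Protocol value for an encapsulated IPv6 packet


def classify(pkt: bytes) -> tuple:
    """Return (action, detail) for one raw IPv4 packet seen at the intranet firewall."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("drop", "not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes; options push it past 20
    if ihl < 20 or len(pkt) < ihl:
        return ("drop", "bad IPv4 header length")
    src, dst = (ipaddress.IPv4Address(pkt[i:i + 4]) for i in (12, 16))
    if pkt[9] != PROTO_IPV6:
        return ("other-rules", f"protocol {pkt[9]}")
    if DA_SERVER not in (src, dst):
        return ("drop", "protocol 41 not to or from the DirectAccess server")
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        # Non-first fragments carry no inner header, so there is nothing to inspect.
        return ("allow", "non-first fragment, inner header not present")
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("drop", "protocol 41 without an IPv6 header inside")
    in_src = ipaddress.IPv6Address(inner[8:24])
    in_dst = ipaddress.IPv6Address(inner[24:40])
    return ("allow", f"{in_src} -> {in_dst}")


def sample(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed inner IPv6 header: version 6, empty payload, next header 59 (none),
# with ISATAP-style interface identifiers (::5efe:a.b.c.d) in both addresses.
INNER = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
         + ipaddress.IPv6Address("2001:db8::5efe:c000:20a").packed
         + ipaddress.IPv6Address("2001:db8::5efe:c633:6414").packed)

if __name__ == "__main__":
    print(classify(sample(41, "192.0.2.10", "198.51.100.20", INNER)))
    print(classify(sample(41, "203.0.113.9", "198.51.100.20", INNER)))
    print(classify(sample(41, "192.0.2.10", "198.51.100.20", b"\x45" * 40)))
```
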