Packet filtering for Teredo connectivity
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
The following packet filters facilitate traffic for DirectAccess clients that use Teredo. If you do not configure these specific packet filters, DirectAccess clients that are behind a network address translation (NAT) device will not be able to connect to intranet resources or be managed by intranet management servers.
Without these packet filters, it would be necessary to disable the Teredo client component on DirectAccess clients. This would force DirectAccess clients that are located behind NAT devices to use IP-HTTPS for IPv6 connectivity to the Forefront UAG DirectAccess server, even though IP-HTTPS-based connections have lower performance and higher overhead than Teredo-based connections.
The following describes the packet filters that facilitate traffic for Teredo connectivity.
Allow inbound ICMPv6 Echo Requests on all computers
DirectAccess clients that are behind NAT devices on the Internet use Teredo for IPv6 connectivity to the Forefront UAG DirectAccess server. The DirectAccess clients are Teredo clients of the Forefront UAG DirectAccess server, which acts as a Teredo server and relay. To ensure that a destination is reachable, Teredo clients send an ICMPv6 Echo Request message and wait for an ICMPv6 Echo Reply message. For a Teredo-based DirectAccess client to communicate with an intranet resource, that resource must accept inbound ICMPv6 Echo Request messages. Thus, for DirectAccess clients to reach any location on the intranet, you must allow inbound ICMPv6 Echo Request messages on all of your intranet hosts.
Enable edge traversal on inbound management traffic
If you are using Windows Firewall with Advanced Security to block unsolicited inbound traffic, you already have a set of inbound rules that allow the traffic from your management servers. Because DirectAccess clients located behind NAT devices will use Teredo for IPv6 connectivity to the Forefront UAG DirectAccess server, you must enable edge traversal on this set of inbound rules.
Enable inbound ICMPv6 Echo Requests for management traffic
For a managed computer to be reachable over Teredo, ensure that the computer has an inbound rule for ICMPv6 Echo Request messages with edge traversal enabled. The Netsh.exe command for this rule is as follows:
netsh advfirewall firewall add rule name="Inbound ICMPv6 Echo Request with Edge traversal" protocol=icmpv6:128,any dir=in action=allow edge=yes profile=public,private
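The three packet filters above (the ICMPv6 Echo Request rule on intranet hosts, edge traversal on the existing inbound management rules, and the edge-traversal Echo Request rule on managed DirectAccess clients) can be applied and checked with one script. The following PowerShell script is an added example, not code from the original article or from Forefront UAG; it wraps the same netsh advfirewall commands. The rule names, the Domain profile used for intranet hosts, the "DA Management" name prefix that identifies your existing management rules, and the assumption that intranet hosts receive native IPv6 from the UAG relay (so they do not need edge traversal) are all assumptions of this example.

```powershell
<#
  Added example, not from the original article: applies and verifies the
  Teredo packet filters the article describes, using netsh advfirewall.
  Rule names, the Domain profile for intranet hosts and the management-rule
  name prefix are assumptions; adjust them to your environment. Run elevated.
#>
param(
    # 'Client'   : a DirectAccess client behind NAT, managed from the intranet
    # 'Intranet' : an intranet host that Teredo-based DirectAccess clients must reach
    [ValidateSet('Client', 'Intranet')]
    [string]$Role = 'Client',

    # Existing inbound rules whose names start with this prefix are treated as
    # the management-server rules that need edge traversal (assumed naming).
    [string]$ManagementRulePrefix = 'DA Management',

    # Optional intranet host to probe with an ICMPv6 echo from the client.
    [string]$ProbeHost
)

# Runs netsh.exe and fails loudly on a non-zero exit code.
function Invoke-Netsh {
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    return $output
}

# Adds an inbound allow rule for ICMPv6 type 128 (Echo Request), any code.
function Add-IcmpV6EchoRequestRule {
    param([string]$Name, [string]$Profile, [bool]$EdgeTraversal)
    $edge = if ($EdgeTraversal) { 'yes' } else { 'no' }
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$Name",
        'protocol=icmpv6:128,any', 'dir=in', 'action=allow',
        "edge=$edge", "profile=$Profile") | Out-Null
}

# Returns the names of all inbound rules whose name starts with $Prefix.
function Get-InboundRuleNames {
    param([string]$Prefix)
    $names = @()
    foreach ($line in (Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=all', 'dir=in'))) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$' -and $Matches[1].StartsWith($Prefix)) {
            $names += $Matches[1]
        }
    }
    return $names
}

# Turns on edge traversal for an existing inbound rule without touching
# its other parameters.
function Enable-EdgeTraversal {
    param([string]$Name)
    Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule', "name=$Name",
        'dir=in', 'new', 'edge=yes') | Out-Null
}

# Reads the rule back and returns $true only if edge traversal is reported as Yes.
function Test-EdgeTraversal {
    param([string]$Name)
    $verbose = Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', "name=$Name", 'verbose')
    return [bool]($verbose | Where-Object { $_ -match '^Edge traversal:\s+Yes' })
}

switch ($Role) {
    'Intranet' {
        # Intranet hosts answer the Teredo reachability probe; assumed here to
        # see native IPv6 from the UAG relay, so no edge traversal is needed.
        Add-IcmpV6EchoRequestRule -Name 'Inbound ICMPv6 Echo Request (DirectAccess)' `
            -Profile 'domain' -EdgeTraversal $false
    }
    'Client' {
        # The article's rule: Echo Request with edge traversal on the managed client.
        $echoRule = 'Inbound ICMPv6 Echo Request with Edge traversal'
        Add-IcmpV6EchoRequestRule -Name $echoRule -Profile 'public,private' -EdgeTraversal $true

        # Enable edge traversal on every existing inbound management rule.
        $rules = Get-InboundRuleNames -Prefix $ManagementRulePrefix
        if (-not $rules) { Write-Warning "No inbound rules start with '$ManagementRulePrefix'" }
        foreach ($r in @($rules) + $echoRule) {
            Enable-EdgeTraversal -Name $r
            if (-not (Test-EdgeTraversal -Name $r)) { throw "Edge traversal not enabled on '$r'" }
            Write-Host "Edge traversal enabled: $r"
        }

        # Show whether this client is actually using Teredo (State, NAT type).
        Invoke-Netsh @('interface', 'teredo', 'show', 'state') | Write-Host

        # Optional end-to-end check: the echo that Teredo itself relies on.
        if ($ProbeHost) {
            & ping.exe -6 -n 2 $ProbeHost | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "ICMPv6 echo to $ProbeHost failed" }
            else { Write-Host "ICMPv6 echo to $ProbeHost succeeded" }
        }
    }
}
```

Run it with -Role Intranet on intranet hosts and with -Role Client (optionally -ProbeHost some-intranet-server) on managed DirectAccess clients. The Test-EdgeTraversal read-back matters: netsh reports "Ok." for the set command even when the rule name matched nothing useful, so confirming the "Edge traversal: Yes" line in the verbose listing is the only way to know the management rules really accept Teredo-delivered traffic.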