DirectAccess with Microsoft UAG: A smart way to start using IPv6

John Joyner suggests one way for organizations to start using IPv6 -- by deploying a solution that allows remote workers to access IPv6-based corporate resources over the public IPv4 Internet.

The widely reported depletion of public Internet IPv4 addresses does not yet impact many businesses beyond Internet service providers (ISPs), so few organizations have deployed IPv6 technology in any fashion. Yet, IPv6 is built into Windows client and server operating systems, and is supported by Active Directory (AD). Most IT Pros recognize that a migration to IPv6 is inevitable, but there has been a lack of a business motivation to begin an IPv6 transition.

Microsoft introduced a remote worker technology based on IPv6 called DirectAccess (DA) with Windows Server 2008 R2. This solution allows computers anywhere on the Internet to access IPv6-based corporate resources over the public IPv4 Internet. By itself (that is running on only the base Windows 2008 R2 operating system) DA has limited application, in that it only works with a subset of your network servers-those running IPv6. There are also some capacity limitations, because native DA does not provide a scale-out feature.

The usefulness of DA is greatly increased by Microsoft's Forefront Unified Access Gateway 2010 (UAG) product. Forefront UAG is a compelling package because it solves the scaling limitations of native DA and adds a NAT64 gateway feature. The NAT64 gateway provides access to IPv4-only resources for DirectAccess clients; this opens up your entire private network for access by remote DA clients. With UAG-based DA, you don't have to migrate domain controllers or application servers to Windows Server 2008 R2.

There remains a key limitation: A Forefront UAG DirectAccess client must be running Windows 7 Enterprise or Windows 7 Ultimate and be joined to an Active Directory (AD) domain. If your organization can equip remote workers with these high-end Windows 7 versions, and join their computers to your domain, a UAG-based DA remote access solution could be the most popular new technology you add to your organization since virtualization.

IPv6 transition technologies

UAG-based DirectAccess bundles the management of several ways to tunnel IPv6 over IPv4 infrastructure. These methods are briefly described below:

  • 6to4 is used when your client has a public IPv4 address. 6to4 packages the data with an extra IP header and uses IPv4 protocol 41.
  • Teredo is used when your client is behind a NAT device. Teredo packages the data on UDP port 3544.
  • IP-HTTPS is also used behind a NAT device when Teredo is detected to be unavailable. IP-HTTPS packages the data in an SSL tunnel on port 443.
  • Finally, ISATAP is used to provide IPv6 connectivity to ISATAP hosts across an IPv4 intranet using a NAT64 router (such as UAG).
The settings that enable these transition technologies on the Windows 7 client are pushed by AD group policy as shown in Figure A. When you enable DA on your UAG server, the group policies needed are automatically created in your domain and linked to the appropriate security groups.

Figure A

DirectAccess clients are assigned IPv6 transition technology settings by group policy.

Always-connected remote workers

This feature of the DA solution is often the reason organizations were first interested in DA technology at all. Many organizations have been seeking a way to replace dependence on legacy Virtual Private Network (VPN) systems for remote workers. DA represents a valid way to migrate beyond VPN technology for remote workers.

DA achieves a seamless remote work experience that is unrivaled in the computer industry today. DA uses IPv6 transition technologies to provide an always-on, secure connection for remote users. DA leverages conventional Internet Protocol Security (IPSEC) policies for authentication and encryption, so there is no additional client software component.

Basically, internal network resources remain available to a DA client computer under all connection scenarios. If the computer has an Internet connection, it will be usable as if it were on the local corporate network at all times. Mapped drive letters stay mapped and available. Intranet-only web sites can be browsed to as if you were on the local network. The crowd-pleasing "wow" factor makes DA a pleasure to deploy.

Manage-out capability

Remote DA client computers continue to pull updated group policy settings from your AD domain, as long as they have an Internet connection. Likewise, many computer management applications like Microsoft's System Center Configuration Manager (SCCM), and Windows Server Update Services (WSUS) continue to work with DA clients. A nice surprise for adopters of DA technology is known as ‘manage-out', effectively keeping remote worker computers continuously secure with configuration and update management. Real-time, world-wide Internet-based asset control using your current management tools is a huge benefit for almost any organization.

Meaningful, early adoption of IPv6

Deploying DirectAccess means deploying IPv6 internally at your organization. Your AD DNS will become populated with type "AAAA" (IPv6 host) records. Your domain controllers and other key infrastructure servers will be reachable by IPv6. "Pings" and other network traffic between IPv6 enabled hosts will start using IPv6. Administrators of these networks can rightly claim they are future-proofed when it comes to the new ‘Internet Protocol version 6'.

Here are the high-level steps to get a client working in this solution (after deploying UAG):

  1. All settings needed for a DA client are in the GPO "UAG DirectAccess: Clients (DA-server-FQDN)". The GPO is applied to an AD security group you designate during UAG setup.
  2. Add prospective DA client computer accounts to the AD security group.
  3. Boot the prospective DA client computer on the corporate LAN (or via a dial-up VPN connection that lets connect your VPN before you log in).
  4. When on the LAN or VPN, pull a Computer certificate for the client.
  5. Also while on the LAN or VPN, make sure group policy is refreshed and the computer group policies are effective.
  6. The computer is now a DirectAccess client. Remove the computer from the domain and take to an Internet location, or disconnect it from the VPN.
  7. You should be able to complete the DA client validation tests, such as connecting to file shares and intranet web sites.