Microsoft Direct Access & IPv6 Transition Technologies
Posted by Brajesh Panda on December 23, 2012
- Direct Access is a completely IPv6 Technology
- DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network.
- However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks.
Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Network
- Over IPv4 INTERNET (Extranet) it can use 6to4, Teredo and IP-HTTPS
- Over IPv4 INTRANET it use any one between ISATAP, NAT64 and DNS64
These IPv6 transitioning technologies provide automatic tunneling between two Dual-Stack devices; here tunnel doesn’t mean a typical vpn like tunnel. Tunnel refers to encapsulation and they also auto assign IPv6 address to the participating hosts.
So IPv6 transitioning technologies encapsulate IPv6 packet with an IPv4 Packet Header
As per Dual Stack is concern, it refers to how IPv6 Stack is implemented in that device
Dual IP Layer – Common Transport Stack
Dual Stack Layer – Different Transport Stack
Extranet (Internet) IPv6 Transitioning Technologies
- It is an address assignment and dual stack IPv6 tunneling technology
- Used to provide Unicast IPv6 connectivity between IPv6 sites & hosts across IPv4 Internet
- It provides address assignment and automatic tunneling for unicast IPv6 connectivity across the IPv4 Internet, even when IPv6/IPv4 hosts are located behind one or multiple IPv4 NATs.
- Known as IPv4 NAT Traversal (NAT-T) for IPv6. To traverse IPv4 NATs, IPv6 packets are sent as IPv4 UDP messages.
- Due to nature of UDP Teredo provides more performance than other transition technologies.
- It is designed as last resort transition technology for IPV6. It only used where native IPv6, ISATAP or 6To4 connectivity is not possible.
- Like other extranet IPv6 transition technologies, IP-HTTPS auto assigns globally routable IPv6 address to IPv4 enabled hosts.
- IP-HTTPS establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session.
- IP-HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection.
- On certain networks, Internet firewall settings may prevent successful client connections using the 6to4 or Teredo IPv6 transition technologies; but IP-HTTPS bring more flexibility due to HTTPS
- IP-HTTPS implementation in Windows 2012 Direct Access is different from Windows 2008 R2 Implementation.
- In Windows 2008 R2 Direct Access with Windows 7 clients also use IPSec encryption for data transfer. Resulting IPSec Encryption inside SSL Encryption tunnel. This brought more overhead & performance issues.
- Windows 2012 implementation brings more enhancement & performance to the protocol by implementing SSL with NULL encryption. Null encryption allows for authentication to take place during the SSL handshake. Once the SSL handshake has completed all messages flow without being encrypted over that socket.
- Windows 7 Direct Access deployment needs Computer Certificate for each IP-HTTPS client. But Windows 8 Direct Access deployment don’t need a Computer Certificate for IP-HTTPS client
- In Windows Server 2012, a new feature solves issues while Direct Access client is behind a proxy server. Specifically, the user can configure IP-HTTPS to work when behind a proxy that is not configured using WPAD (Proxy Discovery) and IP-HTTPS will request and provide the proxy credentials needed to IP-HTTPS request authenticated, and relay it to the DirectAccess server.
- IP-HTTPS can use a valid Public/Private SSL cert generated from CA or Self Signed Certificate.
Intranet IPv6 Transitioning Technologies
- Stands for Intra-site Automatic tunnel Addressing Protocol
- It is an address assignment and dual stack IPv6 transitioning/tunneling/encapsulating technology
- It doesn’t need any manual configuration. It can automatically assign IPv6 address using auto configuration mechanism & tunneling
- Used to provide Unicast IPv6 Connectivity between IPv6/IPv4 hosts across an IPv4 intranet
- ISATAP mostly used to provide auto IPv6 Address to intranet servers
- If we are using ISATAP and want to establish connectivity to another IPv6 subnet we need ISATAP Router
NAT64 & DNS64
- Unlike other intranet & extranet IPv6 transition technologies; NAT64 & DNS64 don’t provide encapsulation or tunneling of IPv6 packets over IPv4 packets
- Windows 2008 R2 Direct Access deployment doesn’t provide these two options out of box. And Direct Access needs these two features to work. Microsoft UAG (Unified Access Gateway) provides these two options & you have to configure little bit. If you don’t have UAG; you need a 3rd party component to deploy them.
- Windows 2012 Direct Access provides these two features out of box & you don’t need to configure anything.
- NAT64 & DNS64 work hand in hand
- NAT64 is a network translation service, which provides IPv6 to IPv4 Address Translation i.e. it translate Direct Access Clients IPv6 traffic to IPv4 to reach internal servers; not other way round i.e. it is Unidirectional. So any intranet server needing access to Direct Access Clients needs to have their own IPv6 Address using static assignment or ISATAP technology.
- DNS64 is a DNS Proxy service provides DNS service for Direct Access Clients.
- DNS64 takes DNS resolution request from IPv6 client and query to corporate dns server & return the address. In case query resulted a IPv4 address, it take help from NAT64 to generate a corresponding IPV6 address and handover to direct access client. See other article to understand how NAT64 & DNS64work hand in hand.