Extending DirectAccess to IPv4 Servers

 
 
By Andrew Garcia  |  Posted 2010-02-10 Email Print this article Print
 
 
 
 
 
 
 


On its own, DirectAccess makes use of IPv6 to route traffic from a remote Windows 7 client over the Internet to the DirectAccess server that bridges the traffic to a protected intranet server. As IPv6 support is incomplete throughout the Internet, DirectAccess employs transition technologies such as 6to4 and Teredo to traverse the IPv4 Internet or NAT (Network Address Translation) networks. But if the intranet server doesn't support IPv6 with a dual-layer IP stack, DirectAccess can't complete the connection.

Forefront UAG 2010 solves this problem by implementing NAT64 and DNS64 at the network edge. When a remote client tries to access an intranet server, UAG sends two DNS (Domain Name System) lookups to the intranet DNS server-one for an IPv4 A record and one for an IPv6 AAAA record. If the DNS server has both records, it will return the AAAA record to UAG and standard DirectAccess communications will be employed. If for some reason an application on the server does not support IPv6 while the server itself does, administrators should disable the IPv6 support on the server or remove that server's AAAA record from DNS to avoid complications.

If only an A record gets returned, UAG assumes the server only uses IPv4 and NAT64 must be employed. NAT64 adds a prefix to the server's IPv4 address and returns the full value (prefix plus IPv4 address) to the requesting client. When the client begins communications with the server, UAG strips off the prefix and creates a new IPv4 packet to send to the server. When the server responds through the same UAG gateway, UAG recrafts the packet for IPv6 with the prefix and sends it to the client.

To test UAG's ability to deliver DirectAccess connectivity to legacy applications and servers, I added a Windows Server 2003-based member server running Exchange 2003 to my test network. Although Windows Server 2003 does support IPv6, it has a dual-stack IP implementation that doesn't work with DirectAccess.

Through UAG, my remote client was able to access Exchange as if the machine were connected directly to the intranet. I was able to connect to Outlook Web Access, and I was also able to connect to Exchange from Outlook without needing to change any settings on the client.

I also tested UAG's DirectAccess functionality with a non-Microsoft Web application, to see whether those worked properly as well. I added an old firewall appliance that doesn't support IPv6 to the intranet and added the appropriate A record to my DNS server. Again, from my remote client, I was able to successfully access the appliance's Web-based management console via UAG DirectAccess.

For my tests, I deployed UAG DirectAccess in an end-to-edge configuration, terminating encryption and authentication at the UAG server at the network edge. For companies looking to deploy encryption end-to-end-all the way from the remote client through to the intranet server-getting UAG DirectAccess to work with non-Microsoft servers will likely be more complicated. However, third-party software maker Centrify in February will introduce DirectSecure, which promises to extend end-to-end DirectAccess connectivity and security to Unix and Linux servers.

Microsoft also claims that UAG allows DirectAccess to work in Windows 2003-based domains, although I did not test this claim.



 
 
 
 
Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel