Choosing a solution for IPv4-only intranet resources
Updated: October 21, 2010
Applies To: Unified Access Gateway
This topic describes the options for enabling IPv4-only resources for DirectAccess clients, and describes how DirectAccess clients access IPv4-only intranet resources.
A DirectAccess client sends IPv6 only traffic to the Forefront UAG DirectAccess server. DirectAccess clients use IPv6 records (AAAA) when sending DNS name query requests across the infrastructure tunnel to the IPv6 address of an intranet DNS server. IPv4-only applications on the DirectAccess client cannot send IPv4 traffic across the Forefront UAG DirectAccess intranet tunnel. The same DirectAccess client, when directly connected to the intranet, sends DNS name queries to intranet DNS servers, and requests all records, both IPv4 and IPv6. For an IPv4-only server application, intranet DNS servers send back IPv4 records, and the client application uses IPv4 for communication.
The result is that an IPv6-capable client application on a DirectAccess client can use IPv4 to access an IPv4-only server application while connected to the intranet, but cannot reach the same server application when connected to the Internet, by default.
The following are solutions for providing connectivity for IPv6-capable applications on DirectAccess clients to IPv4-only intranet applications:
Upgrade or update the IPv4-only intranet application to support IPv6. This might include updating the operating system of the server, updating the application running on the server, or both. This is the recommended solution. For built-in applications and system services on computers running Windows XP or Windows Server 2003, you must upgrade Windows XP to Windows Vista or Windows 7, and upgrade Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2.
Use the integrated Network Address Translator64 (NAT64) and DNS64 functionality that is provided on the Forefront UAG DirectAccess server. NAT64 and DNS64 perform IPv6-to-IPv4 DNS name resolution and IPv6/IPv4 traffic translation services, for traffic between DirectAccess clients and IPv4-only intranet application servers. For a more detailed description of how NAT64 and DNS64 work, see How DirectAccess clients access IPv4-only intranet resources.
Use a conventional remote access VPN connection on the DirectAccess client to reach the IPv4-only resource.
How DirectAccess clients access IPv4-only intranet resources
NAT64 and DNS64 provide DirectAccess clients access to IPv4-only aware resources on the intranet as follows:
The DirectAccess client sends a DNS name query request to the Forefront UAG DirectAccess server DNS64 for an address of an application server. Because DirectAccess clients only have IPv6 connectivity to the Forefront UAG DirectAccess server, the DNS name query is an IPv6 AAAA request.
When the DNS64 gets the name query request, it sends two DNS name queries, an IPv4 query (A) and an IPv6 query (AAAA), to the corporate DNS configured on the Forefront UAG DirectAccess server.
The DNS64 gets a response from the corporate DNS and decides which address to return to the DirectAccess client.
The responses can be as follows:
When the DNS64 receives an IPv6 address (AAAA record) response from the corporate DNS, the application server has IPv6 connectivity, and the IPv6 address is returned to the DirectAccess client.
When the DNS64 receives an IPv4 address (A record), the NAT64 acts as a bridge for the traffic. The DNS64 generates an IPv6 address by adding the NAT64 prefix configured in the Configuring IPv6 prefix addresses page of the Forefront UAG DirectAccess Configuration Wizard to the IPv4 address returned for the application server. This generated NAT64 IPv6 address is sent to the DirectAccess client.
The DNS receives both an IPv6 (AAAA record) and an IPv4 (A record) address. When both records are received, the DNS64 returns only the IPv6 address directly to the DirectAccess client in the response. In an instance where the application server is IPv6 aware and an application is IPv4-only aware, this would require the DirectAccess client to connect to the NAT64 IPv6 address for translation. To force the DNS64 to return the NAT64 generated IPv6 address in the IPv6 (AAAA record), you can disable the IPv6 interface on the application server, or delete the application server’s IPv6 record from the corporate DNS so only an IPv4 (A record) is received by the DNS64.
The DirectAccess client now has an IPv6 address for the application server. Traffic is sent directly to the Forefront UAG DirectAccess server and processed by NAT64 because the all IPv6 addresses including the NAT64 prefix are automatically sent to the Forefront UAG DirectAccess server NAT64 for servicing.
When the NAT64 receives the packet, it translates the packet to the IPv4 address associated with the destination NAT64 IPv6 address and transmits the data with an IPv4 header to the application server. The packets are sent with the Forefront UAG DirectAccess server internal IPv4 address as the source address due to the NAT translation.
The application server sends IPv4 response packets to the Forefront UAG DirectAccess server IPv4 address which are processed by NAT64 based on the initial DirectAccess client NAT mapping as described above.