Choose an Intranet IPv6 Connectivity Design
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
The combinations of intranet Internet Protocol version 6 (IPv6) connectivity prior to deploying DirectAccess are the following:
There is no existing IPv6 infrastructure
You have an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)-based IPv6 infrastructure
You have an existing native IPv6 infrastructure
In each of these combinations, you will need to ensure that the IPv6 routing infrastructure can forward packets between DirectAccess clients and intranet resources.
No existing IPv6 infrastructure
Having no existing IPv6 infrastructure is currently the most common situation. When the DirectAccess Setup Wizard detects that the DirectAccess server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 48-bit prefix for the intranet, configures the DirectAccess server as an ISATAP router, and registers the name ISATAP with its Domain Name System (DNS) server. This feature of the DirectAccess Setup Wizard facilitates easy deployment of ISATAP-based IPv6 connectivity on your intranet, but ISATAP is not recommended as a long-term, enterprise-wide IPv6 connectivity solution. You should be planning to replace ISATAP-based IPv6 connectivity with native IPv6 over time.
By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008 block the resolution of the name ISATAP with the global query block list. To enable ISATAP, you must remove the name ISATAP from the block list. For more information, see Remove ISATAP from the DNS Global Query Block List in the DirectAccess Deployment Guide.
Windows-based ISATAP hosts that can resolve the name ISATAP perform address autoconfiguration with the DirectAccess server, resulting in the automatic configuration of the following:
An ISATAP-based IPv6 address on an ISATAP tunneling interface.
A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.
A default IPv6 route that points to the DirectAccess server.
The default IPv6 route ensures that intranet ISATAP hosts can reach DirectAccess clients.
Existing ISATAP infrastructure
If you have an existing ISATAP infrastructure, the DirectAccess Setup wizard will prompt you for the 48-bit prefix of the organization and will not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you will need to modify your IPv6 routing infrastructure so that default route traffic is forwarded to the DirectAccess server.
Existing native IPv6 infrastructure
If you have an existing native IPv6 infrastructure, the DirectAccess Setup wizard will prompt you for the 48-bit prefix of the organization and will not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you will need to modify your IPv6 routing so that default route traffic is forwarded to the DirectAccess server.
If your intranet IPv6 address space is using something other than a single 48-bit IPv6 address prefix, you will need to modify the default connection security rules in the Group Policy objects created by the DirectAccess Setup Wizard to include the additional IPv6 address prefixes for your intranet.
If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the DirectAccess server, and then configure the appropriate connections and routes on the DirectAccess server so that the default route traffic is forwarded to the router that is connected to the IPv6 Internet.
For more information, see Connect to the IPv6 Internet in the DirectAccess Deployment Guide.
If you are using IPv6 addresses that are not based on a 6to4 prefix on your intranet, a 6to4-based DirectAccess client computer that uses IP-HTTPS to connect to the DirectAccess server will not be able to reach intranet locations. To correct this condition, add a 6to4 route (2002::/16) to your intranet that points to the DirectAccess server or reconfigure the DirectAccess server to use IPv6 addresses from your intranet prefix on its Internet interface rather than 6to4 addresses and change the client and server tunnel endpoints in your DirectAccess client and server Group Policy objects to the assigned IPv6 address.