Choose an Internet Traffic Separation Design
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
With Internet Protocol version 6 (IPv6) and the Name Resolution Policy Table (NRPT), DirectAccess clients by default separate their intranet and Internet traffic in the following way:
Domain Name System (DNS) name queries for intranet fully qualified domain names (FQDNs) and all intranet traffic is exchanged over the tunnels created with the DirectAccess server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
DNS name queries for FQDNs that correspond to exemption rules or do not match the intranet namespace and all traffic to Internet servers is exchanged over the physical interface that is connected to the Internet. Internet traffic from DirectAccess clients is typically Internet Protocol version 4 (IPv4) traffic.
This is the default and recommended operation of DirectAccess.
In contrast, some remote access virtual private network (VPN) implementations, including the VPN client in Windows 7, by default send all of their traffic—both intranet and Internet—over the remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet IPv4 Web proxy servers for access to IPv4 Internet resources. It is possible to separate the intranet and Internet traffic for remote access VPN clients using split tunneling, in which you configure the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations is sent over the VPN connection and traffic to all other locations is sent using the physical interface connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients that detect that they are on the Internet modify their IPv4 default route so that default route IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Enabling force tunneling has the following consequences:
DirectAccess clients use only Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) to obtain IPv6 connectivity to the DirectAccess server over the IPv4 Internet. IP-HTTPS-based connections have lower performance and higher overhead on the DirectAccess server than 6to4 and Teredo-based connections.
The only locations that a DirectAccess client can reach by default with IPv4 traffic are those on its local subnet. All other traffic sent by the applications and services running on the DirectAccess client is IPv6 traffic sent over the DirectAccess connection. Therefore, IPv4-only applications on the DirectAccess client cannot be used to reach Internet resources, except those on the local subnet.
Connectivity to the IPv4 Internet must be done through servers and devices on the intranet that translate the IPv6 traffic from DirectAccess clients to IPv4 traffic for the IPv4 Internet. If you do not have the appropriate servers or translators, your DirectAccess clients will not have access to IPv4 Internet resources, even though they are directly connected to the IPv4 Internet.
To configure force tunneling, you must do the following:
Configure IPv4 Internet access for your DirectAccess clients
Enable force tunneling on DirectAccess clients
Add a special entry in the NRPT on DirectAccess clients
Configure your DirectAccess clients to always use the IP-HTTPS transition technology
Configure your Internet firewall filters to allow only inbound and outbound Secure Sockets Layer (SSL) traffic to and from the DirectAccess server
The following sections describe these elements of configuration in more detail. For more information about configuring the settings for DirectAccess clients, see Configure Force Tunneling for DirectAccess Clients in the DirectAccess Deployment Guide.
Due to the infrastructure requirements and reduced performance for accessing IPv4 Internet resources, Microsoft does not recommend the use of force tunneling for DirectAccess.
Force tunneling relies on modifying the IPv4 default route in the IPv4 routing table to prevent the DirectAccess client computer from sending traffic directly to IPv4 Internet locations. A user with administrative rights can modify their IPv4 default route to point to their Internet service provider’s router on the subnet.
Configure IPv4 Internet access
To make IPv4-based Internet resources available to DirectAccess clients that use force tunneling, you can do one of the following:
Use a dual protocol (IPv4 and IPv6) proxy server, which can receive IPv6-based requests for Internet resources and translate them to requests for IPv4-based Internet resources.
Place an IPv6/IPv4 translator (NAT64) and IPv6/IPv4 DNS gateway (DNS64) in front of your IPv4-based proxy server. The NAT64/DNS64 will translate IPv6-based proxy requests to IPv4-based requests before they are serviced by your IPv4-based proxy server.
Enable force tunneling
You enable force tunneling on DirectAccess clients with the Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Route all traffic through the internal network setting in the Group Policy object for DirectAccess clients.
Modify the NRPT
To route DNS name resolution and connection traffic to these servers or devices for translation and forwarding to the IPv4 Internet, you must add a rule to the NRPT for DirectAccess clients that specifies any DNS suffix and the IPv6 address of the DNS64.
If you are configuring the NRPT through the DirectAccess Setup Wizard, add a rule for the following:
Name suffix is set to “.”
DNS server IPv4 or IPv6 addresses are set to the static IPv4 or IPv6 addresses of the dual-protocol proxy server or DNS64
If you are configuring the NRPT through the Computer Configuration\Policies\Windows Settings\Name Resolution Policy Group Policy setting, create a rule with the following:
The Any suffix
Enabled for DirectAccess
For DNS servers, add the static IPv6 addresses of the dual-protocol proxy server or IPv6/IPv4 DNS gateway
With this NRPT rule, a DirectAccess client sends DNS name queries that do not match any of the other rules in the NRPT to the IPv6 address of the dual-protocol proxy server or DNS64.
Configure the use of IP-HTTPS
To configure DirectAccess clients so that they always use IP-HTTPS, do the following for the Group Policy object for DirectAccess clients:
Disable the 6to4 transition technology with the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 State Group Policy setting.
Disable the Teredo transition technology with the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State Group Policy setting.
Enable the IP-HTTPS transition technology with the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP-HTTPS State Group Policy setting.
Modify Internet firewall settings
If you followed the directions in Packet Filters for Your Internet Firewall, you configured your Internet firewall to allow the following traffic for the DirectAccess server:
Protocol 41 inbound and outbound for 6to4 traffic
User Datagram Protocol (UDP) destination port 3544 inbound and UDP source port 3544 outbound for Teredo traffic
Transmission Control Protocol (TCP) destination port 443 inbound and TCP source port 443 outbound for IP-HTTPS traffic
Because a force tunneling deployment only uses IP-HTTPS traffic, you should remove the following packet filters for the DirectAccess server on your Internet router:
Protocol 41 inbound and outbound
UDP destination port 3544 inbound and UDP source port 3544 outbound
If your DirectAccess server is directly attached to the Internet, use the following commands at an administrator-level Command Prompt:
netsh advfirewall firewall set rule dir=in name=”Core Networking – Teredo (UDP-In)” enable=no
This command blocks inbound Teredo traffic.
netsh advfirewall firewall add rule name=”Protocol 41 (6to4)” dir=in action=block profile=public,private protocol=41
This command blocks 6to4 traffic on the Internet interface.