Choose Solutions for IPv4-only Intranet Resources
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
A DirectAccess client sends only Internet Protocol version 6 (IPv6) traffic to the DirectAccess server. When DirectAccess clients send Domain Name System (DNS) name query requests across the infrastructure tunnel to the IPv6 address of an intranet DNS server, they request only IPv6 records (AAAA DNS records). Internet Protocol version 4 (IPv4)-only applications on the DirectAccess client will never send IPv4 traffic across the DirectAccess intranet tunnel. The same DirectAccess client, when directly connected to the intranet, sends DNS name queries to intranet DNS servers and requests all records, both IPv4 and IPv6. For an IPv4-only server application, intranet DNS servers send back IPv4 records and the client application uses IPv4 to communicate.
The end result is that an IPv6-capable client application on a DirectAccess client can use IPv4 to access an IPv4-only server application while connected to the intranet, but cannot by default reach the same server application when connected to the Internet.
The solutions for providing connectivity for IPv6-capable applications on DirectAccess clients to IPv4-only intranet applications are the following:
Upgrade or update the IPv4-only intranet application to support IPv6. This update might include updating the operating system of the server, updating the application running on the server, or both. This is the recommended solution. For built-in applications and system services on computers running Windows XP or Windows Server 2003, you must upgrade Windows XP to Windows 7 or Windows Vista and upgrade Windows Server 2003 to Windows Server 2008 R2 or Windows Server 2008.
Use a conventional remote access virtual private network (VPN) connection on the DirectAccess client to reach the IPv4-only application.
Use an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway, which perform IPv6/IPv4 traffic translation and IPv6-to-IPv4 DNS name resolution services for traffic between DirectAccess clients and IPv4-only intranet application servers. A combination of IPv6/IPv4 translator with IPv6/IPv4 DNS gateway is a NAT64 with DNS64.
The types of DirectAccess connectivity that are possible for IPv6-capable and IPv4-only client and server applications are summarized in the following:
IPv6-capable client application on the DirectAccess client with an IPv6-capable server application on the intranet
End-to-end connectivity for DirectAccess clients.
IPv6-capable client application on the DirectAccess client with an IPv4-only server application on the intranet
Translated connectivity for DirectAccess clients only with an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway.
IPv4-only client application on the DirectAccess client with either an IPv6-capable or IPv4-only server application on the intranet
No connectivity for DirectAccess clients.
When you deploy an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway, you typically configure it to provide coverage for specific portions of your intranet DNS namespace. Once deployed, the IPv6/IPv4 translator and IPv6/IPv4 DNS gateway will make the necessary DNS resolutions and IPv6/IPv4 traffic translations, allowing IPv6-capable applications on DirectAccess clients to access IPv4-only resources located within that portion of the DNS namespace.
The following figure shows an example of using a separate NAT64 and DNS64 device to provide IPv6/IPv4 traffic translation and access to IPv4-only application servers on an intranet.
If you are using an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway in your DirectAccess deployment, you must identify the portions of your intranet namespace that contain IPv4-only application servers and add them to the Name Resolution Policy Table (NRPT) of your DirectAccess clients with the IPv6 addresses of your IPv6/IPv4 DNS gateway. For more information, see Configure the NRPT for an IPv6/IPv4 DNS Gateway in the DirectAccess Deployment Guide.
Because Windows Server 2008 R2 does not provide IPv6/IPv4 translator or IPv6/IPv4 DNS gateway functionality, the configuration of these devices is beyond the scope of this design guide. Microsoft Forefront Unified Access Gateway (UAG) includes NAT64 and DNS64 functionality and can be used in conjunction with a DirectAccess deployment. For more information, see UAG and DirectAccess (http://go.microsoft.com/fwlink/?LinkId=159955). IPv6/IPv4 translator and IPv6/IPv4 DNS gateway devices are also available from Layer 2 and Layer 3 switch and router vendors.