Direct Access With Microsoft UAG. A smart way to start using IPv6

Published by: Ishmael Kargbo on Jun 29, 2011
Copyright: Attribution Non-commercial







Direct Access with Microsoft UAG: A smart way to start using IPv6
By John Joyner
June 28, 2011, 12:00 PM PDT

Takeaway: John Joyner suggests one way for organizations to start using IPv6: by deploying a solution that allows remote workers to access IPv6-based corporate resources over the public IPv4 Internet.

The widely reported depletion of public Internet IPv4 addresses does not yet impact many businesses beyond Internet service providers (ISPs), so few organizations have deployed IPv6 technology in any fashion. Yet, IPv6 is built into Windows client and server operating systems, and is supported by Active Directory (AD). Most IT Pros recognize that a migration to IPv6 is inevitable, but there has been a lack of a business motivation to begin an IPv6 transition.

Microsoft introduced a remote worker technology based on IPv6 called Direct Access (DA) with Windows Server 2008 R2. This solution allows computers anywhere on the Internet to access IPv6-based corporate resources over the public IPv4 Internet. By itself (that is, running on only the base Windows 2008 R2 operating system) DA has limited application, in that it only works with a subset of your network servers: those running IPv6. There are also some capacity limitations, because native DA does not provide a scale-out feature.

The usefulness of DA is greatly increased by Microsoft's Forefront Unified Access Gateway 2010 (UAG) product. Forefront UAG is a compelling package because it solves the scaling limitations of native DA and adds a NAT64 gateway feature. The NAT64 gateway provides access to IPv4-only resources for Direct Access clients; this opens up your entire private network for access by remote DA clients. With UAG-based DA, you don't have to migrate domain controllers or application servers to Windows Server 2008 R2.

There remains a key limitation: A Forefront UAG Direct Access client must be running Windows 7 Enterprise or Windows 7 Ultimate and be joined to an Active Directory (AD) domain. If your organization can equip remote workers with these high-end Windows 7 versions, and join their computers to your domain, a UAG-based DA remote access solution could be the most popular new technology you add to your organization since virtualization.

IPv6 transition technologies
UAG-based Direct Access bundles the management of several ways to tunnel IPv6 over IPv4 infrastructure. These methods are briefly described below:

6to4 is used when your client has a public IPv4 address. 6to4 packages the data with an extra IP header and uses IPv4 protocol 41.
Teredo is used when your client is behind a NAT device. Teredo packages the data on UDP port 3544.
IP-HTTPS is also used behind a NAT device when Teredo is detected to be unavailable. IP-HTTPS packages the data in an SSL tunnel on port 443.
ISATAP is used to provide IPv6 connectivity to ISATAP hosts across an IPv4 intranet using a NAT64 router (such as UAG).

The settings that enable these transition technologies on the Windows 7 client are pushed by AD group policy as shown in Figure A. When you enable DA on your UAG server, the group policies needed are automatically created in your domain and linked to the appropriate security groups.

Figure A: DirectAccess clients are assigned IPv6 transition technology settings by group policy.

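
As an added example (not part of the original article), the sketch below classifies outer IPv4 packets seen at the network edge by the encapsulations listed above: IPv4 protocol 41 for 6to4, UDP port 3544 for Teredo, and TCP port 443 for IP-HTTPS. The function names, result labels, and sample packets are constructed for illustration, and the sample addresses come from documentation ranges.

```python
import struct
from collections import Counter

PROTO_TCP, PROTO_UDP, PROTO_IPV6_IN_IPV4 = 6, 17, 41
TEREDO_UDP_PORT = 3544    # Teredo, per the article
IPHTTPS_TCP_PORT = 443    # IP-HTTPS rides in an SSL tunnel on this port

def classify_outer_ipv4(packet: bytes) -> str:
    """Name the tunnel type suggested by one outer IPv4 packet (labels are hypothetical)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "6to4"                         # ISATAP on the intranet also uses protocol 41
    if proto not in (PROTO_TCP, PROTO_UDP):
        return "other"
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if frag_offset:
        return "fragment"                     # later fragments carry no port numbers
    if len(packet) < ihl + 4:
        return "malformed"
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    if proto == PROTO_UDP and TEREDO_UDP_PORT in (sport, dport):
        return "teredo"
    if proto == PROTO_TCP and IPHTTPS_TCP_PORT in (sport, dport):
        return "ip-https-candidate"           # port 443 alone cannot separate IP-HTTPS from HTTPS
    return "other"

def ipv4_packet(proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Build a constructed test packet (documentation addresses, checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_offset,
                         64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return header + payload

# Constructed samples, keyed by the label each one should receive.
SAMPLES = {
    "6to4": ipv4_packet(41, b"\x60" + b"\x00" * 39),
    "teredo": ipv4_packet(17, struct.pack("!HHHH", 51000, 3544, 8, 0)),
    "ip-https-candidate": ipv4_packet(6, struct.pack("!HH", 51001, 443) + b"\x00" * 16),
    "fragment": ipv4_packet(17, b"\x00" * 8, frag_offset=185),
}

def summarize(packets) -> Counter:
    """Count packets per tunnel type, e.g. to see which fallback remote clients end up on."""
    return Counter(classify_outer_ipv4(p) for p in packets)
```

A high share of "ip-https-candidate" traffic from remote clients suggests that Teredo is being blocked on their networks, since the article describes IP-HTTPS as the fallback used when Teredo is unavailable.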
Always-connected remote workers
This feature of the DA solution is often the reason organizations were first interested in DA technology at all. Many organizations have been seeking a way to replace dependence on legacy Virtual Private Network (VPN) systems for remote workers. DA represents a valid way to migrate beyond VPN technology for remote workers.

DA achieves a seamless remote work experience that is unrivaled in the computer industry today. DA uses IPv6 transition technologies to provide an always-on, secure connection for remote users. DA leverages conventional Internet Protocol Security (IPsec) policies for authentication and encryption, so there is no additional client software component.

Basically, internal network resources remain available to a DA client computer under all connection scenarios. If the computer has an Internet connection, it will be usable as if it were on the local corporate network at all times. Mapped drive letters stay mapped and available.
