Recognizing IPv6 Address Types on Windows Systems in Support of DirectAccess – Part 1: Overview of IPv6 and DirectAccess

If you would like to read the next part in this article series please go to Recognizing IPv6 Address Types on Windows Systems in Support of DirectAccess – Part 2: A Detailed Look at IPv6 Transition Technologies.

Introduction

For the last ten years we have been hearing that we are going to have to learn about IPv6. During that time they have been telling us that “we’re running out of IPv4 addresses” and that “the Internet is coming to an end!” and “your refrigerator needs its own IP address so we must implement IPv6” or other such canards. So what has happened in the last decade? Take a look at your own network – are you using IPv6? Are you planning to start using IPv6 in the coming year? Some of you will answer “yes,” but many will answer “no.”  If you are like most IT professionals, IPv6 is part of the background noise in the IT tech media, and you are probably mildly curious about it, but it is not something that keeps you awake at night.

IPv6 certainly offers some advantages over the still-dominant IPv4. It provides an address space that is orders of magnitude larger. It supports new features such as stateless address auto-configuration that should make IP addressing easier. It is designed to be more secure, with IPsec integrated into the protocol. Why, then, has this wondrous next-generation version of the Internet Protocol not been more widely adopted by now? The most likely reason is that companies have not found a compelling reason to undergo the expense and learning curve required to make the transition.

And IT pros are not eager to take on a whole new way of looking at IP. IPv6 addresses appear “foreign” to those who are not used to them. If you think back to when you learned about IPv4, you probably remember that it was not easy and it took a lot of study to master the dotted quad system. Now you are comfortable with it and it works for you. You are not running out of IP addresses, and you do not feel any kind of lock-in with IPv4. Bottom line: Despite its theoretical benefits, IPv6 really does not seem to offer anything to you on a practical level, other than more complexity and something else you do not have time to learn.

For a long time, I felt the same way. But Windows 7 and Windows Server 2008 R2 changed my mind when it comes to IPv6. Why? Because this powerful client and server combination brings a new technology to the table that promises to change the remote access game, enable teleworkers to be productive from anywhere in the world and make it possible for IT administrators to manage teleworkers’ computers in the same way they manage machines located on the corpnet. This new technology is called DirectAccess. I first wrote about DirectAccess in Death of the VPN back in August 2009. Now, in this three-part series, I will delve deeper into how DirectAccess works and specifically, how it relies on IPv6.

What DirectAccess Does For You

DirectAccess enables domain member computers to be located anywhere on the Internet:

  • DirectAccess clients can be connected to the Internet directly with a public IP address
  • DirectAccess clients can be behind a NAT or NAT firewall with a private IP address
  • DirectAccess clients can even be locked in behind a Web proxy

In all of these scenarios, the DirectAccess client will be able to connect to the corporate network and connect to the domain. The big benefit here is that the DirectAccess client experience is the same as the corpnet client experience. Users will notice no difference at all, regardless of their locations. And most important from the end user viewpoint, the user doesn’t have to initiate the DirectAccess connection; the connection is established when the machine starts, even before the user logs on. At this point IT management applications have access to the DirectAccess client, so that desired configurations, patches, and security software updates can be applied. This eliminates the delta we’re used to seeing between the corpnet and remote access client security states. Now, all domain members, regardless of location, can have the same level of management and security.

DirectAccess is important because an increasing number of business computer users are working from home or connecting to the company network while on the road. Previously this meant that you had to deploy various remote access solutions such as VPN servers, Terminal Services Gateway servers, or application edge servers (for example, OWA on Microsoft Exchange). These solutions work, but are not seamless for users. VPNs require that the user connect to the Internet and then connect to the VPN, and the user experience may suffer, while administration of VPN-connected computers is more difficult because the administrator has to depend on the user to connect to the VPN. Terminal Services requires extra administrative effort, as well. OWA – at least prior to Exchange 2010 – doesn’t provide the same rich user experience as the Outlook client.

DirectAccess solves these problems and allows the DirectAccess clients to access resources on the internal network directly, and to have access to both the intranet and Internet without the administrative problems of split tunneling. And because DirectAccess uses IPsec for authentication and encryption of the traffic, you know the connection will be secure.

With all this in mind, you can easily understand that there is a huge groundswell of interest in DirectAccess in the IT community. Being a little bit of a skeptic, I thought DirectAccess was too good to be true when I first read about it. Surely there would be a hitch, a catch, a hidden “gotcha” that would turn this IT dream into a nightmare – because we all know that if something sounds too good to be true, it probably is.

IPv6 turned out to be that catch. The days of thinking that IPv6 was nothing more than novelty or something that the Chinese are using to build out their communications infrastructure came to an end. IPv6 now was going to be required reading, because DirectAccess is entirely dependent on IPv6.

Why didn’t Microsoft make DirectAccess work with IPv4? The problem is that with IPv4 addressing, you often have systems on two different networks that are using the same private IP addresses. There just aren’t enough available IPv4 addresses for every computer to have a globally unique address. This creates a conflict if we want to communicate between them. With IPv6, however, all computers have unique IPv6 addresses.

The role of IPv6

There is nothing optional about it; the DirectAccess client uses only IPv6 to communicate with the DirectAccess Server, which runs on Windows Server 2008 R2 only. There are tricks that you can use, and will use, to get it to work over an IPv4 network infrastructure, but the bottom line is that you need to be familiar with IPv6 in order to get DirectAccess to work properly.

Now for the good news: this does not mean you are going to have to switch your entire network over to IPv6. You do not even have to have a connection to the IPv6 Internet. I can’t call myself a DirectAccess expert (I will leave that job to my husband, who is working exclusively on DirectAccess for Microsoft these days), but I know enough now to get it working on our office network and I have discovered that while I need to know some things about IPv6, I definitely do not need to be an IPv6 Pro in order to get it to work.

Before you get too excited, though, I am not saying that you do not need to know anything about IPv6 and IPv6 related technologies. As I said earlier, DirectAccess clients are IPv6 clients and they use only IPv6 to communicate with the DirectAccess server. But after they connect to the DirectAccess server, the communications may continue as IPv6 communications, or they might be translated to IPv4 communications using an IPv6/IPv4 gateway (Microsoft Unified Access Gateway is an example of an IPv6/IPv4 protocol transition gateway, using the DNS64/NAT64 technologies).

Taking the tunnel

The problem is that almost all of us are still living in an IPv4 infrastructure. Our DNS servers, DHCP servers, and routers are all IPv4-centric, and most do not support IPv6 at this time. In order to get DirectAccess to work, we need to take advantage of IPv6 transition technologies. IPv6 transition technologies allow you to tunnel IPv6 packets inside of IPv4 packets. Messages are routed based on their outer IPv4 header, and when they reach their destination, the IPv4 header is removed and the IPv6 packet is exposed to the destination applications.

This type of tunneling is not anything new. Think about VPN connections that use familiar protocols such as PPTP, L2TP/IPsec and SSTP. Each of these network layer VPN technologies allows you to tunnel point-to-point connections over the Internet, using the VPN protocol to encapsulate the virtual link layer connection. DirectAccess works in a similar way, except that we are not encapsulating a link layer connection; we are encapsulating an IPv6 network layer connection.
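To make the encapsulation described above concrete, here is an added example that is not part of the original article. It builds a minimal IPv6 packet, wraps it in an IPv4 header carrying protocol number 41 (the IPv6-in-IPv4 encapsulation that 6to4 and ISATAP use; Teredo instead carries IPv6 inside UDP), and then validates and strips the outer header the way a tunnel endpoint would. All addresses and the payload are constructed sample values from the documentation ranges, not real hosts, and the function names are my own.

```python
import ipaddress
import struct

# IP protocol number 41 marks an IPv4 packet whose payload is a complete IPv6 packet.
# This is the encapsulation 6to4 and ISATAP use; Teredo wraps IPv6 in UDP instead.
IPPROTO_IPV6 = 41


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal 40-byte IPv6 header (version 6, hop limit 64) followed by the payload."""
    version_tc_flowlabel = 6 << 28
    header = struct.pack(
        "!IHBB16s16s",
        version_tc_flowlabel, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def encapsulate(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Tunnel entry: prepend an IPv4 header with protocol 41 to the IPv6 packet.

    IPv4 routers forward on the outer source/destination only; the IPv6 packet
    is opaque payload to them.
    """
    total_length = 20 + len(ipv6_packet)
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header, no options)
        0,               # DSCP/ECN
        total_length,
        0,               # identification
        0x4000,          # flags: don't fragment, fragment offset 0
        64,              # TTL
        IPPROTO_IPV6,
        0,               # checksum placeholder, filled in below
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    checksum = ipv4_checksum(fields)
    header = fields[:10] + struct.pack("!H", checksum) + fields[12:]
    return header + ipv6_packet


def decapsulate(frame: bytes) -> tuple:
    """Tunnel exit: validate the outer IPv4 header, return (outer_src, outer_dst, inner IPv6 packet)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_length = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("IPv4 protocol %d is not IPv6-in-IPv4" % frame[9])
    inner = frame[ihl:total_length]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    outer_src = str(ipaddress.IPv4Address(frame[12:16]))
    outer_dst = str(ipaddress.IPv4Address(frame[16:20]))
    return outer_src, outer_dst, inner


def parse_ipv6_header(packet: bytes) -> dict:
    """Pull the fields the destination stack hands to applications out of the exposed IPv6 packet."""
    _, payload_length, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    return {
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "payload": packet[40:40 + payload_length],
    }


def is_ipv6_in_ipv4(frame: bytes) -> bool:
    """True if the frame is a well-formed protocol-41 tunnel packet; a simple classification check."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, not real hosts.
    inner = build_ipv6_packet("2001:db8::1", "2001:db8::2", 59, b"hello")  # 59 = no next header
    tunneled = encapsulate("192.0.2.1", "198.51.100.1", inner)
    outer_src, outer_dst, exposed = decapsulate(tunneled)
    print("forwarded by IPv4 routers on:", outer_src, "->", outer_dst)
    print("IPv6 packet exposed at the tunnel exit:", parse_ipv6_header(exposed))
```

The point to take away from the two header layers is that any device on the IPv4 path that looks only at the outer header sees a protocol 41 packet and an opaque payload. A firewall or intrusion detection sensor on an IPv4-only network therefore has to either parse the inner IPv6 packet or make a deliberate decision about protocol 41 (and about the UDP traffic Teredo uses) to apply policy to DirectAccess traffic; otherwise the IPv6 conversation passes through without inspection.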

There are several IPv6 transition technologies that you’ll work with when deploying DirectAccess. These include:

  • ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
  • Teredo
  • 6to4
  • IP-HTTPS

In part two of this series, we will take a look at each of these technologies in detail.

Summary

In this first of a three-part series, we have discussed the high points of DirectAccess, IPv6, and why the former is dependent on the latter. This overview forms the foundation for Part 2, where we will take a deeper dive into the details of the four IPv6 transition technologies, how each works and in what circumstances each is appropriate. Then in Part 3, we will discuss the different types of IPv6 addresses, how they are created, and how you can recognize each type. By the time we complete this series, I hope you will see that IPv6 is not really as scary, boring, or as much work as you might have thought. – Deb S.
