4. Configuring DirectAccess Client Settings for IPv6 Manually
Although DirectAccess clients normally are configured
automatically when you run the DirectAccess Setup wizard on the
DirectAccess server, you can configure client IPv6 settings manually to help resolve
connectivity problems. Use the information in Table 1 to configure
remote clients with the proper IPv6 transition technology: Teredo,
6to4, or IP-HTTPS.
Table 1. Manual IPv6 Configuration for DirectAccess Clients

| PURPOSE | COMMAND | GROUP POLICY SETTING |
|---|---|---|
| Configure the Teredo client as an enterprise client and configure the IPv4 address of the Teredo server (the DirectAccess server). | `netsh interface teredo set state type=enterpriseclient servername=FirstPublicIPv4AddressOfDirectAccessServer` | Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State = Enterprise Client, and Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Server Name = FirstPublicIPv4AddressOfDirectAccessServer |
| Configure the public IPv4 address of the 6to4 relay (the DirectAccess server). | `netsh interface 6to4 set relay name=FirstPublicIPv4AddressOfDirectAccessServer` | Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 Relay Name = FirstPublicIPv4AddressOfDirectAccessServer |
| Enable the IP-HTTPS client and configure the IP-HTTPS Uniform Resource Locator (URL). | `netsh interface httpstunnel add interface client https://FQDNofDirectAccessServer/IPHTTPS` | Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP-HTTPS State set to Enabled, with the IP-HTTPS URL https://SubjectOfIP-HTTPSCertificate:443/IPHTTPS |
5. Configuring IPv6 Internet Features on the DirectAccess Server Manually
For troubleshooting purposes, you can configure your
DirectAccess server manually for Teredo, 6to4, and IP-HTTPS. Use the
features listed in Table 2 to help you
perform these steps.
Table 2. Configuring DirectAccess Internet Features

| FEATURE | PURPOSE | COMMAND |
|---|---|---|
| Teredo server | Configure Teredo with the name or IPv4 address of the Teredo server | `netsh interface ipv6 set teredo server FirstIPv4AddressOfDirectAccessServer` |
| IPv6 interfaces | Configure the IPv6 interfaces for the correct forwarding and advertising behavior | For the 6to4 and Teredo interfaces, run `netsh interface ipv6 set interface InterfaceIndex forwarding=enabled`. If a LAN interface is present with a native IPv6 address, also run `netsh interface ipv6 set interface InterfaceIndex forwarding=enabled` for that interface. For the IP-HTTPS interface, run `netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled advertise=enabled`. |
| 6to4 | Enable 6to4 | `netsh interface 6to4 set state enabled` |
| SSL certificates for IP-HTTPS connections | Configure the certificate binding | Install the Secure Sockets Layer (SSL) certificate using manual enrollment, then use the `netsh http add sslcert` command to configure the certificate binding. |
| IP-HTTPS interface | Configure the IP-HTTPS interface | `netsh interface httpstunnel add interface server https://PublicIPv4AddressOrFQDN:443/iphttps enabled certificates` |
| IP-HTTPS routing | Configure IPv6 routing for the IP-HTTPS interface | `netsh interface ipv6 add route IP-HTTPSPrefix::/64 IPHTTPSInterface publish=yes`, where IP-HTTPSPrefix is one of the values listed below the table. |

IP-HTTPSPrefix in the last row is one of the following:

- 6to4-basedPrefix:2 if you are using a 6to4-based prefix based on the first public IPv4 address assigned to the Internet interface of the DirectAccess server.
- NativePrefix:5555 if you are using a 48-bit native IPv6 prefix. 5555 is the Subnet ID value chosen by the DirectAccess Setup Wizard.
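As an added worked example (not code from the original text), the following Python derives the IP-HTTPSPrefix used in the last row of Table 2 for both cases the table describes (a 6to4-based prefix from the server's first public IPv4 address, or a native /48 with Subnet ID 5555) and builds the corresponding netsh route command. The IPv4 address, native prefix and interface name are constructed sample values, and the public-address check flags the private-address case in which no 6to4 prefix can be formed.

```python
import ipaddress

# Subnet IDs that Table 2 assigns to the IP-HTTPS interface route.
SIXTO4_IPHTTPS_SUBNET = 0x2      # "6to4-basedPrefix:2"
NATIVE_IPHTTPS_SUBNET = 0x5555   # "NativePrefix:5555", chosen by the Setup Wizard


def sixto4_prefix(public_ipv4):
    """Derive the 2002:WWXX:YYZZ::/48 6to4 prefix from a public IPv4 address."""
    addr = ipaddress.IPv4Address(public_ipv4)
    # 6to4 embeds the IPv4 address in the prefix, so it only works from a
    # globally routable address; a private (NATed) address cannot be used.
    if not addr.is_global:
        raise ValueError(f"{addr} is not a public IPv4 address; 6to4 requires one")
    wwxx, yyzz = addr.packed[:2].hex(), addr.packed[2:].hex()
    return ipaddress.IPv6Network(f"2002:{wwxx}:{yyzz}::/48")


def iphttps_prefix(public_ipv4=None, native_prefix=None):
    """Return the /64 prefix to publish on the IP-HTTPS interface."""
    if native_prefix is not None:
        base = ipaddress.IPv6Network(native_prefix)
        if base.prefixlen != 48:
            raise ValueError("the native prefix must be a 48-bit prefix")
        subnet_id = NATIVE_IPHTTPS_SUBNET
    elif public_ipv4 is not None:
        base = sixto4_prefix(public_ipv4)
        subnet_id = SIXTO4_IPHTTPS_SUBNET
    else:
        raise ValueError("give either a public IPv4 address or a native /48")
    # The 16-bit Subnet ID sits directly below the /48, i.e. at bits 64..79
    # of the 128-bit integer form of the address.
    net_int = int(base.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((net_int, 64))


def route_command(prefix, interface="IPHTTPSInterface"):
    """Build the Table 2 route command for the given IP-HTTPS prefix."""
    return f"netsh interface ipv6 add route {prefix} {interface} publish=yes"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(route_command(iphttps_prefix(public_ipv4="131.107.0.2")))
    print(route_command(iphttps_prefix(native_prefix="2001:db8:1234::/48")))
```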
6. Understanding the DirectAccess Connection Process
A DirectAccess connection to a target intranet resource is
initiated when the DirectAccess client connects to the DirectAccess
server through IPv6. IPSec is then negotiated between the client and
server. Finally, the connection is established between the
DirectAccess client and the target resource.
This general process can be broken down into the following
specific steps:
- The DirectAccess client computer running Windows 7 detects that it is connected to a network.
- The DirectAccess client computer attempts to connect to the network location server. If the network location server is available, the DirectAccess client determines that it is already connected to the intranet, and the DirectAccess connection process stops. If the network location server is not available, the DirectAccess client determines that it is connected to the Internet and the DirectAccess connection process continues.
- The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPSec. If a native IPv6 network isn't available, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. The user does not have to be logged in for this step to complete.
- If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses an SSL connection to ensure connectivity.
- As part of establishing the IPSec session, the DirectAccess client and server authenticate each other using computer certificates.
- By validating AD DS group memberships, the DirectAccess server verifies that the computer and user are authorized to connect using DirectAccess.
- If NAP is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA) located on the Internet prior to connecting to the DirectAccess server. The HRA forwards the DirectAccess client's health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the NPS and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client. When the DirectAccess client connects to the DirectAccess server, it submits its health certificate for authentication.
- The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.