Microsoft introduced DirectAccess technology in Windows Server 2008 R2, which lets client machines connect directly to corporate resources without any VPN software. The DirectAccess configuration is pushed to the client machines through a set of group policies. Once these group policies have been applied to all Windows 7 domain-joined machines, those machines can connect remotely to the corporate network without dialing in to any VPN server.

Although it sounds like a great solution from the description, it is not easy to deploy. The major requirement for DirectAccess is IPv6 connectivity within the internal network: the internal machines need IPv6 addresses before DirectAccess-enabled client machines can connect to them successfully. This can be achieved in two ways:
  1. Native IPv6 connectivity, in which you assign an IPv6 address to the internal servers/machines directly through the TCP/IP properties.
  2. Use ISATAP to assign IPv6 addresses to those client machines and servers that are capable of IPv6.

Note: Windows XP and 2003 are both not capable of communicating on IPv6.

Once you have identified how you want to assign IPv6 addresses to the internal machines, you can bring in a DirectAccess server to provide seamless remote connectivity.
Now the question is: what do you do when the machines sitting inside the internal network are not IPv6 capable?
The answer is Microsoft Unified Access Gateway (UAG) 2010. IPv6 is still required on the DirectAccess client machines connecting from the internet, whether the DirectAccess server is UAG or Windows Server 2008 R2, but with UAG the internal machines can stay on IPv4. How? Let's see.
Microsoft UAG 2010 has built-in NAT64 and DNS64 functionality, which provides the capability to translate between IPv4 and IPv6 addresses.
When a client machine requests a connection to a resource on the internal network, it sends an AAAA (quad-A) DNS query to the internal DNS server through the DirectAccess server (in this case UAG). The UAG server intercepts the request and proxies it to the internal DNS as a host "A" record query. The same process is reversed when the server replies: the UAG server receives the internal IPv4 address of the machine and then hashes the IP address to create an IPv6 address. This IPv6 address is sent to the client machine, which then creates another request using this IPv6 address as the destination.
When the UAG server gets this request, it converts the IPv6 address back into an IPv4 address by reversing the hash process and then forwards the request to the internal server that has that IPv4 address.
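The DNS64/NAT64 address mapping described above, as an added Python example that is not part of the original post or of UAG's own code. The "hash" the post describes is, in standard DNS64/NAT64 (RFC 6052), a reversible embedding of the IPv4 address into the low 32 bits of a /96 prefix, which is what makes the reverse step possible. The well-known 64:ff9b::/96 prefix and the internal DNS records below are constructed assumptions; a UAG deployment uses its own organization-specific /96.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the NAT64 /96 prefix. RFC 6052's well-known prefix
# is used here; UAG uses an organization-specific /96 instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed stand-in for the internal DNS zone: an IPv4-only host carries
# just an A record, an IPv6-capable host may also carry a native AAAA record.
INTERNAL_DNS = {
    "fileserver.corp.example": {"A": "10.0.5.20"},
    "intranet.corp.example": {"A": "10.0.5.80", "AAAA": "2001:db8:1::80"},
}


def synthesize_aaaa(ipv4: str) -> ipaddress.IPv6Address:
    """DNS64 step: embed the IPv4 address in the low 32 bits of the prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def extract_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """NAT64 step: reverse the embedding; reject addresses outside the prefix
    so a native IPv6 destination is never mistaken for a translated one."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{v6} is not a NAT64-synthesized address")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_resolve_aaaa(name: str) -> Optional[str]:
    """Answer an AAAA query the way DNS64 does: pass a native AAAA through,
    otherwise ask the internal DNS for the A record and synthesize from it."""
    records = INTERNAL_DNS.get(name)
    if records is None:
        return None
    if "AAAA" in records:
        return records["AAAA"]
    if "A" in records:
        return str(synthesize_aaaa(records["A"]))
    return None


if __name__ == "__main__":
    for host in INTERNAL_DNS:
        answer = dns64_resolve_aaaa(host)
        print(f"{host} AAAA -> {answer}")
        if ipaddress.IPv6Address(answer) in NAT64_PREFIX:
            print(f"  NAT64 forwards to {extract_ipv4(answer)}")
```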
So, by using the Microsoft UAG server and enabling DirectAccess through that we can provide access to our IPv4 resources.
Cheers !!