The other day I posted some information about the DirectAccess features of Windows 7 and Windows Server 2008 R2. DirectAccess offers some fantastic functionality for mobile workers, making remote access to corporate systems completely seamless.
Once set up, DirectAccess provides simultaneous connectivity to both the Internet and the corporate network: if the client is connected to the Internet, it is connected to the corporate network. This allows mobile workers to reach the corporate resources they need and allows IT groups to better manage and support remote computers, since the machines are reachable whenever they are online. Its requirement for IPv6, however, is a little bit scary.
I’ve never really delved into IPv6 in any detail; it’s always been one of those things that I’ll get around to later. To be honest I don’t know a whole lot more about it now. It’s a huge subject and I hadn’t appreciated just how different it is from IPv4. I don’t want to go into too much detail here as there’s tons of info out there already. There are a few interesting things to consider in the context of DirectAccess though.
Whilst networks like the Internet run quite successfully on IPv4, the 32-bit address space it offers (about 4.3 billion addresses) is actually pretty small. This means that most of the computers accessing the Internet probably don’t have publicly routable addresses; they sit behind a NAT. That is often seen as a security benefit, since nothing on the Internet can initiate a connection to them (although NAT is not a substitute for a firewall), but if you want to reach those machines for genuine reasons (management, patching etc.) the fact that they aren’t globally addressable is a real problem. Oh, and the last estimate I saw predicted that the public IPv4 address range will run out in 2 years!
The solution for these problems is IPv6. It offers a 128-bit address space, which is simply huge: I heard somewhere you could give every grain of sand on earth an IP address or two and not worry about it. IPsec is also part of the IPv6 specification rather than an add-on (the IPv4 IPsec we use today is the same protocol family, applied to v4 afterwards), and the IPv6 header carries a flow label and traffic class to support better prioritisation of traffic. One caveat: IPsec being available in the stack does not mean traffic is protected. Nothing is authenticated or encrypted until a policy is configured, which is exactly what DirectAccess does with its IPsec tunnels.
So IPv6 sounds great… but a full implementation is a huge change for networks designed and built to run IPv4. A lot of network kit (routers, firewalls, load balancers, monitoring) just wouldn’t work in a native IPv6 environment, and kit that does may have firewall rules and monitoring that only look at IPv4. So a full IPv6 implementation is more of a long term goal; fortunately there are a few transition technologies available to help IPv4 and IPv6 co-exist.
From Vista onwards, Windows has shipped with an IP stack that supports IPv6 natively. In fact, Windows now favours IPv6: when a name resolves to both an IPv6 and an IPv4 address, the default prefix policy table (netsh interface ipv6 show prefixpolicies) ranks native IPv6 above IPv4, so Vista/2008/7 nodes will talk IPv6 to each other if they can. To allow IPv6 traffic to pass through existing IPv4 networks, IPv6 packets can be encapsulated within IPv4 packets. Windows brings up these tunnel interfaces automatically when a node has IPv4 connectivity but no native IPv6 (each can also be forced on or off, e.g. netsh interface teredo set state, netsh interface 6to4 set state, netsh interface isatap set state). Note that the same prefix policy table ranks 6to4 above IPv4 but Teredo below it, so a Teredo tunnel is only chosen for destinations that are reachable by IPv6 alone, which is the case for DirectAccess corporate names.
The encapsulation is done using the following technologies:
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) – Provides unicast IPv6 communication between IPv6/IPv4 hosts across an IPv4-only intranet. The host’s IPv4 address is embedded in the IPv6 interface identifier (::0:5efe:w.x.y.z for a private address, ::200:5efe:w.x.y.z for a public one) and hosts find the ISATAP router by resolving the name isatap. Windows Server 2008 DNS refuses to answer for that name by default (it is on the global query block list, alongside wpad), which trips up a lot of deployments until it is removed with dnscmd /config /globalqueryblocklist.
6to4 – Provides unicast communication between IPv6/IPv4 hosts and IPv6-capable sites across the IPv4 Internet. The host (or border router) needs a public IPv4 address, from which its 2002:WWXX:YYZZ::/48 prefix is derived, so 6to4 does not work from behind a NAT.
Teredo – Provides unicast communication between IPv6/IPv4 hosts across the IPv4 Internet even when they have private IPv4 addresses and sit behind a NAT (Network Address Translation) device. IPv6 is carried in UDP (the Teredo server listens on UDP 3544) and the server is needed to discover the NAT mapping; it does not get through every NAT (symmetric NATs are the usual problem) or through firewalls that block outbound UDP.
IP-HTTPS – Tunnels IPv6 inside HTTPS (TCP 443), allowing connectivity even if clients are behind a restrictive proxy or firewall that only lets web traffic out. This is only available in Windows 7 and Server 2008 R2. It is the fallback of last resort: the IPv6 traffic is already IPsec protected, so the SSL layer encrypts it a second time, which costs CPU and throughput on the DirectAccess server compared with 6to4 or Teredo.
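Three of the four technologies above embed IPv4 information in the IPv6 address in a fixed layout, so looking at the addresses a DirectAccess client or intranet host has (ipconfig, netsh interface ipv6 show addresses) tells you which tunnel is in play and which IPv4 address it sits on. The following Python is an added example, not code from the original post or from Microsoft; it builds and decodes those layouts as defined in RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP). The sample addresses are constructed from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, standing in for real public addresses.

```python
"""Decode the IPv4 information embedded in IPv6 transition addresses.

Added example, not code from the original post or from Microsoft. It builds
and decodes the address layouts defined in RFC 3056 (6to4), RFC 4380 (Teredo)
and RFC 5214 (ISATAP), so you can tell from an address alone which tunnel a
DirectAccess client or intranet host is using and which IPv4 address it sits on.
IP-HTTPS addresses embed nothing and are assigned from an ordinary prefix, so
they cannot be recognised this way.
"""
import ipaddress

# RFC 1918 space: a host with one of these addresses is behind a NAT, so it
# cannot form a routable 2002: prefix and must use Teredo or IP-HTTPS instead.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEREDO = ipaddress.IPv6Network("2001::/32")        # RFC 4380 service prefix
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056 prefix
# Upper 32 bits of an ISATAP interface identifier: 0000:5efe (private IPv4)
# or 0200:5efe (the 'u' bit set, for a globally unique IPv4).
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)


def is_rfc1918(ipv4) -> bool:
    return any(ipaddress.IPv4Address(ipv4) in net for net in RFC1918)


def sixto4_prefix(ipv4) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the public IPv4 address in hex."""
    addr = ipaddress.IPv4Address(ipv4)
    if is_rfc1918(addr):
        raise ValueError(f"{addr} is private; 6to4 needs a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))


def isatap_address(prefix, ipv4) -> ipaddress.IPv6Address:
    """Build e.g. fe80::5efe:10.0.0.5: the IPv4 address becomes the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    addr = ipaddress.IPv4Address(ipv4)
    marker = 0x00005EFE if is_rfc1918(addr) else 0x02005EFE
    return ipaddress.IPv6Address(int(net.network_address) | (marker << 32) | int(addr))


def decode_teredo(address) -> dict:
    """Teredo layout: 2001:0 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF.

    The port and client address are obfuscated with XOR so that a NAT in the
    path does not rewrite them when it spots its own external address inside
    the payload.
    """
    addr = ipaddress.IPv6Address(address)
    if addr not in TEREDO:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = int(addr)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "cone": bool((raw >> 48) & 0x8000),   # cone flag: the NAT is not symmetric
    }


def classify(address) -> dict:
    """Name the transition technology an address belongs to and the IPv4 it embeds.

    The interface identifier is checked first: an ISATAP host inside an intranet
    whose IPv6 prefix was itself derived from 6to4 has a 2002: address but is an
    ISATAP host, not a 6to4 one.
    """
    addr = ipaddress.IPv6Address(address)
    raw = int(addr)
    if ((raw >> 32) & 0xFFFFFFFF) in ISATAP_IID_MARKERS:
        return {"kind": "isatap",
                "ipv4": str(ipaddress.IPv4Address(raw & 0xFFFFFFFF)),
                "prefix": str(ipaddress.IPv6Network(((raw >> 64) << 64, 64)))}
    if addr in TEREDO:
        return {"kind": "teredo", **decode_teredo(address)}
    if addr in SIX_TO_FOUR:
        return {"kind": "6to4",
                "ipv4": str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))}
    return {"kind": "native-or-iphttps"}


# Constructed sample addresses (192.0.2.0/24 and 198.51.100.0/24 are the
# documentation ranges; they stand in for real public addresses).
SAMPLES = {
    "2002:c000:201::1": "6to4 host with public IPv4 192.0.2.1",
    "2001:0:c000:20a:8000:63bf:39cc:9bf8": "Teredo client behind a NAT",
    "fe80::5efe:10.0.0.5": "ISATAP link-local address of an intranet host",
    "2002:c000:201:1:0:5efe:10.0.0.5": "ISATAP host in an intranet with a 6to4-derived prefix",
}

if __name__ == "__main__":
    print("6to4 prefix for 192.0.2.1:", sixto4_prefix("192.0.2.1"))
    print("ISATAP address for 10.0.0.5:", isatap_address("fe80::/64", "10.0.0.5"))
    for sample, meaning in SAMPLES.items():
        print(f"{sample:38} {meaning}\n    {classify(sample)}")
```

The ordering in classify matters in a DirectAccess deployment: intranet ISATAP hosts get their prefix from the ISATAP router, and if that prefix is a 6to4 one the address starts with 2002: just like a 6to4 client on the Internet does, so the 5efe marker in the interface identifier is the reliable tell. Decoding a Teredo address also gives you the client’s real public IPv4 address and the NAT’s external port, which is handy when correlating DirectAccess server logs with firewall logs.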
For equipment that isn’t IPv6-capable at all, IPv6-to-IPv4 translation gateways (NAT-PT or NAT64 style devices) can be placed in front of it, so the IPv6 side still sees an IPv6 resource and the translation happens at the gateway.
DirectAccess uses the Internet-facing technologies to get from the remote Windows 7 client to the Windows Server 2008 R2 DirectAccess server: the client uses 6to4 if it has a public IPv4 address, falls back to Teredo if it is behind a NAT, and to IP-HTTPS if UDP is blocked and only HTTPS gets out. Between the DirectAccess server and the resources being accessed, ISATAP is what carries the IPv6 traffic across an IPv4 intranet (or native IPv6 where the intranet already has it).
The solution looks roughly like this: