SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition technologies.

Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.

  2. DirectAccess Technical Drilldown Part 1: IPv6 & Transition Technologies
     John Craddock
     Infrastructure & Security Architect
     XTSeminars Ltd
     Session Code: SVR401

  3. DirectAccess – Simple?
     (Diagram: Internet, corporate intranet)
     When a DirectAccess client connects to the Internet it is automatically connected to the corporate intranet
     No user action required
  4. A VPN on Steroids
     (Diagram: Corporate Network)
     Pre log on
     Patch management, health check and GPOs
     Always On
     Network level computer/user authentication and encryption
     Automatically connects through NAT and firewalls
     VPNs connect the user to the network
     DirectAccess extends the network to the remote computer and user

  5. No Gain Without Pain
     Challenge 1
       Uses end-to-end IPv6
       Requires transition technologies for the Internet and intranet
       DirectAccess apps must be IPv6 capable
     Challenge 2
       Secure encrypted communications using IPsec
       End-to-end, end-to-edge
       Network authentication: computer/user
       Requires a PKI to support certificates
  6. Simple? Maybe Not
     (Diagram: Internet, corporate intranet)
     Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
     Internet tunnelling selection based on client location – Internet, NAT, firewall
     Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
     PKI required
     Client location detection: Internet or corporate intranet

  7. Don’t Give Up Now
     Part 1
       IPv6 Intro
       Transition Technologies
       End-to-end connectivity
     Part 2
       IPsec
       Configuring DirectAccess
       Network location and name resolution policies
     It all works – just like that!
  8. Demo Environment
     (Diagram) EX1, DC1 (DC, DNS, CA), NAT1, DA1, APP1, RT1 and several WIN7 clients; IIS for CRL distribution; zones: Home, Internet, Corporate intranet, Branch
     All servers Windows 2008 R2
  9. IPv6
     IPv6 natively supports many of the extensions that have been added to IPv4
       IPsec
       QoS
     IPv6 adds
       An enormous address space (128 bits): 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses
       An efficient routing hierarchy
       Automatic configuration (DHCP may not be required)
       New protocol for interaction with neighbouring nodes

  10. Drawbacks
     Requires a new routing infrastructure to support native IPv6
       IPv6 can be used across IPv4 networks using transition technologies: 6to4, ISATAP and Teredo
     Most IPv6 addresses are not easy (impossible) to memorise!
       Will require the use of host names for all references
     Not all applications will be IPv6 compatible

  11. Layer 2
     (Diagram) Link layer frame: link layer header | IPv6 packet (IPv6 header, payload) | link layer trailer
     Layer 2 remains the same
     No need to replace layer-2 appliances
  12. Address Notation
     2009:0adb:0001:56af:0321:000d:98fe:dbfe
     Leading zeros can be removed:
     2009:adb:1:56af:321:d:98fe:dbfe
     The 128-bit number is split into eight 16-bit blocks
     The value of each 16-bit block is written as four hex digits
     Each block is separated by a colon

  13. Compressing Zeros
     2009:0000:0000:0000:0321:000d:98fe:dbfe
     2009::0321:000d:98fe:dbfe
     2009:0000:0000:0321:0000:0000:dbfe
     2009::0321::dbfe  (invalid)
     Contiguous 16-bit blocks containing zeros can be compressed
     Known as double colon notation
     Only one set of blocks can be compressed
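The notation rules from the two slides above, written out as a small Python checker. This is an added example, not code from the session; the function names expand_ipv6, compress_ipv6 and is_valid_ipv6 are mine. It expands an address to its eight 16-bit blocks, compresses it under the single-"::" rule (longest zero run, leftmost on a tie, a lone zero block left alone, as RFC 5952 specifies), rejects the invalid double-"::" form shown above, and cross-checks its own output against Python's standard ipaddress module:

```python
"""IPv6 text notation: expand, compress and validate (added example)."""
import ipaddress
import string
from typing import List


def expand_ipv6(text: str) -> List[str]:
    """Return the eight 16-bit blocks of an IPv6 address as 4-digit hex strings.

    Raises ValueError for malformed input, including the invalid form with two
    '::' markers: only one run of zero blocks may be compressed.
    """
    if text.count("::") > 1:
        raise ValueError(f"{text!r}: only one run of zero blocks may be compressed")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError(f"{text!r}: '::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError(f"{text!r}: expected eight 16-bit blocks, got {len(blocks)}")
    expanded = []
    for block in blocks:
        if not (1 <= len(block) <= 4 and all(c in string.hexdigits for c in block)):
            raise ValueError(f"{text!r}: block {block!r} must be 1 to 4 hex digits")
        expanded.append(f"{int(block, 16):04x}")
    return expanded


def compress_ipv6(text: str) -> str:
    """Shortest form: leading zeros dropped and the longest run of zero blocks
    folded into '::' (leftmost run on a tie; a lone zero block is not folded,
    which matches RFC 5952 and ipaddress.IPv6Address.compressed)."""
    blocks = [f"{int(b, 16):x}" for b in expand_ipv6(text)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"


def is_valid_ipv6(text: str) -> bool:
    """True if the text is a well-formed IPv6 address under the rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for addr in ("2009:0adb:0001:56af:0321:000d:98fe:dbfe",
                 "2009:0000:0000:0000:0321:000d:98fe:dbfe",
                 "2009::0321:000d:98fe:dbfe", "::1", "fe80::"):
        short = compress_ipv6(addr)
        assert short == ipaddress.IPv6Address(addr).compressed
        print(f"{addr:40} -> {short}")
    print("2009::0321::dbfe valid?", is_valid_ipv6("2009::0321::dbfe"))
```

Note that the slide's second example keeps its leading zeros after folding (2009::0321:000d:98fe:dbfe); that is a legal spelling, but compress_ipv6 always emits the canonical shortest form, which is what you want before comparing addresses from logs or policy against each other.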
  14. IPv6 Prefix
     2009:0adb:0001:56af:0321:000d:98fe:dbfe  (/48 covers the first three blocks, /64 the first four)
     The IPv6 prefix length identifies the number of bits identifying the network
     IPv6 does not support the IPv4-style subnet mask

  15. IPv6 Addressing
     Network Identifier (64 bits) | Host Identifier (64 bits)
     The host component can be derived from the MAC address of the card
       Computers could be tracked by their MAC as they move between LANs
     Windows Server 2008 and Windows 7 use a permanent interface identifier that is randomly generated
       Can be disabled via: netsh interface ipv6 set global randomizeidentifiers=disabled
  16. Link Local Address
     Zone IDs eliminate ambiguity when more than one interface is connected to a network
     (Diagram) Interfaces 4, 6, 9 and 10 with link-local addresses fe80::HostID1%4, fe80::HostID4%6, fe80::HostID2%9, fe80::HostID3%10
     fe80::<host ID>, automatically assigned and only accessible on the local network segment
     All hosts have a link-local address even if they have a global address

  17. Unicast Addresses
     Unique local address (similar to IPv4 private address ranges)
       Prefix FD hex
       Routing between LANs within a site
       Private routing between sites
       Site-local addresses prefixed fec0::/10 were deprecated in RFC 3879
     Global address (Internet registered)
       Public routing

  18. Host Configuration
     Auto configure link-local address
     Stateless: Router Solicitation (multicast); the router returns the IPv6 configuration
     Stateful: DHCPv6; DHCP query if the router does not reply or the router instructs the host to query DHCP
       DHCP can supply the complete configuration or just additional options
     Manual configuration of other addresses possible but unlikely
  19. Routing (simplified)
     (Diagram) Host on network A, interface 15, IP address A:hostID, default gateway A:1
     Router to Network B (interfaces A:1 and B:1) advertises: A::/64 on link; ::/0 next hop A:1
     Router to Network C (interfaces A:2 and C:1) advertises: C::/64 next hop A:2

  20. Transition Technologies
     (Diagram) Dual IP architecture: Layer 7 applications; Layer 4 TCP/UDP; Layer 3 IPv4 and Layer 3 IPv6 side by side; Layer 2 Ethernet etc.
     IPv6 over IPv4 tunnelling:
       Router to router
       Host to router, router to host
       Host to host

  21. Tunnelling
     (Diagram) IPv6 network – IPv4 tunnel – IPv6 network
     The tunnel end may be a single host or an IPv6 network
     IPv6 traffic can be tunnelled in IPv4 as:
       IP (used by 6to4 and ISATAP)
       UDP (used by Teredo)
       HTTPS (used by IPHTTPS)
  22. 6to4 Network
     The 6to4 network is an Internet-based public IPv6 network
     Addresses start with the 2002::/16 prefix
     IPv6 traffic is tunnelled in IPv4 between 6to4 routers and relays

  23. 6to4 Components
     (Diagram) 6to4 host/routers and 6to4 routers tunnel across the IPv4 Internet to each other and to a 6to4 relay; behind the relay, native IPv6 network and addressing; behind the 6to4 routers, native IPv6 hosts on 6to4 subnets

  24. 6to4 Addressing
     Host configured with a public IPv4 address
     6to4 interface automatically enabled and assigned a unique global (public) IPv6 address
     Interface assigned IPv6 address: 2002:wwxx:yyzz:0:0:0:wwxx:yyzz
       wwxx:yyzz is the hexadecimal representation of the host’s IPv4 address
       144.19.200.2 translates to 9013:c802
       Corresponding 6to4 address: 2002:9013:c802:0:0:0:9013:c802
  25. 6to4 Host/Router to 6to4 Host
     (Diagram) Host 2002:9013:c802:0:0:0:9013:c802 (physical IPv4 144.19.200.2) pings 2002:9b0f:1b08:0:0:0:9b0f:1b08
     Routing table: use the 6to4 tunnel to get to 2002::/16, on-link
     IPv4 packet encapsulates IPv6; sent through the 6to4 tunnel

  26. 6to4 Host/Router to Native Host
     (Diagram) Host 2002:9013:c802:0:0:0:9013:c802 (physical IPv4 144.19.200.2) pings fd00:9999:0:1::10
     Routing table: default gateway via the 6to4 tunnel, next hop 6to4 relay
     IPv6 tunnelled in IPv4; sent through the 6to4 tunnel
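The 6to4 address construction from slide 24 and the outer-IPv4 decision from slides 25 and 26, as Python (an added example, not code from the session; the function names sixto4_address, sixto4_site_prefix, sixto4_embedded_ipv4 and sixto4_tunnel_endpoint are mine). The host address 144.19.200.2, the peer 2002:9b0f:1b08::9b0f:1b08, the native destination fd00:9999:0:1::10 and the relay address 144.19.0.10 are the slides' values; the relay is the one named corprelay.example.com on the configuration slide that follows:

```python
"""6to4 address derivation and tunnel endpoint selection (added example)."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def sixto4_address(ipv4: str) -> ipaddress.IPv6Address:
    """2002:wwxx:yyzz::wwxx:yyzz for a host with public IPv4 address w.x.y.z.

    The IPv4 address fills the 32 bits after the 2002::/16 prefix (the site
    prefix becomes a /48), the 16-bit subnet id is 0, and Windows reuses the
    IPv4 address as the low 32 bits of the interface id.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private or v4.is_loopback or v4.is_multicast or v4.is_link_local:
        raise ValueError(f"{ipv4} is not a public IPv4 address; 6to4 needs one")
    v4_int = int(v4)
    return ipaddress.IPv6Address((0x2002 << 112) | (v4_int << 80) | v4_int)


def sixto4_site_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 router can subnet for the hosts behind it."""
    v4_int = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def sixto4_embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint embedded in a 2002::/16 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def sixto4_tunnel_endpoint(dst_ipv6: str, relay_ipv4: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination of the encapsulated packet (slides 25 and 26):
    another 6to4 address is on-link and reached directly at its embedded IPv4
    address; any other IPv6 destination goes to the configured 6to4 relay."""
    if ipaddress.IPv6Address(dst_ipv6) in SIX_TO_FOUR:
        return sixto4_embedded_ipv4(dst_ipv6)
    return ipaddress.IPv4Address(relay_ipv4)


if __name__ == "__main__":
    me = sixto4_address("144.19.200.2")            # the host on the slides
    print(me.exploded, "->", me.compressed)
    print("site prefix:", sixto4_site_prefix("144.19.200.2"))
    # slide 25: peer is another 6to4 host; slide 26: native host, via the relay
    for dst in ("2002:9b0f:1b08:0:0:0:9b0f:1b08", "fd00:9999:0:1::10"):
        print(dst, "-> outer IPv4", sixto4_tunnel_endpoint(dst, "144.19.0.10"))
```

Because the outer IPv4 address is taken straight from the destination's 2002::/16 address, a 6to4 host will send protocol-41 packets to whatever IPv4 address a peer's address encodes; a firewall in front of a 6to4 relay should therefore expect protocol 41 from arbitrary public sources, which is one reason the session later moves to Teredo and IPHTTPS for hosts behind NAT.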
  27. 6to4 Configuration (reference)
     (Commands shown for the 6to4 host/router and the 6to4 relay)
       :: Set name of 6to4 relay (host must be able to resolve the FQDN)
       netsh interface 6to4 set relay corprelay.example.com
       :: Enable 6to4 interface
       netsh interface 6to4 set state enabled
       :: Enable forwarding on 6to4 interface
       netsh interface ipv6 set interface "6to4 Adapter" forwarding=enabled
       :: Set fixed IP for DACorp interface
       netsh interface ipv6 set address dacorp fd00:9999:0:1::200/64
       :: Enable forwarding and advertising on DACorp interface
       netsh interface ipv6 set interface DACorp forwarding=enabled advertise=enabled
       :: Add DNS record for relay
       corprelay.example.com  144.19.0.10
  28. Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
     ISATAP is similar to 6to4 in that it tunnels IPv6 within an IPv4 packet
       Protocol ID 41
     ISATAP is used for tunnelling IPv6 across IPv4 intranets

  29. ISATAP Components
     (Diagram) ISATAP hosts on the IPv4 intranet tunnel to the ISATAP router (A::1), which connects to the native IPv6 intranet and a native IPv6 host
     Advertise to ISATAP hosts:
       A::/64 on ISATAP interface
       ::/0 next hop A::1
  30. ISATAP Host Configuration
     The ISATAP interface address is constructed from a combination of the IPv6 network address and the IPv4 address
       0:5efe for a private IPv4 address
       200:5efe for a public IPv4 address
     The 32-bit IPv4 address is written in dotted decimal notation
     fd00:9999:0:100:0:5efe:10.40.99.120

  31. ISATAP Host Configuration
     The host can either be configured with the address of the ISATAP router or it can resolve it via DNS
     If the host can resolve ISATAP via DNS, it automatically configures its ISATAP tunnel interface
       The network address of the interface is published by the ISATAP router
     The location of the ISATAP router is published in DNS with the keyword ISATAP
       For example: isatap.example.com
     DNS blocks the name isatap via the globalqueryblocklist
       This must be cleared
  32. ISATAP Host to ISATAP Host
     (Diagram) Host fd00:9999:0:100:0:5efe:10.20.100.55 (physical IPv4 10.20.100.55) pings fd00:9999:0:1:0:5efe:10.40.99.120
     Routing table: use the ISATAP tunnel to get to fd00:9999:0:1::/64, on link
     IPv6 tunnelled in IPv4; sent through the ISATAP tunnel

  33. ISATAP Host to Native IPv6 Host
     (Diagram) Host fd00:9999:0:100:0:5efe:10.20.100.55 (physical IPv4 10.20.100.55) pings fd00:9999:0:2::100
     Routing table: ::/0 via the ISATAP tunnel, next hop ISATAP router
     IPv6 tunnelled in IPv4; sent through the ISATAP tunnel
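The ISATAP interface identifier from slide 30 and the on-link versus default-route decision from slides 32 and 33, as Python (an added example, not code from the session; the function names isatap_address, isatap_embedded_ipv4 and isatap_tunnel_endpoint are mine). The prefixes fd00:9999:0:100::/64 and fd00:9999:0:1::/64, the hosts 10.40.99.120 and 10.20.100.55, the destination fd00:9999:0:2::100 and the router 10.40.100.1 are taken from the slides; the public address 144.19.200.2 is reused from the 6to4 slides to show the 200:5efe form:

```python
"""ISATAP address derivation and tunnel endpoint selection (added example)."""
import ipaddress
from typing import Optional

ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)   # high 32 bits of the interface id


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build the ISATAP address of host *ipv4* on the advertised /64 *prefix*.

    Interface id is 0:5efe:w.x.y.z for a private IPv4 address and
    200:5efe:w.x.y.z for a public one (the 'u' bit of the interface id marks
    a globally unique embedded address, RFC 5214).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefixes are /64")
    v4 = ipaddress.IPv4Address(ipv4)
    ug_bits = 0x0000 if v4.is_private else 0x0200
    interface_id = (ug_bits << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def isatap_embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 tunnel endpoint if *ipv6* carries an ISATAP interface id, else None."""
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)
    if (iid >> 32) not in ISATAP_IID_PREFIXES:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def isatap_tunnel_endpoint(dst_ipv6: str, on_link_prefix: str,
                           router_ipv4: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination (slides 32 and 33): a destination on the ISATAP
    /64 is reached directly at its embedded IPv4 address; anything else follows
    the ::/0 route to the ISATAP router."""
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst in ipaddress.IPv6Network(on_link_prefix, strict=False):
        v4 = isatap_embedded_ipv4(dst_ipv6)
        if v4 is None:
            raise ValueError(f"{dst_ipv6} is on the ISATAP link but has no ISATAP interface id")
        return v4
    return ipaddress.IPv4Address(router_ipv4)


if __name__ == "__main__":
    print(isatap_address("fd00:9999:0:100::/64", "10.40.99.120"))   # private: 0:5efe
    print(isatap_address("fd00:9999:0:100::/64", "144.19.200.2"))   # public: 200:5efe
    for dst in ("fd00:9999:0:1:0:5efe:10.40.99.120", "fd00:9999:0:2::100"):
        print(dst, "-> outer IPv4",
              isatap_tunnel_endpoint(dst, "fd00:9999:0:1::/64", "10.40.100.1"))
```

Python's ipaddress module accepts the dotted-decimal spelling of the last 32 bits, so ipaddress.IPv6Address("fd00:9999:0:100:0:5efe:10.40.99.120") compares equal to the a28:6378 form that isatap_address prints; both spellings name the same address.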
  34. ISATAP Configuration (reference)
     ISATAP Host
       No client configuration: the ISATAP interface is automatically configured when the client can resolve the name ISATAP from DNS
     ISATAP Router
       :: Enable IPv4 routing
       netsh interface ipv4 set interface dacorp forwarding=enabled
       netsh interface ipv4 set interface dabranch forwarding=enabled
       :: Configure IPv6 address, advertising and routing on DACorp interface
       netsh interface ipv6 set address dacorp fd00:9999:0:1::1/64
       netsh interface ipv6 set interface dacorp forwarding=enabled advertise=enabled
       netsh interface ipv6 set route fd00:9999:0:1::/64 dacorp publish=yes
       netsh interface isatap set router 10.40.100.1
       netsh interface ipv6 set interface 15 forwarding=enabled advertise=enabled
       netsh interface ipv6 add route fd00:9999:0:100::/64 15 publish=yes
     DNS Server
       Remove ISATAP block: dnscmd /config /globalqueryblocklist wpad
       Publish isatap.example.com
       Alternatively, don’t publish in DNS and configure the host:
       netsh interface isatap set router xxy.example.com

  35. Supporting IPv4 Only Hosts
     For connections between IPv6 hosts and hosts that only support IPv4
       NAT-PT and DNS-ALG are required
       Improved translation with NAT64 and DNS64
     Forefront Unified Access Gateway (UAG)
       Includes support for NAT64 and DNS64
  36. Teredo
     (Diagram) Teredo host (private IPv4 address) behind a NAT device (private IPv4 inside, public IPv4 outside) on the IPv4 Internet; Teredo server & relay
     Teredo provides connectivity when the host is behind one or more NATs
     The NAT will probably not support tunnelling IPv6 within IPv4 (protocol 41)
     Teredo tunnels IPv6 in UDP

  37. Teredo Components
     (Diagram) Teredo hosts behind NAT devices tunnel across the IPv4 Internet to the Teredo server & relay, which connects to the IPv6 intranet and an IPv6 host

  38. IPv4 Outbound Packet Translation
     (Diagram) Teredo host P200 port 2000 -> NAT device translates to I99 port 6000 -> Teredo server & relay I77 on the IPv4 Internet
     Mapping stored: P200 port 2000 <-> I99 port 6000

  39. Inbound Traffic
     (Diagram) Reply from I77 to I99 port 6000; the NAT device translates back to P200 port 2000
     Mapping in table: P200 port 2000 <-> I99 port 6000
  40. The Challenge
     NAT normally allows inbound traffic only as a response to an outbound request
     To allow any host to initiate communication with a Teredo host, the NAT mappings will need to remain valid
     Three different types of NAT:
       Cone: for mapped external IP and ports, allows inbound packets from any source IP address or port
       Restricted: only allows inbound from the IP and port that matched the original outbound destination IP and port
       Symmetric: maps the same internal IP address and port to different external IP addresses and ports depending on the outbound destination address

  41. Initial Negotiation
     The Teredo host connects to the Teredo server
     The server performs tests to determine the type of NAT that the host is behind
       To do this the server needs to be configured with two consecutive IPv4 addresses
     The server provides the address of the host’s Teredo tunnel
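A toy model of the three NAT behaviours defined on slide 40, and of why the server on slide 41 needs two addresses to tell them apart. This is an added example, not code from the session; the class Nat and the functions probe_nat_type and deliver_after_outbound are mine, and the model is deliberately minimal (UDP only, "restricted" in the port-restricted sense the slide gives). The host 192.168.137.26, the NAT public address 144.19.200.1, the server addresses 144.19.0.10 and 144.19.0.11 and UDP port 3544 come from later slides; the host port 2000 and the unrelated source 203.0.113.5 are constructed:

```python
"""Cone, restricted and symmetric NAT behaviour, and a two-address probe
that distinguishes them (added example; addresses are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]           # (IPv4 address, UDP port)


@dataclass
class Nat:
    kind: str                        # "cone", "restricted" or "symmetric"
    public_ip: str
    next_port: int = 2000            # next external port to hand out
    # mapping key -> (external endpoint, destination that created the mapping)
    table: Dict[Tuple, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; returns the external endpoint used."""
        # A symmetric NAT keys the mapping on the destination as well, so the
        # same internal socket gets a different external port per peer.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.table:
            self.table[key] = ((self.public_ip, self.next_port), dst)
            self.next_port += 1
        return self.table[key][0]

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Internal endpoint an inbound packet is delivered to, or None if dropped."""
        for key, (ext, orig_dst) in self.table.items():
            if ext != dst:
                continue
            internal = key[0] if self.kind == "symmetric" else key
            # cone: any source may use the mapping; restricted and symmetric:
            # only the peer the mapping was created for
            if self.kind == "cone" or src == orig_dst:
                return internal
        return None


def deliver_after_outbound(kind: str, public_ip: str, host: Endpoint,
                           server: Endpoint, src: Endpoint) -> Optional[Endpoint]:
    """Host talks to server through a fresh NAT of *kind*; then report where a
    packet from *src* to the mapped external endpoint is delivered."""
    nat = Nat(kind, public_ip)
    ext = nat.outbound(host, server)
    return nat.inbound(src, ext)


def probe_nat_type(nat: Nat, host: Endpoint, server_a: Endpoint, server_b: Endpoint) -> str:
    """The idea behind slide 41: a reply from the server's second address tests
    the mapping created by a request to its first address."""
    ext_a = nat.outbound(host, server_a)
    if nat.inbound(server_b, ext_a) is not None:
        return "cone"                       # any source reaches the mapping
    ext_b = nat.outbound(host, server_b)    # same mapping reused, or a new one?
    return "restricted" if ext_a == ext_b else "symmetric"


if __name__ == "__main__":
    host = ("192.168.137.26", 2000)
    server_a, server_b = ("144.19.0.10", 3544), ("144.19.0.11", 3544)
    for kind in ("cone", "restricted", "symmetric"):
        nat = Nat(kind, "144.19.200.1")
        print(f"{kind:10} detected as {probe_nat_type(nat, host, server_a, server_b)}")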
  42. Teredo Host Address
     2001:0:9013:a:346b:a79:6fe6:37fe
     (Diagram) Teredo host 192.168.137.26 (private IPv4) behind a NAT device with public IPv4 144.19.200.1; Teredo server & relay 144.19.0.10
     144.19.200.1 in hex: 9013:c801, XOR with ffff

  43. Teredo Configuration (reference)
     Teredo Host
       :: Enable client for Teredo
       netsh interface ipv6 set teredo enterpriseclient teredo.example.com
       :: To resolve IPv6 DNS
       HKLM\CCS\Services\DNSCache\Parameters\AddrConfigControl DWORD 0
     Teredo server & relay
       :: Add DNS entry for Teredo server
       teredo.example.com 144.19.0.10
       :: Add second IP address to Teredo server - used for NAT detection
       netsh interface ipv4 add address dainternet 144.19.0.11/16
       :: Enable Teredo server
       netsh interface teredo set state type=server teredo.example.com servervirtualip=144.19.0.10
       :: Enable Teredo tunnelling interface
       netsh interface ipv6 set interface 11 forwarding=enabled
       netsh interface ipv6 set route 2001::/32 11 publish=yes
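The Teredo address layout behind slide 42, assembled and taken apart in Python. This is an added example, not code from the session; the names teredo_address and teredo_decode are mine. A Teredo address is 2001:0000 | server IPv4 | 16 flag bits | mapped UDP port XOR ffff | mapped IPv4 XOR ffff:ffff; the XOR keeps a NAT that rewrites its own address wherever it sees it in a payload from corrupting the embedded values. The server 144.19.0.10 and the NAT's public address 144.19.200.1 are the slide's; the mapped port 62854 is constructed so that it obscures to the a79 seen in the slide's address. Of the flag bits only the cone bit (RFC 4380) is interpreted; the rest are implementation-specific:

```python
"""Teredo address encode/decode (added example; port value constructed)."""
import ipaddress
from typing import Dict

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000   # RFC 4380: set when the client detected a cone NAT


def teredo_address(server_ipv4: str, mapped_ipv4: str, mapped_port: int,
                   cone_nat: bool) -> ipaddress.IPv6Address:
    """Assemble the client's Teredo address as the server reports it back:
    prefix | server IPv4 | flags | obscured port | obscured IPv4."""
    if not 0 <= mapped_port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    flags = CONE_FLAG if cone_nat else 0
    server = int(ipaddress.IPv4Address(server_ipv4))
    obscured_port = mapped_port ^ 0xFFFF
    obscured_ip = int(ipaddress.IPv4Address(mapped_ipv4)) ^ 0xFFFFFFFF
    value = ((0x20010000 << 96) | (server << 64) | (flags << 48)
             | (obscured_port << 32) | obscured_ip)
    return ipaddress.IPv6Address(value)


def teredo_decode(ipv6: str) -> Dict[str, object]:
    """Inverse: recover the server, the cone-NAT hint and the external mapping
    (the IPv4 address and UDP port the NAT presents for this client)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in TEREDO_PREFIX:
        raise ValueError(f"{ipv6} is not a Teredo address")
    v = int(v6)
    return {
        "server": str(ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((v >> 48) & CONE_FLAG),
        "mapped_port": ((v >> 32) & 0xFFFF) ^ 0xFFFF,
        "mapped_ipv4": str(ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


if __name__ == "__main__":
    addr = teredo_address("144.19.0.10", "144.19.200.1", 62854, cone_nat=False)
    print("constructed:", addr)
    print("decoded:    ", teredo_decode(str(addr)))
    print("slide 42:   ", teredo_decode("2001:0:9013:a:346b:a79:6fe6:37fe"))
```

Decoding is the useful direction for a defender: a 2001::/32 address in a firewall or IDS log tells you which Teredo server the client qualified through and what public IPv4 address and UDP port its NAT exposes, which is why DirectAccess deployments normally run their own Teredo server rather than relying on public ones.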
  44. IPHTTPS
     IPHTTPS can be used if a host behind NAT cannot tunnel using Teredo
       Firewall blocking port 3544
     IPHTTPS encapsulates IPv6 in HTTPS
       Most firewalls will pass HTTPS
     Challenges
       Certificates required
       Host must have access to the CRL distribution point

  45. IPHTTPS Components
     (Diagram) IPHTTPS host behind a NAT device on the IPv4 Internet tunnels IPv6 in HTTPS to the IPHTTPS server (certificate) in front of the IPv6 intranet and an IPv6 host; a web server with the CRL; other paths marked X
     Router advertises network prefix to the IPHTTPS host
     URL of CRL distribution point published in certificate
  46. IPHTTPS Configuration (reference)
     IPHTTPS Host
       netsh interface httpstunnel add interface client https://DA1.example.com:443/IPHTTPS enabled
       Client must be able to resolve the URL and have access to the CRL distribution point
     IPHTTPS server
       :: Create IP-HTTPS tunnel interface and bind to DAInternet IP
       netsh interface httpstunnel add interface url="https://DA1.example.com:443/IPHTTPS" type=server state=default
       :: Enable IP-HTTPS interface to forward and advertise
       netsh interface ipv6 set interface iphttpsinterface forwarding=enabled advertise=enabled
       :: Advertise prefix on IP-HTTPS interface
       netsh interface ipv6 add route 2001:feff::/64 iphttpsinterface publish=yes
       :: Bind certificate to listening port
       netsh http add sslcert ipport=144.19.0.10:443 certhash=c4d1c97ee770f033dab9091fa7304a6946db4ca6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

  47. Don’t Like Netsh?
  48. Summary: Internet to Intranet
     (Diagram) Internet side: 6to4 host/router, Teredo host behind a NAT device, IPHTTPS host behind a NAT device; corporate intranet edge: 6to4 relay, Teredo server & relay, IPHTTPS server

  49. Summary: IPv6/IPv4 Intranet
     (Diagram) ISATAP router between native IPv6 and IPv6/IPv4 hosts; NAT-PT or NAT64 between IPv6 and IPv4-only hosts

  50. Don’t Give Up Now
     Part 1
       IPv6 Intro
       Transition Technologies
       End-to-end connectivity
     Part 2
       IPsec
       Configuring DirectAccess
       Network location and name resolution policies
     It all works – just like that!
  51. Resources
     Session recordings are available at TechEd Online
     www.microsoft.com/teched: Sessions On-Demand & Community
     www.microsoft.com/learning: Microsoft Certification & Training Resources
     http://microsoft.com/technet: Resources for IT Professionals
     http://microsoft.com/msdn: Resources for Developers

  52. Related Content
     Breakout Sessions:
       SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
       SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond
       SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off
     Interactive Theater Sessions:
       SVR08-IS End-to-End Remote Connectivity with DirectAccess

  53. My Sessions at TechEd
     Breakout Sessions:
       SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
       SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
       SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
       SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
     Interactive Theater Sessions:
       SVR08-IS End-to-End Remote Connectivity with DirectAccess
  56. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
     The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.