IPv6 Must be Enabled on the Forefront UAG Server’s External Interface

Because many customers had not used IPv6 before DirectAccess, some of them disable IPv6 as part of their standard server build or image, using the DisabledComponents registry value described in https://support.microsoft.com/kb/929852. We don't recommend this (see 'The Argument Against Disabling IPv6' at https://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx), but we have seen a few DirectAccess early adopters apply it across all of their servers, UAG included. UAG's NAT64 component lets the internal network stay IPv4-only, but DirectAccess clients reach the UAG server over IPv6 (natively or through the transition tunnels that terminate on it), so IPv6 must be enabled on the UAG server's external interface. If it is not, you may see assorted IPsec failures when DirectAccess clients try to send traffic to the UAG server. These failures do not call out the IPv6 dependency explicitly; the event descriptions instead refer to incompatible security associations between the endpoints, which is easy to misread as a policy or certificate problem. To correct them, re-enable IPv6 on the UAG server: restore the DisabledComponents value to its default and make sure the IPv6 protocol is bound to the external adapter, then reboot for the registry change to take effect.
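The following PowerShell script is an added example for checking the two places the paragraph points at (the KB929852 registry value and the external adapter's IPv6 binding); it is not part of the original post or of UAG itself. It assumes the external NIC's connection name is "External" (change the parameter to match your server), that it is run elevated, and it uses only the PowerShell 2.0 and WMI cmdlets available on Windows Server 2008 R2, the platform UAG 2010 runs on.

```powershell
# Added example, not from the original post or the UAG product.
# Checks whether IPv6 is enabled on a UAG server's external adapter and,
# with -Fix, restores the default DisabledComponents value from KB929852.
# Assumption: the external adapter's connection name is "External".
param(
    [string]$ExternalAdapterName = "External",   # assumed name; adjust to match
    [switch]$Fix                                 # reset DisabledComponents to 0
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"

# 1. Registry: KB929852's DisabledComponents value. A missing value or 0 means
#    nothing is disabled; any other value disables some IPv6 component.
$item = Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue
$disabled = 0
if ($item -ne $null) { $disabled = [int]$item.DisabledComponents }
Write-Host ("DisabledComponents = 0x{0:X8}" -f $disabled)

# 2. Adapter binding: an adapter with IPv6 bound always carries at least a
#    link-local fe80:: address, so no IPv6 address at all means the protocol
#    is unbound on that NIC (the "Internet Protocol Version 6" checkbox).
$adapter = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID -eq $ExternalAdapterName }
if ($adapter -eq $null) {
    throw "No adapter with connection name '$ExternalAdapterName' found."
}
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.Index -eq [int]$adapter.DeviceID }
$v6Addrs = @($cfg.IPAddress | Where-Object { $_ -match ":" })
Write-Host ("IPv6 addresses on '{0}': {1}" -f $ExternalAdapterName,
    $(if ($v6Addrs.Count -gt 0) { $v6Addrs -join ", " } else { "<none>" }))

# 3. Verdict and optional fix.
$ok = ($disabled -eq 0) -and ($v6Addrs.Count -gt 0)
if ($ok) {
    Write-Host "IPv6 is enabled on the external interface."
} else {
    Write-Warning "IPv6 is not fully enabled; DirectAccess clients will hit IPsec SA failures."
    if ($disabled -ne 0) {
        if ($Fix) {
            # Restoring the default re-enables all IPv6 components after a reboot.
            Set-ItemProperty -Path $regPath -Name DisabledComponents -Value 0 -Type DWord
            Write-Warning "DisabledComponents reset to 0; reboot the UAG server to apply."
        } else {
            Write-Warning "Re-run with -Fix to reset DisabledComponents, then reboot."
        }
    }
    if ($v6Addrs.Count -eq 0) {
        # Protocol binding is per adapter and is re-enabled in the adapter's
        # properties dialog (tick "Internet Protocol Version 6 (TCP/IPv6)").
        Write-Warning "IPv6 is not bound to '$ExternalAdapterName'; re-enable it in the adapter properties."
    }
}
```

Run it without -Fix first to see which of the two settings is at fault; `netsh interface ipv6 show interfaces` gives a second opinion on which adapters currently have IPv6 bound. The registry reset is the only part the script changes, because the per-adapter binding has no clean command-line equivalent on 2008 R2 and is best fixed in the adapter properties as the script suggests.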

Author:
John Morello