Configure Settings to Confine ICMPv6 Traffic to the Intranet
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).
As described in Confining ICMPv6 Traffic to the Intranet, the default settings created by the DirectAccess Setup Wizard allow the following:
Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of Service Protection (DoSP) feature of the DirectAccess server.
A malicious user on the same subnet as a Teredo-based DirectAccess client can determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply message exchanges.
This procedure allows you to prevent these possible security issues.
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To confine ICMPv6 traffic to the intranet
On a domain controller, start a command prompt as an administrator.
From the Command Prompt window, run the netsh -c advfirewall command.
From the netsh advfirewall prompt, run the following commands:
set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
consec show rule name="DirectAccess Policy-ClientToDnsDc"
consec show rule name="DirectAccess Policy-ClientToCorp"
From the display of the last two commands, copy or write down the IPv6 addresses for the RemoteTunnelEndpoint.
From the netsh advfirewall prompt, run the following commands:
set global ipsec defaultexemptions neighbordiscovery,dhcp
consec add rule name="Exempt ICMPv6 to Tunnel endpoint" profile=private,public action=noauthentication mode=tunnel endpoint1=any endpoint2=IPv6AddressesOfTheRemoteTunnelEndpoints protocol=icmpv6
set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
set global ipsec defaultexemptions neighbordiscovery,dhcp
consec add rule name="Exempt ICMPv6 from Tunnel endpoint" profile=private,public action=noauthentication mode=tunnel endpoint1=IPv6AddressesOfTheRemoteTunnelEndpoints endpoint2=any protocol=icmpv6
Click Start, type gpmc.msc, and then press ENTER.
In the console tree, open Forest/Domains/YourDomain, right-click the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12} GPO, and then click Edit.
In the console tree of the Group Policy Management Editor, open Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security.
Right-click Windows Firewall with Advanced Security, and then click Properties.
Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec, click No, and then click OK.
Close the Group Policy Management Editor.
In the console tree of the Group Policy Management console, open Forest/Domains/YourDomain, right-click the DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} GPO, and then click Edit.
In the console tree of the Group Policy Management Editor, open Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security.
Right-click Windows Firewall with Advanced Security, and then click Properties.
Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec, click No, and then click OK.
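The following PowerShell script is an added example and is not part of the original procedure or of any Microsoft tool. It automates the netsh portion of the steps above (reading the RemoteTunnelEndpoint addresses out of the two DirectAccess connection security rules, then adding the default exemptions and the two ICMPv6 exemption rules with those addresses filled in), so that the addresses never have to be copied by hand; the Group Policy Management Editor steps are still done as described. It assumes that netsh -f runs the listed commands in one advfirewall session (so that set store applies to the commands after it), that the netsh output uses the English field name "RemoteTunnelEndpoint:", that the GPO names and GUIDs are the ones shown in the procedure, and that the caller supplies the domain name in place of DomainName.

```powershell
<#
 Added example (not from the original page). Runs on a domain controller as an
 administrator, like the manual procedure. Without -Apply it only prints the
 netsh script it would run; with -Apply it runs it and reads both GPOs back.
 Assumptions: netsh -f keeps one advfirewall context for all lines of the
 script file; the rule output contains a "RemoteTunnelEndpoint:" line (English
 locale); GPO names and GUIDs are as shown in the procedure.
#>
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # replaces DomainName in the procedure
    [switch]$Apply                                        # omit for a dry run
)

$clientGpo   = "$DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
$serverGpo   = "$DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
$sourceRules = 'DirectAccess Policy-ClientToDnsDc', 'DirectAccess Policy-ClientToCorp'

# Run several netsh lines in one session via a temporary script file. A separate
# "netsh ..." call per command would lose the 'set store' context between calls.
function Invoke-NetshScript([string[]]$Lines) {
    $file = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value $Lines -Encoding ASCII
        netsh -f $file
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

# Step 1: collect the RemoteTunnelEndpoint IPv6 addresses from the existing rules.
$show = @('advfirewall', "set store gpo=`"$clientGpo`"") +
        ($sourceRules | ForEach-Object { "consec show rule name=`"$_`"" })

$endpoints = Invoke-NetshScript $show | ForEach-Object {
    # Field name assumed from the procedure text; values may be comma-separated.
    if ($_ -match '^\s*RemoteTunnelEndpoint:\s*(.+?)\s*$') {
        $Matches[1] -split '\s*,\s*'
    }
} | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique

if (-not $endpoints) {
    throw "No RemoteTunnelEndpoint addresses found in '$clientGpo'; check the GPO name and that this runs elevated on a domain controller."
}
$endpointList = $endpoints -join ','
Write-Output "Remote tunnel endpoints: $endpointList"

# Step 2: the exemption commands from the procedure, with the addresses filled in.
$exemptions = @(
    'advfirewall',
    "set store gpo=`"$clientGpo`"",
    'set global ipsec defaultexemptions neighbordiscovery,dhcp',
    "consec add rule name=`"Exempt ICMPv6 to Tunnel endpoint`" profile=private,public action=noauthentication mode=tunnel endpoint1=any endpoint2=$endpointList protocol=icmpv6",
    "set store gpo=`"$serverGpo`"",
    'set global ipsec defaultexemptions neighbordiscovery,dhcp',
    "consec add rule name=`"Exempt ICMPv6 from Tunnel endpoint`" profile=private,public action=noauthentication mode=tunnel endpoint1=$endpointList endpoint2=any protocol=icmpv6"
)

if ($Apply) {
    Invoke-NetshScript $exemptions

    # Step 3: read both GPOs back so the exemptions and new rules can be checked
    # before continuing with the Group Policy Management Editor steps.
    Invoke-NetshScript @('advfirewall', "set store gpo=`"$clientGpo`"",
                         'show global', 'consec show rule name="Exempt ICMPv6 to Tunnel endpoint"')
    Invoke-NetshScript @('advfirewall', "set store gpo=`"$serverGpo`"",
                         'show global', 'consec show rule name="Exempt ICMPv6 from Tunnel endpoint"')
} else {
    Write-Output ''
    Write-Output 'Dry run; the following netsh script would be applied:'
    $exemptions | ForEach-Object { Write-Output "  $_" }
}
```

Run it first without -Apply (for example `.\Confine-ICMPv6.ps1 -DomainName corp`) and compare the printed commands with the procedure before running it again with -Apply; the read-back in step 3 shows the DefaultExemptions value and the two new rules in each GPO, which is the state the remaining Group Policy Management Editor steps build on.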