Support of Microsoft DirectAccess and IPv6 (in Windows 7)

Article:TECH134869  |  Created: 2010-01-13  |  Updated: 2012-02-17  |  Article URL http://www.symantec.com/docs/TECH134869
Article Type
Technical Solution

Issue



The client cannot be managed through Microsoft DirectAccess with the Symantec Endpoint Protection (SEP) firewall installed and enabled.


Cause



DirectAccess requires the Windows Firewall to be started.

IPv6 must be enabled before DirectAccess will function.
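
A quick way to confirm both conditions on a client, as an added example that is not part of the original Symantec article. It assumes PowerShell 2.0 or later on Windows 7; the function names are hypothetical, and the service name, registry value and WMI class are standard Windows ones, not SEP settings.

```powershell
# Added example: checks the two DirectAccess prerequisites named in this article.
# Run from a PowerShell prompt on the Windows 7 client.

function Test-WindowsFirewallService {
    # MpsSvc is the service name of Windows Firewall.
    $svc = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Test-IPv6Enabled {
    # DisabledComponents = 0xFF turns IPv6 off on all non-loopback interfaces.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $prop = Get-ItemProperty -Path $key -Name 'DisabledComponents' -ErrorAction SilentlyContinue
    if ($prop -ne $null -and (($prop.DisabledComponents -band 0xFF) -eq 0xFF)) {
        return $false
    }

    # At least one IP-enabled adapter must hold an IPv6 address (contains ':').
    # If the IPv6 binding is removed from every adapter, none will be listed.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        foreach ($ip in $a.IPAddress) {
            if ($ip -like '*:*') { return $true }
        }
    }
    return $false
}

$fw = Test-WindowsFirewallService
$v6 = Test-IPv6Enabled

"Windows Firewall service running : $fw"
"IPv6 enabled on an adapter       : $v6"

if ($fw -and $v6) {
    'Both DirectAccess prerequisites are met.'
} else {
    'DirectAccess prerequisites are NOT met.'
    exit 1
}
```

This only covers the Windows-side conditions; the SEP firewall rule change for IPv6 traffic still has to be made in the SEP policy.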

 


Solution



Microsoft DirectAccess:
To allow Microsoft DirectAccess to work, you will need to:

  1. Enable the Windows Firewall (for Windows 7, it should already show as enabled and managed by SEP).
  2. Change the SEP firewall rules for IPv6 traffic from "Block" to "Allow".
    • Please note the IPv6 support information below.
       

IPv6 support:
IPv6 traffic must be allowed through the SEP firewall so that DirectAccess will function. At this time the SEP firewall can only block or allow IPv6 traffic; it cannot inspect it (see quotes below). Full support for IPv6 traffic is expected in a future release; limited support is available in SEP 12.1 (see Related Articles below).

  • Installation_Guide_SEP11.0.6.pdf:
    P. 53: "The Symantec firewall supports IPv4 only."
     
  • Administration_Guide_SEP11.0.6.pdf:
    P. 503: "The firewall blocks attacks that travel through IPv4, but not through IPv6. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6."

    *Until 11.0 RU6, no IPv6 firewall rules for hosts can be set in Firewall Policies. Only IPv4 IPs can be set in firewall rules for hosts.*

Reference:

Windows 7 features (including DirectAccess) explained: http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx

 

Note: In SEP 12.1 RU1, you will need to add a firewall rule to allow Ethernet traffic for protocols 0xfb33, 0xfb34, 0x806 and 0x0. All four exceptions are needed to get MS DirectAccess to work.


Supplemental Materials

Source: ETrack
Value: 1674045


Legacy ID



2010071315253648

