Endpoint Protection

  • 1.  Microsoft DirectAccess and SEP firewall problem

    Posted Nov 08, 2011 05:58 AM

    IP-HTTPS is working correctly, but 6to4 has a problem.
    The packet filter blocks the ESP packets (Encapsulating Security Payload) of the 6to4 IPsec connections.

    This shows how we tested DirectAccess on different client machines:

    Connection type: 6to4
    Connection IP-address: 2002:50dc:2a62::50dc:2a62

    The DirectAccess connection started to work only after I added the last hexadecimal group (2a62) to the Network Service “DirectAccess” (Ethernet, Protocol=0x2a62, Outgoing).

    We found the packet in the SEP packet log.


    This rule of DirectAccess looks like this:

    IP [41,50,51,58]
    UDP [Remote=500,3544]
    Ethernet [Protocol=0x86dd]
    Ethernet [Protocol=0x2a62; Outgoing]
    Ethernet [Protocol=0x70a5]
    Ethernet [Protocol=0x70a6]
    Ethernet [Protocol=0x5ef5]
    Ethernet [Protocol=0xc067]
    Ethernet [Protocol=0x7087]
    Ethernet [Protocol=0x7088]

    Network Monitor shows that the particular ESP packet is inside an IPv6 packet (which is the 6to4 packet), and that packet is an IPv6 packet inside normal IPv4.

    If we use SEP RU6MP3, then the DirectAccess connection works perfectly and we don’t even need to make any separate network service rule for that. Only allow IPv6 traffic. That’s it.

    We have also heard from a Symantec principal regional product manager that Symantec has made some changes to the SEP RU7 firewall, so that might be the reason for this.


    Conclusion:

    The SEP packet filter cannot deal with the ESP packet, because it only understands the last part of the IPv6 address as an Ethernet frame type.

    This problem occurs in these SEP versions: 11.0.7000, 11.0.7101 and 12.1.671.

    We have tried to get answers from Symantec support, but we have not received enough technical help to fix this.

    We have about 7000 clients and we are missing the solution.

    New ideas are needed to solve this problem.



  • 2.  RE: Microsoft DirectAccess and SEP firewall problem

    Posted Nov 08, 2011 03:00 PM

    Support of Microsoft DirectAccess and IPv6 (in Windows 7)

    How to configure Symantec Endpoint Protection 12.1 for use with Microsoft's DirectAccess

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55829

    http://technet.microsoft.com/en-us/network/dd420463



  • 3.  RE: Microsoft DirectAccess and SEP firewall problem

    Posted Nov 09, 2011 06:22 AM


    Unfortunately, those links which you sent didn’t solve this problem.

    All the ports and protocols listed in this article http://social.technet.microsoft.com/wiki/contents/articles/directaccess-and-firewalls-and-nat.aspx are open, but the SEP firewall still does not handle it the way it should.

    What is the reason why now (SEP RU7) we have to add those Ethernet protocols to get DirectAccess to work?

    For example, if we use SEP release RU6 MP3, we don’t have to add any Ethernet protocols to get it to work.



  • 4.  RE: Microsoft DirectAccess and SEP firewall problem

    Posted Nov 09, 2011 12:17 PM

    About firewalls and communication ports

    About working with Firewall Policies


  • 5.  RE: Microsoft DirectAccess and SEP firewall problem

    Posted Nov 11, 2011 07:01 AM

    Those links don't answer our problem.

    As I wrote before:

    IP-HTTPS and Teredo are working correctly, but 6to4 (IP protocol 41) has a problem.
    The packet filter blocks the ESP packets (Encapsulating Security Payload) of the 6to4 IPsec connections.

    Now the SEP firewall is blocking those packets because of the Ethernet protocols.

    It’s not a solution to add thousands of different Ethernet protocols separately, or even to allow all Ethernet protocols.

    As you can see, it’s not practical that we have to add lots of different Ethernet protocols to get this 6to4 connection working.

    We are not going to add thousands of different Ethernet protocols for that.

    After all, the simple question is:

    We are missing a simple rule to make the firewall allow an Ethernet protocol where the last four bits of the IPv6 address are variable.
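    To make the encapsulation described in posts 1 and 5 concrete, the following is an added example, not code from the original thread or from Symantec: it builds a constructed 6to4 frame (Ethernet > IPv4 protocol 41 > IPv6 next header 50 > ESP), decodes it layer by layer, and reads out the low 16 bits of the inner IPv6 source address, which for the client address 2002:50dc:2a62::50dc:2a62 is the 0x2a62 value the poster had to whitelist as an EtherType. The second 6to4 address (198.51.100.1) and the ESP SPI are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

ETH_HDR = 14
IPV6_IN_IPV4 = 41   # outer IPv4 protocol number, as in the "IP [41,...]" rule
ESP = 50            # inner IPv6 next header, as in "IP [...,50,...]"

def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 2002::/16 (6to4) address, RFC 3056."""
    packed = IPv6Address(addr).packed
    if packed[:2] != b"\x20\x02":
        raise ValueError("not a 6to4 address")
    return str(IPv4Address(packed[2:6]))

def build_6to4_esp_frame(src_v6, dst_v6, payload=bytes(32)):
    """Constructed sample frame: Ethernet > IPv4(41) > IPv6(ESP) > ESP.
    The outer IPv4 endpoints are derived from the 6to4 addresses, as 6to4 requires."""
    esp = struct.pack("!II", 0x1234, 1) + payload   # placeholder SPI, seq 1, dummy body
    v6 = (struct.pack("!IHBB", 0x60000000, len(esp), ESP, 64)
          + IPv6Address(src_v6).packed + IPv6Address(dst_v6).packed + esp)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPV6_IN_IPV4, 0,
                     IPv4Address(embedded_ipv4(src_v6)).packed,
                     IPv4Address(embedded_ipv4(dst_v6)).packed) + v6
    return bytes(12) + struct.pack("!H", 0x0800) + v4   # zeroed MACs, EtherType IPv4

def layers(frame):
    """Correct decode: (EtherType, outer IPv4 protocol, inner IPv6 next header)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if ethertype != 0x0800 or proto != IPV6_IN_IPV4:
        return ethertype, proto, None
    return ethertype, proto, ip[ihl + 6]               # IPv6 next-header byte

def last16_of_inner_src(frame):
    """Low 16 bits of the inner IPv6 source address, read as one 16-bit value.
    This differs per 6to4 client, which is why an EtherType-style rule does not scale."""
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    src = ip[ihl + 8: ihl + 24]
    return struct.unpack("!H", src[14:16])[0]

if __name__ == "__main__":
    f = build_6to4_esp_frame("2002:50dc:2a62::50dc:2a62", "2002:c633:6401::c633:6401")
    print(layers(f), hex(last16_of_inner_src(f)))       # (2048, 41, 50) 0x2a62
```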



  • 6.  RE: Microsoft DirectAccess and SEP firewall problem

    Posted Feb 20, 2012 08:53 AM


    This case has been added to a defect list and forwarded to the engineering team. This issue is addressed in the next release of SEP i.e. RU 7 MP3, which is expected by August 2012.