So, the time has come to retire our old Windows 2003 server. This box runs bookkeeping software (Exact Globe 2003, and BCS Delta), and is exclusively used internally by the administrative accounting staff.

The first thought that came to mind: since we're running several Linux servers already on IPv6-only, would it be possible to run a Windows server also on IPv6?

...

So I'll go for 2008 R2 and give it a shot.

...

Basics

IPv6-only VLAN

A dedicated VLAN was created for IPv6-only systems, so that building, testing and configuring would not interfere with any production networks. Configuring this VLAN with only IPv6 makes it possible to use simpler IP Access Control Lists (ACLs) and to start from scratch:

...

I started out with IPv6 ACLs that disallow everything by default, and then open up specific things.

Addressing

Obviously, the first thing to do is to uncheck IPv4 in the interface configuration :-)

For IPv6 addressing I chose autoconfigured EUI64, no privacy extensions. The reason is that this is a server, and it will not be used for any web browsing activities. Static addresses also help with configuring the (empty) IP ACLs. The idea is that during configuration and testing the IPv6 ACLs will be constructed, based on stuff that does not work. Eventually, when everything works, it might be an option to use privacy extensions.

...

REM RFC 4941 privacy extensions (i.e. temporary address for outgoing connections)
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
 
REM Don't use random identifiers. This will result in EUI64 based addresses
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

REM disable unused tunneling protocols
netsh interface ipv6 6to4 set state disabled
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 set teredo disabled
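
With privacy extensions and random identifiers disabled, the server's address is fully determined by the VLAN's /64 prefix and the NIC's MAC address, so the ACL entry can be written before the machine is on the network and checked afterwards. The following is an added example, not part of the original page; the prefix and MAC are constructed sample values and the function names are hypothetical.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from a /64 prefix and its MAC (RFC 4291, App. A)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]


def is_eui64(address: str) -> bool:
    """True if the interface identifier carries the ff:fe filler of a MAC-derived ID.

    A random identifier matches by chance about once in 65536, so treat a hit
    as a strong hint and a miss as proof the address is not EUI-64 based.
    """
    iid = int(ipaddress.IPv6Address(address)) & IID_MASK
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(address: str) -> str:
    """Recover the MAC from an EUI-64 address, e.g. to tie an ACL entry to a NIC."""
    if not is_eui64(address):
        raise ValueError("not an EUI-64 derived address")
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    prefix, mac = "2001:db8:10:20::/64", "00-1A-2B-3C-4D-5E"
    expected = eui64_address(prefix, mac)
    print("address to allow in the ACL:", expected)
    # Paste the address the server reports to confirm the netsh settings took
    # effect; a temporary or randomized address will not pass this check.
    for seen in (str(expected), "2001:db8:10:20:8c5f:12a3:9b44:e071"):
        print(seen, "EUI-64" if is_eui64(seen) else "not EUI-64")
```

The reverse mapping also shows why EUI64 addresses are avoided on client machines: the hardware address is readable from every packet the host sends.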

 

DNS

The DNS server addresses are statically assigned, and are picked from the SURFnet DNSSEC-validating resolvers.

The "Register this connection's addresses in DNS" option has been deselected, because this causes DNS registration requests to go out, which we do not want. Eventually things look like this:

 

NTP

...

At the time of writing, the default time server that is used by Windows 2008 R2 to sync its clock, time.windows.com, unfortunately is not (yet) reachable over IPv6.

But again, SURFnet comes to the rescue, because several of their NTP servers are IPv6-enabled. I picked chime3.surfnet.nl, which, according to the web interface, appears to be a Meinberg NTP server. Windows digs it all right:


 

Windows Update

Unfortunately the Microsoft Update servers are also available only on IPv4 :-(

I set up a limiting HTTP proxy server that listens on IPv6, and added a number of regular expressions to allow Windows to download updates. Windows seems to dig it:


 

 

As can be seen from the lists, several other URLs also need whitelisting, such as CRLs and OCSPs.

Details of the proxy and the Windows configuration process are described on a separate page.

 

 

Exact Software

I phoned up Exact Software Netherlands to see if Exact Globe would support IPv6, but the help desk could not provide me with a definitive answer. So then, time for some testing. 

Exact Globe consists of a network share containing an installer, and an SQL Server. Clients map the network drive and install the software on their computer.

Windows 2008 R2 supports SMB (file sharing) over IPv6-only without any problems:


 

Once installed, the software then initiates a connection to TCP port 1433 of an SQL Server. In our case this is the same server.

The old (Windows 2003) server runs SQL Server 2000, but starting from release 404 (July 2012), the Exact software does not support this any more. So I had to upgrade to SQL Server 2008 R2.

That software supports IPv6 just fine, but I was more afraid of client side issues. All users in accounting run Windows 7, so the operating system itself shouldn't be a problem.

While testing I quickly found out that the Exact application was using ODBC, which did support IPv6, so the application works on IPv6 :-)

 

Crypto

I wasn't really sure if the SQL Server traffic was plain text or not, and after running Wireshark it turned out that it wasn't...

Because we are part of the TERENA Certificate Service, we have access to 'free' SSL certificates from SURFnet.

Installing those went easy, but I got stuck in the end because the SQL server wouldn't recognise the certificate.

More 

TCS certificates for MS SQL Server