  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3320

DirectAccess on Server 2012

Hi Guys

We've configured DirectAccess on Server 2012.
Everything seems to be OK. Internally it's connected, but externally it's not.

We've checked everything, but there's nothing we can see. I'm sure there's something, but not sure what it is.

When we ran the netsh dns show state command, it showed Inside corporate network, but it's not even connected to the corp network.

Any ideas?

Cheers
Asked by goraek
2 Solutions
 
Keith Alabaster (Enterprise Architect) commented:
Is this just a DA implementation or DA and RAS combined?
What server is being used to detect whether the client is on the LAN or operating externally - the DA server itself?
0
 
Chris commented:
How did you do the setup: simple deployment or the full wizard?

Which client are you using, Win8 or Win7?

Use netsh name show; this will show the NRPT table. Make sure your internal domain names are showing up.

What does the diagnostic report from the client say?
0
 
goraek (Author) commented:
Thanks for the response.

This is just DA itself.

Sorry, how do I check if the client is on the LAN or external?

I've set this up using both, and the configuration appears to be working.
I believe I'm having issues with NLS, but I'm not too sure if it's working or not, because it can't detect whether it's inside or outside the corporate network.

We're running both Win 7 and 8, but at the moment I'm testing on Win 8.
0
 
Chris commented:
OK, Win8 is the easiest to troubleshoot with.

On the client, start with
 Get-DAConnectionStatus

If it's local you'll get this:

Status    : ConnectedLocally
Substatus : None

or it should be
Status    : ConnectedRemotely


Then, if you are running Windows 8, if you right-click on the DA connection you should be able to run the diagnostics and tell whether it's failed to connect to something, i.e. NLS or the other internal endpoints.


If you use
netsh int httpstunnel show int

you should get this if you are on the network:

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://yourDAURL:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface not installed.
                             Other corporate connectivity available.

If external and connected:
Interface Status           : IPHTTPS interface active

or it will show an error code.
0
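Added example, not code from the original thread or from Chris: a PowerShell script that runs the checks in the comment above (Get-DAConnectionStatus, the IP-HTTPS interface state, the machine location from netsh dns show state) on a Windows 8 client from an elevated prompt, and adds three checks this thread turns out to need: the OS edition, whether the NLS URL answers from where the client currently sits, and whether the IP-HTTPS FQDN resolves and has TCP 443 open. The registry location used for the NLS URL (the NetworkConnectivityStatusIndicator\CorporateConnectivity key, value DomainLocationDeterminationUrl) is an assumption about where the DA client GPO stores it on Windows 8; every hostname comes from the client's own configuration, nothing is hard-coded.

```powershell
# Added example (not from the original thread). Run as Administrator on the
# Windows 8 DirectAccess client while it is OFF the corporate LAN.

function Get-NetshField {
    # Pull "Name : value" out of netsh output. netsh wraps long values onto
    # deeply indented continuation lines, so those are joined back on.
    param([string[]]$Text, [string]$Name)
    $hit = $Text | Select-String "^\s*$Name\s*:" | Select-Object -First 1
    if (-not $hit) { return $null }
    $value = $hit.Line.Split(':', 2)[1].Trim()
    for ($i = $hit.LineNumber; $i -lt $Text.Count; $i++) {
        if ($Text[$i] -match '^\s{10,}(\S.*)$') { $value += ' ' + $Matches[1] } else { break }
    }
    return $value
}

function Test-TcpPort {
    # TCP connect with a timeout (Test-NetConnection does not exist on Windows 8).
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 0. Edition. The DirectAccess client only ships in Windows 8 Enterprise
#    (Windows 7 Enterprise/Ultimate); on Pro the GPO applies but nothing connects.
$os = Get-CimInstance Win32_OperatingSystem
"Edition      : $($os.Caption)"
if ($os.Caption -notmatch 'Enterprise|Ultimate') {
    Write-Warning 'Not an Enterprise/Ultimate edition: DirectAccess will never connect from this client.'
}

# 1. Client-side view of the connection (Status / Substatus as shown in the thread).
$da = Get-DAConnectionStatus
"DA status    : $($da.Status) / $($da.Substatus)"

# 2. Inside/outside decision and the IP-HTTPS interface, from the same netsh
#    commands used in the thread.
$dnsState = netsh dns show state
$tunnel   = netsh interface httpstunnel show interfaces
$url      = Get-NetshField $tunnel 'URL'
"Location     : $(Get-NetshField $dnsState 'Machine Location')"
"IP-HTTPS URL : $url"
"IP-HTTPS     : $(Get-NetshField $tunnel 'Interface Status') (last error $(Get-NetshField $tunnel 'Last Error Code'))"

# 3. NLS. From outside the LAN the NLS URL must NOT be reachable: if it answers,
#    the client decides it is "Inside corporate network" and never builds the tunnel.
#    ASSUMPTION: this is where the DA client GPO writes the NLS URL on Windows 8.
$nlsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity'
$nls = (Get-ItemProperty -Path $nlsKey -ErrorAction SilentlyContinue).DomainLocationDeterminationUrl
"NLS URL      : $nls"
if ($nls) {
    try {
        $r = Invoke-WebRequest -Uri $nls -UseBasicParsing -TimeoutSec 5
        Write-Warning "NLS answered HTTP $($r.StatusCode) from here: the client will think it is inside the LAN."
    } catch {
        "NLS not reachable from here (expected when outside): $($_.Exception.Message)"
    }
}

# 4. The IP-HTTPS endpoint itself. From outside, the FQDN in the URL must resolve
#    through public DNS (it is an NRPT exemption) and TCP 443 must be open.
if ($url -match '^https://([^:/]+)') {
    $daHost = $Matches[1]
    $addrs  = Resolve-DnsName -Name $daHost -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    "Resolves to  : $(if ($addrs) { $addrs -join ', ' } else { '(no A record from here)' })"
    "TCP 443 open : $(Test-TcpPort -HostName $daHost)"
}
```

Read the output top to bottom: an edition other than Enterprise/Ultimate explains everything by itself; "Inside corporate network" while off the LAN points at an NLS that is reachable (or a captive network answering for it); a deactivated or not-installed IP-HTTPS interface with a name that does not resolve or a closed port 443 points at the public side of the DA server rather than at the client.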
 
goraek (Author) commented:
Yeah, hence I'm doing this on Win 8 to troubleshoot.
I don't get "IPHTTPS interface active" when externally connected.
Any reason for this? That's probably why it isn't working?
0
 
goraek (Author) commented:
I just double-checked and it's giving me "IPHTTPS interface deactivated".
0
 
Chris commented:
Does the DA connection from the charm bar still show as connecting at this point?
What does Get-DAConnectionStatus show at this point?

Can you run the advanced diagnostics and show the output?
0
 
goraek (Author) commented:
This is what I get when I ran the health test.

Component            RemoteAccessServer   HealthState     TimeStamp            Id              OperationStatus
---------            ------------------   -----------     ---------            --              ---------------
Server               localhost            OK              6/11/2013 5:44:59 AM
6to4                 localhost            Disabled        6/11/2013 4:33:04 AM
Vpn Addressing       localhost            Disabled        6/11/2013 4:33:04 AM
Network Security     localhost            OK              6/11/2013 4:38:04 AM
Dns                  localhost            OK              6/11/2013 4:38:49 AM
IP-Https             localhost            OK              6/11/2013 5:44:59 AM
Nat64                localhost            OK              6/11/2013 4:38:04 AM
Dns64                localhost            OK              6/11/2013 4:38:04 AM
IPsec                localhost            OK              6/11/2013 4:38:04 AM
Kerberos             localhost            OK              6/11/2013 5:44:58 AM
Domain Controller    localhost            OK              6/11/2013 4:38:10 AM
Management Servers   localhost            Disabled        6/11/2013 4:33:04 AM
Network Location ... localhost            OK              6/11/2013 5:44:15 AM
Otp                  localhost            Disabled        6/11/2013 4:33:04 AM
High Availability    localhost            Disabled        6/11/2013 4:33:04 AM
Isatap               localhost            Disabled        6/11/2013 4:33:04 AM
Vpn Connectivity     localhost            Disabled        6/11/2013 4:33:04 AM
Teredo               localhost            Disabled        6/11/2013 4:33:04 AM
Network Adapters     localhost            OK              6/11/2013 4:38:04 AM
Services             localhost            OK              6/11/2013 4:38:04 AM
0
 
goraek (Author) commented:
After I ran Get-DaConnectionStatus I get:

PS C:\Users\administrator> Get-DAConnectionStatus


Status    : Error
Substatus : CouldNotContactDirectAccessServer

This also shows Connecting.
0
 
goraek (Author) commented:
Here is the diagnostic

PS C:\Users\administrator> nltest /dsgetdc:directaccess.domain.local
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
PS C:\Users\administrator> Get-DAConnectionStatus


Status    : Error
Substatus : CouldNotContactDirectAccessServer



PS C:\Users\administrator> netsh int httpstunnel sh int

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://directaccess.domain.local:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface deactivated

PS C:\Users\administrator> netsh dns sh state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured
0
 
goraek (Author) commented:
I ran the httpstunnel command again; now I'm getting "not installed":

PS C:\Users\administrator> netsh int httpstunnel sh int

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://directaccess.domain.local:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface not installed.
                             Other corporate connectivity available.

Any ideas?
0
 
goraek (Author) commented:
By the way, how do we reset the 443 IIS cert binding? We've set this manually, but want to revert this back.
0
 
goraek (Author) commented:
I believe there's an issue with the certificate.
I can't browse to it externally. Is there something we need to do with the certificate?
0
 
Chris commented:
So the basic tests would be: from the client, ping the DA server address and make sure it resolves;
then you can browse to it using the URL that you got above.
This shouldn't display much, but you can check the cert, i.e. make sure it's trusted etc.
Are you using a 3rd-party cert?

When you say you reset the binding, do you mean you went into IIS on the DA server?
Did you change to a different port?
If you run through the DA setup wizard again for the step where you set the URL and cert, then that should do it... maybe make a change and apply, and then change it back.
0
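Added example, not the thread's or Chris's code: a PowerShell function that does what "browse to the URL and check the cert" does, but reports everything a browser hides behind a single warning: subject, SAN, issuer, expiry, whether the name matches the FQDN in the URL, the SslPolicyErrors that .NET raised, and the chain as this client builds it. Run it on the client from outside the LAN. The URL in the usage line is the one from the thread's netsh output; substitute your own. Uses only .NET classes present on Windows 8 / PowerShell 3.0.

```powershell
# Added example (not from the original thread): inspect the certificate the
# IP-HTTPS URL presents, from the client's point of view.

function Get-IPHttpsCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$TimeoutMs = 5000
    )
    $uri    = [Uri]$Url                       # .Port is 443 for https even when not written
    $report = [ordered]@{ Host = $uri.Host; Port = $uri.Port }
    $state  = @{ Errors = $null }             # filled in by the validation callback

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect to $($uri.Host):$($uri.Port) timed out" }
        $tcp.EndConnect($async)

        # Accept every certificate in the callback so the handshake completes and
        # we can inspect the chain ourselves; the policy errors are recorded, not acted on.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $remoteCert, $remoteChain, $errors)
            $state.Errors = $errors
            return $true
        }.GetNewClosure()

        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Close()

        $report.Subject      = $cert.Subject
        $report.Issuer       = $cert.Issuer
        $report.NotAfter     = $cert.NotAfter
        $report.Thumbprint   = $cert.Thumbprint
        $report.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        $report.PolicyErrors = $state.Errors      # None = a browser on this box would accept it

        # The FQDN from the URL must be in the SAN (or the CN if there is no SAN).
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $report.SAN = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $report.NameMatches = ($dnsName -eq $uri.Host) -or ($report.SAN -match [regex]::Escape($uri.Host))

        # Build the chain locally so the report says *which* link is untrusted.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate problem
        $null = $chain.Build($cert)
        $status = $chain.ChainStatus | ForEach-Object { $_.Status }
        $report.ChainStatus = if ($status) { $status -join ', ' } else { 'OK' }
        $report.Chain       = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  '
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

# Usage: the URL from the thread's netsh output; replace with your own.
Get-IPHttpsCertificateReport -Url 'https://directaccess.domain.local:443/IPHTTPS' | Format-List
```

PolicyErrors of RemoteCertificateChainErrors with a self-signed certificate means the client does not have that certificate in its Trusted Root store; RemoteCertificateNameMismatch means the certificate was issued for a different name than the one in the IP-HTTPS URL. One caveat on the thread's own URL: a .local name is not resolvable through public DNS, so an external client can only reach it if the DA server is published under a name that public DNS answers for, and the certificate then has to cover that name.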
 
goraek (Author) commented:
I can ping the URL, but unfortunately I'm not able to browse to it.
Is there a guide to create a self-signed cert? I believe I did it correctly.

Yes, that's correct, I made the change on the DA server; I manually bound port 443.
How do I remove the manual binding and use the default binding from DA setup?
0
 
Chris commented:
The self-signed cert I am talking about is created via the DA wizard. Are you talking about one you created and signed with an internal CA?



I would almost think about redoing the config.
0
 
goraek (Author) commented:
I've redone the config many times, still no go.
I'm just not able to connect externally, and everything seems all fine.
0
 
Chris commented:
The reason for redoing the config is to reset the binding on IIS.

Have you checked the config for the NRPT table to ensure it includes all the domain names of your internal domain?

On the client side, does it have the group policies applied correctly?
Does it have the certificate trusted?
Does it have the firewall on?
0
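Added example, not from the original thread: the four checks in Chris's comment above (NRPT contents, group policy applied, certificate trust, firewall on) as a PowerShell script for the Windows 8 client, using only built-in cmdlets. The expectation that a wizard-generated self-signed IP-HTTPS certificate shows up in the client's Trusted Root store is an assumption about a default DirectAccess deployment; the domain suffix and IP-HTTPS hostname are read from the client itself.

```powershell
# Added example (not from the original thread). Run as Administrator on the
# Windows 8 DirectAccess client.

function Test-ClientAuthEku {
    # True if the certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
    # which the IPsec tunnels need when the deployment authenticates clients by certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true } }
        }
    }
    return $false
}

# 1. NRPT. Every internal suffix should carry DirectAccess DNS servers (the DA
#    server's IPv6 / DNS64 address); entries with no DA DNS servers are exemptions,
#    and the IP-HTTPS FQDN and the NLS name must be among them so they are resolved
#    by public DNS instead of being sent into a tunnel that does not exist yet.
'--- NRPT (effective) ---'
$rules = Get-DnsClientNrptPolicy -Effective
$rules | Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled | Format-Table -AutoSize
$suffix = (Get-CimInstance Win32_ComputerSystem).Domain
if (-not ($rules | Where-Object { $_.Namespace -eq ".$suffix" })) {
    Write-Warning "No NRPT rule for .$suffix: internal names will not be resolved through DirectAccess."
}
$exempt = $rules | Where-Object { -not $_.DirectAccessDnsServers } | Select-Object -ExpandProperty Namespace
"Exemptions (resolved with the local DNS servers): $($exempt -join ', ')"

# 2. Group policy. The DA client settings are a computer GPO; it must be listed here.
'--- Applied computer GPOs ---'
gpresult /r /scope:computer | Select-String 'Applied Group Policy Objects' -Context 0, 8

# 3. Certificate trust. With the wizard's self-signed IP-HTTPS cert, the client GPO
#    is expected to place that cert in Trusted Root (assumption: default deployment);
#    with a CA-issued cert, that CA's root must be there instead.
'--- Certificate trust ---'
$urlLine = netsh interface httpstunnel show interfaces | Select-String '^\s*URL\s*:'
if ($urlLine) {
    $daHost  = ([Uri]$urlLine.Line.Split(':', 2)[1].Trim()).Host
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match [regex]::Escape($daHost) }
    "Trusted Root entries naming $daHost : $(@($trusted).Count)"
} else {
    Write-Warning 'No IP-HTTPS URL in netsh output: the DA client GPO has not applied.'
}
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku $_) }
"Machine certificates with a private key and Client Authentication EKU: $(@($clientCerts).Count)"

# 4. Firewall. DirectAccess requires Windows Firewall to be on for every profile;
#    with it off the IPsec tunnels and the IP-HTTPS interface are never brought up.
'--- Firewall profiles ---'
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
$off = Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }
if ($off) {
    Write-Warning "Windows Firewall is off on: $(($off | Select-Object -ExpandProperty Name) -join ', ')"
}
```

An empty NRPT or a missing IP-HTTPS URL both mean the client never received the DirectAccess Client Settings GPO, which is worth ruling out before anything on the server is touched; the GPO is security-filtered to the client computer group chosen in the wizard, so a machine outside that group shows exactly this.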
 
goraek (Author) commented:
Interestingly enough, I found a guide:

Prerequisites for Using DirectAccess
Before you can use DirectAccess for Windows 8:
  • Your computer must be running the Windows 8 Release Preview (or later) image or Windows 8 Release Preview Enterprise Edition or later.
  • Your computer must be joined to a deployed domain.
  • You must have a physical smart card and smart card reader. If you have a physical smart card but haven’t used it to connect to the corporate network using IT VPN, you must reset or unblock your smart card PIN. You can also reset your PIN if you have forgotten it. For more information, see << Insert more information URL or technical support contact>>.
  • Your computer must have a Trusted Platform Module (TPM) and it must be initialized. For more information, see “Checking Your Computer for a TPM” in this guide.

It seems like I need a smart card reader and TPM.

Not sure if this is true, but it does say it is a prerequisite.

Can someone confirm this?
0
 
Chris commented:
No, you don't need a smart card reader. Not 100% sure about TPM, but not sure what it needs to be used for. We have TPMs in all our laptops.
The only prerequisite that I adhered to was it being Win8 Enterprise.
0
 
goraek (Author) commented:
Apparently it was an OS issue; it needs to be Enterprise. Changed this and all was good.
0
 
goraek (Author) commented:
Using Enterprise fixed the issue.
0