direct access client

Posted on 2014-02-06
Last Modified: 2014-04-05
I have two issues. My VPN works just fine but my DirectAccess clients sit on connecting forever. Not sure where to begin troubleshooting. Also, my dashboard for clients says "Maximum client connections: 1". Is this my limit? If so, how do I increase this? Or is this the maximum that has connected at once so far?
Question by: jsgrosskopf
LVL 18

Expert Comment

ID: 39841322
Maximum client connections is the peak number of clients connected at the same time.

If it's sat on "Connecting....", then you have another issue with the infrastructure.

Author Comment

ID: 39841709
Thanks for the answer regarding max connections. The other issue is I realize there is an infrastructure issue but I don't know what. All my icons are green in the DirectAccess dashboard. I can't ping anything on my domain on my client and it is stuck at connecting.
LVL 18

Expert Comment

ID: 39841798
Are you running Windows 7 or Windows 8?

Either way, you can run the diagnostics from the DirectAccess client or the DirectAccess Connectivity Assistant and then start on troubleshooting.

The first step is making sure you can resolve and ping your DA connection URL.

Then check the certificate that's being presented and make sure you can validate that.

If you are running Windows 8 then there are fewer things to have to sort out.
With Windows 7 there are some extra complications.

You can use these two commands to show potential issues:

Netsh int httpstunnel show int



If you post them up then we can start troubleshooting.

Author Comment

ID: 39842232
I found another issue that may tie both together. I did not realize but none of my VPN clients can connect to external sites (, etc.) when they are on VPN. They can connect to everything in house. This is the case whether I use forced tunneling or not. I have tried about 50 other changes and suggestions browsing through websites but none fix the problem. Does anyone have any ideas? I'm thinking if I fix this, maybe the direct access will start working.
LVL 18

Expert Comment

ID: 39842719
Well, the VPN client will be down to routing. Leave it with no split tunneling and first do a DNS lookup on google or something similar to check DNS is working, then do a trace route to see if the network path to it is correct.
Do you have a proxy server on your network? Is that configured to allow connections from VPN clients?

The DirectAccess won't have anything to do with that. You need to run through the basic checks to see if you can resolve the DirectAccess server URL, and check to see if you can get to it.

Author Comment

ID: 39842731
OK, I'll put the forced tunneling back in place. The last time I believe I could resolve the IP for google and We do not use a proxy, I have an internal firewall set up as my gateway. My external connection on the DA server is connected directly to my cable modem. My internal is connected to the internal switch / internal gateway. I have a gateway configured on the external card and no gateway on the internal card. I attempted to install NAT but that did not work, I saw no traffic between internal and external. I figured with forced tunneling, the client would get our internal gateway; however, the address is blank when they connect.
LVL 18

Expert Comment

ID: 39842936
That's why it doesn't work, if it hasn't picked up any network topology.
What is doing your VPN - what kind of firewall/VPN client?

To help with the DA status, can you confirm these:

Have you put static routes on the DA server to point to the internal network?
Did you do simple setup or manual setup?
Win7 or Win8 client?
Can you run the two commands I gave before and put the output up here?

Author Comment

ID: 39847231
Sorry it took so long to respond. I had to attend a camping trip with my son and left the office early Friday.

Our firewall is a pfSense firewall but this DA server is not connected to this firewall. The DA server is connected directly to the modem. The only firewall is the Windows firewall running on the DA server. As for the internal connection, it is connected to our switch with the gateway pointing to our pfSense firewall. The VPN client is the built-in Microsoft VPN client.

2nd question, I put a static IP of on the internal connection. In the Windows 7 client, all of my users are using the simple setup. I have read that you can go into manual setup and select some option to use local gateway but that does not work either, then the situation is reversed (can get google, but no VPN resources).

I put forced tunneling back into place and ran the DNS lookup and tracert on and compared to my workstation at work. The results are:

Client via DA: (This may lend some insight).
server: attunite.lan (AT&T wireless router client is connecting to)


Client with VPN:
server: (our internal DNS server)

address: 2607.f8b0.4006.807::100e

Same as VPN yet VPN will not access google and workstation does. VPN Client says cannot display page

Tracert DA: unable to resolve target

Tracert VPN: ( (not the ip I assigned to the server)
Request timed out forever

TraceRT Workstation
several hops...Washington, Comcast etc.

Hope this gives some insight. I'm a little lost at the moment.
LVL 18

Expert Comment

ID: 39849497
What is the VPN connecting to? Is that the DirectAccess server as well?

Might need to start from scratch and run through the DA setup.

First thing - network setup
The DirectAccess server should have 2 NICs
the External NIC should have a default gateway and no DNS
the Internal NIC should have no default gateway and DNS (which points at your internal DNS servers)

the two addresses on each server should have IP addresses on different subnets i.e.

then you would put static routes on to point it at the internal subnet
route add mask -p

The above assumes it's a /24 subnet and the default gateway is the start of the range.

As you are using Windows 7, certificates become important.
What have you used for the DirectAccess server certificate and what have you used for the client certificate that installs on the Windows 7 machine?

Also, can you run the command I gave you on the DirectAccess client (the top one being more useful on Windows 7)

Netsh int httpstunnel show int
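
The two-NIC checklist in the comment above, as an added example that is not part of the original post: a PowerShell function that flags a default gateway on the internal NIC, DNS on the external NIC, and both NICs on one subnet. The function names, the adapter aliases 'External' and 'Internal', and all addresses are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. Aliases and addresses below are constructed.
function Get-NetworkId([string]$Address, [int]$PrefixLength) {
    # Network number of an IPv4 address, computed in 64-bit arithmetic
    [long]$ip = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) { $ip = $ip * 256 + $b }
    [long]$mask = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength)
    return $ip -band $mask
}

function Test-DaNicLayout {
    param(
        [Parameter(Mandatory)] [object[]] $Nic,   # objects with Alias, Gateway, Dns, IPv4, PrefixLength
        [string] $ExternalAlias = 'External',     # hypothetical adapter names
        [string] $InternalAlias = 'Internal'
    )
    $ext = $Nic | Where-Object Alias -eq $ExternalAlias
    $int = $Nic | Where-Object Alias -eq $InternalAlias
    if (-not $ext -or -not $int) { return ,@("Expected NICs named '$ExternalAlias' and '$InternalAlias'") }

    $findings = @()
    if (-not $ext.Gateway) { $findings += 'External NIC has no default gateway' }
    if ($ext.Dns)          { $findings += "External NIC has DNS servers set: $($ext.Dns -join ', ')" }
    if ($int.Gateway)      { $findings += "Internal NIC has a default gateway ($($int.Gateway)); use static routes instead" }
    if (-not $int.Dns)     { $findings += 'Internal NIC has no DNS servers; point it at the internal DNS servers' }
    if ((Get-NetworkId $ext.IPv4 $ext.PrefixLength) -eq (Get-NetworkId $int.IPv4 $int.PrefixLength)) {
        $findings += 'External and internal NICs are on the same subnet'
    }
    return $findings
}

function Get-DaNicConfig {
    # Live data on the server itself (Get-NetIPConfiguration, Windows Server 2012 and later)
    Get-NetIPConfiguration | ForEach-Object {
        [pscustomobject]@{
            Alias        = $_.InterfaceAlias
            Gateway      = $_.IPv4DefaultGateway.NextHop
            Dns          = ($_.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses
            IPv4         = $_.IPv4Address[0].IPAddress
            PrefixLength = $_.IPv4Address[0].PrefixLength
        }
    }
}

# Constructed sample: the internal NIC wrongly carries a default gateway.
$sample = @(
    [pscustomobject]@{ Alias = 'External'; Gateway = '203.0.113.1'; Dns = @(); IPv4 = '203.0.113.10'; PrefixLength = 24 }
    [pscustomobject]@{ Alias = 'Internal'; Gateway = '10.0.0.1'; Dns = @('10.0.0.2'); IPv4 = '10.0.0.5'; PrefixLength = 24 }
)
Test-DaNicLayout -Nic $sample
```

On a real server, pass `Get-DaNicConfig` output with the actual adapter aliases instead of `$sample`.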



Author Comment

ID: 39863558
Sorry I took so long to reply. I finally gave in and opened up an incident with Microsoft. After three days, this setup is in worse shape than ever. Now I can't even get the DirectAccess client to install with group policy. They will continue to work on it this week and I'll report what they did when they finally get it working. Thanks.

Accepted Solution

jsgrosskopf earned 0 total points
ID: 39966490
Ended up getting Microsoft to help. The issue ended up being a problem with two different DHCP scopes. My servers are on 192.168.0 and my clients are 192.168.1. We use a subnet mask of With VPN, the clients are assigned (can't change this apparently) so the clients were connecting with network and address and could not get to any servers, firewall, gateway, anything. I ended up with a specific DHCP for my VPN clients that assigns them a 192.168.0. address and all is well.

Author Closing Comment

ID: 39979830
Microsoft solved it
