Solved

direct access client

Posted on 2014-02-06
Last Modified: 2014-04-05
I have two issues. My VPN works just fine, but my DirectAccess clients sit on "Connecting" forever. Not sure where to begin troubleshooting. Also, my dashboard for clients says "Maximum client connections: 1". Is this my limit? If so, how do I increase this? Or is this the maximum number that have connected at once so far?

Question by: jsgrosskopf
12 Comments
 
LVL 18

Expert Comment

by: irweazelwallis

Maximum client connections is the peak number of clients connected at the same time.

If it's sat on "Connecting..." then you have another issue with the infrastructure.
 

Author Comment

by: jsgrosskopf

Thanks for the answer regarding max connections. The other issue is that I realize there is an infrastructure issue, but I don't know what. All my icons are green in the DirectAccess dashboard. I can't ping anything on my domain on my client and it is stuck at connecting.
 
LVL 18

Expert Comment

by: irweazelwallis

Are you running Windows 7 or Windows 8?

Either way, you can run the diagnostics from the DirectAccess client or the DirectAccess Connectivity Assistant and then start on troubleshooting.

The first step is making sure you can resolve and ping your DA connection URL.

Then check the certificate that's being presented and make sure you can validate it.

If you are running Windows 8 then there are fewer things to have to sort out.
With Windows 7 there are some extra complications.

You can use these two commands to show potential issues:

Netsh int httpstunnel show int

and

Get-DAConnectionStatus

If you post them up then we can start troubleshooting.
 

Author Comment

by: jsgrosskopf

I found another issue that may tie both together. I did not realize it, but none of my VPN clients can connect to external sites (google.com, msn.com, etc.) when they are on VPN. They can connect to everything in house. This is the case whether I use forced tunneling or not. I have tried about 50 other changes and suggestions browsing through websites, but none fix the problem. Does anyone have any ideas? I'm thinking if I fix this, maybe the DirectAccess will start working.
 
LVL 18

Expert Comment

by: irweazelwallis

Well, the VPN client will be down to routing. Leave it with no split tunneling and first do a DNS lookup on google or something similar to check DNS is working, then do a trace route to see if the network path to it is correct.

Do you have a proxy server on your network? Is that configured to allow connections from VPN clients?

The DirectAccess won't have anything to do with that. You need to run through the basic checks to see if you can resolve the DirectAccess server URL, then check to see if you can get to it.
 

Author Comment

by: jsgrosskopf

OK, I'll put the forced tunneling back in place. The last time, I believe I could resolve the IP for google and espn.com. We do not use a proxy; I have an internal firewall set up as my gateway. My external connection on the DA server is connected directly to my cable modem. My internal is connected to the internal switch / internal gateway. I have a gateway configured on the external card and no gateway on the internal card. I attempted to install NAT but that did not work; I saw no traffic between internal and external. I figured with forced tunneling the client would get our internal gateway, however the address is blank when they connect.
 
LVL 18

Expert Comment

by: irweazelwallis

That's why it doesn't work, if it hasn't picked up any network topology.
What is doing your VPN - what kind of firewall/VPN client?

To help with the DA status, can you confirm these:

Have you put static routes on the DA server to point to the internal network?
Did you do simple setup or manual setup?
Win7 or Win8 client?
Can you run the two commands I gave before and put the output up here?
 

Author Comment

by: jsgrosskopf

Sorry it took so long to respond. I had to attend a camping trip with my son and left the office early Friday.

Our firewall is a pfSense firewall, but this DA server is not connected to this firewall. The DA server is connected directly to the modem. The only firewall is the Windows firewall running on the DA server. As for the internal connection, it is connected to our switch with the gateway pointing to our pfSense firewall. The VPN client is the built-in Microsoft VPN client.

2nd question: I put a static IP of 192.168.0.105 on the internal connection. In the Windows 7 client, all of my users are using the simple setup. I have read that you can go into manual setup and select some option to use the local gateway, but that does not work either; then the situation is reversed (can get google, but no VPN resources).

I put forced tunneling back into place and ran the DNS lookup and tracert on google.com and compared to my workstation at work. The results are:

Client via DA (this may lead to some insight):
Server: attunite.lan (AT&T wireless router the client is connecting to)
Address: 192.168.0.101

Name: google.com.(ourdomain).com
Address: 66.223.17.5

Client with VPN:
Server: (our internal DNS server) internaldnsserver.ourdomain.com
Address: 192.168.0.101

Name: google.com
Address: 2607:f8b0:4006:807::100e
74.125.228.73
74.125.228.68
etc.

Workstation:
Same as VPN, yet VPN will not access google and the workstation does. The VPN client says cannot display page.

Tracert DA:
google.com: unable to resolve target

Tracert VPN:
google.com 74.125.228.70
internalDAservername.domain.com (192.168.1.193) (not the IP I assigned to the server)
Request timed out forever

Tracert Workstation:
google.com 74.125.228.70
several hops... Washington, Comcast, etc.

Hope this gives some insight. I'm a little lost at the moment.
 
LVL 18

Expert Comment

by: irweazelwallis

What is the VPN connecting to? Is that the DirectAccess server as well?

Might need to start from scratch and run through the DA setup.

First thing - network setup.
The DirectAccess server should have 2 NICs:
the external NIC should have a default gateway and no DNS;
the internal NIC should have no default gateway and DNS (which points at your internal DNS servers).

The two addresses on each server should have IP addresses on different subnets, i.e.
external 192.168.1.35
internal 192.168.2.35

Then you would put static routes on to point it at the internal subnet:
route add 192.168.2.0 mask 255.255.255.0 192.168.2.1 -p

The above assumes it's a /24 subnet and the default gateway is the start of the range.

As you are using Windows 7, certificates become important.
What have you used for the DirectAccess server certificate, and what have you used for the client certificate that installs on the Windows 7 machine?

Also, can you run the commands I gave you on the DirectAccess client (the top one being more useful on Windows 7):

Netsh int httpstunnel show int

and

Get-DAConnectionStatus
 

Author Comment

by: jsgrosskopf

Sorry I took so long to reply. I finally gave in and opened an incident with Microsoft. After three days, this setup is in worse shape than ever. Now I can't even get the DirectAccess client to install with Group Policy. They will continue to work on it this week and I'll report what they did when they finally get it working. Thanks.
 

Accepted Solution

by: jsgrosskopf (earned 0 total points)

Ended up getting Microsoft to help. The issue ended up being a problem with two different DHCP scopes. My servers are on 192.168.0 and my clients are on 192.168.1. We use a subnet mask of 255.255.254.0. With VPN, the clients are assigned 255.255.255.0 (can't change this apparently), so the clients were connecting with a 192.168.1.0 network and 255.255.255.0 address and could not get to any servers, firewall, gateway, anything. I ended up with a specific DHCP scope for my VPN clients that assigns them a 192.168.0. address and all is well.
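The root cause in this solution is a mask mismatch: the LAN is one /23 (255.255.254.0), but the VPN hands clients a /24, so a 192.168.1.x client sees the 192.168.0.x servers as off-subnet and, with a blank gateway, has nowhere to send to. The following is an added Python model of that situation, not part of the thread; the client addresses, the 192.168.0.1 gateway and the 192.168.0.105 server address are constructed or taken from the posts above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values modelled on the thread: servers sit in 192.168.0.x, workstations in
# 192.168.1.x, and the site mask is 255.255.254.0, so on the LAN both halves are one /23.
SITE_NETWORK = ipaddress.ip_network("192.168.0.0/23")
DA_SERVER = "192.168.0.105"  # internal address the poster gave the DA server


@dataclass
class Host:
    """A client as it sees itself: assigned address, mask and optional default gateway."""
    address: str
    netmask: str
    gateway: Optional[str] = None

    @property
    def interface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(f"{self.address}/{self.netmask}")


def path_to(host: Host, dest: str) -> str:
    """How `host` forwards to `dest`: 'on-link', 'via <gateway>' or 'unreachable'.

    A default gateway is only usable when it lies inside the host's own subnet;
    a blank gateway, as the VPN clients in the thread had, leaves only on-link hosts.
    """
    own = host.interface.network
    if ipaddress.ip_address(dest) in own:
        return "on-link"
    if host.gateway and ipaddress.ip_address(host.gateway) in own:
        return f"via {host.gateway}"
    return "unreachable"


def site_ranges_not_on_link(host: Host) -> List[str]:
    """Parts of the real /23 that the client's narrower mask hides from it."""
    own = host.interface.network
    if not own.subnet_of(SITE_NETWORK):
        return [str(SITE_NETWORK)]
    return [str(n) for n in SITE_NETWORK.address_exclude(own)]


# Before the fix: the VPN pool handed out 192.168.1.x with a /24 mask and no gateway.
BROKEN_CLIENT = Host("192.168.1.50", "255.255.255.0")
# After the fix: a dedicated DHCP scope hands VPN clients a 192.168.0.x address, so the
# servers are on-link; the 192.168.1.x workstation half is then reached via the gateway
# (192.168.0.1 is a constructed placeholder for the pfSense address).
FIXED_CLIENT = Host("192.168.0.150", "255.255.255.0", "192.168.0.1")
```

Note that adding a gateway to the broken client does not help: a 192.168.0.x gateway is itself off-subnet for a 192.168.1.0/24 host, which is why the poster saw "could not get to any servers, firewall, gateway".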
 

Author Closing Comment

by: jsgrosskopf

Microsoft solved it.
