Direct Access Not Working

I recently installed Windows Server 2012 with the Direct Access feature and (thought I had) followed the instructions carefully for enabling a Windows 7 client PC to remote in; however, it's not working. Following a gpupdate /force (on both the server and PC) I examined the registry on the PC and see the DA settings, yet when I get onto the non-corporate network, although I see Teredo and IP-HTTPS interfaces enabled with IPv6 addresses, a netsh dns show state reveals:
• Outside corporate network
• Network location behavior – Never use DA settings
• DA Settings – not configured
• DNSSEC Settings – not configured

So I don’t understand why it says “Never use DA settings” or why the others show not configured.  And I suppose it’s proper to have both interfaces active?!  

My setup is a fully patched DA server with one interface sitting behind a firewall, so I have my firewall redirecting all requests to the DA server. My Cisco router/firewall log shows no blocked traffic. I do have ESP traffic going through my firewall due to site-to-site VPN traffic. (Hopefully that's not interfering with anything.)

I also found this website listing the steps needed for allowing Windows 7 clients into DA, which I performed.

No messages in the event log; the Remote Access Mgmt Console shows everything green and doing a trace shows absolutely nothing.  What can I do to fix this or reveal the source of my problem?

From the above it looks like you are using Windows 7 as your client.

Have you set up all the requirements for that: a computer certificate for the clients, and the CRL of the issuing certificate authority for those certificates published, i.e. made accessible externally?
Do the group policy settings apply correctly to the Win7 client? GP results will show whether it has picked up the settings.
What does the DA troubleshooting say from the client? That will show more than the netsh commands.
Can you resolve the external FQDN of your DA server?
Can you telnet to port 443 from externally to the DA server?
David Johnson, CD, MVP commented:
Check that it is not set to 2; set it to 0 or 1.

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient or HKLM\System\CurrentControlSet\services\Dnscache\Parameters
EnableDAForAllNetworks DWORD (32-bit) = 0
ejefferson213 (author) commented:
Thank you both very much for your suggestions!

David,  I made the change as you suggested but unfortunately it didn't make any difference.  Again, thanks for the suggestion!

irweazelwallis, I too was wondering about the certificate, so, using the purchased GoDaddy cert, I imported that cert into the public store on the RAS/DA server, but I don't know how to publish the CRL; I'll look more into that. On my Windows 7 PC, I can see DA settings brought about by Group Policy, so that should be ok (although I'm still concerned that the netsh dns show state results look bad). The external FQDN is resolvable and I can telnet to port 443 (it comes back with a blank screen, to which I haven't a clue what to enter).

I also don't know yet what troubleshooting tools are available on the RAS/DA server so I'll look into that some more.

Thanks again with your help!!

Didn't mention last time: Win7 and Win8 will need to be Enterprise edition to work.

Do you have a Windows 8 client you can test with, as that should work out of the box?

Do you have an internal PKI?
Here is a quick guide on the steps:

This matches pretty much what I have done.
We also present our CRLs externally so that the Win7 client can do a revocation check, i.e. change the AIA to have an externally resolvable URL, i.e.
I couldn't find any nice screenshot guides for this on the first look, but if you need help I will have another look or screenshot something up myself.
ejefferson213 (author) commented:
Thanks for that link. Somewhere/somehow I had come across that and followed each step. However, my one issue is this: when trying to edit the Remote Access Server setup, under the Network Adapter, you can choose to use a self-signed certificate. I chose to use the certificate we purchased from GoDaddy. However, when I click on Browse... it doesn't list it, even though when I bring up the Certificates MMC, I see it under Personal/Certificates. Any clue on that?

And btw, I'm using Windows 7 Professional (wonder if that's my problem). And no, we don't have an internal PKI in place.  And next week, my boss is bringing in her Windows 8 machine to test with.

Thank you!
ejefferson213 (author) commented:
Also, I forgot to mention that my Certificate server is on Windows Server 2008 R2 if that makes a difference.... I've forgotten why the role was installed but we never use it so I guess I must correct myself by saying that we "do" have a PKI infrastructure.
2008 R2 is fine; I haven't upgraded my internal one past that.
It's the certificate templates that need to be specific.
The AIA publishing points need to have HTTP locations in there; this means reissuing the root CA cert and any other certs that will need to be used in the DA deployment, i.e. NLS.

You would need to set up the specific enrollment policies for the Win7 computers.

How did you do the config of DirectAccess: quick setup or the more involved wizard?
Have you tested with Win8 to make sure it's functional as is?
ejefferson213 (author) commented:
I must admit that I am a novice when it comes to certificates, but being that what I've read makes me believe that a PKI infrastructure isn't needed and that DA-generated certs are possible, I'm puzzled why this is a certificate issue. And I've followed several articles for setting up my Windows 7 PCs and used the wizard of DA for setup. It won't be until Tuesday (7/22) that I'll be able to test Windows 8. (Stay tuned...) However, I'm more interested in why the command Netsh show dns state reveals: Network Location Behavior: Never use Direct Access Settings.
An article I found online spoke of a registry setting (EnableDAonAllNetworks) (or some such key) and my registry didn't have that at all, but I placed it in there along with the suggested value and rebooted and it still doesn't work. I can't believe that Windows 7 Professional is the culprit, but I may need to open a case with MS to get this resolved.
If you use the Getting Started wizard, PKI is not required, BUT (it's not very clear) it won't work with Windows 7.
If you look down to the advanced setup, it shows it will support Windows 7.

Can you confirm that it's Windows 7 Professional? This will be a problem: only Enterprise (and Ultimate) versions of the desktop OSs are supported.
David Johnson, CD, MVP commented:
DirectAccess is supported on Windows 7 Ultimate and Windows 7 Enterprise only, and on Windows 8 Enterprise, not Pro.
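The replies above amount to a checklist: the client must be an Ultimate/Enterprise edition, the DA group policy (NRPT rules and the EnableDAForAllNetworks value) must have landed, the external FQDN must resolve, port 443 must be reachable, and the certificate on the IP-HTTPS listener must be valid with a CRL the client can reach from outside. The script below is an added example, not code from this thread or from Microsoft, that runs those checks from the client in one go. It is written for PowerShell 2.0 on Windows 7 (WMI and .NET calls only, no cmdlets that first shipped with Windows 8), and the server name `da.example.com` is a placeholder assumption to be replaced with your own DA server's public FQDN. It goes one step beyond "telnet to 443 and get a blank screen" by completing a TLS handshake and showing what certificate the listener actually presents, which is what a DA client sees.

```powershell
# Added example (not part of the original thread): client-side DirectAccess
# readiness checks. Run from an elevated PowerShell prompt on the client while
# it sits on the non-corporate network.
# ASSUMPTION: $DaPublicName is a placeholder; replace it with your DA server's external FQDN.
$DaPublicName = 'da.example.com'

function Write-Check($name, $ok, $detail) {
    $tag = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $name, $detail)
}

# 1. Edition. Only Ultimate/Enterprise editions carry the DA client.
#    Win32_OperatingSystem.OperatingSystemSKU: 1 = Ultimate, 4 = Enterprise, 48 = Professional.
$os = Get-WmiObject -Class Win32_OperatingSystem
$editionOk = ($os.OperatingSystemSKU -eq 1) -or ($os.OperatingSystemSKU -eq 4) -or ($os.Caption -match 'Enterprise|Ultimate')
Write-Check 'OS edition' $editionOk ("{0} (SKU {1})" -f $os.Caption, $os.OperatingSystemSKU)

# 2. Settings delivered by the DA GPO. NRPT rules are stored as subkeys of
#    DnsPolicyConfig; per David's reply, EnableDAForAllNetworks must not be 2.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$rules = @(Get-ChildItem "$dnsPolicy\DnsPolicyConfig" -ErrorAction SilentlyContinue)
Write-Check 'NRPT rules from GPO' ($rules.Count -gt 0) ("{0} rule(s) under DnsPolicyConfig" -f $rules.Count)
foreach ($r in $rules) {
    $p = Get-ItemProperty $r.PSPath
    Write-Host ("       {0} -> DA DNS servers {1}" -f ($p.Name -join ','), ($p.DirectAccessDNSServers -join ','))
}
$mode = (Get-ItemProperty $dnsPolicy -Name EnableDAForAllNetworks -ErrorAction SilentlyContinue).EnableDAForAllNetworks
Write-Check 'EnableDAForAllNetworks' ($mode -ne 2) ("value = {0} (absent, 0 or 1 is fine; 2 is the problem value)" -f $mode)

# 3. What the client itself reports (the same output quoted in the question).
netsh dnsclient show state
netsh interface teredo show state
netsh interface httpstunnel show interfaces

# 4. External name resolution for the IP-HTTPS listener.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($DaPublicName)
    $list = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
    Write-Check 'Resolve DA FQDN' $true $list
} catch {
    Write-Check 'Resolve DA FQDN' $false $_.Exception.Message
    return
}

# 5. TCP 443 plus a real TLS handshake, then inspect the presented certificate.
#    The callback accepts any chain so the handshake completes; the checks that
#    matter (name, validity, CRL distribution point, online revocation) follow.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DaPublicName, 443)
    Write-Check 'TCP 443' $true 'connected'
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DaPublicName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    Write-Check 'Cert name matches FQDN' ($dnsName -eq $DaPublicName) ("presented name = {0}" -f $dnsName)
    $now = Get-Date
    Write-Check 'Cert validity period' (($now -gt $cert.NotBefore) -and ($now -lt $cert.NotAfter)) ("{0} to {1}" -f $cert.NotBefore, $cert.NotAfter)

    # OID 2.5.29.31 is the CRL Distribution Points extension; a Windows 7 client
    # outside the corporate network must be able to fetch these URLs.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    Write-Check 'CRL distribution point present' ($cdp -ne $null) ($(if ($cdp) { $cdp.Format($true) } else { 'none' }))

    # Let Windows build the chain with an online revocation check, as the client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    Write-Check 'Chain builds with online revocation check' $chainOk ($(if ($chainOk) { 'ok' } else { $status }))
    $ssl.Close()
} catch {
    Write-Check 'TCP 443 / TLS handshake' $false $_.Exception.Message
} finally {
    $tcp.Close()
}
```

A FAIL on the edition check explains the question's "not configured" output on its own: Windows 7 Professional has no DA client to apply the policy to, whatever the registry contains. A FAIL on the chain or CDP check is the publishing problem irweazelwallis describes, and will show up as a status such as RevocationStatusUnknown or OfflineRevocation rather than a connection error.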

ejefferson213 (author) commented:
I guess that's been my problem because indeed, we only use Windows 7 Professional.  I'll test Windows 8 out and let you know the results.  Thank you!
No problem. If you want Windows 7, you will need it to be Enterprise and have some certificate infrastructure set up, but test out with Win8 first.
ejefferson213 (author) commented:
Thank you both for your help.  While I await a Windows 8 machine to test with, I don't want to see this question abandoned so I'll close it out.  I'm confident that the solutions you suggested will solve the issue I'm having.  Thanks once again!!!
Wow, thanks to you all for the solution. I'm practicing for my Windows Server 2012 and I have Windows 8.1 Pro, and I was wondering why the group policy pushed from Server 2012 R2 wasn't going to the client.
Question has a verified solution.