Direct Access has no internet access

    Question

  • Hi all,

    Hopefully some can help me with this issue that I have been struggling with for about a week now.

    I'm new to Direct Access so please bear with me

    I've set up a Server 2012 box and installed the Direct Access role. The server is behind an edge device with 1 NIC.

    I've configured it and can connect up Windows 8.1 tablets successfully, both on the internal network and when connected externally.

    The problem I have is with internet access when they are connected externally and I've tried with Force Tunneling enabled and disabled (ideally for security reasons I'd like it enabled).

    We use a proxy server configured with a wpad file hosted on Server 2003.  This is published via DNS.

    Internet Explorer is configured to Auto Detect Internet Settings

    I can connect to any of our internally hosted websites, and also, strangely enough, our main publicly accessible web site.

    If I don't have Force Tunneling enabled then I get the following behavior

    • I can't use Internet Explorer to connect to any public websites though (google.com, yellowpages.com, etc).
    • I can connect to any website that has the same domain suffix as our domain
    • I can use Firefox and connect to external websites if I say 'Direct Connection to Internet' or 'Use System Settings'

    If I use Force Tunneling then I get the following behavior:

    • The network connection says it is 'limited' and the Direct Access connection says it has 'No Internet Access'
    • I can't use Internet Explorer to connect to any public websites though (google.com, yellowpages.com, etc).
    • I can connect to any website that has the same domain suffix as our domain
    • I can't use Firefox and connect to external websites

    Does anyone know why this would be the case?

    Thanks


    • Edited by Chris2352 Thursday, May 15, 2014 2:27 AM
    Thursday, May 15, 2014 2:26 AM

Answers

  • I have never used Forced Tunneling but the first thing I can think of is an issue with the connection to the proxy server. DA clients cannot access resources by IP address if you work in an IPv4 network, so you need to access resources by DNS name. What do clients receive as a proxy server? Is that a DNS name or an IP address?


    • Proposed as answer by Thomas Vitoz Monday, May 19, 2014 8:43 AM
    • Marked as answer by Chris2352 Wednesday, May 21, 2014 4:02 AM
    Friday, May 16, 2014 11:46 AM

All replies

  • So I thought I'd add an update to this.

    I removed ISATAP from the DNS Global Query Block List but this has made no difference.

    I did some more testing and I'm not sure if this is normal or not.

    When the tablet is connected through Direct Access I can access shared drives and directories, but I can't access shares on the Direct Access Client from another computer. I also cannot ping the Direct Access Client from another computer.

    I jumped on the Direct Access Server and I was able to access the admin share on the Direct Access Client and I was also able to successfully ping the computer as well.

    Is that normal?

    Friday, May 16, 2014 4:42 AM
  • DA clients need the Firewall enabled to get a proper DA configuration, by default there are no rules to allow ICMP to DA clients. So you may need one.

    Also, in an IPv4 network, when you are connected to Direct Access you cannot ping other computers by IP address because the IPsec tunnels rely on IPv6. Use DNS names.

    The DA server will work as a relay server for IPv4 to IPv6 transition on behalf of clients.


    Friday, May 16, 2014 12:02 PM
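The checks the accepted answer and the reply above ask for, as an added example that is not part of the thread: run on a Windows 8.1 DirectAccess client, it reports the tunnel state, the force-tunneling setting, the proxy each NRPT rule hands out (name or IPv4 literal, and whether the name gets an IPv6 answer over the tunnel), the WPAD lookup, and whether any inbound firewall rule allows ICMPv6. It assumes only the built-in DnsClient, DirectAccessClientComponents and NetSecurity cmdlets.

```powershell
# Added diagnostic, not from the thread. Uses only built-in Windows 8.1 cmdlets.

# 1. Tunnel state: ConnectedRemotely means the IPsec tunnels to the DA server are up.
$da = Get-DAConnectionStatus
"DirectAccess status: $($da.Status) ($($da.Substatus))"

# 2. Force tunneling, as pushed by the DA server's client GPO.
"Force tunneling: $((Get-DAClientExperienceConfiguration).ForceTunneling)"

# 3. NRPT rules marked for DirectAccess carry the proxy the client must use for
#    intranet namespaces. On an IPv4-only intranet an IPv4 literal cannot be
#    reached through the tunnels; a DNS name answered via the DA server's DNS64 can.
$ipv4Literal = '^\d{1,3}(\.\d{1,3}){3}$'
foreach ($rule in Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessEnabled }) {
    $ns = $rule.Namespace -join ','
    "Rule $ns -> proxy type: $($rule.DirectAccessProxyType); name: $($rule.DirectAccessProxyName)"
    if (-not $rule.DirectAccessProxyName) { continue }
    $proxyHost = ($rule.DirectAccessProxyName -split ':')[0]   # strip ":port"
    if ($proxyHost -match $ipv4Literal) {
        "  WARNING: proxy is an IPv4 literal; DA clients cannot reach it over the tunnel"
        continue
    }
    $aaaa = Resolve-DnsName -Name $proxyHost -Type AAAA -ErrorAction SilentlyContinue
    if ($aaaa) { "  OK: $proxyHost -> $($aaaa.IPAddress -join ', ')" }
    else       { "  WARNING: no AAAA answer for $proxyHost; is its suffix covered by an NRPT rule?" }
}

# 4. WPAD: 'Auto Detect Settings' looks up wpad.<suffix>. If that name falls outside
#    every NRPT namespace, the query leaves the tunnel and goes to the local resolver.
$suffix = (Get-DnsClientGlobalSetting).SuffixSearchList | Select-Object -First 1
$wpad = Resolve-DnsName -Name "wpad.$suffix" -ErrorAction SilentlyContinue
"wpad.$suffix resolves to: $(if ($wpad) { $wpad.IPAddress -join ', ' } else { 'nothing' })"

# 5. Inbound ICMPv6: the reply above notes DA clients ship with no rule allowing
#    ping from the intranet, which matches the failed pings to the client.
$icmp6 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
         Get-NetFirewallPortFilter | Where-Object Protocol -eq 'ICMPv6'
"Enabled inbound rules allowing ICMPv6: $(@($icmp6).Count)"
```

Run it while connected externally; a proxy reported as an IPv4 literal, or a proxy name with no AAAA answer, is the condition the accepted answer describes.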
  • Thanks for the responses. I managed to get this working by unticking 'Auto Detect Settings' and manually entering the proxy server and port under the 'Proxy Settings' option.

    It means that it doesn't read my wpad file but I can manage this way still through GP.

    Another problem that I've just encountered for no reason that I can see is this.

    I'm connected to my Domain, I pull the LAN cable and then it auto connects me to my wireless network. It used to auto connect me to my Direct Access server but it doesn't anymore; it just says 'connecting'. If I reboot the tablet while on the wireless LAN and then log on with my Domain Credentials it'll connect me through to the Direct Access server.

    Why would it need a reboot? Why has it stopped connecting straight away after detecting I'm no longer on the domain?

    Wednesday, May 21, 2014 4:02 AM