Changing the IP address of Direct Access Server

    Question

  • I need to change the external IP address of my direct access server. What would be the result on the client computers with direct access already installed? Will direct access quit working?

    Server 2012 R2 - Direct Access

    Wednesday, February 05, 2014 1:54 PM

Answers

  • Yes, when you change the external IP, DirectAccess will stop working. You will need to change the IP, then re-run through the DirectAccess configuration wizards (particularly Step 2) and change the information over to use the new IP. This will then update the GPO settings, and the clients will have to receive these new GPO settings before they will be able to connect successfully again.

    So this means you will have to either bring those client machines into the office to get their new GPO settings, or connect them in some other way, like using traditional VPN connectivity (potentially through your same DA server if you have it set up that way).

    It's not hard to cut them over, just a simple "gpupdate /force" will do it, or they'll get the new policy information naturally when they are next connected to the corp network, but if you have clients who are remote 100% of the time and DA is their only connection option, then it can be tricky to get them the new GPO info. This is the main thing you'll want to consider during this cutover.

    • Marked as answer by dirkbucket Thursday, February 06, 2014 2:23 PM
    Thursday, February 06, 2014 2:13 PM

All replies

  • Does this answer apply to environments where only IPHTTPS is used?  Don't IPHTTPS DA Clients just point at a public URL rather than an IP, in which case, can't you just:

    1. Change the IP

    2. Rerun the DA Config wizard

    3. Change the public DNS record so it points to the new IP.

    Or would the DA Clients still need to pitstop to update their GPO settings?

    Many thanks, and nice book by the way Jordan, very useful.

    • Edited by Calliper Tuesday, February 11, 2014 11:23 AM
    Tuesday, February 11, 2014 11:12 AM
  • It does still apply. In the steps you described, the IP-HTTPS tunnel will "swing" successfully over to the new IP address, but you will fail to establish any IPsec tunnels inside that IP-HTTPS tunnel, because the WFAS Connection Security rules that are used to establish IPsec tunnels are all directed at the old IP address. Those rules need to be updated (via the new GPO settings) to point at the new IP. Very good question!

    And thanks for the feedback on the book! Good to know at least one person has read it other than myself ;)

    Tuesday, February 11, 2014 3:30 PM
  • I'm in the same boat as dirk, my external IP address changed last night and this morning I have no-one connected.

    I checked the Step 2 wizard in Remote Access Setup and my external is using my DNS name directaccess.mydomain.com (which has propagated and is showing the correct new IP address) and not an IPv4 address... but no one is able to connect.

    I also scrolled through the GPO and nowhere in there could I find any references to an IPv4 address, just the domain name directaccess.mydomain.com... 

    Any further steps you can think of?

    PS what's the name of your book? :)

    -M

    Friday, February 21, 2014 5:04 PM
  • The address specification is inside the WFAS rules, the Connection Security rules that are used to build the IPsec tunnels. They are actually IPv6 address specifications, not IPv4, which is why you didn't see them. The IPv6 destination addresses they have in the rules are based off the public IPv4 addresses. So when the public IPv4 changes, you need to re-run through Step 2, and then do the "Finish" button so that the updates get pushed to the GPO. Then those new GPO settings need to filter their way down to the client computers so they have the new information in their IPsec connection rules.

    Here is a link to the book: Microsoft DirectAccess Best Practices and Troubleshooting

    Friday, February 21, 2014 7:00 PM
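The reply above says the IPv6 destination addresses in the Connection Security rules are derived from the server's public IPv4 address, which is why a public IP change silently strands the IPsec tunnels even when the IP-HTTPS name still resolves. The following Python is an added illustration, not code from this thread or from Microsoft: it applies the RFC 3056 6to4 mapping (public IPv4 W.X.Y.Z owns 2002:WWXX:YYZZ::/48, which is the mapping DirectAccess uses for its 6to4-derived prefixes) and checks a list of rule destination entries against the server's current public IPv4 to flag the ones still pointing at the old address. The rule entries and both IPv4 addresses are constructed sample values, and the exact shape of the DirectAccess server address under that prefix is an assumption; on a real client the entries would come from the Connection Security rules themselves.

```python
import ipaddress

# RFC 3056: every 6to4-derived IPv6 address lives under 2002::/16 and
# embeds the public IPv4 address in bits 16..47.
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def sixtofour_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056 mapping: public IPv4 W.X.Y.Z owns 2002:WWXX:YYZZ::/48."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    prefix_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def embedded_ipv4(ipv6_entry: str):
    """IPv4 embedded in a 6to4-derived address or prefix, None if not 6to4."""
    net = ipaddress.ip_network(ipv6_entry, strict=False)
    if net.version != 6 or not net.subnet_of(SIXTOFOUR):
        return None
    # IPv6Address.sixtofour extracts the embedded IPv4 for 2002::/16 addresses.
    return net.network_address.sixtofour


def stale_rule_addresses(rule_remote_addresses, current_public_ipv4):
    """Rule entries whose embedded IPv4 no longer matches the server's public IPv4.

    Returns a list of (entry, embedded_ipv4) pairs; an empty list means every
    6to4-derived destination already targets the current public address.
    """
    current = ipaddress.IPv4Address(current_public_ipv4)
    stale = []
    for entry in rule_remote_addresses:
        v4 = embedded_ipv4(entry)
        if v4 is not None and v4 != current:
            stale.append((entry, str(v4)))
    return stale


# Constructed sample values (documentation ranges, not a real deployment).
OLD_PUBLIC_IP = "203.0.113.10"
NEW_PUBLIC_IP = "198.51.100.7"
# Constructed RemoteAddress entries shaped like a DA Connection Security rule
# that was generated while the server still had OLD_PUBLIC_IP. The ":1::"
# sub-prefix for the server address is an assumption for illustration only.
CONSTRUCTED_RULE_ADDRESSES = [
    "2002:cb00:710a:1::1/128",    # server address derived from the old IPv4
    "2002:cb00:710a:2::/64",      # another 6to4-derived prefix from the old IPv4
    "fd3e:4f5a:5b81:7777::/64",   # constructed ULA; not 6to4, so unaffected
]


if __name__ == "__main__":
    print("old prefix:", sixtofour_prefix(OLD_PUBLIC_IP))
    print("new prefix:", sixtofour_prefix(NEW_PUBLIC_IP))
    for entry, v4 in stale_rule_addresses(CONSTRUCTED_RULE_ADDRESSES, NEW_PUBLIC_IP):
        print(f"stale rule destination {entry} (built from {v4})")
```

Run as-is, it shows that the two 6to4-derived entries still embed 203.0.113.10 after the server moves to 198.51.100.7, while the non-6to4 entry is untouched. That is the condition the thread describes: the IP-HTTPS tunnel comes up against the new address, but the IPsec rules inside it keep targeting the old one until refreshed GPO settings reach the client.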
  • Thanks for the quick reply, Jordan. :)

    In the meantime I changed my public DNS record BACK to the original external IP address, it's already propagated, but I'm still not seeing any successful connections... are there any MAC address considerations to take into account as well?

    Before I click & buy the book, is that link an Amazon affiliate link or did you want to change it and double-dip? ;)

    Friday, February 21, 2014 10:03 PM
  • What if I assign both the old and new IPs on my DA Server for a few days (sufficient to apply client policies)? Maybe all clients will find the DA Server. Then I can remove the old IPs.

    Thanks

    Wednesday, April 09, 2014 2:32 PM