DirectAccess - Server 2012 and Win 7/8 Clients Unable to connect

    Question

  • Hi All,
    We've set up DirectAccess on Server 2012, and everything seems to be OK.
    We are able to connect locally but not remotely.
    I believe we have an issue with our certificate, but it seems to be OK.
    What do we need to check if the certificate is running?
    I also tried to browse our DA URL externally, but nothing appears (https://da.domain.com/IPHTTPS)
    Please advise.
    NOTE: Believe it's set up correctly, but no external access.
    Thanks!
    Wednesday, November 06, 2013 3:51 AM

All replies

  • Hi,

    Give us a bit more information about your setup please and how you have it running.

    Also, what do you mean it connects locally? Your PC won't connect through DirectAccess if it is already within the network.

    Where is your DA server located? How many NICs? What options were chosen during setup?

    It may also be a good idea to only set up support for Windows 8 at present as this removes a lot of the complexity - you can then go ahead and add Win7 support once Win8 is up and running.

    Thanks


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    My Blog

    LinkedIn:

    Wednesday, November 06, 2013 6:05 AM
  • Hi

    We have another server that has DA installed. It is also a backup DC. CA is on another server which is a DC as well. We've configured DA based on some of the articles and it appears to be running ok. The server is running on a single NIC.

    I'm not sure, but I believe it is caused by a certificate issue.

    When I tried to run the URL while on the public internet, it doesn't load at all. Even on the DA server, I can't run a website that's on 443.

    Please let me know what else you need, and I'll post it up.

    Cheers

    Wednesday, November 06, 2013 6:33 AM
  • So you are running DA with a single NIC?

    What public DNS entries have you set up?

    What firewall rules are set up?

    The NIC is behind a NAT interface by the sounds of it too.

    Best setup is two NICs - no NAT on public NIC, with HTTPS 443 open on your firewall to public NIC.

    Windows 8 doesn't rely on client certs like Windows 7 does - it's unlikely to be a cert issue as the 2012 DA wizard is pretty clever and will only let you select 'good' certs to use - or generate them automatically.

    Also, DA on a DC - very bad practice - this isn't recommended at all.

    If this is your first DA attempt I would start again afresh - set up one dedicated server for DA - dual NIC, one internal, one public. Register a DNS entry with a public DNS provider for your external NIC - maybe something like directaccess.company.com? Then open your firewall to allow HTTPS 443 connections in to the public NIC.

    The 2012 wizard will guide you through the steps required - if you need further help I can post a guide with screenshots etc on my blog to guide you through these steps.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Wednesday, November 06, 2013 7:27 AM
  • Yes, I understand the whole best practice concept behind it.

    But this is what we wanted, setting this up on a single NIC. Not sure why this isn't working. Maybe we need to get a 3rd party CA.

    Firewall is all configured, tested and works.

    So unsure what's causing it.

    Question: even though it's not best practice to install on a DC, this should work, shouldn't it?

    Thursday, November 07, 2013 12:34 AM
  • Hi,

    I shall reiterate that it’s really not recommended to configure DA on a DC.

    This causes many problems especially DNS issues.

    So I cannot tell you for sure if this works well.

    Please follow the guide on troubleshooting connectivity issues:

    Fixing Connectivity Issues Between the DirectAccess Client and the DirectAccess Server over the Internet

    http://technet.microsoft.com/en-us/library/ee844100(v=ws.10).aspx


    Thursday, November 07, 2013 9:53 AM
    Moderator
  • What did you put in the public IP / DNS name when you went through the wizard?

    The firewall in front of your NIC - what rules have you configured on it?

    Why are you setting up a complex environment which doesn't meet best practices and will cause you issues, rather than a single server environment to get the basics working, then add to it by adding additional servers and NLB etc.?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Thursday, November 07, 2013 3:48 PM
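
The external checks the replies ask about (public DNS entry, firewall rule for 443, the IP-HTTPS certificate), as an added PowerShell example that is not from any poster in the thread. It assumes the public name `da.domain.com` quoted in the question, is run from a machine on the public internet, and uses only .NET classes.

```powershell
# Added example, not from the thread. Run from a machine outside the corporate network.
$DaHost = 'da.domain.com'   # public name quoted in the question; substitute your own
$Port   = 443               # IP-HTTPS listens on TCP 443

# 1. Public DNS: the name must resolve to the public address that forwards to the DA server.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($DaHost)
    "DNS : $DaHost -> $($addrs -join ', ')"
} catch {
    "DNS : $DaHost does not resolve ($($_.Exception.Message))"; return
}

# 2. Firewall/NAT: a plain TCP connect to 443 must succeed before any certificate matters.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($DaHost, $Port); "TCP : port $Port reachable" }
catch { "TCP : port $Port not reachable ($($_.Exception.Message))"; $tcp.Close(); return }

# 3. Certificate: complete the TLS handshake, accepting any certificate for inspection only,
#    and record what normal validation would have reported.
$script:policyErrors = $null
$inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
try {
    $ssl.AuthenticateAsClient($DaHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "TLS : subject    = $($cert.Subject)"
    "TLS : issuer     = $($cert.Issuer)"
    "TLS : valid      = $($cert.NotBefore) to $($cert.NotAfter)"
    # None, RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
    "TLS : validation = $script:policyErrors"
    # CRL distribution points (extension OID 2.5.29.31) must be reachable from the internet
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { "TLS : CRL        = $($cdp.Format($false))" }
    else      { "TLS : CRL        = no distribution point in certificate" }
} catch {
    "TLS : handshake failed ($($_.Exception.Message))"
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

A test machine that is not domain-joined will report `RemoteCertificateChainErrors` for a certificate issued by the internal CA unless that CA's root certificate is installed on it.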