DirectAccess 2012 - Force Tunneling IP-HTTPS: Windows 8 Client Reports No Internet Access, however the DirectAccess tunnel & Internet access is working

    Question

  • Hello Everyone,

    I'm hoping someone who is using Force Tunneling over IP-HTTPS connection in DirectAccess 2012 has come across this issue.

    What I've found is that when Force Tunneling is enabled, Windows 8 DirectAccess clients report "No Internet Access" on their connection state, and the status in the DirectAccess Properties also shows "No Internet Access"; however, the Windows 8 client is able to successfully connect to the Internet as well as intranet resources.

    This issue does not appear to occur on Windows 7. With the same client settings applied to a Windows 7 machine, the network connectivity assistant (2.0) indicates DirectAccess is working properly.

    Force tunneling is a requirement for us as Management wants all end user traffic to be routed over the DirectAccess connection and does not want users to access their local network resources using their corporate issued laptops.

    DirectAccess is currently set up in a single server/single NIC environment behind a firewall. The NLS is running on a separate server.

    Thursday, November 07, 2013 4:03 PM

Answers

  • I was able to resolve this by selecting the DNS option "Use local name resolution for any kind of DNS resolution error (least restrictive)".

    Once I did this, the error message was gone. I am suspecting that there is some sort of record lookup that is failing on the internal DNS servers. I will try to run Wireshark and see if I have time.

    But for now, the error is gone. We are using the 'Force Tunneling' option along with TMG web proxy where we log each user's activity anyways. So even if a user's machine uses local DNS for a lookup, the traffic still flows through the corporate network so we are ok from a compliance perspective. 

    Hope this helps you as well.


    SinghP80

    Friday, November 15, 2013 3:47 PM

All replies

  • Hi,

    Firstly, I recommend you check if there are any related error messages.

    Besides, please make sure that the DA client side is IPv6 aware and that UDP port 3544, UDP port 500 and TCP port 443 are open.

    More information:

    More on DirectAccess Split Tunneling and Force Tunneling

    http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx

    Best regards,

    Susie

    Friday, November 08, 2013 6:37 AM
  • Susie,

    Thanks for your reply. I don't see how opening ports would resolve this issue. The DirectAccess tunnel does come up on the Windows 8 client and the Windows 7 Clients connect just fine with port 443 open. It's just the Windows 8 client reports the wrong status.

    What is the purpose for opening UDP 3544 and UDP 500? I have 6to4 and Teredo disabled in my configuration.

    Wednesday, November 13, 2013 1:37 PM
  • Hello Amardeep,

    I am seeing the exact same issue. Everything is working fine but the status on Windows 8 and (in my case) also on Windows 7 shows "No Internet Access". If someone has any ideas, please advise.

    Thanks,


    SinghP80

    Friday, November 15, 2013 3:20 PM