Question: UAG DirectAccess and RDP

  • Friday, November 06, 2009 10:39 PM, mdriscoll

    I've set up UAG RC0 and gone through the DirectAccess configuration. I have a client using Teredo. It connects to the UAG server and is able to ping resources on the intranet; however, I am unable to browse to UNC paths or use RDP. Does anyone have any troubleshooting advice?

All Replies

  • Sunday, November 08, 2009 2:33 PM, Ben B [MSFT]

    Hi,
    It sounds like the IPsec tunnel doesn't spin up for some reason... try:

    1. Check that you typed in the Domain Controller names on the Infrastructure Servers list tab (IPsec may not come up if the DC can't be accessed for a Kerberos ticket).
    2. Enable IPsec auditing on the client: auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable --> then try and look at the log for the reason for the failures. It could be: a missing certificate on the client/server, PKI trust, you don't use a domain user on the client machine...

    Thanks

    Ben

  • Wednesday, November 11, 2009 6:33 PM, Ben Ari [MSFT, Owner]

    Hi, Mdriscoll.
    You have unmarked Ben B's answer as the answer, which means, I guess, that his suggestion did not help. To continue this thread, please reply to this verbally, and describe the results or lack thereof.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
  • Friday, November 13, 2009 3:21 AM, mdriscoll

    I did not realise there was a time limit on postings. I've been out of the office and unable to attempt Ben B's suggestions. I will do so as soon as I can.
  • Friday, November 13, 2009 5:32 PM, mdriscoll

    I added 3 of my DCs to the Infrastructure Servers list and verified that those changes propagated to my client. That didn't help. Next I enabled IPsec auditing on the client and I see some failures:

    Local Endpoint:
    Principal Name: domain username
    Network Address: 2001:0:x:x:x:x:x:x
    Keying Module Port: 500

    Remote Endpoint:
    Principal Name: host/uag server fqdn
    Network Address: 2002:x:x::x:x
    Keying Module Port: 500

    Additional Information:
    Keying Module Name: AuthIP
    Authentication Method: Kerberos
    Role: Initiator
    Impersonation State: Enabled
    Quick Mode Filter ID: 149423
    Failure Information:
    Failure Point: Local computer
    Failure Reason: IKE authentication credentials are unacceptable
    State: Sent second (SSPI) payload
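Scripting Ben B's two checks from the client, as an added example that is not code from anyone in this thread: it tests whether each Infrastructure Servers entry resolves to an IPv6 address and answers on the Kerberos port, enables the same two audit subcategories with auditpol, and then pulls the IPsec negotiation failures out of the Security log and extracts the same fields mdriscoll pasted above (Keying Module Name, Authentication Method, Failure Point, Failure Reason, State), so the reason does not have to be read out of each event by hand. The DC names are assumptions; replace them with the names entered on the UAG Infrastructure Servers tab. Written in PowerShell 2.0 syntax so it runs on a Windows 7 DirectAccess client from an elevated prompt.

```powershell
<#
  Added example, not code from the thread. Runs Ben B's checks on a DirectAccess
  client and lists IPsec negotiation failures from the Security log.
  PowerShell 2.0 syntax (Windows 7); run from an elevated prompt.
  The DC names below are assumptions: use the ones on the UAG Infrastructure
  Servers tab.
#>

$InfrastructureServers = @('dc1.contoso.com', 'dc2.contoso.com')   # assumption

# Check 1: does each DC name resolve to an IPv6 address, and can the client open
# TCP 88 (Kerberos) to it? A DirectAccess client reaches the intranet over IPv6
# only, so a name that resolves to IPv4 alone, or a filtered port 88, means no
# ticket for the IPsec negotiation that authenticates the user.
function Test-DirectAccessKerberosPath {
    param([string[]]$Servers, [int]$Port = 88, [int]$TimeoutMs = 3000)
    foreach ($server in $Servers) {
        $addrs = @()
        try { $addrs = [System.Net.Dns]::GetHostAddresses($server) } catch { }
        $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
        if ($v6.Count -eq 0) {
            New-Object PSObject -Property @{ Server = $server; IPv6Address = '(none)'; Port88Open = $false }
            continue
        }
        foreach ($addr in $v6) {
            $tcp  = New-Object System.Net.Sockets.TcpClient([System.Net.Sockets.AddressFamily]::InterNetworkV6)
            $open = $false
            try {
                $ar   = $tcp.BeginConnect($addr, $Port, $null, $null)
                $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $tcp.Connected
            } catch { } finally { $tcp.Close() }
            New-Object PSObject -Property @{ Server = $server; IPv6Address = $addr.IPAddressToString; Port88Open = $open }
        }
    }
}

# Check 2: Ben B's auditpol command. auditpol takes a comma-separated list of
# subcategories; both sit under the Logon/Logoff category, which is printed back
# afterwards so you can confirm the setting took.
function Enable-IPsecAuditing {
    & auditpol.exe /set /subcategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE (is the prompt elevated?)" }
    & auditpol.exe /get /category:"Logon/Logoff"
}

# Pull one "Name: value" line out of an audit event's message text. Anchored at
# line start so 'State' does not also match 'Impersonation State'; Principal Name
# and Network Address appear twice (local, then remote endpoint), hence the
# occurrence argument.
function Get-EventField([string]$Text, [string]$Name, [int]$Occurrence = 1) {
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.*?)\s*$'
    $found   = [regex]::Matches($Text, $pattern)
    if ($found.Count -ge $Occurrence) { $found[$Occurrence - 1].Groups[1].Value } else { $null }
}

# Check 3: after reproducing the failure, list what the new audit setting wrote.
# 4652/4653 are "IPsec Main Mode negotiation failed", 4983/4984 are
# "IPsec Extended Mode negotiation failed".
function Get-IPsecNegotiationFailure {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4983, 4984; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            New-Object PSObject -Property @{
                Time            = $_.TimeCreated
                EventId         = $_.Id
                KeyingModule    = Get-EventField $m 'Keying Module Name'
                AuthMethod      = Get-EventField $m 'Authentication Method'
                LocalPrincipal  = Get-EventField $m 'Principal Name' 1
                RemotePrincipal = Get-EventField $m 'Principal Name' 2
                RemoteAddress   = Get-EventField $m 'Network Address' 2
                FailurePoint    = Get-EventField $m 'Failure Point'
                FailureReason   = Get-EventField $m 'Failure Reason'
                State           = Get-EventField $m 'State'
            }
        } |
        Select-Object Time, EventId, KeyingModule, AuthMethod, LocalPrincipal, RemotePrincipal, RemoteAddress, FailurePoint, FailureReason, State |
        Sort-Object Time
}

Test-DirectAccessKerberosPath -Servers $InfrastructureServers | Format-Table -AutoSize
Enable-IPsecAuditing
Write-Host 'Now reproduce the failure (open a UNC path or RDP to an intranet host), then run:'
Write-Host '  Get-IPsecNegotiationFailure | Format-List'
```

The first check only tells you whether the client can reach a DC at all over IPv6; a reachable DC with a Failure Reason such as the one above still points at the credentials being offered (user, certificate or trust), which is what the extracted AuthMethod, FailurePoint and State columns are there to show side by side across several attempts.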