DA 2012, working, but no info in Remote Client Status on Server

    Question

  • Hiya,

    For Windows 7 I have DA working on a Server 2012. Single NIC config, NAT'd out.

    When the server is up it all works fine, and 'netsh interface https tunnel show interfaces' shows the Win7 client is connected; with full domain connectivity.

    However.

    No clients Appear in the 'Remote Client Status'  on the server.

    No machine certificate has been issued to the client computer (so it's just using NTLM?)

    The Security Associations on the client's firewall page show no tunnels.

    When I turn off the server I lose DA on the client. Can someone tell me why I cannot monitor the user sessions and why it is working without a machine certificate please; I have searched around a lot and I just cannot make sense of this!

    Thanks,

    Leon.


    :-)

    Wednesday, November 28, 2012 16:54

Answers

  • IP-HTTPS connecting successfully doesn't have anything to do with the IPsec tunnels, you can connect that without a valid certificate. But until the IPsec tunnels build inside the transition (IP-HTTPS in this case) tunnel, no packets except for ICMP should be able to flow. Pings flow outside of IPsec, so if your testing is only ping it still doesn't necessarily mean DA is functional. Can you browse file shares and RDP into servers?

    The new single interface config definitely works differently, but Windows 7 clients still need a certificate to validate the IPsec tunnels. If you were running a Windows 8 client, then this would make more sense as they can use the new Kerberos Proxy feature to authenticate directly against AD without needing to establish an IPsec tunnel for that communication. This feature is only for Win8 though, not Win7.

    What do you mean by "NLS works"? I would be interested in seeing a DirectAccess Connectivity Assistant log file if you have time to generate one and send it my way.

    jordan.krause@ivonetworks.com

    • Marked as answer by Leon_Cambs Thursday, November 29, 2012 18:49
    Wednesday, November 28, 2012 20:39
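The reply above separates two layers that are easy to confuse: the IP-HTTPS transition tunnel, which comes up without a machine certificate, and the IPsec security associations inside it, which are the actual DirectAccess tunnels. The following script is an added diagnostic example, not code from this thread or from Microsoft. It runs on a DirectAccess client (Windows 7 or later, elevated prompt) and reports both layers plus the NRPT effective policy the poster mentions. The netsh contexts exist on Windows 7 and later; the strings matched in their output are assumptions based on the English netsh text, so adjust them for other locales.

```powershell
# Added diagnostic example, not code from the thread or from Microsoft.
# Run in an elevated PowerShell prompt on a DirectAccess client (Windows 7
# or later). PowerShell 2.0 syntax only, so it works on Windows 7.
# Assumed output strings: 'interface active', 'Local IP Address',
# 'certification authority'.

function Get-DAClientTunnelState {
    # Outer layer: is the IP-HTTPS transition interface up?
    $httpsOut    = (netsh interface httpstunnel show interfaces 2>&1) -join "`n"
    $httpsActive = [bool]($httpsOut -match 'interface active')

    # Inner layer: main-mode and quick-mode IPsec SAs on this host.
    # Each SA entry in the netsh output carries a 'Local IP Address' line.
    $mmOut   = (netsh advfirewall monitor show mmsa 2>&1) -join "`n"
    $qmOut   = (netsh advfirewall monitor show qmsa 2>&1) -join "`n"
    $mmCount = [regex]::Matches($mmOut, 'Local IP Address').Count
    $qmCount = [regex]::Matches($qmOut, 'Local IP Address').Count

    # NRPT: does the effective policy list a certification authority for the
    # DirectAccess rules? (the poster saw none here)
    $nrptOut   = (netsh namespace show effectivepolicy 2>&1) -join "`n"
    $nrptHasCA = [bool]($nrptOut -match '(?i)certification authority')

    $state = New-Object PSObject -Property @{
        IpHttpsActive     = $httpsActive
        MainModeSACount   = $mmCount
        QuickModeSACount  = $qmCount
        NrptHasDACertAuth = $nrptHasCA
    }

    # Interpretation: IP-HTTPS up with zero SAs is the situation in the
    # thread - traffic may flow, but it is not protected by IPsec.
    if ($httpsActive -and $mmCount -eq 0 -and $qmCount -eq 0) {
        $verdict = 'IP-HTTPS up but no IPsec SAs: DirectAccess tunnels are not established'
    } elseif ($httpsActive) {
        $verdict = 'IP-HTTPS up and IPsec SAs present'
    } else {
        $verdict = 'IP-HTTPS interface not active'
    }
    $state | Add-Member NoteProperty Verdict $verdict
    return $state
}

Get-DAClientTunnelState | Format-List
```

If the verdict is the first one, the "full domain connectivity" seen on the client is reaching the intranet without an IPsec tunnel, which is the condition the poster later describes as a security hole; the SA counts should be non-zero on a healthy Windows 7 client with a valid machine certificate.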

All replies

  • Based on everything I know about DA, it is impossible for a Windows 7 client to establish the DirectAccess IPsec tunnels without a machine certificate. Your firewall showing no SAs confirms this: the tunnels do not exist. How did you test to determine that connectivity is working? Is it possible you have split-brain DNS and that you are actually accessing externally facing things during your testing? No SAs means no DirectAccess...
    Wednesday, November 28, 2012 19:40
  • I know, it's weird for sure. The IPHTTPS shows an active connection; I can access all domain services and IPv4 servers respond on IPv6. The client's DNS is on a typical ADSL public circuit.

    If I take down or remove the DA config on the server, all functionality stops.  The lack of SA and tunnel reporting scares me the most as I built the server for PoC (I know DA pretty well as I have built 2008/UAG2007 DA in the past).

    In NETSH NAMESPACE SHOW EFFECTIVE POLICY no CA for the NLS or Domain shows up either, though the NLS works (as netsh dns show state works) and DA seems to function. I have a gut feeling that single interface/tunnel is not working how we are used to with the old dual consecutive IPs / tunnels and it's using some new magic to work?


    :-)

    Wednesday, November 28, 2012 20:28
  • Another weird one: the client's firewall, even though set up via DA GPO only, you can see is set to 'off' and you cannot make changes as it's controlled via GPO. In my exp, the firewall should be forced on via GPO.

    I don't want to issue a machine cert and see if the SA starts to work, I want to understand 1st why it is working w/o a machine cert. If there are any dumps / SS I can give you to help me diagnose this crazy thing?


    :-)

    Wednesday, November 28, 2012 20:35
  • Oh, I mean NLS works on the inside just fine, but on NETSH NAME SHOW EFFECTIVE no certs are listed for NLS or domain either.

    I have sent you the logs as requested :)

    ps. the corp ipv4 network range is 172.19.*


    :-)


    • Edited by Leon_Cambs Thursday, November 29, 2012 10:31
    Thursday, November 29, 2012 10:29
  • I can get full connectivity over IPv6 to all domain resources; DFS, email, file shares, intranet etc. As soon as I shut down the DA server it all goes; IPv4 over IPv6 is working too.

    I am behind a NAT firewall and I’ve checked the config many times, the traffic is only going over port 443 (I am using the hosts file to spoof DNS!).

    The machine was set up as part of a cluster, but as VMware needs a static ARP route to multicast, the cluster threw a wobbly without one, so I ripped the cluster out via the NLB icon using the start menu as I only had about 30 secs before the server would die and could not boot up the Remote Access screen in time to remove the cluster configuration; this probably caused issues even after I re-commissioned it as a single server DA solution. I suspect the DA routing side of it was still working just fine on the NIC when it was clustered (NIC, not the virtual IP DIP) and this routing process got left behind when I ripped out the cluster (as I suspect the DIP would handle the security). When I re-commissioned the server as standalone, it probably used the old non-gracefully removed cluster DA routing that got left behind to route unencrypted NTLM traffic over the IP-HTTPS.

    I am really happy that I found this bug, as if I had tested with a machine certificate the 1st time, then I potentially would have commissioned a ‘healthy’ system with a big security hole in it.

    :-)

    Thursday, November 29, 2012 18:24
  • I have set up a standalone DA2012 server; both Win7 and Win8 clients connect successfully. But no client shows in Remote Client Status. Any suggestion?

    Regards

    Sunday, May 5, 2013 01:45
  • I have the same situation. 2012 DA server running on VMware. Single NIC setup using IP-HTTPS. Windows 7 clients work using the DA server only if the server firewall domain profile is off and the laptop's firewall profile home is off (wifi hookup). I know I should be seeing clients on the remote access policy dashboard but they aren't there. From what I have read, having the firewall domain profile turned off on the server causes the SAs to not show up. I have built this setup 4 different times using the Microsoft recommended settings and it never works unless the domain profile is off on the server firewall. Everything seems to work and very well also. Just don't see clients in the remote access console.

    Any suggestions?


    Friday, September 13, 2013 19:32
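The post above only gets clients working with the server's Domain firewall profile off, and then sees neither SAs nor entries in Remote Client Status. The following script is an added server-side check, not code from this thread or from Microsoft. It runs in an elevated PowerShell prompt on the DirectAccess server (Windows Server 2012) and reports the Domain profile state, the component health the Operations Status page is built from, and the connections the server itself knows about, which is what Remote Client Status displays. The cmdlets are from the RemoteAccess and NetSecurity modules that ship with Server 2012; the property names `HealthState` and `Component` used on the health objects are assumptions.

```powershell
# Added example, not code from the thread or from Microsoft. Run in an
# elevated PowerShell prompt on the DirectAccess server (Windows Server 2012).
# Assumed property names on Get-RemoteAccessHealth output: Component, HealthState.

Import-Module RemoteAccess
Import-Module NetSecurity

function Test-DAServerState {
    # 1. Windows Firewall, Domain profile. DirectAccess applies its IPsec
    #    connection security rules through Windows Firewall, so a disabled
    #    profile is a finding in itself, whatever the clients appear to do.
    $domain     = Get-NetFirewallProfile -Name Domain
    $firewallOk = ("$($domain.Enabled)" -eq 'True')

    # 2. Component health as the Operations Status page sees it.
    $unhealthy = @(Get-RemoteAccessHealth |
        Where-Object { $_.HealthState -ne 'OK' -and $_.HealthState -ne 'Disabled' })

    # 3. Connections the server currently tracks (Remote Client Status data).
    $connections = @(Get-RemoteAccessConnectionStatistics)

    $report = New-Object PSObject -Property @{
        DomainProfileEnabled = $firewallOk
        UnhealthyComponents  = @($unhealthy | ForEach-Object { $_.Component })
        ConnectedClientCount = $connections.Count
    }

    if (-not $firewallOk) {
        Write-Warning 'Domain firewall profile is off: DA IPsec rules cannot be enforced and Remote Client Status will stay empty.'
    }
    if ($connections.Count -eq 0) {
        Write-Warning 'Server reports no connected clients; verify IPsec SAs on a client before treating its access as DirectAccess.'
    }
    return $report
}

Test-DAServerState | Format-List
```

A server that reports `DomainProfileEnabled = False` together with `ConnectedClientCount = 0` while clients still reach intranet resources matches the symptom described in the thread: whatever path the traffic is taking, it is not the IPsec-protected DirectAccess tunnel the server accounts for.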
  • I know this doesn't help with your specific situation, but in my eyes the single-NIC implementation is really only useful for a quick setup proof-of-concept or testing environment. For a real DA production environment, you should stick with recommended methods and use a two-NIC install. In the two-NIC install, you would definitely have the Domain profile active on your internal NIC. I have done tons of installs like this and have never experienced the strange behavior you are seeing with clients working but not showing up. Maybe it is some kind of bug with the single-NIC implementation but I believe it's better to stay away from that anyway.
    Monday, September 16, 2013 15:11