I have DirectAccess working except for IP-HTTPS

    Question

  • Hi,

    I have set up DirectAccess in our environment, and it is working just fine with Teredo.
    If I disable Teredo so IP-HTTPS is active I cannot get connection to the DA server.

    If I run the "netsh interface httpstunnel show interfaces" command on the server and the client I will get the following results:

    This is the output from the command on the server:

    Interface IPHTTPSInterface Parameters
    ------------------------------------------------------------
    Role                                 : server
    URL                                  : https://DA1.domain.net:443/IPHTTPS
    Client authentication mode : certificates
    Last Error Code                 : 0x0 
    Interface Status                : IPHTTPS interface active

    And from the client:

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://DA1.domain.net:443/IPHTTPS
    Last Error Code       : 0x2afc
    Interface Status       : failed to connect to the IPHTTPS server. Waiting to reconnect


    I cannot open the URL in a browser. Should I be able to do that?
    Thomas Forsmark Soerensen
    Thursday, August 27, 2009 1:03 PM

Answers

  • Hi Joe,

    Problem solved. I reinstalled my DA server and now everything is working.
    My old DA server was an RC upgraded to a 7168 and again updated to an RTM.
    After I installed a new clean RTM DA Server I can connect to the DA server with Teredo and with IPHTTPS :-)

    Thanks for your help.
    Thomas Forsmark Soerensen
    Sunday, August 30, 2009 10:24 PM

All replies

  • In my testing, you should get an HTTP 403 error when trying to access the IP-HTTPS server URL.

    Do you also get a "There is a problem with this website's security certificate"?

    Verify that the correct certificate was chosen in Step 2 of the DirectAccess Setup Wizard. Also verify that you can view the CRL distribution point in the selected certificate from Internet Explorer while on the Internet. For the test lab configuration, this URL is http://crl.contoso.com/crld.
    Thursday, August 27, 2009 5:44 PM
  • Hi Joe,

    This thing is driving me crazy.
    If I go to the URL I only get this error message:

    This problem can be caused by a variety of issues, including:
    • Internet connectivity has been lost.
    • The website is temporarily unavailable.
    • The Domain Name Server (DNS) is not reachable.
    • The Domain Name Server (DNS) does not have a listing for the website's domain.
    • There might be a typing error in the address.
    • If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

     

    For offline users

    You can still view subscribed feeds and some recently viewed webpages.
    To view subscribed feeds

    1. Click the Favorites Center button , click Feeds, and then click the feed you want to view.

     

    To view recently visited webpages (might not work on all pages)

    1. Click Tools , and then click Work Offline.
    2. Click the Favorites Center button , click History, and then click the page you want to view.

    I have tried to disable friendly HTTP error messaging in IE, but that will not change anything.

    Should there be an IPHTTPS virtual directory or site in the IIS on the DA server? Should there be a certificate configured for SSL connections to the IIS?

    I can access the crl.mydomain.com/crld and will see 3 files there.
    The correct certificate is chosen in step 2.

    Any more suggestions?


    Thomas Forsmark Soerensen
    Thursday, August 27, 2009 9:29 PM
  • From your client, type ipconfig /all and provide the output. 

    Can you also verify that nothing is blocking port 443 between the client and the server?

    Friday, August 28, 2009 1:48 AM
  • Hi Sean,

    IPCONFIG /ALL with teredo enabled:

    -------------------------------------------------


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : PC
       Primary Dns Suffix  . . . . . . . : domain.net
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.net

    Ethernet adapter LAN-forbindelse 2:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Ericsson F3507g Mobile Broadband Minicard Network Adapter
       Physical Address. . . . . . . . . : 02-80-37-EC-02-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Trådløs netværksforbindelse:

       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5300 AGN
       Physical Address. . . . . . . . . : 00-21-6A-13-79-6C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::b007:2e68:7fc7:5a3e%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.109(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 26. august 2009 17:11:53
       Lease Expires . . . . . . . . . . : 29. august 2009 10:01:30
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 218112362
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0E-61-4F-00-1C-25-9F-DD-F5
       DNS Servers . . . . . . . . . . . : 193.162.153.164
                                           194.239.134.83
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter LAN-forbindelse:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-1C-25-9F-DD-F5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.domain.net:

       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.109%19(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 193.162.153.164
                                           194.239.134.83
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{9D7BE636-1123-4016-8721-27B10DC8D0B6}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter LAN-forbindelse* 9:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:d482:117:36:698:aca1:4ea6(Preferred)
       Link-local IPv6 Address . . . . . : fe80::36:698:aca1:4ea6%37(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    ------------------

    IPCONFIG /ALL with Teredo disabled:

    ---------------------------


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Forsmark-PC
       Primary Dns Suffix  . . . . . . . : domain.net
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.net

    Ethernet adapter LAN-forbindelse 2:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Ericsson F3507g Mobile Broadband Minicard Network Adapter
       Physical Address. . . . . . . . . : 02-80-37-EC-02-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Trådløs netværksforbindelse:

       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5300 AGN
       Physical Address. . . . . . . . . : 00-21-6A-13-79-6C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::b007:2e68:7fc7:5a3e%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.109(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 26. august 2009 17:11:53
       Lease Expires . . . . . . . . . . : 29. august 2009 10:01:30
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 218112362
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0E-61-4F-00-1C-25-9F-DD-F5
       DNS Servers . . . . . . . . . . . : 193.162.153.164
                                           194.239.134.83
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter LAN-forbindelse:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-1C-25-9F-DD-F5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.domain.net:

       Connection-specific DNS Suffix  . : domain.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.109%19(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 193.162.153.164
                                           194.239.134.83
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{9D7BE636-1123-4016-8721-27B10DC8D0B6}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    ----

    I cannot see that port 443 should be blocked.

    As I asked before.. should there not be an IPHTTPS virtual directory or site in the IIS on the DA server?


    Thomas Forsmark Soerensen
    Friday, August 28, 2009 11:35 AM
  • > Should there be an IPHTTPS virtual directory or site in the IIS on the DA server? Should there be a certificate configured for SSL connections to the IIS?

    No. There is no need for an IPHTTPS virtual directory on the site. Therefore, there is no need for a certificate binding for port 443 in IIS.

    The DirectAccess server can be an IP-HTTPS server with IIS installed. We install IIS in the test lab so that the DirectAccess server can host the Web site for the CRL distribution list.
    Friday, August 28, 2009 3:47 PM
  • Hi Joe,

    Thanks for clearing that up.

    How can I debug my IP-HTTPS problem?
    Thomas Forsmark Soerensen
    Saturday, August 29, 2009 6:47 AM
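
An added example, not part of the thread or of any Microsoft tooling: a small Python helper that parses `netsh interface httpstunnel show interfaces` output like that posted in the question and maps the Last Error Code to its symbolic Windows name, so a value such as the client's 0x2afc can be tied to one of the checks discussed above (name resolution, port 443, certificate, CRL). The code table holds standard Winsock/CryptoAPI values; the function names and the "check next" labels are assumptions of this example.

```python
from urllib.parse import urlsplit

# Standard Winsock/CryptoAPI codes; the "check next" label is this example's own mapping.
KNOWN_CODES = {
    0x0:        ("ERROR_SUCCESS", "none"),
    0x274C:     ("WSAETIMEDOUT", "port 443 path"),
    0x274D:     ("WSAECONNREFUSED", "port 443 path"),
    0x2AF9:     ("WSAHOST_NOT_FOUND", "name resolution"),
    0x2AFC:     ("WSANO_DATA", "name resolution"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "certificate"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "CRL distribution point"),
}

def parse_interfaces(text):
    """Split netsh output into one dict of fields per interface block."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface ") and line.endswith("Parameters"):
            blocks.append({})                 # header line starts a new block
        elif blocks and ":" in line:
            key, value = line.split(":", 1)   # split once: URLs contain ':'
            blocks[-1][key.strip().lower()] = value.strip()
    return blocks

def triage(block):
    """Return (role, host from URL, symbolic error name, area to check next)."""
    code = int(block.get("last error code", "0x0"), 16)
    name, area = KNOWN_CODES.get(code, ("unknown", "look up the code"))
    host = urlsplit(block.get("url", "")).hostname
    return block.get("role"), host, name, area

# Sample input constructed from the server and client output in the question.
SAMPLE = """\
Interface IPHTTPSInterface Parameters
Role                                 : server
URL                                  : https://DA1.domain.net:443/IPHTTPS
Last Error Code                 : 0x0
Interface Status                : IPHTTPS interface active
Interface IPHTTPSInterface (Group Policy)  Parameters
Role                       : client
URL                        : https://DA1.domain.net:443/IPHTTPS
Last Error Code       : 0x2afc
Interface Status       : failed to connect to the IPHTTPS server. Waiting to reconnect
"""

if __name__ == "__main__":
    for b in parse_interfaces(SAMPLE):
        print(triage(b))
```
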