Direct Access clients unable to access shares in branch offices, but can ping and rdp without a problem.

Question

  • At our head office we use Microsoft UAG with SP1 and have been using Direct Access for a while now.  We just recently set some users at the remote branch offices up with Direct Access clients. The branch offices are connected to the head office via a hardware VPN, so the idea was that they would come in using Direct Access and then be routed over the internal hardware VPN to access their shares at the branch office.

    It appears to work to a certain point.  I can ping the servers at the remote branch offices and rdp into them, but for some reason I am unable to access shares.  When I go into the TMG part and use the logging options to view the firewall traffic it shows the errors below.  I don't see any errors on the file server I am trying to access about it blocking the share connection attempt, and the end file servers don't have any firewall running.  I am able to access shares on servers in the head office with no problem at all and, as I said, this has been working for some time.  Is it something to do with the DA traffic going across the hardware VPN between the firewall/router at the head office and the firewall/router at the branch office that messes it up, and if so, why only for accessing shares?

    Publishing Rule::TCP445 Failed Connection Attempt

    Log type: Firewall service
    Status: No connection could be made because the target machine actively refused it.
    Rule: DirectAccess Allow NATPT

    Source: External (2001:0:18cf:6ba:877:153e:3027:ee2a:56202)

    Destination: Internal (172.16.0.3:445)
    Protocol: PublishingRule::Tcp445
    Additional information
    • Number of bytes sent: 0 Number of bytes received: 0
    • Processing time: 985ms Original Client IP: 2001:0:18cf:6ba:877:153e:3027:ee2a

    Same for HTTP

    Failed Connection Attempt SPIDER 4/7/2011 9:41:49 PM
    Log type: Firewall service
    Status: No connection could be made because the target machine actively refused it.
    Rule: DirectAccess Allow NATPT
    Source: External (2001:0:18cf:6ba:877:153e:3027:ee2a:56213)
    Destination: Internal (172.16.0.3:80)
    Protocol: HTTP
    Additional information
    • Number of bytes sent: 0 Number of bytes received: 0
    • Processing time: 1235ms Original Client IP: 2001:0:18cf:6ba:877:153e:3027:ee2a
    Friday, April 8, 2011 5:00 AM

Answers

  • Problem has now been resolved.  Turns out the hardware we use for the VPN tunnels from the head office to the branch offices was blocking the 445 traffic as part of a default rule.  Removed 445 from the block rule and it now works as expected.
    • Marked as answer by Dan.Morris Friday, April 8, 2011 6:01 AM
    Friday, April 8, 2011 6:00 AM
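The TMG records quoted in the question carry the one detail that points at the answer: the status text "actively refused" is Winsock's WSAECONNREFUSED, meaning TMG's translated IPv4 connection toward 172.16.0.3 got a TCP RST back. A RST can come from the target host (nothing listening) or from any device on the path that rejects rather than silently drops, which is exactly what the VPN appliance's default rule was doing here. A timeout status, by contrast, points at a silent drop or a routing problem. The script below is an added example, not part of the original thread or of TMG: it parses Firewall-service "Failed Connection Attempt" records in the format shown above, classifies each failure as refused or dropped, and groups the counts by rule, destination address and port so they can be compared against the tunnel ACL. The sample log is constructed from the two records in the question (same addresses, ports, rule and status text), with a third, invented timeout record added so both classes appear; the first record's timestamp is also invented, since the original had none.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: records 1 and 2 reproduce the question's TMG entries,
# record 3 (timeout status, 9:42:05) is invented to exercise the "dropped" class.
SAMPLE_LOG = """\
Failed Connection Attempt SPIDER 4/7/2011 9:41:20 PM
Log type: Firewall service
Status: No connection could be made because the target machine actively refused it.
Rule: DirectAccess Allow NATPT
Source: External (2001:0:18cf:6ba:877:153e:3027:ee2a:56202)
Destination: Internal (172.16.0.3:445)
Protocol: PublishingRule::Tcp445
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 985ms Original Client IP: 2001:0:18cf:6ba:877:153e:3027:ee2a
Failed Connection Attempt SPIDER 4/7/2011 9:41:49 PM
Log type: Firewall service
Status: No connection could be made because the target machine actively refused it.
Rule: DirectAccess Allow NATPT
Source: External (2001:0:18cf:6ba:877:153e:3027:ee2a:56213)
Destination: Internal (172.16.0.3:80)
Protocol: HTTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 1235ms Original Client IP: 2001:0:18cf:6ba:877:153e:3027:ee2a
Failed Connection Attempt SPIDER 4/7/2011 9:42:05 PM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: DirectAccess Allow NATPT
Source: External (2001:0:18cf:6ba:877:153e:3027:ee2a:56220)
Destination: Internal (172.16.0.3:445)
Protocol: PublishingRule::Tcp445
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: 2001:0:18cf:6ba:877:153e:3027:ee2a
"""

HEADER = "Failed Connection Attempt"
# "Source: External (<addr>:<port>)" -- the address may be IPv6, so the port is
# whatever follows the LAST colon inside the parentheses (greedy .+ handles that).
ENDPOINT_RE = re.compile(r"^(Source|Destination):\s*\w+\s*\((.+):(\d+)\)\s*$", re.M)
FIELD_RE = re.compile(r"^(Status|Rule|Protocol):\s*(.+?)\s*$", re.M)
CLIENT_RE = re.compile(r"Original Client IP:\s*(\S+)")


def split_records(text):
    """Split the log into one text block per 'Failed Connection Attempt' header."""
    records, current = [], []
    for line in text.splitlines():
        if HEADER in line and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(block):
    """Extract status, rule, protocol, both endpoints and the original DA client."""
    rec = {m.group(1).lower(): m.group(2) for m in FIELD_RE.finditer(block)}
    for m in ENDPOINT_RE.finditer(block):
        side = m.group(1).lower()
        rec[side + "_ip"] = m.group(2)
        rec[side + "_port"] = int(m.group(3))
    m = CLIENT_RE.search(block)
    rec["client_ip"] = m.group(1) if m else None
    return rec


def classify(status):
    """Map the Winsock status text to what it says about the path."""
    s = status.lower()
    if "actively refused" in s:
        return "refused"   # a TCP RST came back: something on the path answered "no"
    if "did not properly respond" in s or "timed out" in s:
        return "dropped"   # no answer at all: silent filter or routing black hole
    return "other"


def summarize(text):
    """Return {(rule, dest_ip, dest_port): Counter(refused/dropped/other)}."""
    summary = defaultdict(Counter)
    for block in split_records(text):
        rec = parse_record(block)
        if "destination_ip" not in rec:     # skip blocks missing an endpoint line
            continue
        key = (rec.get("rule", "?"), rec["destination_ip"], rec["destination_port"])
        summary[key][classify(rec.get("status", ""))] += 1
    return dict(summary)


if __name__ == "__main__":
    for (rule, ip, port), counts in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rule:28} {ip}:{port:<5} " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
```

Read the output per destination port: a port that shows only "refused" while the same host answers ping and RDP is the signature of a reject rule somewhere between TMG and the server, which is what the accepted answer found on the VPN hardware for 445.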