DirectAccess Connectivity Assistant DTE Tunnel Settings

  • Question

  • I am trying to setup the DirectAccess Connectivity Assistant per the Solution Accelerator "Deploying, Managing, and Using the Microsoft DirectAccess Connectivity Assistant".

    Does anyone know where to find the DTE Tunnel IPv6 Addresses?

    DTE

    Type: A collection of IPv6 addresses that each identify a DirectAccess server.

    Default: None

    Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the user tunnel. You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address, for example: PING:2001:3039::0001.

    Important

    If your DirectAccess configuration uses the Full Intranet Access or Selected Server Access models, where IPsec tunnel mode is used to connect to the DirectAccess infrastructure servers, and a separate IPsec transport mode tunnel is used to access shared resources that are required by the user, configuring one or more servers in the DTE setting is required.

    Thursday, February 25, 2010 8:01 PM

Answers

  • These are the IPv6 addresses bound to the external interface of the DA Server (or UAG).

    Do a netsh advfirewall monitor show mmsa on a DA client and look at the 'Remote IP Address' values to determine the DTEs.

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    • Marked as answer by NathanN Monday, March 1, 2010 8:22 PM
    Sunday, February 28, 2010 12:04 AM
    Moderator

All replies

  • It is the address your IPsec tunnels terminate at.
    Saturday, February 27, 2010 9:57 AM
  • The IP addresses for the DTE should also appear in the Connection Security Rules.

    HTH,
    Tom
    Monday, March 1, 2010 12:56 PM
  • Thanks for the info Jason....

    Here is a sterilized output just for documentation purposes, using the
    netsh advfirewall monitor show mmsa command.

    DTEs are in bold below.

    Main Mode SA at 03/01/2010 14:19:58
    ----------------------------------------------------------------------
    Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
    Remote IP Address:                    2002:1122:3355::1122:3355
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          1cbfa87cf25f4e0e:1e9f969cc6590d6a
    Health Cert:                          No

    Main Mode SA at 03/01/2010 14:19:58
    ----------------------------------------------------------------------
    Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
    Remote IP Address:                    2002:1122:3355::1122:3355
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          6fe5434eaf1664d3:73a42501b324bd02
    Health Cert:                          No

    Main Mode SA at 03/01/2010 14:19:58
    ----------------------------------------------------------------------
    Local IP Address:                     2001:0:d893:b568:3c8b:3fb8:e78b:2ee
    Remote IP Address:                    2002:1122:3355::1122:3355
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          c667efb69e1f79ae:18399b196e8f9c9f
    Health Cert:                          No

    Main Mode SA at 03/01/2010 14:19:58
    ----------------------------------------------------------------------
    Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
    Remote IP Address:                    2002:1122:3377::1122:3377
    Auth2 Local ID:                       DOMAIN\user1
    Auth2 Remote ID:                      host/UAG1.domain.com
    Auth1:                                ComputerCert
    Auth2:                                UserKerb
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          0238a259333a0970:a9d2ed78a4a546d0
    Health Cert:                          No
    Ok.

    Monday, March 1, 2010 8:29 PM
  • 2002:1122:3355::1122:3355
    2002:1122:3377::1122:3377

    There you go!

    Tom

    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, March 2, 2010 10:55 AM
    Moderator
  • You can also just run IPConfig on the DirectAccess Server too and copy the IPv6 Addresses from its 6TO4 Adapter.

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . :

       IPv6 Address. . . . . . . . . . . : 2002:aabb:ccdd::aabb:ccdd

       IPv6 Address. . . . . . . . . . . : 2002:aabb:ccdd::aabb:ccde

       Default Gateway . . . . . . . . . : 2002:aabb:cc01::aabb:cc01

    Where aabb:ccdd are the hex values of your external IPv4 address.

    • Proposed as answer by MrShannon Saturday, May 8, 2010 8:40 PM
    Saturday, May 8, 2010 8:39 PM
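As an added worked example (not code from any poster in this thread), the following pulls the distinct Remote IP Address values out of the sanitized mmsa output posted above, formats them as the PING: entries the DTE setting expects, and derives or decodes the 6to4 address from the public IPv4 address as the ipconfig post describes. The mmsa text and the IPv4 value used in it are constructed for illustration, and an output that only says "No SAs match the specified criteria" simply yields no DTEs.

```python
import ipaddress
import re

# Constructed sample modelled on the sanitized mmsa output in the thread (documentation addresses, not real hosts).
SAMPLE_MMSA = """\
Main Mode SA at 03/01/2010 14:19:58
----------------------------------------------------------------------
Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
Remote IP Address:                    2002:1122:3355::1122:3355

Main Mode SA at 03/01/2010 14:19:58
----------------------------------------------------------------------
Local IP Address:                     2001:0:d893:b568:3c8b:3fb8:e78b:2ee
Remote IP Address:                    2002:1122:3355::1122:3355

Main Mode SA at 03/01/2010 14:19:58
----------------------------------------------------------------------
Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
Remote IP Address:                    2002:1122:3377::1122:3377
"""

def dte_addresses(mmsa_output):
    """Distinct 'Remote IP Address' values (the DTEs), in first-seen order.
    Output that only says 'No SAs match the specified criteria' yields []."""
    seen = []
    for m in re.finditer(r"^\s*Remote IP Address:\s*(\S+)\s*$", mmsa_output, re.M):
        addr = str(ipaddress.IPv6Address(m.group(1)))  # canonical text form
        if addr not in seen:
            seen.append(addr)
    return seen

def dca_ping_entries(mmsa_output):
    """Format the DTEs the way the DCA setting expects: 'PING:' followed by the IPv6 address."""
    return ["PING:" + a for a in dte_addresses(mmsa_output)]

def six_to_four_address(public_ipv4):
    """6to4 address a DirectAccess server derives from its public IPv4 address:
    2002:WWXX:YYZZ::WWXX:YYZZ, the form shown on the '6TO4 Adapter' in ipconfig."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4))

def embedded_ipv4(addr):
    """Public IPv4 embedded in a 6to4 (2002::/16) address, or None if the address is not 6to4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))
```

Feeding the real output of netsh advfirewall monitor show mmsa into dca_ping_entries gives the entries to paste into the DTE setting, and embedded_ipv4 lets you confirm each 6to4 DTE really encodes the server's public IPv4 address.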
  • There you go!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 10, 2010 12:35 PM
    Moderator
  • What if, when I run this command (netsh advfirewall monitor show mmsa), it shows

    No SAs match the specified criteria

    ??


    Best Regards

    Monday, March 26, 2012 2:04 PM
  • That command lists your active DirectAccess IPsec tunnels. Getting "No SAs match the specified criteria" means you have no active IPsec tunnels, which, if you are running the command from the client, means that either DA is not currently connected (maybe because you are inside the office), or that there is something wrong with your configuration causing DA not to connect.
    Monday, March 26, 2012 5:55 PM
  • I am trying to get the Connectivity Assistant working and I have added in my DTE IPv6 addresses as suggested, using the 2 Remote IP Addresses, and they still show as Failed to Ping.

    I have 2 x corp resources that are passing, so I know DirectAccess is working, but the DTEs always show as FAIL when I am internal and external?

    I am assuming this may be due to the fact that ICMP isn't allowed through the firewall, but I have left the firewall settings as default on my 2012 server. Should I be allowing ICMP to get the Connectivity Assistant working correctly?

    Tuesday, November 27, 2012 4:24 PM
  • All sorted, had to simply enable the 2 x inbound rules for ICMP echo requests for IPv4 and IPv6 - simples.
    Thursday, December 6, 2012 11:30 AM
  • All sorted, had to simply enable the 2 x inbound rules for ICMP echo requests for IPv4 and IPv6 - simples.

    If using Teredo you will also need to do that on ALL intranet hosts...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, December 7, 2012 9:39 PM
    Moderator
  • I'm a bit confused by the DTEs setting. The description reads: "By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using."

    Does that mean if you leave this Not Configured, the client will automatically use the DTEs of its DA Server anyway?  In which case, why would you ever populate this?  What am I missing here?
    • Edited by Calliper Thursday, June 19, 2014 4:22 PM
    Thursday, June 19, 2014 4:21 PM
  • Hi,

    If you do not configure DTE, DCA won't be able to validate DirectAccess connectivity. We need to populate it if we want DCA to provide accurate information about DirectAccess connectivity.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, June 19, 2014 6:43 PM