Internal DirectAccess clients appearing after change to internal subnet mask on UAG RRS feed

  • Question

  • We changed our subnet mask on our internal network from 255.255.255.0 to 255.255.252.0 to give us more IPv4 addresses (10.0.0.1 - 10.0.3.255).

    I tried to follow the TechNet article Changing an internal IP address on the Forefront UAG server in SP1. However, it did not prompt me to activate the configuration as it suggests it should in step 10. Therefore I went into Admin > Network Interfaces and went through the Network Configuration wizard to update the IP addresses for the internal network. I then saved the configuration and activated it. Once TMG had synced I restarted the UAG server for good measure.

    Since making the change DirectAccess users appear in the Web Access monitor as Direct Access clients regardless of whether they are working on the internal network or are working remotely.

    I have also noticed that they are connecting to internal resources a lot slower so I am assuming this is because they think they are working remotely.

    I have verified that they are picking up the new IPv4 subnet mask and have renewed their IPv4 addresses.

    Any ideas how I fix the issue?

    Thanks in advance.


    Darren

    Monday, August 6, 2012 1:22 PM

Answers

  • Based on your comments about them showing up and that they seem to connect slower internally it sounds like your clients think they are not on your local network.
    (And therefore activates the tunneling techniques and the IPSec tunnels)

    Run the following command on one of the internal clients (in a command prompt) to check.

    netsh dnsclient show state

    Look for the section called "Machine Location".
    If it says "Outside corporate network", verify that the client can reach the NLS server and/or query the internal DNS servers for the UAGDirectAccess-corpConnectivityHost DNS record.

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, August 6, 2012 1:51 PM
  • Hi,

    Can the client contact the NLS server?

    Has the subnet mask been changed on the NLS server?

    Run the commands below (in blue) on a client that is inside the network and post the results.

    DirectAccess Client: Settings and Status

    Useful Command: netsh dns show state

    Description: This is probably the first and most useful command you will run, as it provides essential information on the current DirectAccess status and general configuration state.

    Useful Command: netsh namespace show policy

    Description: This command is used to display the Name Resolution Policy Table (NRPT) that has been defined within Group Policy.



    Regards, Rmknight

    Monday, August 6, 2012 1:55 PM

All replies

  • Perfect! Both you and rm_knight helped put me on to the solution. It turned out to be nothing to do with the subnet mask change. The certificate used on the NLS web page had expired on the same day as the subnet change took place - talk about your unfortunate coincidences!

    Darren

    Tuesday, August 7, 2012 5:33 AM
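The two answers above ask for the client's own location verdict, NLS reachability and the NRPT, and the final reply shows the actual cause was an expired NLS certificate. The script below pulls those checks into one place; it is an added example, not something posted in this thread, and it assumes a Windows 7/8 DirectAccess client with PowerShell 2.0 or later and an NLS URL of https://nls.corp.example.com/ (a placeholder: use the URL configured in the UAG DirectAccess wizard).

```powershell
# Added example (not from the thread): run on an internal DirectAccess client to check
# the three things the replies point at: what the client thinks its location is, whether
# the NLS name resolves and is exempted in the NRPT, and whether the NLS certificate is valid.
# The NLS URL is an ASSUMPTION; take the real one from the UAG DirectAccess wizard.
param(
    [string]$NlsUrl = 'https://nls.corp.example.com/'
)

# 1. The client's own verdict (what "netsh dnsclient show state" reports).
$state    = netsh dnsclient show state
$location = ($state | Select-String 'Machine Location') -replace '^.*?:\s*', ''
"Machine Location : $location"

# 2. Name resolution and NRPT handling of the NLS host. The NLS name must resolve via
#    normal (non-NRPT) DNS to an internal address, so it should appear as an exemption.
$nlsHost = ([Uri]$NlsUrl).Host
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($nlsHost) | ForEach-Object { $_.IPAddressToString }
    "NLS resolves to  : $($addrs -join ', ')"
} catch {
    "NLS DNS lookup   : FAILED ($($_.Exception.Message))"
}
$nrpt = netsh namespace show policy
if ($nrpt | Select-String -SimpleMatch $nlsHost) {
    "NRPT             : $nlsHost is listed (expected: an exemption entry)"
} else {
    "NRPT             : $nlsHost is not listed in the NRPT"
}

# 3. Fetch the NLS certificate over TLS. Accept anything during the handshake so the
#    certificate can be inspected afterwards, then validate it separately.
$acceptAll = { param($sender, $cert, $chain, $errors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($nlsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($nlsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}
"Subject          : $($cert.Subject)"
"Valid            : $($cert.NotBefore) to $($cert.NotAfter)"

# The DirectAccess client checks revocation of the NLS certificate, so the CRL
# distribution point must be reachable from the internal network as well.
$chainObj = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainObj.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted  = $chainObj.Build($cert)
$problems = @($chainObj.ChainStatus | ForEach-Object { $_.Status.ToString() })
# GetNameInfo returns the first DNS name (SAN, else CN); certificates with several SAN
# entries may need a fuller comparison.
$nameOk   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $nlsHost

$result = if ($cert.NotAfter -lt (Get-Date)) {
    "NLS certificate EXPIRED on $($cert.NotAfter)"
} elseif (-not $trusted) {
    "NLS certificate chain not trusted: $($problems -join ', ')"
} elseif (-not $nameOk) {
    "NLS certificate name does not match $nlsHost"
} else {
    "NLS certificate OK; look elsewhere (NLS reachability, firewall, NRPT)"
}
"RESULT           : $result"
```

Run it from an elevated PowerShell prompt on a client that is physically on the internal network. "Machine Location : Outside corporate network" together with an EXPIRED or "not trusted" result is the pattern from this thread: the client falls back to the IPsec tunnels through UAG even though it is inside, which is why internal access feels slow and the Web Monitor shows the users as DirectAccess clients.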