UAG DirectAccess 2010 SP1, DA Client Limited Connectivity

  • Question

  • Appreciate any help with this as I'm a newbie to UAG DA. Following the test lab guides, my CLIENT1 is not getting a connection to the APP1 or DC1 shares. I've ensured that my machine cert is in place, and I can ping dc1 and app1 okay. But the DCA client says corporate connectivity is not working correctly (red X). Not sure what to look for. I'm not getting to the file shares on DC1 or APP1. CLIENT1 is on the HomeNet, and I've set this up with VMs on Hyper-V per the step-by-step guide. I've included some output of some of my troubleshooting commands below...

    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT1
       Primary Dns Suffix  . . . . . . . : CORP.CONTOSO.COM
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : CORP.CONTOSO.COM

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : CORP.CONTOSO.COM
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-01-4E-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::e99e:527f:87c:e08f%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.137.79(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 26, 2012 11:45:58 PM
       Lease Expires . . . . . . . . . . : Tuesday, April 03, 2012 12:05:58 AM
       Default Gateway . . . . . . . . . : 192.168.137.1
       DHCP Server . . . . . . . . . . . : 192.168.137.1
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-D4-AB-1D-00-15-5D-01-4E-06
       DNS Servers . . . . . . . . . . . : 192.168.137.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.CORP.CONTOSO.COM:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : CORP.CONTOSO.COM
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:836b:2:3037:feb:7c94:ff9a(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3037:feb:7c94:ff9a%12(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft IP-HTTPS Platform Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32>


    ===================================================
    C:\Windows\system32>netsh namespace show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for nls.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

    Settings for uag1.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

    Settings for .CORP.CONTOSO.COM
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
    DirectAccess (Proxy Settings)           : Bypass proxy

    =================================================

    C:\Windows\system32>netsh dnsclient show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    Bill

    Tuesday, March 27, 2012 5:33 AM

Answers

  • Your Teredo tunnel is established (which explains why your pings are working), but if file access is not working, then likely you do not have any IPsec tunnels being formed inside the Teredo tunnel. IPsec tunnels not establishing almost always comes down to the machine certificates not being configured properly. Since you are running straight from a TLG, I recommend going back through any certificate-related steps to make sure everything is set up according to the guide. Make sure you have a machine certificate issued to both the client and to the UAG server from the internal CA server, and make sure you are using the built-in "Computer" template to issue these certificates.
    • Marked as answer by Beachnut_ Thursday, March 29, 2012 3:50 AM
    Tuesday, March 27, 2012 1:32 PM
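The triage the answer describes (Teredo up, no IPsec SAs, so check the machine certificate) can be scripted on the client. This is an added example, not code from the thread or from the UAG test lab guide; it runs the same netsh checks a DirectAccess admin would run by hand and inspects the local machine store. It assumes the internal CA is CORP-DC1-CA, the name visible in the question's NRPT output, and that the client-authentication EKU OID is 1.3.6.1.5.5.7.3.2.

```powershell
# Added example (not from the thread): client-side triage for the state the answer
# describes. Run from an elevated PowerShell prompt on the DirectAccess client.
$CaName = 'CORP-DC1-CA'   # assumed: internal CA name taken from the question's NRPT output

function Test-TeredoQualified {
    # "qualified" is the Teredo state in which the client actually has a usable tunnel.
    $state = netsh interface teredo show state
    return [bool]($state | Where-Object { $_ -match '^\s*State\s*:\s*qualified' })
}

function Test-IPsecSaPresent {
    # DirectAccess needs main-mode and quick-mode SAs inside the transition tunnel.
    # netsh prints "No SAs match the specified criteria." when none exist.
    $mm = (netsh advfirewall monitor show mmsa) -join "`n"
    $qm = (netsh advfirewall monitor show qmsa) -join "`n"
    return (-not ($mm -match 'No SAs match')) -and (-not ($qm -match 'No SAs match'))
}

function Get-DirectAccessMachineCert {
    param([string]$Issuer)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
    $templateOid   = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name" (v1 templates)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $c = $_
        $eku = $c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($eku) { $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) }
        $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        # The built-in "Computer" template the answer asks for carries the template name "Machine".
        $tmplName = '(none)'
        if ($tmpl) { $tmplName = $tmpl.Format($false) }
        New-Object PSObject -Property @{
            Subject       = $c.Subject
            IssuedByOurCA = ($c.Issuer -match "CN=$Issuer")
            HasPrivateKey = $c.HasPrivateKey
            Valid         = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
            ClientAuthEKU = $hasClientAuth
            Template      = $tmplName
        }
    }
}

"Teredo qualified : $(Test-TeredoQualified)"
"IPsec SAs present: $(Test-IPsecSaPresent)"
Get-DirectAccessMachineCert -Issuer $CaName |
    Format-Table Subject, IssuedByOurCA, HasPrivateKey, Valid, ClientAuthEKU, Template -AutoSize
```

A healthy client shows Teredo qualified, SAs present, and at least one row with every column True and Template "Machine"; the certificate check is worth repeating on the UAG server, since the answer calls for a valid machine certificate on both ends.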

All replies

  • Just a follow-up on this. I double-checked the certs as you recommended and they look good. Both are using the 'Computer' template issued from my CA (DC1). I used the TLG for troubleshooting Forefront UAG DA to ensure everything was as expected, and I'm now communicating with the internal share on DC1 from HomeNet. Not sure what the problem was, but no worries ... Thanks for your help Jordan! I'm sure I'll have more questions on this as I get deeper into my understanding of UAG DA.

    Bill

    Thursday, March 29, 2012 3:50 AM