Implementing DirectAccess (Can't Connect - Never Have) - Server 2012 with Windows 8 client

  • Question

  • I have been trying to implement DirectAccess and have been unable to do so.

    Server - 2012, domain joined, with no NAT, behind a Cisco ASA firewall

    LAN NIC - no gateway - static routes - has DNS servers configured

    DMZ NIC - has gateway, no DNS servers

    On the Windows 8 client I see the DA connection, but it always sits at connecting. It never has made a connection.

    I have opened up the Cisco firewall (to test only, and shut it back down) to allow all traffic to the DA server. During that time I tried to ping the DA host name and was successful, and then tried to connect. The only thing I saw in the logs was an allow of ICMP from an IPv6 address and then from my external home IP address. I then saw an allow on a single TCP connection from my external home IP address to the DMZ IP address on 443. Then there were several more ICMP connections to the server from the same IPv6 address as before.

    I read that the Windows firewall must be enabled on the server, so I uninstalled Symantec Endpoint Protection and enabled the Windows firewall. I did the same with the Windows 8 laptop. I am still unable to make this connection.

    Where do I start to troubleshoot this? Even with the Cisco wide open to the server it does not connect, so I am pretty sure that is not the issue, unless it is coming back into the network, but I would imagine that there are logs I can look at to determine that.

    Thanks for any help you can lend. I have been tinkering with this on and off for months trying to get it implemented but keep coming up empty handed.

    • Edited by bbjewrican Saturday, May 25, 2013 4:06 PM
    Saturday, May 25, 2013 4:03 PM

Answers

  • Hi bbjewrican,


    Thanks for the question.


    Please check if the following could help.


    Test DirectAccess Connectivity from Behind a NAT Device

    http://technet.microsoft.com/en-us/library/hh831467.aspx


    [TechNet Thread] Windows Server 2012 DirectAccess behind NAT

    http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/3a2be182-0af5-4bb5-a951-3f0f948bfa17/


    Thanks.


    Jeremy Wu
    TechNet Community Support

    • Marked as answer by Jeremy_Wu Monday, June 10, 2013 3:38 AM
    Wednesday, May 29, 2013 7:57 AM
  • This issue was caused by me changing the IP address of my public interface between the time of setting up / configuring DirectAccess and connecting clients. The server will not publish the updated information, and therefore I could not connect, since the policies are looking for the old one.

    I excluded my NLS server address in the Infrastructure Servers (create a new entry with no DNS settings, which means exclude) to make sure that didn't become an issue (it was not in this case, but it should be done anyway).

    I backed up the GPOs and ran a PowerShell command, Set-RemoteAccess -InternetInterface DMZ -Verbose, where DMZ is the name of the external interface. This allowed me to make a connection to the server. I then needed to fix a DNS entry I had. On the Infrastructure Servers, then DNS screen, I deleted the entry for my AD domain and let it auto-detect the DNS settings. I had this pointing to my internal DNS, but if you don't have IPv6 set up this is not possible. So the auto-detect points it back to itself so it can do IPv4 to IPv6 conversion for you.

    This was a tough one, but I am connected and working! So glad I went to TechEd and met a DirectAccess resource there!



    • Marked as answer by bbjewrican Monday, June 24, 2013 1:22 PM
    • Edited by bbjewrican Wednesday, June 26, 2013 6:34 PM spelling
    Monday, June 24, 2013 1:20 PM
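A PowerShell sequence for the fix the post above describes, added here as an illustration and not taken from the thread: it backs up the GPOs, re-publishes the internet-facing interface with Set-RemoteAccess, and adds the NLS exemption to the client DNS (NRPT) table. The interface name DMZ, the NLS name nls.corp.example and the backup path are placeholders, and the RemoteAccess and GroupPolicy modules are assumed to be present on the DA server.

```powershell
# Added example, not from the thread. Run on the DirectAccess server.
# Placeholders: interface alias, NLS FQDN and backup folder.
Import-Module RemoteAccess
Import-Module GroupPolicy

$InternetInterface = 'DMZ'
$NlsFqdn           = 'nls.corp.example'
$BackupPath        = 'C:\DA-GPO-Backup'

# 1. Back up every GPO first: Set-RemoteAccess rewrites the DirectAccess
#    client and server GPOs, so keep a copy to restore from.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Path $BackupPath | Out-Null

# 2. Confirm which IPv4 address the external interface holds now; this is
#    the address that has to end up in the published client settings.
$ip = Get-NetIPAddress -InterfaceAlias $InternetInterface -AddressFamily IPv4
Write-Host "External interface '$InternetInterface' now has $($ip.IPAddress)"

# 3. Re-apply the internet-facing interface. This is what the post ran; it
#    makes the server regenerate the published transition settings
#    (IP-HTTPS and friends) from the interface's current address.
Set-RemoteAccess -InternetInterface $InternetInterface -Verbose

# 4. NRPT exemption for the NLS: an entry with a suffix and no DNS server
#    tells clients to resolve that name through normal DNS instead of
#    the DA tunnel, so a client on the LAN never tunnels to its own NLS.
if (-not (Get-DAClientDnsConfiguration | Where-Object DnsSuffix -eq $NlsFqdn)) {
    Add-DAClientDnsConfiguration -DnsSuffix $NlsFqdn
}

# 5. Check the result: the interface names and DA status on the server,
#    and the NRPT entries that will be pushed to clients (the NLS row
#    should show no DnsIPAddress). The AD-domain entry the post reset
#    to auto-detect is done in the Remote Access console, not here.
Get-RemoteAccess | Format-List InternetInterface, InternalInterface, DAStatus
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# 6. On an affected Windows 8 client, refresh policy and re-check:
#      gpupdate /force
#      Get-DAConnectionStatus
```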

All replies

  • I collected logs on the DA client and noticed something at the top.  

    Probes List

    http: https://ournlsserver.domain.com/ (fail)

    DTE List

    PING: ipv6 (fail)

    PING: different ipv6 (pass)

    Is this likely the cause of this? Where would these IPv6 addresses be configured from, and what SHOULD they be? Should there always be two?

    **edit**

    So I was going down the path above, and I found that I could not ping Google's IPv6 addresses from the server. I get "PING: transmit failed. General failure."

    • 2001:4860:4860::8888
    • 2001:4860:4860::8844

    I am thinking that this means that the traffic can't get back out? Do you agree? The odd thing to me is that I can ping the second IPv6 address in that DTE list without an issue from my home network, which almost makes me think that this is not the issue. Is this a requirement for DA to function?

    Just trying to give as much detail as possible.


    • Edited by bbjewrican Saturday, May 25, 2013 4:42 PM
    Saturday, May 25, 2013 4:14 PM
  • Hi,

    I am Chetan Savade from Symantec Technical Support Team.

    Although you have mentioned SEP is uninstalled I would like to update about previously known issues with Direct Access.

    Microsoft Direct Access network traffic is blocked
    Fix ID: 2745094
    Symptom: Traffic to Microsoft Direct Access (DA) servers is blocked when Symantec Endpoint Protection is installed and network threat protection is enabled. Traffic is still blocked with an "allow all" rule.

    Solution: Modified the SYMNETS driver to allow Direct Access traffic

    Fixed in SEP 12.1 RU2: http://www.symantec.com/docs/TECH199676 

    Microsoft DirectAccess VPN does not function with Symantec Endpoint Protection firewall
    Fix ID: 2879077
    Symptom: After installing the Symantec Endpoint Protection firewall, clients fail to connect to the domain servers using Microsoft DirectAccess VPN tunnel.

    Solution: Updated Teefer to properly filter packets being passed without ether headers or filter flags

    Fixed in SEP 12.1 RU2 MP1: http://www.symantec.com/docs/TECH204685 

    Thanks and Regards,
    Chetan Savade
    Technical Support Engineer,
    End Point Security
    Enterprise Technical Support

    Monday, May 27, 2013 4:46 PM
  • Thanks for the articles.  I will be putting Symantec back on the servers, so this will be good.  

    I just need to get the darn thing working without it before I can try with it ha ha.  

    Anyone have any recommendations?
    Tuesday, May 28, 2013 7:41 PM
  • Hi bbjewrican,


    How is the issue going now? Is there any update?


    Thanks.


    Jeremy Wu
    TechNet Community Support

    Friday, May 31, 2013 6:02 AM
  • Works like a charm!  Everything is great!
    Wednesday, June 26, 2013 6:34 PM
  • Hello,

    I can't connect my win 8 client at all. I can see the message, Your PC is attempting to contact the DirectAccess server. Contact your admin for help if this message persists.

    Please help.

    Wednesday, September 11, 2013 2:55 PM
  • We would need a lot more information than just this error to even begin to assist, but you are much better off starting a new thread instead of responding to an old one. It will get much more attention and much more help. You need to be much more descriptive, as this just tells us you are having an issue, and gives no idea at all as to its configuration or where it is failing. In Windows 8 it will even do a diag for you. At least provide that in the new thread you create.
    Thursday, September 12, 2013 11:37 AM