Accessing UAG Trunk from DirectAccess Clients

  • Question

  • I have DirectAccess deployed and a UAG Trunk for RDP Access.  This seems to work beautifully for Internal and External users with one exception.  None of my DirectAccess clients can reach the trunk.

    I don't currently have an external DNS entry, but for non-DA clients I have a host file entry for testing purposes.  For internal clients I have created an internal DNS address resolving to the External Trunk VIP.

    Your help is appreciated.

    Wednesday, February 16, 2011 6:49 AM

Answers

  • Hi,

    At first, hosts files are not a good idea. Windows 7 clients configured for DirectAccess will rely on FQDNs. These FQDNs will be resolved as IPv6 addresses through the NAT64/DNS64 provided by your UAG. It all starts from the client. If the resources they want to access depend on one DNS suffix included in the NRPT, your DNS request will be forwarded to NAT64/DNS64. If not, your client will use the old way.

    If you have correct DNS entries in your internal DNS zone (Active Directory DNS zone by default), your clients will be able to reach them without using the external trunk.

    Have a nice day.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by AmbersF Thursday, February 17, 2011 2:50 AM
    Wednesday, February 16, 2011 8:33 AM
  • Hi AmbersF,

    Like BenoitS says, if your DNS record matches something in the NRPT list it will bypass the hosts file.

    One way to solve it is to add your DNS record as excluded in the NRPT configuration and all DirectAccess clients will use the normal way (hosts file / external DNS records) to get to your trunk from the outside.

    Best wishes,
    Jonas Blom

    • Marked as answer by AmbersF Thursday, February 17, 2011 2:50 AM
    Wednesday, February 16, 2011 9:24 PM
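The decision both replies describe, as an added Python model that is not part of this thread or of any Microsoft product: a DirectAccess client checks a name against the NRPT, sends it to the UAG DNS64/NAT64 servers when a namespace rule with DirectAccess DNS servers covers it, and otherwise resolves it "the old way" (hosts file, interface DNS). An exemption rule for the exact trunk FQDN is the mechanism Jonas suggests. The rule names, the corp suffix and the DNS64 address are constructed placeholders, and the longest-match logic is a simplified assumption about how Windows picks among overlapping NRPT rules, not the product's own code.

```python
# Added illustration (not code from the thread or from UAG/DirectAccess): a
# model of whether a name is sent through the NRPT to the UAG DNS64/NAT64 or
# resolved normally (hosts file, ordinary DNS).  Rules, names and addresses
# below are constructed placeholders, not a real deployment.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NrptRule:
    """One NRPT entry.

    namespace: ".corp.example.com" (leading dot) is a suffix rule covering every
               name below it; "rdp.corp.example.com" is an exact-name rule.
    da_dns_servers: DNS64 addresses the DirectAccess client must query for this
               namespace.  An empty tuple is an exemption rule: the name matches
               the NRPT but is handed back to normal resolution.
    """
    namespace: str
    da_dns_servers: Tuple[str, ...] = ()


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.strip().lower().rstrip(".")


def match_rule(rules: Sequence[NrptRule], fqdn: str) -> Optional[NrptRule]:
    """Return the most specific rule covering fqdn, or None.

    Longest match wins (assumed simplification): an exact-name rule beats the
    suffix rule that also covers it, and a longer suffix beats a shorter one.
    """
    name = _normalize(fqdn)
    best: Optional[NrptRule] = None
    for rule in rules:
        ns = _normalize(rule.namespace)
        if ns.startswith("."):
            hit = name.endswith(ns)   # suffix rule; the dot keeps it label-aligned
        else:
            hit = name == ns          # exact-name rule
        if hit and (best is None or len(ns) > len(_normalize(best.namespace))):
            best = rule
    return best


def resolution_path(rules: Sequence[NrptRule], fqdn: str) -> str:
    """'dns64' if the query goes to the DA DNS64 servers, 'normal' if it falls
    through to the hosts file and the interface DNS servers."""
    rule = match_rule(rules, fqdn)
    if rule is None or not rule.da_dns_servers:
        return "normal"
    return "dns64"


# Constructed policy: the corp suffix goes through UAG DNS64 (placeholder address).
BASE_RULES = (
    NrptRule(".corp.example.com", ("fd00:0:0:7777::1",)),
)
# Same policy with the trunk FQDN exempted, as the reply above suggests.
RULES_WITH_EXEMPTION = BASE_RULES + (
    NrptRule("rdp.corp.example.com"),   # exemption: no DA DNS servers
)


if __name__ == "__main__":
    for name in ("fileserver.corp.example.com", "rdp.corp.example.com", "www.example.com"):
        print(f"{name:32} before exemption: {resolution_path(BASE_RULES, name):6} "
              f"after exemption: {resolution_path(RULES_WITH_EXEMPTION, name)}")
```

Run stand-alone, the script shows the trunk name switching from the DNS64 path to normal resolution once the exemption exists, while other corp names still go over DirectAccess. On a real deployment the exemption is made in the NRPT Group Policy that the clients read, not in code; the point here is only why a hosts-file entry under an NRPT suffix is never consulted.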

All replies

  • I'll try using this TechNet article along with the information you have provided to attempt to resolve the issue:

    http://technet.microsoft.com/en-us/library/ee649235(WS.10).aspx

    Thanks for your help.

    Ambers

    Thursday, February 17, 2011 3:00 AM
  • Yes, use that article to configure the NRPT.

    Also, in production, your public DNS will have the required entries.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, February 17, 2011 12:59 PM