DirectAccess connection issue after sleep

  • Question

  • I've recently set up DirectAccess for a primary school for students that take their netbooks home. At this stage, they are on a force tunnel setup and we are using it to push students through the school's filtered ISP connection. We have the SMB port blocked at the DA server so that students can't browse the network from home.

    At the moment, our test group of users (approx. 5) is working well, with 1 exception. The students are used to putting their netbooks to sleep when they leave school, and turning them back on when they get home. Sometimes the connection doesn't get established and they are left with a 'Proxy not responding' error when trying to browse. The connection status shows they are connected, and on the DA server it all looks o.k. I've also noticed that it could take around 30 seconds to a minute to make the connection.

    At this stage, students are being advised to restart their machine if they have connection issues, but it seems ridiculous to have to do this all the time. We are projecting in the coming weeks that we will have around 400 netbooks using this method when it becomes adoptive.

    Our current setup is through a DMZ (TMG 2010) that pushes traffic to the DA server (NLS and DA on the same virtual machine) within our network. We are running DA on a 2012 R2 server. The virtual machine has 2 CPUs assigned and approx. 6 GB of RAM, but it doesn't look to be under any load. Our same TMG DMZ server also pushes a VPN to staff through to an NPS server internally. Their connection takes around 3-5 seconds to be established, although they have to manually double-click an icon that points to their rasphone.pbk file.

    Can anyone suggest anything to improve the connection speed and reliability of the DA service?

    Monday, August 17, 2015 9:05 PM

All replies

  • Is your DirectAccess traffic NAT'ed through your TMG server to the DA server? So it's not exposed directly on the internet?

    If this is the case, it means the connection protocol can only be HTTPS, which is slow by design.

    To confirm, you have a single server that is to support potentially 400 clients?

    Ryan Betts

    MCSD, MCSE, MCSA, MCITP, MCTS, MCS, MCP, CCE, CCP, CCA, CCNP, CCNA, VCP

    Cloud Solutions Architect

    Visit my Blog: http://blog.ryanbetts.co.uk

    Systems Up | iomart Group, 3rd Floor, 11-21 Paul Street, London, EC2A 4JU

    Thursday, August 20, 2015 12:45 PM
  • Yes, that's correct. The TMG server pushes requests to the internal DA server, so we can only use IP-HTTPS unfortunately. The internal network is NAT'd to a 10.x.x.x address.

    We are looking to push all the year 4-6 students through this method. Is there any way to speed up the process? Is there any other method to push clients to an internal proxy server (without exposing it to everyone on the Internet)?
    Friday, August 21, 2015 1:52 AM
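The thread's symptom is a client that reports "connected" after resuming from sleep while the IP-HTTPS tunnel is still coming up (30-60 s). The script below is an added client-side diagnostic, not something posted in this thread; it polls the DirectAccess and IP-HTTPS state after resume and appends one line per poll to a log, so an admin can see how long the tunnel really takes instead of relying on a restart. It assumes a Windows 8.1/10 DA client with the built-in `NetworkConnectivityStatus` and `NetworkTransition` modules; the log path and the property names used for the summary object are the author's choices here.

```powershell
# Added example (not from the thread): watch a DirectAccess client after resume.
# Assumes the built-in Get-DAConnectionStatus / Get-NetIPHttpsState cmdlets are
# available (Windows 8.1 and later DA clients). Run it from a scheduled task that
# fires on resume, or by hand while reproducing the 'Proxy not responding' error.
function Test-DAResumeState {
    [CmdletBinding()]
    param(
        [int]$TimeoutSeconds = 120,   # thread reports 30-60 s; allow some headroom
        [int]$PollSeconds    = 5,
        [string]$LogPath     = "$env:ProgramData\DA-resume.log"   # assumed location
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()

    do {
        $da  = Get-DAConnectionStatus -ErrorAction SilentlyContinue
        $iph = Get-NetIPHttpsState     -ErrorAction SilentlyContinue

        # Summary object: names on the left are ours, values come from the cmdlets.
        $sample = [pscustomobject]@{
            Time           = (Get-Date).ToString('s')
            ElapsedSeconds = [int]$sw.Elapsed.TotalSeconds
            DAStatus       = $da.Status          # e.g. ConnectedRemotely / Error
            DASubstatus    = $da.Substatus
            IPHttpsState   = $iph.InterfaceStatus
            IPHttpsError   = $iph.LastErrorCode  # 0 when the tunnel is healthy
        }
        Add-Content -Path $LogPath -Value ($sample | ConvertTo-Json -Compress)

        # 'Connected' as far as the tray icon is concerned, but the thread shows
        # that is not enough: also require a healthy IP-HTTPS interface.
        $tunnelUp = ($da.Status -in 'ConnectedRemotely','ConnectedLocally') -and
                    ($iph.LastErrorCode -eq 0)
        if ($tunnelUp) { return $sample }

        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Timed out: capture what the DA/TMG admin will ask for next.
    Write-Warning "DirectAccess tunnel not healthy after $TimeoutSeconds s; see $LogPath"
    Get-NetIPHttpsConfiguration | Format-List | Out-String | Add-Content -Path $LogPath
    netsh interface httpstunnel show interfaces | Add-Content -Path $LogPath
    return $sample
}

Test-DAResumeState
```

Comparing `ElapsedSeconds` on the first sample where `IPHttpsError` is 0 across the pilot netbooks gives a measured tunnel setup time per client, which is the number to bring to the DA server and TMG logs rather than the 'connected' indicator alone.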