Changing the IP-HTTPS URL Name

  • Question

  • I'm trying to get my IP-HTTPS tunnel up and running and the problem seems to be a disparity between the server certificate name and the UAG IP-HTTPS tunnel name.

    When I run netsh on the client I receive the following:

    netsh interface httpstunnel show interfaces
    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://da.company.com:443/IPHTTPS
    Last Error Code            : 0x800b010f
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect

    The configuration looks right... and the error code indicates the certificate name does not match.

    On the server side it comes up as

    netsh interface httpstunnel show interfaces
    Interface IPHTTPSInterface Parameters
    ------------------------------------------------------------
    Role                       : server
    URL                        : https://natoruag01.internal.company.com:443/IPHTTPS
    Client authentication mode : certificates
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active

    My question is, how do I change the server URL name to match the client side URL?

    Any help is appreciated!




    Wednesday, March 3, 2010 10:11 PM

Answers

  • Hi Eric,

    If your client has a public IP address, it will be using 6to4 to connect to the UAG DA server.

    I have been in that position many times before -- where I forgot to click "Activate" after deploying the Group Policy. The user interface makes it appear that everything is done once you deploy the Group Policy settings, but the fact is that you need to turn on all the IPv6 stuff on the UAG DA server.

    HTH,
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Tuesday, March 9, 2010 6:52 PM
    Monday, March 8, 2010 1:27 PM

All replies


  • Ok.  So I managed to change the interface URL to have it match.  I did this using the NETSH SET INTERFACE command and now I get a new fascinating error message.

    >netsh interface httpstunnel show interfaces
    Interface IPHTTPSInterface Parameters
    ------------------------------------------------------------
    Role                       : server
    URL                        : https://da.company.com:443/IPHTTPS
    Client authentication mode : certificates
    Last Error Code            : 0x57
    Interface Status           : invalid IPHTTPS URL specified

    I think the obvious question is... how do I fix this or am I borking this system into a deeper hole... and secondly, where in the original UAG setup was it actually specified to enter the external server FQDN?  Why did it take the server internal FQDN as the IP-HTTPS tunnel URL name?

    Thanks!

    Thursday, March 4, 2010 2:36 PM
  • Hi Eric,

    If you are going to use a new URL, you'll need a new certificate.

    After making the changes, make sure to run the UAG DA wizard again and make sure the new GPO settings are deployed to the clients and servers.

    HTH,
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, March 4, 2010 5:26 PM

  • You're right.  I painfully discovered my mistake last night... it's not that the certificates were wrong... worse.... it's that after every combination of configuration change, I never hit the activate configuration button.  Stupid is as stupid does.  My IP-HTTPS interfaces are now active between client and server, but I don't see any routing to the internal network occurring (or even name resolution returning an address).   The DA client is sitting directly on the internet.  I'm looking for a place to start troubleshooting... Am I right in assuming that even if it can't route internally it should at least be able to resolve internal addresses from the UAG via NSLOOKUP?

    Thanks!

    Friday, March 5, 2010 2:32 PM
  • You have to change the setting on both the UAG server and the UAG client (GPO). I passed by this issue with a client using a SAN certificate where the common name is not the name of the IP-HTTPS (da.compan.com). You may check my blog for this issue.

    itcalls.blogspot.com

     

    Thursday, November 24, 2011 7:32 AM
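
An added example, not part of the thread: a small offline check that parses the client and server `netsh interface httpstunnel show interfaces` output from the question and reports when the two IP-HTTPS URLs disagree or when none of the certificate's DNS names covers the client's URL host. The function names and the certificate name list are assumptions made for illustration; the list is constructed, since the thread never shows the certificate.

```python
from urllib.parse import urlsplit

# Sample input: netsh output as posted in the question above.
CLIENT_OUTPUT = """\
Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://da.company.com:443/IPHTTPS
Last Error Code            : 0x800b010f
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect
"""
SERVER_OUTPUT = """\
Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://natoruag01.internal.company.com:443/IPHTTPS
Client authentication mode : certificates
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
"""

def parse_netsh(text):
    """Return the 'Key : Value' fields of one interface block as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def tunnel_host(fields):
    """Host part of the IP-HTTPS URL, lower-cased for comparison."""
    return urlsplit(fields["URL"]).hostname.lower()

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check(client_text, server_text, cert_names):
    """List the name problems found; an empty list means the names line up."""
    c_host = tunnel_host(parse_netsh(client_text))
    s_host = tunnel_host(parse_netsh(server_text))
    findings = []
    if c_host != s_host:
        findings.append(f"URL mismatch: client uses {c_host}, server uses {s_host}")
    if not any(name_matches(c_host, n) for n in cert_names):
        findings.append(f"certificate has no name matching {c_host}")
    return findings

if __name__ == "__main__":
    # Constructed assumption: the certificate was issued for the internal server name.
    for finding in check(CLIENT_OUTPUT, SERVER_OUTPUT, ["natoruag01.internal.company.com"]):
        print(finding)
```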