Failed to connect to the IPHTTPS Server.

  • Question

  • Hi,

    I would be very grateful if somebody could give me some guidance in trying to resolve a DirectAccess 2012 problem.

    My configuration is this:

    Single DA 2012 Server configured behind a NAT'd firewall. Port-forwarding set up on firewall for IP-HTTPS Port 443. DA Server 2012 Remote Access Configuration setup successfully with no issues.

    Single Windows 8.1 Enterprise Desktop client in DMZ with two NICs. One NIC is connected to External Internet and the other is connected to Internal network. The intention is to test DA on both sides of the firewall.

    All routing seems to be working as intended. I have also used Cisco's ASA packet tracer to simulate the relevant source and destination ports and addresses and all seems fine.

    The error, when the External interface is enabled, that I am receiving is as follows (netsh int httpstunnel sh int):

    Role: Client

    URL: https://da.mydomain.com:443/IPHTTPS

    Last Error Code: 0x274c

    Interface Status: failed to connect to the HTTPS server. Waiting to reconnect

    I have installed a Computer Cert from my Company's CA Server and also installed a public third-party wildcard Certificate which both seem to be working as intended on the DA Server. The client also has a computer Cert from the CA installed as well.

    Any assistance would be gratefully received as I have spent quite a bit of time troubleshooting this already. I have checked other blogs and forums but nothing seems to have worked. Frustrated and tired....

    Best regards,

    Paddy

    Monday, October 27, 2014 2:43 PM

Answers

  • Paddy,

    On the DirectAccess Client, I assume you only have one interface enabled (at a time), right?

    If you are only using the external interface, make sure the client has internet connectivity as well. I have seen situations where (for test purposes) a DirectAccess Client is put into a DMZ next to the DirectAccess Server. Although that may seem to work, it does not work if the client cannot connect to the internet. The DirectAccess Client must also be able to access the CRL of your public SSL certificate (used for IP-HTTPS).

    Have you tried it from a DirectAccess Client connected to a regular internet connection, with one network interface?


    Boudewijn Plomp | BPMi Infrastructure & Security

    Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".


    Wednesday, October 29, 2014 12:23 PM
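
A client-side check for the two points raised in the answer above (reachability of the IP-HTTPS listener and access to the certificate's CRL), as an added example that is not part of the original thread. The host name is the one posted in the question; the timeout values and variable names are assumptions. The posted Last Error Code 0x274c is decimal 10060 (WSAETIMEDOUT), which is why the script tests the plain TCP connection before anything else.

```powershell
# Added example (not from the thread): client-side triage of an IP-HTTPS failure.
param(
    [string]$IpHttpsHost = 'da.mydomain.com',  # host from the URL line posted in the question
    [int]$Port = 443,
    [int]$TimeoutMs = 5000                     # assumed timeout, adjust as needed
)

# Step 1: plain TCP connect. 0x274c = 10060 (WSAETIMEDOUT) means the client never
# got a TCP answer, so rule out NAT, port forwarding and routing before TLS.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $tcp.BeginConnect($IpHttpsHost, $Port, $null, $null)
    if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "no answer within $TimeoutMs ms" }
    $tcp.EndConnect($pending)
} catch {
    Write-Warning "TCP ${IpHttpsHost}:$Port failed: $($_.Exception.Message)"
    $tcp.Close()
    return
}

# Step 2: TLS handshake with normal validation (host name and chain trust).
$stream = $tcp.GetStream()
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
try {
    $ssl.AuthenticateAsClient($IpHttpsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
    return
} finally {
    $ssl.Dispose(); $tcp.Close()
}

# Step 3: rebuild the chain with online revocation checking; an unreachable CRL
# surfaces here. A CRL still held in the local cache can hide the problem.
"CRL distribution points in the server certificate:"
$cdp = $cert.Extensions['2.5.29.31']           # OID of the cRLDistributionPoints extension
if ($cdp) { $cdp.Format($true) } else { Write-Warning 'certificate has no CDP extension' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
if ($chain.Build($cert)) {
    "Chain and revocation check OK for $($cert.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

Run it on the DirectAccess client with only the external interface enabled, so the result reflects the same network path as the failing IP-HTTPS tunnel.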

All replies

  • Boudewijn,

    Thanks for your response. I think that it must be a firewall issue when connecting from the DMZ because, as you suggested, I tried the client from an outside connection and it worked. Now I just need to troubleshoot the issue when it is placed in the DMZ.

    Btw, the internal interface was disabled in the DMZ when testing.

    Many thanks,

    Paddy

    Thursday, October 30, 2014 9:01 AM
  • Ok, good to hear it works properly from the outside. Thanks for the update.


    Boudewijn Plomp | BPMi Infrastructure & Security


    Thursday, October 30, 2014 9:45 AM