Route the Traffic Through Direct Access

  • Question

  • Hello,

    All I need is this: I have a DirectAccess server that is working fine, and the client machine is able to connect through DA. Each client machine has its own internet connection and uses it, but after connecting through DA the internet connectivity should go through DirectAccess. Does anyone know the solution? Please help me.

    thanks,

    Roshan

    Thursday, July 23, 2015 5:07 AM

Answers

  • I did it. Actually, for force tunneling we need to set two gateways, one each for the external and the internal network.
    • Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM
    Monday, August 31, 2015 10:32 AM

All replies

  • Hi,

    That's the force-tunneling scenario of DirectAccess. From a technical point of view, any name resolution will be performed through the NRPT/DNS64 mechanism and all network traffic will be forced to pass through the DirectAccess IPsec tunnels. Force tunneling is a checkbox located in the first step of the Advanced configuration wizard.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Thursday, July 23, 2015 12:06 PM
    Thursday, July 23, 2015 7:35 AM
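  • The same switch the wizard sets can be flipped and inspected from PowerShell on the DirectAccess server. This is an added example, not code from the thread or from Microsoft's documentation; it uses the RemoteAccess module cmdlets (Set-DAClient, Get-DAClient, Get-DAClientDnsConfiguration, Set-DAClientDnsConfiguration). The proxy FQDN and port in the last step are placeholders, and the behaviour of Set-DAClientDnsConfiguration for the wildcard rule is stated as an assumption rather than something the thread confirms.

    ```powershell
    # Added example (not from the original thread). Run in an elevated PowerShell
    # session on the DirectAccess server (Windows Server 2012 R2).
    Import-Module RemoteAccess

    # 1. Current client settings. ForceTunnel is the property behind the wizard's
    #    "use force tunneling" checkbox in step 1.
    Get-DAClient | Select-Object ForceTunnel, OnlyRemoteComputers, SecurityGroupNameList

    # 2. Enable force tunneling. This rewrites the DirectAccess Client GPO so that
    #    clients get a wildcard NRPT rule ('.') and the "Route all traffic through
    #    the internal network" policy; nothing has to be edited by hand in gpmc.msc.
    Set-DAClient -ForceTunnel Enabled -PassThru

    # 3. What the clients will receive in their NRPT. Expect one rule for the
    #    internal suffix (DNS64 address as DirectAccessDnsServers) and, with force
    #    tunneling on, a rule for '.' whose DirectAccessProxyName is the DA server
    #    (da.rk.in:443 in the thread's output) when no intranet proxy is defined.
    Get-DAClientDnsConfiguration |
        Select-Object DnsSuffix, DirectAccessDnsServers, DirectAccessProxyType, DirectAccessProxyName

    # 4. (Assumption, left commented out) If the intranet has a web proxy, point the
    #    wildcard rule at it by FQDN, not by IPv4 literal: the client only reaches
    #    the intranet over IPv6, so the name must be resolvable through DNS64.
    #    'proxy.rk.in:8080' is a placeholder.
    # Set-DAClientDnsConfiguration -DnsSuffix '.' -ProxyType UseProxyName -ProxyName 'proxy.rk.in:8080'
    ```

    After step 2, run gpupdate /force on a client and confirm with netsh namespace show policy that the '.' rule appeared; until the client has picked up the new GPO, nothing about its internet path changes.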
  • Yes, I am trying this, but the issue is when I am applying the GPO using this link.

    https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

    I have followed these steps, but while adding an IPv6 address to Any and checking DNS Settings for DirectAccess I am unable to do that, as it says the name already exists.

    Also, the client computer has been disconnected from the internet.

    1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

    2. In the details pane, in To which part of the namespace does this rule apply?, click Any.

    3. Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.

    4. In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.

    5. Click Create, and then click Apply.

    Saturday, August 1, 2015 1:51 PM
  • Hi,

    This procedure applies to Windows 2008 R2; it is no longer applicable to Forefront UAG or the latest version of DirectAccess natively included in Windows Server editions. This might be a better procedure: https://technet.microsoft.com/en-us/library/jj134204.aspx?f=255&MSPPError=-2147217396#BKMK_forcetunnel.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, August 3, 2015 12:27 PM
  • Hello, 

    I followed the above link. I am explaining my environment and what I have done:

    -> Made a routing server on which I have done NATing to provide internet to our internal domain.

    -> Made a server as domain controller, on which I configured AD DS, DNS and DHCP, and also configured the root CA.

    -> Made a server for the subordinate CA.

    -> Made another server for DirectAccess, on which I configured DA with the Edge topology. All the servers are running 2012 R2.

    -> Opened the following ports: TCP 41, 50, 443

    -> UDP 41, 50, 500, 3544, both outbound and inbound.

    -> Client machine after offline domain join.

    The client machine is getting connected with DirectAccess. But when I enable the force tunneling feature, the internet on the client gets blocked. For this I am doing:


    -> Enabling the force tunneling feature on the DirectAccess server.

    -> Opening gpmc.msc on the domain controller, editing the DirectAccess Client policy, and then:

    1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\Network Connections.

    2. In the details pane, double-click Route all traffic through the internal network.

    3. In the Route all traffic through the internal network dialog box, click Enabled, and then click OK.

    Then in the NRPT rule:

    1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

    There are two rules by default, one for the DirectAccess server and another for Any, and I do not know what to do in this rule. I also made the changes mentioned below.

    1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.

    2. In the details pane, double-click 6to4 State.

    3. In the 6to4 State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

    4. In the details pane, double-click Teredo State.

    5. In the Teredo State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

    6. In the details pane, double-click IP-HTTPS State.

    7. In the IP-HTTPS State dialog box, click Enabled State in Select Interface state from the following options, click Apply, and then click OK.

    Now what should I do? Please suggest; the answer will be appreciated.

    thanks 

    roshan

    Wednesday, August 5, 2015 3:44 AM
  • Hi,

    Did you add a wildcard entry in the NRPT that points to your internal proxy (using the FQDN, not the IPv4 address)?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, August 5, 2015 7:42 AM
  • hello,

    I am not using a proxy server.

    Thursday, August 6, 2015 1:17 PM
  • So if you're not using a proxy, which DNS do you use to resolve public DNS names? Your Active Directory?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, August 6, 2015 2:46 PM
  • Look, I have used a local name like domain.in as the domain. I am sending you the list of what I have made.

    I made the servers like this:

    1. DC: Domain controller. Installed AD DS, DNS and DHCP, and also AD CS (root CA); used a local domain, for example rk.com.

    2. SCA: Subordinate CA server. Domain-joined the machine and installed AD CS (subordinate CA).

    3. DA: DirectAccess server. Domain-joined the machine and installed and configured DA, using two adapters, one for the internal domain and the other for external, on which I have used a public IP.

    4. Router server on which I did NATing, using two adapters, one having the internet and the other on the internal network, to which I provided internet through routing.

    That's it. Now tell me what to do.

    Friday, August 7, 2015 5:21 AM
  • Hi,

    So on a DirectAccess client connected to the internet, when you run the following command (NETSH NAMESPACE SHOW EF), you should see one entry for your NRPT and a second one for your internal domain. Am I right?

    If that's the case, we only need to enable force tunneling in the Remote Access Management Console. If I remember well, it's in the first step of the interface.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, August 7, 2015 7:41 AM
  • hello,

    After running the command NETSH NAMESPACE SHOW EF

    I am getting this:

    DNS Effective Name Resolution Policy Table Settings

    Note: DirectAccess settings are inactive when this computer is inside a corporate network.

    Friday, August 7, 2015 10:35 AM
  • OK, my fault, because you're on the LAN. Try NETSH NAMESPACE SHOW POLICY.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, August 7, 2015 10:36 AM
  • After running the above command I am getting this:

    DNS Name Resolution Policy Table Settings


    Settings for .
    ----------------------------------------------------------------------
    DNSSEC (Certification Authority)        :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (Certification Authority)  :
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : da.rk.in:443
    Generic (DNS Servers)                   :
    Generic (VPN Trigger)                   : disabled
    IDN (Encoding)                          : UTF-8 (default)


    Settings for .rk.in
    ----------------------------------------------------------------------
    DNSSEC (Certification Authority)        :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (Certification Authority)  :
    DirectAccess (DNS Servers)              : 2008:cb84:d968:3333::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    Generic (DNS Servers)                   :
    Generic (VPN Trigger)                   : disabled
    IDN (Encoding)                          : UTF-8 (default)


    Settings for DirectAccess-NLS.rk.in
    ----------------------------------------------------------------------
    DNSSEC (Certification Authority)        :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (Certification Authority)  :
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings
    Generic (DNS Servers)                   :
    Generic (VPN Trigger)                   : disabled
    IDN (Encoding)                          : UTF-8 (default)

    Also, I noticed that I am not able to apply the GPO correctly. I looked at the above-mentioned link, but I am still unable to do that. Provide me the steps so that I can do it and route the internet traffic through the DA server.

    thanks
    Friday, August 7, 2015 10:44 AM
  • Hi,

    According to the result of the command, you already have force tunneling enabled, as you have a wildcard entry (resolve all names). The proxy to be used is da.rk.in:443.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, August 7, 2015 11:57 AM
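  • The check BenoitS is doing by eye on the netsh output (is there a '.' rule, and what proxy does it name?) can be scripted on the client, together with the name-resolution test that the later replies arrive at via nslookup. This is an added example, not code from the thread; it runs on a domain-joined DirectAccess client (Windows 8.1) with the built-in DnsClient, NetworkTransition and NetworkConnectivityStatus cmdlets. The suffix, DNS64 address and host name are taken from the thread or are placeholders, as marked.

    ```powershell
    # Added example (not from the original thread). Run on the DirectAccess client
    # while it is OUTSIDE the corporate network, i.e. when the NLS is unreachable
    # and the DirectAccess NRPT rules are active.

    $domainSuffix = '.rk.in'                   # from the netsh output in the thread
    $dns64        = '2008:cb84:d968:3333::1'   # DirectAccess DNS server from the same output
    $internalHost = 'dc.rk.in'                 # placeholder: any intranet host name

    # 1. Configured NRPT, the same data as 'netsh namespace show policy'.
    #    Force tunneling shows up as a rule whose Namespace is '.' and whose
    #    DirectAccessProxyName is the DA server (da.rk.in:443 in the thread).
    #    Add -Effective to see what is applied right now; inside corpnet that
    #    returns nothing, which is netsh's "DirectAccess settings are inactive".
    $nrpt     = Get-DnsClientNrptPolicy
    $wildcard = $nrpt | Where-Object { $_.Namespace -eq '.' }
    if ($wildcard -and $wildcard.DirectAccessProxyName) {
        "Force tunneling: all names resolve via DirectAccess, proxy = $($wildcard.DirectAccessProxyName)"
    } else {
        "Split tunneling: only $domainSuffix is sent through DirectAccess"
    }
    $nrpt | Select-Object Namespace, DirectAccessDnsServers, DirectAccessProxyName

    # 2. Name resolution that really goes to the DA DNS64 server. ping and tracert
    #    do not consult the NRPT, so a timeout there says nothing about DNS.
    #    A successful AAAA answer means the remaining problem is connectivity.
    Resolve-DnsName -Name $internalHost -Server $dns64 -Type AAAA -ErrorAction Stop

    # 3. Transition technologies. The thread's GPO disables 6to4 and Teredo and
    #    leaves IP-HTTPS enabled, so IP-HTTPS must be the interface that is up.
    Get-Net6to4Configuration    | Select-Object State
    Get-NetTeredoConfiguration  | Select-Object Type
    Get-NetIPHttpsConfiguration | Select-Object Profile, State, ServerURL
    Get-NetIPHttpsState         | Select-Object InterfaceStatus, LastErrorCode

    # 4. Overall DirectAccess status as the client reports it.
    Get-DAConnectionStatus
    ```

    If step 2 answers but step 4 is not "ConnectedRemotely", the NRPT is fine and the fault is in the tunnel or in routing on the DA server, which is where the thread eventually ends up (the missing second gateway).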
  • Yes, but the internet is still limited on the client machine. Is there any solution to overcome this?
    Friday, August 7, 2015 1:05 PM
  • When you enable force tunneling, all internet access passes through your proxy, a.k.a. da.rk.in. Force tunneling needs some tuning because some Windows features such as NCSI do not understand what happened.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, August 7, 2015 1:08 PM
  • When I am tracing the path from the client machine, for example:

    tracert google.com

    the IPv6 address of the DA server replies once and then it shows "request timed out".

    Friday, August 7, 2015 1:17 PM
  • Ping is not a good friend, as it does not use the NRPT; prefer NSLOOKUP -Server 2008:cb84:d968:3333::1 <name to resolve>

    If you have an answer it's not a name resolution problem but a connectivity problem.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, August 7, 2015 1:19 PM
  • Now I get this:

    C:\Windows\system32>NSLOOKUP -Server 2008:cb84:d968:3333::1
    *** Invalid option: Server
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  10.2.0.4

    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

    And one more thing I want to ask you: can I do this force tunneling without a proxy or not, as I haven't set up a proxy server yet?
    Saturday, August 8, 2015 4:55 AM
  • My fault, wrong syntax:

    NSLOOKUP

    Server 2008:cb84:d968:3333::1

    <Internal name to be resolved>


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, August 10, 2015 7:57 AM
  • I did it. Actually, for force tunneling we need to set two gateways, one each for the external and the internal network.
    • Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM
    Monday, August 31, 2015 10:32 AM