Directaccess - Inside Corporate Network

  • Question

  • Currently testing out deployment of DirectAccess and have my one client computer saying it's Inside of the Corporate Network (when it's not) after running netsh dns show state. Obviously this is a NLS error, but striking out on what the possible causes could be. The NLS is currently on the DirectAccess server. Any ideas/assistance would be appreciated!
    Thursday, August 20, 2015 7:30 PM

All replies

  • I've just noticed that I am able to access the NLS on and off the network via a web browser, hence the client thinking it's still on the network. Any ideas why it's accessible off the network?
    Thursday, August 20, 2015 8:03 PM
  • There are a few reasons it could be detected while off the network.

    Make sure you don't have the NLS server's record published in external DNS and that the server is not accessible via the Internet. Most people don't accidentally do that, but still it should be mentioned as a possibility.

    The more common reason is that the NLS server was not added as an exemption in the NRPT table when DirectAccess was set up.

    In the Remote Access Management console, Configuration view, edit the "Infrastructure Server Setup" (Step 3) and add the FQDN for each NLS. Do not specify a DNS server. That will effectively create an NRPT exemption so that the NLS cannot be reached when the DirectAccess client is connected remotely.

    There's some good screenshots, and information, over at Richard Hicks's blog post:

    http://directaccess.richardhicks.com/2015/04/06/directaccess-nls-deployment-considerations-for-large-enterprises/

    Those would be my best guesses based on the description.


    • Edited by RhinoBytes Wednesday, September 9, 2015 5:43 PM Added information from Richard Hicks's blog
    Wednesday, September 9, 2015 5:40 PM
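The two checks in the reply above (NLS exposed to the Internet / external DNS, and a missing NRPT exemption for the NLS name) can be run from the affected client. The script below is an added example written for this thread, not something posted by the participants or shipped with DirectAccess; the NLS name nls.corp.example.com is a placeholder, and it assumes a Windows 8/10 DirectAccess client with the DirectAccessClientComponents and DnsClient modules present.

```powershell
# Added diagnostic example (not from the original thread).
# Assumption: $NlsFqdn is a placeholder; replace it with the real NLS FQDN.
param(
    [string]$NlsFqdn = 'nls.corp.example.com'
)

# 1. What the DirectAccess client currently believes about its location.
#    Status is typically ConnectedLocally (thinks it is inside), ConnectedRemotely, or Error.
$da = Get-DAConnectionStatus
"DA client status : $($da.Status) / $($da.Substatus)"

# 2. Look for the NLS in the effective NRPT. An exemption is a rule whose
#    namespace is the NLS FQDN and which lists NO DirectAccess DNS servers,
#    so the name is resolved by the local interface DNS, not over the tunnel.
$rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $NlsFqdn }
if (-not $rule) {
    "NRPT           : no entry for $NlsFqdn. If the name falls under the corporate suffix rule,"
    "                 it is resolved over the DA tunnel and the NLS is reachable remotely (Step 3 fix)."
}
elseif (-not $rule.DirectAccessDnsServers) {
    "NRPT           : exemption present for $NlsFqdn (no DA DNS servers) - OK."
}
else {
    "NRPT           : rule for $NlsFqdn points at $($rule.DirectAccessDnsServers -join ', ')."
    "                 That is not an exemption; remove the DNS server from the NLS entry."
}

# 3. Does the NLS name exist in public DNS? It should NOT. A public resolver is used
#    on purpose so the corporate DNS / NRPT cannot answer.
$pub = Resolve-DnsName -Name $NlsFqdn -Server 8.8.8.8 -ErrorAction SilentlyContinue
if ($pub) {
    "External DNS   : $NlsFqdn resolves publicly to $($pub.IPAddress -join ', ') - remove this record."
}
else {
    "External DNS   : $NlsFqdn does not resolve publicly - OK."
}

# 4. Can the NLS HTTPS endpoint be reached from where this client sits right now?
#    Run this once inside the office (expected: reachable) and once outside (expected: NOT reachable).
try {
    $resp = Invoke-WebRequest -Uri "https://$NlsFqdn/" -UseBasicParsing -TimeoutSec 5
    "NLS probe      : HTTP $($resp.StatusCode) - reachable from this location."
}
catch {
    "NLS probe      : not reachable from this location ($($_.Exception.Message))."
}
```

Run it elevated once on the LAN and once on an outside connection. The combination that matches the original report is "NLS probe: reachable" from outside together with either a missing NRPT exemption or a public DNS answer; fix whichever of those two the output shows and the client should flip to ConnectedRemotely on its next location check.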
  • You should really move the NLS website off the DirectAccess server as a best practice. Having it co-hosted on the DA server causes various issues and security vulnerabilities (self-signed certs, yikes), and it also prevents you from using advanced features of DirectAccess in the future. For example, it is very common to turn on a second DirectAccess server and load balance the two for either growth or redundancy purposes, but in order to do that you would have to move NLS anyway - it then becomes a requirement, not a recommendation.

    It's much easier to make the change and do it "right" in the beginning, rather than have to figure out how to swing your production environment later down the road. Making changes to NLS once you have a bunch of people using it is tricky, because doing it wrong could mean that all your DA clients are unable to resolve DNS lookups when they are inside the office.

    Tuesday, September 15, 2015 3:18 PM