Cannot get Direct Access from Outside Internet

  • Question

  • I have UAG 2010 SP1 installed, I used Shannon Fritz's http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-configuration-guide/#BGS as a guide.  The UAG server is connected to a DMZ behind a firewall, there is no firewall behind the UAG server.  The firewall has been configured as recommended and TMG on the UAG server has been set up as recommended.  The A record for the first IP address on the UAG server is set up.

    I have a virtual PC (Windows 7 Enterprise) with two NICs, one is on the internal network and the second is in the DMZ.  I also have a laptop with Windows 7 Enterprise and the laptop is connected directly to our internet provider which is Wide Open West.  Both of these are in the same OU and have the same Group Policies applied, including the Direct Access Client GP.  The virtual PC connects via Direct Access.  The laptop does not.

    I found Deb Shinder's "7 Steps for Troubleshooting Direct Access Clients".  Group Policy Settings are OK, the client knows that it is not on the intranet, and the Name Resolution Policy is in effect (when I attempt to ping the IPv6 address of the DA DNS server, I do not get replies).  On my ipconfig /all, I do not have a gateway address for my Teredo Tunnel.  My ipconfig /all for the laptop on the internet is below.

    What is strange is that when I PING an internal domain controller I get a response from 64.158.56.38 with wowway.com attached to the server name.

    I am learning as I go, any help is appreciated.

    Chris Gardner


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : datest
       Primary Dns Suffix  . . . . . . . : dnr.state.oh.us
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : dnr.state.oh.us
                                           wowway.com

    Wireless LAN adapter Wireless Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5300 AGN
       Physical Address. . . . . . . . . : 00-21-6A-B1-B2-38
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : wowway.com
       Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-26-B9-A3-03-5C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::ec18:a4f0:deac:1d60%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.11.103(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, February 22, 2011 10:25:49 AM
       Lease Expires . . . . . . . . . . : Wednesday, February 23, 2011 10:25:48 AM
       Default Gateway . . . . . . . . . : 192.168.11.1
       DHCP Server . . . . . . . . . . . : 192.168.11.1
       DHCPv6 IAID . . . . . . . . . . . : 234890937
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-EF-70-71-00-26-B9-A3-03-5C
       DNS Servers . . . . . . . . . . . : 64.233.222.7
                                           64.233.222.2
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{FC378B63-DB3B-4416-87EB-CCB13AA2773E}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.wowway.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : wowway.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:c6ea:2cec:3054:3514:b489:5740(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3054:3514:b489:5740%16(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    On the laptop I can PING the external interface of my UAG server which is 198.234.44.236. 

    Wednesday, February 23, 2011 1:50 PM

Answers

  • I installed Wireshark on the UAG server.  Captured packets from the outside interface.  When I start the laptop that is connected to the internet I see packets for the Teredo Protocol.  The source is the IPv6 address of the laptop, the destination is the IPv6 address of the UAG outside interface.  The description of the packets is - Direct IPv6 Connectivity Test id=varying numbers and seq=varying numbers.  I am unsure of the handshake that Teredo needs, and had no luck searching.  I assumed that I would see ISAKMP packets for the building of a tunnel?

    There are 21 of these packets, and no other Teredo packets.  I also have IPv6 protocol packets from the same source and destination as above, the info on these packets states - IPv6 no next header

    I also have configured the laptop to only receive the UAG Client GP and removed any other Windows Firewall configuration.

    Friday, February 25, 2011 9:55 PM

All replies

  • Here is the ipconfig /all from my virtual PC that Direct Access works on.


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : TestDA
       Primary Dns Suffix  . . . . . . . : dnr.state.oh.us
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : dnr.state.oh.us

    Ethernet adapter DMZ:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
       Physical Address. . . . . . . . . : 00-50-56-9C-00-64
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6c33:17d6:55e1:5097%15(Preferred)
       IPv4 Address. . . . . . . . . . . : 198.234.44.230(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . : 198.234.44.225
       DHCPv6 IAID . . . . . . . . . . . : 335564886
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-A8-82-D4-00-50-56-9E-10-09
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{D24FFE52-E768-42A1-B4EB-418534EFE4BC}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:c6ea:2ce6::c6ea:2ce6(Preferred)
       Default Gateway . . . . . . . . . : 2002:c6ea:2cec::c6ea:2cec
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:c6ea:2cec:3cbc:36e2:3915:d319(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3cbc:36e2:3915:d319%16(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wednesday, February 23, 2011 3:30 PM
  • Hello,

    Did you open all the required ports on your DMZ as described here: http://security.sakuranohana.fr/2010/10/ports-used-directaccess.html

    Could you also:

    • Tell us what is happening when you try to ping an internal resource with the hostname or the DNS name?
    • Give more information about the problem

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Thursday, February 24, 2011 8:45 AM
  • I ran into a couple of non-UAG issues that I had to work on and then my virtual test machine NRPT got corrupted, so I learned how to fix that.

    The UAG server sits in a DMZ behind a firewall, there is no firewall between the internal NIC and our corporate network.  I had the firewall configured with:

    • Allow inbound and outbound "Protocol 41" (aka ISATAP) to support 6TO4 connections.
    • Allow UDP traffic over port 3544 to support Teredo connections.
    • Allow TCP traffic over port 443 to support IP-HTTPS connections.
    • Allow ping (ICMP echo) [optional].

    Results below are from the laptop that sits on the outside internet.  Again, I have a virtual PC that sits on our DMZ and I get a Direct Access connection and access to my shared drives, I see this connection in UAG Direct Access Monitor - Active Sessions Monitor.

    I have the Direct Access Connectivity installed on the laptop, I could post the log also if that would help.  Is there any other type of logging available on the client or UAG server to look at?

    PING DNS result:

    Ping request could not find host xxxxx.dnr.state.oh.us. Please check the name and try again.

    PING Hostname result: I do not know where 64.158.56.38 is coming from, that is not from my network.

    Pinging xxxxx.wowway.com [64.158.56.38] with 32 bytes of data:
    Reply from 64.158.56.38: bytes=32 time=46ms TTL=47
    Reply from 64.158.56.38: bytes=32 time=45ms TTL=47
    Reply from 64.158.56.38: bytes=32 time=46ms TTL=47
    Reply from 64.158.56.38: bytes=32 time=46ms TTL=47

    netsh interface teredo show state:

    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 198.234.44.236 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : restricted
    NAT Special Behaviour   : UPNP: No, PortPreserving: Yes
    Local Mapping           : 192.168.11.103:51947
    External NAT Mapping    : 75.118.168.191:51947

    PING outside interface of UAG server result:

    Pinging nruag.dnr.state.oh.us [198.234.44.236] with 32 bytes of data:
    Reply from 198.234.44.236: bytes=32 time=76ms TTL=105
    Reply from 198.234.44.236: bytes=32 time=78ms TTL=105
    Reply from 198.234.44.236: bytes=32 time=80ms TTL=105
    Reply from 198.234.44.236: bytes=32 time=80ms TTL=105

    Friday, February 25, 2011 3:17 PM
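An added example, not code from the thread, from Microsoft or from UAG: it parses `ipconfig /all` text like the two outputs posted above, reports which transition adapters (ISATAP, 6to4, Teredo, IP-HTTPS) are up and hold a global IPv6 address, and decodes what a Teredo or 6to4 address embeds. Per RFC 4380 a Teredo address carries the Teredo server's IPv4 address, a cone-NAT flag, and the client's NAT-mapped port and IPv4 address (each XORed with all-ones bits); a 6to4 address carries the host's IPv4 address. Assumptions: English ipconfig field labels, and the sample input is constructed from the addresses already posted in this thread.

```python
"""Summarise DirectAccess transition adapters in `ipconfig /all` output and decode
the IPv4 details embedded in Teredo (RFC 4380) and 6to4 (RFC 3056) addresses.

Added example for this thread; not Microsoft's, UAG's or the poster's code.
"""
import ipaddress
import re

# Constructed sample: an abbreviated `ipconfig /all` built from the thread's addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : datest

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : wowway.com
   IPv4 Address. . . . . . . . . . . : 192.168.11.103(Preferred)
   DNS Servers . . . . . . . . . . . : 64.233.222.7
                                       64.233.222.2

Tunnel adapter iphttpsinterface:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : iphttpsinterface

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   IPv6 Address. . . . . . . . . . . : 2001:0:c6ea:2cec:3054:3514:b489:5740(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3054:3514:b489:5740%16(Preferred)
   Default Gateway . . . . . . . . . : ::
"""

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")
# A field label is followed by dot leaders and a colon; continuation lines
# (a second DNS server, for instance) have neither label nor dot leaders.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /()-]*?)(?: ?\.)+ ?: ?(.*)$")


def parse_ipconfig(text):
    """Return {section name: {field label: [values]}} for the header and every adapter."""
    sections = {}
    current = sections.setdefault("Windows IP Configuration", {})
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = sections.setdefault(m.group(2), {})
            last_field = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            values = current.setdefault(last_field, [])
            if m.group(2):
                values.append(m.group(2).strip())
        elif last_field and line.strip():
            current[last_field].append(line.strip())  # continuation of the previous field
    return sections


def transition_summary(sections):
    """For each transition technology: is any adapter up, and which global IPv6 addresses it holds."""
    kinds = (("isatap", "ISATAP"), ("6to4", "6to4"), ("teredo", "Teredo"), ("iphttps", "IP-HTTPS"))
    summary = {}
    for name, fields in sections.items():
        kind = next((label for key, label in kinds if key in name.lower()), None)
        if kind is None:
            continue
        media_down = any("disconnected" in v.lower() for v in fields.get("Media State", []))
        addrs = [a.split("(")[0] for a in fields.get("IPv6 Address", [])]
        entry = summary.setdefault(kind, {"connected": False, "ipv6": []})
        entry["connected"] = entry["connected"] or not media_down
        entry["ipv6"].extend(addrs)
    return summary


def decode_teredo(addr):
    """Unpack server, NAT type and NAT-mapped client endpoint from a 2001::/32 Teredo address."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2001::/32"):
        raise ValueError(f"{addr} is not a Teredo address")
    b = a.packed
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone_nat": bool(int.from_bytes(b[8:10], "big") & 0x8000),  # other flag bits are random
        "external_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "external_ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def decode_6to4(addr):
    """Return the IPv4 address embedded in a 2002::/16 6to4 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


if __name__ == "__main__":
    for kind, info in transition_summary(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(kind, info)
        for address in info["ipv6"]:
            if kind == "Teredo":
                print("  Teredo ->", decode_teredo(address))
            elif kind == "6to4":
                print("  6to4 ->", decode_6to4(address))
```

Decoding the laptop's Teredo address from the first ipconfig gives server 198.234.44.236 (the UAG external interface), a restricted (non-cone) NAT, and external endpoint 75.118.168.191:51947, which is exactly the "External NAT Mapping" that `netsh interface teredo show state` printed above; the virtual PC's Teredo address decodes to its own DMZ address 198.234.44.230, as does its 6to4 address. When reviewing client logs or captures, this is a quick way to confirm that a Teredo client really qualified against the intended server and to see which NAT mapping it is exposing.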