Hyper-V as Direct Access client

  • Question

  • Hi all, I have UAG 2010 on my network running very well. I have Hyper-V as a Direct Access client and everything is OK, but when my Hyper-V on the internet side is connected via Direct Access, I can't open the virtual machine console on Hyper-V anymore; I can only open it via Windows 7 Hyper-V management, and nothing more on the Hyper-V itself.

    Does anybody know why this happens?

    Thanks.

    Thursday, April 21, 2011 1:16 AM

Answers

  • Jason, the problem is not managing Hyper-V through Direct Access; that's OK. The problem is that after I joined Hyper-V to the domain and set it up as a Direct Access client, I can't connect on the Hyper-V itself to the remote virtual machine console.

    I read this,

    The real problem:
    Hyper-V server requires the ability to connect back to the “remote” client via resolving the FQDN of the connecting client and establishing its own TCP connection back to the “remote” client. Even while managing Hyper-V locally the local tools are seen as a “remote” client and as such the Hyper-V server will extract the FQDN of the connection and attempt to do name resolution to ensure that the client that is connecting actually owns the IP address it is connecting from. With NRPT active but unable to access a Direct Access server because the Direct Access client is offline the NRPT prevents the resolution of the FQDN (it would have allowed short-name resolution to fall through and use local LLMNR except that the connection is using IPv4 and not IPv6 and thus the IP addresses would not match and the connection is denied as a “spoof” attack). Once NRPT is taken out of the picture the Hyper-V server is able to properly do name resolution leveraging the local resolver and everything connects up just fine.

    The solution:
    -go into the Registry and delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig"
    -in an elevated command prompt, enter: sc control dnscache paramchange

    After that the “Virtual Machine Connection” was working fine.

    After doing that, it's back to normal, but there's another problem: after deleting DnsPolicyConfig, I can't use Direct Access anymore!

     

    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:40 PM
    Saturday, April 23, 2011 1:20 PM
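
The two steps from the answer above, as an added PowerShell example (not part of the original post): it exports the NRPT policy key before deleting it, so the rules can be re-imported once Direct Access is needed again. The backup path and the function names are assumptions. In PowerShell `sc` is an alias for `Set-Content`, so the service control call is written as `sc.exe`.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# $Backup and the function names are illustrative assumptions.
$NrptKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$NrptKeyReg = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$Backup     = Join-Path $env:TEMP 'nrpt-backup.reg'

function Show-NrptRules {
    # Read-only: each subkey of DnsPolicyConfig is one NRPT rule.
    if (-not (Test-Path $NrptKey)) {
        Write-Host 'No NRPT policy key present.'
        return
    }
    Get-ChildItem $NrptKey | ForEach-Object {
        Write-Host "Rule: $($_.PSChildName)"
        Get-ItemProperty $_.PSPath |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

function Disable-Nrpt {
    # Export first; refuse to delete if the export did not succeed.
    if (-not (Test-Path $NrptKey)) { return }
    reg.exe export $NrptKeyReg $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Export failed; key left untouched.' }
    Remove-Item $NrptKey -Recurse
    # Tell the DNS Client service to re-read its parameters.
    sc.exe control dnscache paramchange | Out-Null
}

function Restore-Nrpt {
    # Put the exported rules back and notify the DNS Client service again.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup
    if ($LASTEXITCODE -ne 0) { throw 'Import failed.' }
    sc.exe control dnscache paramchange | Out-Null
}

# Only the read-only step runs by default; call the others deliberately:
#   Disable-Nrpt    # before opening Virtual Machine Connection locally
#   Restore-Nrpt    # before using Direct Access again
Show-NrptRules
```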
