DirectAccess 2016 - no access after public IPv4 is changed by ISP

    Question

  • I'm running a single DA server 2016 environment PoC in a lab. I've set it up successfully with a few clients and everything worked fine BEFORE the public IPv4 of the DA server changed.

    - I pointed the public domain (DA service address) at the new IP and the client resolves it fine.
    - The netsh name show policy and netsh name show effective commands show exactly the same setup as before, when it worked (I took screenshots of the working state).
    - Server DA GPO and Client DA GPO do not contain any IPv4 information
    - The IPv6 prefix has not changed while the IPv4 did change
    - ipconfig shows the IP-HTTPS interface with the proper IPv6 prefix, as it is supposed to

    Problem:
    - Client stays in the "Connecting" state, never Connected
    - DA server's Remote Client Status is empty, no clients connected.
    - Client can't resolve internal domain/DNS names, no access inside the domain


    Please remember to mark my post as an answer if I really helped you out, or vote if useful. Thank you!



    • Edited by yannara Thursday, February 8, 2018 2:28 PM
    Thursday, February 8, 2018 2:22 PM

All replies

  • Hi,

    Thank you for your question. 
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 9, 2018 6:44 AM
  • Changing the public IP address should have no effect on DirectAccess operation, assuming of course you have deployed the DirectAccess server behind an existing edge firewall (one or two NICs). As long as clients resolve the public hostname to the correct IP address they should be able to establish a DirectAccess connection.

    However, if your DirectAccess server is using a self-signed certificate for IP-HTTPS and you specified an IP address instead of a hostname (not recommended) then DirectAccess clients won't be able to connect.

    To begin, run the Get-NetIpHttpsState command on your DirectAccess client. If it returns an error, look up the error code and see what it translates to. That should yield some clue as to why your clients aren't connecting.

    Friday, February 9, 2018 11:11 PM
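    The reply above boils down to three client-side checks: the IP-HTTPS hostname must resolve to the server's current public IPv4, TCP 443 must be reachable, and the certificate the server presents must be a server-authentication certificate whose name matches that hostname (not an IP address, not expired, not self-signed unless the client trusts it). The script below is an added example from the editor, not code from the thread or from Microsoft. It reads the IP-HTTPS URL from the client's own active policy, so nothing about the poster's environment is hard-coded; the only assumption is that Get-NetIPHttpsConfiguration returns a ServerURL for the DA client GPO that applies.

```powershell
# Added DirectAccess client-side diagnostic (not from the thread).
# Run in an elevated PowerShell session on a DA client that is off the corporate network.
# Assumption: the IP-HTTPS server URL is taken from the applied client policy.

$cfg = Get-NetIPHttpsConfiguration | Where-Object { $_.ServerURL } | Select-Object -First 1
if (-not $cfg) { throw 'No IP-HTTPS configuration found. Is the DA client GPO applied?' }
$uri = [uri]$cfg.ServerURL

# 1. Name resolution: the hostname must resolve to the server's *current* public IPv4.
$a = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop
Write-Host ("{0} resolves to {1}" -f $uri.Host, (($a | Where-Object IPAddress).IPAddress -join ', '))

# 2. Reachability: TCP 443 must be open end to end (ISP, edge firewall, host firewall).
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
Write-Host ("TCP {0} reachable: {1}" -f $uri.Port, $tcp.TcpTestSucceeded)

# 3. Certificate: fetch what the server actually presents and inspect it ourselves.
#    The callback accepts everything so the handshake completes, but records the
#    result of the normal chain/name validation for reporting.
$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    $true
}
$client = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $client.Dispose()
}

$sans        = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$ekus        = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$nameMatches = $sans -contains $uri.Host                       # SAN/CN must carry the hostname
$serverAuth  = $ekus -contains '1.3.6.1.5.5.7.3.1'             # id-kp-serverAuth
$selfSigned  = $cert.Subject -eq $cert.Issuer                  # fine only if clients trust it
$notExpired  = $cert.NotAfter -gt (Get-Date) -and $cert.NotBefore -lt (Get-Date)

[pscustomobject]@{
    ServerURL          = $cfg.ServerURL
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    SubjectAltNames    = $sans -join ', '
    HostnameInSAN      = $nameMatches
    ServerAuthEKU      = $serverAuth
    SelfSigned         = $selfSigned
    WithinValidity     = $notExpired
    ClientChainResult  = $script:sslErrors                     # 'None' means the client trusts it
} | Format-List

# 4. What the IP-HTTPS transition layer and the DA connectivity assistant report.
#    A non-zero LastErrorCode is the value to look up; 0x0 with "Connecting" points
#    past IP-HTTPS to IPsec/DNS (NRPT) rather than the tunnel transport.
Get-NetIPHttpsState | Format-List InterfaceStatus, LastErrorCode
Get-DAConnectionStatus
```

    If step 3 reports HostnameInSAN false or ClientChainResult other than None, the IP-HTTPS tunnel cannot come up no matter what the public IP is; if all four certificate checks pass and Get-NetIPHttpsState shows 0x0 and an active interface, the transport is fine and the remaining suspects are the IPsec tunnels and the NRPT rules, which is where the DA server's Remote Access Management console and the client's Get-DAConnectionStatus substatus become the next thing to read.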
  • Changing the public IP address should have no effect on DirectAccess operation, assuming of course you have deployed the DirectAccess server behind an existing edge firewall (one or two NICs). As long as clients resolve the public hostname to the correct IP address they should be able to establish a DirectAccess connection.

    However, if your DirectAccess server is using a self-signed certificate for IP-HTTPS and you specified an IP address instead of a hostname (not recommended) then DirectAccess clients won't be able to connect.

    To begin, run the Get-NetIpHttpsState command on your DirectAccess client. If it returns an error, look up the error code and see what it translates to. That should yield some clue as to why your clients aren't connecting.

    Thank you for the reply. My DA server is deployed with 2 NICs; the public NIC is directly on the Internet with the ISP's IP, so it is not behind an edge. Clients resolve the new IP + public DNS name fine (after I changed my public domain configuration when that IP changed). DA server and clients are using PKI certs and there is no IPv4 set anywhere. The DA server has a web cert with a DNS name (public FQDN).

    I will try that command later on. Feel free to post if you have additional ideas etc.



    Saturday, February 10, 2018 12:51 PM
  • To begin, run the Get-NetIpHttpsState command on your DirectAccess client. If it returns an error, look up the error code and see what it translates to. That should yield some clue as to why your clients aren't connecting.

    DA stays in the "Connecting" status, but the IP-HTTPS state gives 0x0 and active.


    Tuesday, February 13, 2018 10:25 AM
  • Up up

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Thursday, May 10, 2018 8:03 AM