Direct Access Client IPHTTPS Interface Issues

  • Question

  • Hi,

    I am having issues with my Direct Access configuration. This morning I was able to connect my clients; however, they weren't able to connect to any resources, even though it was showing connected and I could see my clients in the connection window. I reset my IPHTTPS Interface on the server and then rebooted it. Ever since, my clients hang at connecting. However, for most of them, when I connect using wifi it goes straight away to limited connectivity. I did some troubleshooting and if I disable the IPHTTPS Interface in Device Manager on the client my wireless goes to connected straight away. As soon as I enable it and it tries to establish a Direct Access connection, it goes to limited connectivity and I have no internet connection. Can anyone provide some advice on why it would be doing this please?

    It is a relatively simple connection as it's a single network adapter deployed behind a NAT. Everything is green in the console. All firewalls and everything are in place. I mean it was working this morning, at least connected, it just couldn't access any resources, and when I reset the interface is when I have had dramas. Any help with this would be greatly appreciated as I am running out of ideas.

    The server is 2012 R2 and the client is Windows 8.1. Force tunnelling is not enabled. Also, when I run the various tests I am outside the corporate network and there are no errors; my IPHTTPS interface says active.

    Thank You,



    • Edited by grayman001 Tuesday, August 9, 2016 2:05 PM
    Tuesday, August 9, 2016 12:48 PM

All replies

  • Hi,

    >>The server is 2012 R2 and the client is Windows 8.1. Force tunnelling is not enabled.

    Windows® 8 and later DirectAccess client computers report "No Internet" as status for the DirectAccess connection, and Network Connectivity Status Indicator (NCSI) reports limited connectivity.

    This can occur when Force Tunneling is enabled in the DirectAccess configuration and, because of this, only IPHTTPS is being used. To resolve this issue, you can create and configure a proxy server. NCSI then uses the proxy server to perform Internet connectivity checks. It is recommended that you add a static proxy to the Name Resolution Policy Table (NRPT) by using the following procedure.

    Before you run the commands in this procedure, ensure that you replace all domain names, computer names, and other Windows PowerShell command variables with values that are appropriate for your deployment.

    Configure a static proxy for an NRPT rule

    1. Display the "." NRPT rule:

       Get-DnsClientNrptRule -GpoName "corp.example.com\DirectAccess Client Settings" -Server <DomainControllerNetBIOSName>

    2. Note the name (GUID) of the "." NRPT rule. The name (GUID) should start with DA-{……..}

    3. Set the proxy for the "." NRPT rule to proxy.corp.example.com:8080:

       Set-DnsClientNrptRule -Name "DA-{……..}" -Server <DomainControllerNetBIOSName> -GPOName "corp.example.com\DirectAccess Client Settings" -DAProxyServerName "proxy.corp.example.com:8080" -DAProxyType "UseProxyName"

    4. Display the "." NRPT rule again by running Get-DnsClientNrptRule, and verify that ProxyFQDN:port is now correctly configured.

    5. Refresh Group Policy by running gpupdate /force on a DirectAccess client when the client is connected internally, then display the NRPT using Get-DnsClientNrptPolicy and verify that the "." rule shows ProxyFQDN:port.

    REF: Troubleshooting DirectAccess

    https://technet.microsoft.com/en-us/library/dn467926(v=ws.11).aspx

    In addition, you could monitor DirectAccess machine/user activity by using component event logging. Here is the link for your reference:

    Additional way to monitor DirectAccess machine/user activity on Windows 2012 and 2012R2 DirectAccess with component event logging

    https://blogs.technet.microsoft.com/martin_j_solis/2015/03/20/additional-way-to-monitor-directaccess-machineuser-activity-on-windows-2012-and-2012r2-directaccess-with-component-event-logging/

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Wednesday, August 10, 2016 2:58 AM
  • Hi, Thanks very much for the reply. Does this still apply to me even though I don't have force tunneling enabled? Ended up doing further testing. Turns out it was a Group Policy that was causing it. Thanks for the help
    • Edited by grayman001 Wednesday, August 10, 2016 7:35 AM
    • Marked as answer by grayman001 Wednesday, August 10, 2016 7:35 AM
    Wednesday, August 10, 2016 4:10 AM
  • Hi,

    Glad to hear that. Could you tell us what kind of Group Policy caused this behavior? It would help other users who encounter a similar issue. Thanks.

    ________________________________________
    Best Regards,
    Cartman

    Wednesday, August 10, 2016 8:02 AM
  • Will do. I have found the Group Policy Object that was causing the issue and I'm pretty sure I have found the policy. Once confirmed I will post on here.

    The policy that the client had enabled was "Route all traffic through the internal network". Set that to Not Configured and all was good. It was located in Administrative Templates\Network\Network Connections.

    • Edited by grayman001 Saturday, August 13, 2016 2:43 AM
    Wednesday, August 10, 2016 1:15 PM
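
Added example, not part of the original thread or of Microsoft's documentation: a client-side check that gathers the evidence discussed above in one pass (the force-tunnel policy, the "." NRPT rule and its proxy setting, and the IP-HTTPS state). The function name Get-DAForceTunnelEvidence is hypothetical, and the registry location is an assumption about where the "Route all traffic through the internal network" policy is stored; confirm the applied GPO with gpresult /h.

```powershell
# Added example. Run in an elevated PowerShell session on a Windows 8.1+ DirectAccess client.
function Get-DAForceTunnelEvidence {
    # 1. Policy value assumed to back "Route all traffic through the internal network"
    #    (Administrative Templates\Network\Network Connections). Assumption: verify
    #    the winning GPO with `gpresult /h report.html`.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
    $policy = (Get-ItemProperty -Path $key -Name 'Force_Tunneling' `
                   -ErrorAction SilentlyContinue).Force_Tunneling
    if (-not $policy) { $policy = 'Not Configured' }

    # 2. Effective NRPT: a "." namespace rule means every DNS name is handled
    #    by DirectAccess, which is what a force-tunnel deployment produces.
    $dotRule = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -eq '.' } | Select-Object -First 1

    # 3. IP-HTTPS tunnel state as the client sees it.
    $iphttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue

    # 4. Turn the raw values into one finding per condition.
    $findings = @()
    if ($policy -eq 'Enabled') {
        $findings += 'Force-tunnel policy is Enabled on this client: all traffic is routed through the internal network.'
    }
    if ($dotRule -and $dotRule.DirectAccessProxyType -ne 'UseProxyName') {
        $findings += 'A "." NRPT rule exists without a static proxy: NCSI probes can fail and report limited connectivity.'
    }
    if (-not $findings) { $findings += 'No force-tunnel indicators found.' }

    [pscustomobject]@{
        ForceTunnelPolicy = $policy
        DotNrptRule       = [bool]$dotRule
        DotRuleProxyType  = $dotRule.DirectAccessProxyType
        DotRuleProxyName  = $dotRule.DirectAccessProxyName
        IPHttpsStatus     = $iphttps.InterfaceStatus
        IPHttpsLastError  = $iphttps.LastErrorCode
        Findings          = $findings
    }
}

Get-DAForceTunnelEvidence | Format-List
```

Comparing ForceTunnelPolicy on the client with the Force Tunneling setting in the DirectAccess server configuration shows when a separate GPO has changed client routing independently of the deployment.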