Internal UAG client can't find NLS server

  • Question

  • OK, this is purely a hypothetical situation: what if I have a client who is internal and for whatever reason cannot find the NLS server, so it kicks in DirectAccess, but I don't want it to use DirectAccess while it's inside the network? Is there any way to disable DirectAccess on the client, forcing it to attempt to join the network like a normally behaving machine? lol
    Saturday, March 26, 2011 9:35 PM

Answers

  • Hi,

     

    The DirectAccess Connectivity Assistant will solve your problem. Your users will be able to switch to normal DNS resolution. The NLS failure will cause problems for client computers that are re-evaluating their firewall situation (switch from VLAN, ...). Client computers that previously found the NLS are not affected.

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by radray Thursday, March 31, 2011 12:33 AM
    Sunday, March 27, 2011 4:19 PM
  • Yes, as mentioned above, if you appropriately configure the DirectAccess Connectivity Assistant, your users will then have the ability to right-click on it and choose "Prefer Local DNS Names", which basically turns off the Name Resolution Policy Table (NRPT). This tells all traffic to go over the local NIC's connection instead of trying to push corporate traffic through the DA IPsec tunnels, whether the tunnels exist or not.

    Note: If you are using DA in Force Tunnel mode I believe this option is not available in the Assistant.

    This scenario is the reason that it is recommended the NLS be highly available. However, in many networks if the NLS is unavailable, it really won't affect the users at all. If your internal network has the capability to route to your company's external IP addresses, then even when inside the network DA will still be able to connect and establish its tunnels, and the users will be able to function as they would any other day (though perhaps slower because their requests are moving over DA instead of directly over the LAN). However, if your external network is not routable from your internal network, then DA is going to fail to establish connectivity and you will have many unhappy users to talk to :)

    • Marked as answer by radray Thursday, March 31, 2011 12:34 AM
    Monday, March 28, 2011 12:33 PM

All replies

  • Thanks. So, after reading on network location server placement, I still don't understand why you shouldn't put the NLS on a DC. Can someone explain this please? I'm a bit confused.
    Tuesday, May 31, 2011 3:14 PM
  • Hi

     

    There is no technical reason to put the NLS on a domain controller. In my point of view it's a bad idea to put it on a domain controller. The real requirement is to have a highly reliable web server, by using NLB or another network load balancing mechanism. In a PoC or simple environments, domain controllers might be the only highly reliable servers to host the NLS.

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Tuesday, May 31, 2011 5:28 PM
  • Bear in mind that in this scenario, internal clients may pick up Teredo addresses... I have seen an issue where this consequence impacted SCCM software delivery due to site boundary configuration...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 1, 2011 9:23 AM
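The replies above describe three things a practitioner wants to verify on a client that is behaving as if it were outside: whether the NLS probe actually succeeds, whether the NRPT is in force (it is what "Prefer Local DNS Names" in DCA switches off), and whether the machine has come up with a Teredo address as Jason describes. The following diagnostic script is an added example, not code from the thread or from Microsoft's DirectAccess tooling. The NLS URL and the intranet host name are placeholders you must replace; the DnsClient and NetTCPIP cmdlets assume Windows 8 / Server 2012 or later, while the netsh calls also work on Windows 7 / UAG-era clients.

```powershell
# Added example: client-side DirectAccess location diagnostic (not from the original thread).
# Assumptions / placeholders:
#   $NlsUrl        - your NLS probe URL (the HTTPS URL the DA client is configured to test)
#   $InternalName  - an intranet host name that falls under one of your NRPT rules
param(
    [string]$NlsUrl       = 'https://nls.corp.example.com/',
    [string]$InternalName = 'intranet.corp.example.com'
)

function Test-NlsReachable {
    # The DA client treats itself as "inside" only if an HTTPS GET to the NLS succeeds with a
    # certificate it trusts (chain and revocation check included). Invoke-WebRequest throws on
    # both a connection/HTTP failure and a certificate failure, so any exception here means the
    # client would NOT detect the corporate network, which is exactly the situation in the question.
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "NLS probe failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-DaMachineLocation {
    # The client's own verdict, printed by netsh as e.g.
    #   Machine Location : Inside corporate network
    $out  = netsh dnsclient show state
    $line = $out | Where-Object { $_ -match 'Machine Location' }
    if ($line -match ':\s*(.+)$') { return $Matches[1].Trim() }
    return 'unknown'
}

function Get-EffectiveNrpt {
    # Effective NRPT rules are empty when the client is inside (NLS found) or when the user chose
    # "Prefer Local DNS Names" in DCA; they are populated when the client is applying DA policy and
    # will send corporate names to the DA DNS server over the IPsec tunnels.
    Get-DnsClientNrptPolicy -Effective |
        Select-Object Namespace, DirectAccessDnsServers, DirectAccessProxyType
}

function Get-TeredoSummary {
    # A client that missed the NLS may bring up Teredo; other systems (SCCM site boundaries, for
    # instance) then see the 2001:0::/32 address instead of the LAN address.
    $state = (netsh interface teredo show state) -join "`n"
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress -like '2001:0:*' } |
             Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{ State = $state; TeredoAddresses = @($addrs) }
}

# --- run the checks ---------------------------------------------------------------
$nlsOk    = Test-NlsReachable -Url $NlsUrl
$location = Get-DaMachineLocation
$nrpt     = @(Get-EffectiveNrpt)
$teredo   = Get-TeredoSummary

"NLS reachable        : $nlsOk"
"Client's own verdict : $location"
"Effective NRPT rules : $($nrpt.Count)"
$nrpt | Format-Table -AutoSize
"Teredo addresses     : $($teredo.TeredoAddresses -join ', ')"

# Where does a corporate name resolve right now? With the NRPT in force the query goes to the
# DA DNS server through the tunnel; with it off (inside, or "Prefer Local DNS Names") it goes
# to the adapter's configured DNS servers.
Resolve-DnsName -Name $InternalName -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress | Format-Table -AutoSize

if (-not $nlsOk -and $nrpt.Count -gt 0) {
    Write-Warning ("NLS not reachable and NRPT active: this client will try to use DirectAccess " +
                   "from inside the network. Either make the DA public address routable from the " +
                   "LAN, or have the user select 'Prefer Local DNS Names' in DCA.")
}
```

Run it as the logged-on user on the misbehaving client; the NLS probe must be run from the same machine, because the point is whether that client can reach the NLS with a certificate it trusts, not whether the server is up. If the probe fails only with a certificate or revocation error, the NLS itself is fine and the fix is on the PKI side rather than on DCA.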