Direct Access clients can't reach one particular subnet.

  • Question

  • Have a UAG Direct Access solution in place, has been working well for about a year.  Recently had to change ISPs, and was able to change the external address of the DA server without incident thanks to this link.  I mention this only because I'm not sure if this particular issue has always existed, or if it just cropped up since the ISP change.

    DA clients can successfully reach all 20-odd subnets on our network, just not this one.  The only host that is really on this subnet is our spam filter, which is a non-Windows appliance.  Thinking that may have had something to do with it, I put a Server 2008 (R2, I think) host on the subnet as well, just for testing purposes.  On the corporate network, I can ping both of them.  Outside, using DA, both names resolve to IPv6 addresses, but I can't ping either host.

    I have confirmed that the subnet in question is included in the "Internal" networks in TMG.  That was the solution when this same problem was occurring on a newly created subnet recently.  But for this subnet, no dice.

    What am I missing?




    Wednesday, November 16, 2011 5:40 PM

All replies

  • Routing to any particular subnet from DirectAccess depends on two things:

    1. The actual route. Make sure the route exists on the UAG server and that you can contact resources inside the subnet from the UAG server. If the route doesn't exist on the server, the clients will not be able to get there either.

    2. Making UAG/TMG "trust" the subnet. This sounds like what you already checked. You want to re-run the Network Interfaces wizard from the Admin menu inside UAG. Part of this wizard is defining the IP address scopes that make up your Internal network. Make sure that the IPs of the subnet in question exist in this wizard, and then reactivate UAG which basically pushes those changes into TMG to form the trust. Like I said, it sounds like you may have already verified this by checking TMG directly, but I would still check the UAG wizard to make sure they exist there as well.

    Wednesday, November 16, 2011 5:53 PM
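
The two checks from the answer above, as an added example that is not part of the original thread: the script parses a constructed `route print -4` excerpt and a constructed list of Internal ranges, then reports for each subnet whether its best-matching route uses the internal adapter and whether it lies inside an Internal range. All addresses, the (first, last) range format, and the assumption that traffic following the default route leaves by the external adapter are illustrative.

```python
import ipaddress

# Constructed sample: route rows as printed by `route print -4` on a
# dual-homed server. Every address here is made up for this example.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
         10.1.0.0      255.255.0.0         10.1.0.1       10.1.0.20     11
         10.2.5.0    255.255.255.0         10.1.0.1       10.1.0.20     11
      203.0.113.0    255.255.255.0          On-link    203.0.113.10    266
"""
INTERNAL_IF = "10.1.0.20"  # assumed address of the internal adapter
# Constructed Internal network ranges, transcribed as (first, last) pairs.
INTERNAL_RANGES = [("10.1.0.0", "10.1.255.255"), ("10.2.5.0", "10.2.5.255"),
                   ("10.9.9.0", "10.9.9.255")]

def parse_routes(text):
    """Return (network, interface) for each IPv4 route row in the text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header or wrapped line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, fields[3]))
    return routes

def check_subnet(subnet, routes, internal_ranges, internal_if):
    """Evaluate both conditions from the answer for one subnet."""
    target = ipaddress.ip_network(subnet)
    # Longest-prefix match among routes that cover the whole subnet.
    covering = [r for r in routes if target.subnet_of(r[0])]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    routed = best is not None and best[1] == internal_if
    trusted = any(
        ipaddress.ip_address(lo) <= target.network_address
        and target.broadcast_address <= ipaddress.ip_address(hi)
        for lo, hi in internal_ranges)
    return {"route_via_internal": routed, "in_internal_ranges": trusted}

ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    for subnet in ("10.1.4.0/24", "10.2.5.0/24", "10.9.9.0/24"):
        print(subnet, check_subnet(subnet, ROUTES, INTERNAL_RANGES, INTERNAL_IF))
```

In the constructed data, 10.9.9.0/24 is listed as Internal but only the default route covers it, which is the same situation the thread ends up diagnosing.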
  • It was missing the route on the server.  I'm sure I looked there at some point, but somehow still missed it.


    Thanks for your help!

    • Edited by pbagnell Wednesday, November 16, 2011 8:17 PM
    Wednesday, November 16, 2011 8:17 PM
  • Anytime, I'm glad it's working!
    Wednesday, November 16, 2011 9:48 PM