Direct Access - should the NLS be reachable?

    Question

  • Hi,

    Should the Direct Access server be able to reach the NLS server? I thought this should not be possible, but without that I am getting critical errors in the operations status.

    Kind regards,

    Wojciech

    Wednesday, June 13, 2018 12:37 PM

Answers

  • Hi,

    Thanks for your update. Very sorry for my delay.

    The NLS itself is nothing more than a web server with an SSL certificate installed. You can use any web server you choose, as long as it has a proper SSL certificate. The SSL certificate should be valid and the subject name should match the name used in the DirectAccess configuration. The SSL certificate issued to the NLS should also be trusted by the DirectAccess server and all clients. In addition, the NLS should be configured to allow inbound ICMP Echo Requests from the DirectAccess server.

    For more information, we could refer to the following article,

    http://www.ironnetworks.com/blog/directaccess-network-location-server-considerations#.WyZShtihfmI

    So we can see that the DA deployment requires the NLS to be reachable and available on the internal network.

    Hope this helps.  

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by rozanw Tuesday, June 19, 2018 8:56 AM
    Sunday, June 17, 2018 12:38 PM

All replies

  • Hi,

    Have a nice day! Thanks for your question.

    The Network Location Server (NLS) is a critical component in a DirectAccess deployment. The NLS is used by DirectAccess clients to determine if they are inside or outside of the corporate network.

    If a DirectAccess client can connect to the NLS, it must be inside the corporate network. If it cannot, it must be outside of the corporate network. It is for this reason that the NLS must not be reachable from the public Internet. A client configured for DirectAccess will probe the NLS when it first starts, and on subsequent network interface status changes.

    Therefore, the DA client automatically determines its location, and thus whether to connect to the corporate network via DA, using the above mechanism.

    For more information, we could refer to the following article,

    https://directaccess.richardhicks.com/2015/02/09/directaccess-network-location-server-guidance/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope this helps.

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael



    Thursday, June 14, 2018 2:04 AM
  • Hi,

    Unfortunately Richard's article does not answer my question. 

    I know that the DA clients inside the corp network need to be able to reach the NLS.

    I know that the DA client outside the corporate network but connected via DA should not be able to reach the NLS.

    But my question is about the DA Server itself. Should the server have connectivity with the NLS?

    Kind regards,

    Wojciech

    Thursday, June 14, 2018 10:46 AM
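    The accepted answer above lists what the DirectAccess server needs from the NLS (ICMP echo allowed, a valid and trusted SSL certificate whose subject matches the configured NLS name), and the first reply describes the HTTPS probe a client makes to decide whether it is inside the corporate network. The script below is an added example, not code from this thread or from Microsoft, that runs those checks from the DirectAccess server in one pass. It takes the NLS URL as a parameter; the host name `nls.corp.example` used in the comments is hypothetical, and the checks for chain trust and name matching are this example's own logic, not the DirectAccess product's.

```powershell
<#
  Added example (not from the original thread): run ON the DirectAccess server.
  Verifies that the NLS answers ICMP echo, completes a TLS handshake, presents a
  certificate that is valid, trusted by this machine, and named for the NLS URL,
  and that an HTTPS GET to the URL succeeds (the probe DA clients perform).
  Usage:  .\Test-Nls.ps1 -NlsUrl https://nls.corp.example   (hypothetical name)
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $NlsUrl            # the NLS URL exactly as configured in DirectAccess
)

$uri     = [System.Uri] $NlsUrl
$nlsHost = $uri.DnsSafeHost
$port    = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }
$results = [ordered] @{}

# 1. ICMP Echo Request from this (DA server) host; the NLS must allow it inbound.
$results['IcmpEcho'] = Test-Connection -ComputerName $nlsHost -Count 2 -Quiet -ErrorAction SilentlyContinue

# 2. TCP connect + TLS handshake. The callback accepts any certificate here so the
#    handshake completes and we can inspect the certificate ourselves below.
$cert = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($nlsHost, $port)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback] { $true })
    $ssl.AuthenticateAsClient($nlsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $results['TlsHandshake'] = $true
    $results['TlsProtocol']  = $ssl.SslProtocol
    $ssl.Dispose(); $tcp.Close()
} catch {
    $results['TlsHandshake'] = $false
    $results['TlsError']     = $_.Exception.Message
}

if ($cert) {
    # 3. Validity period.
    $now = Get-Date
    $results['CertValidNow'] = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $results['CertExpires']  = $cert.NotAfter

    # 4. Name match: the CN or a SAN dNSName must equal the host in the NLS URL.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() yields text such as "DNS Name=nls.corp.example, DNS Name=nls"
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $results['CertNames']   = ($names | Select-Object -Unique) -join ';'
    $results['NameMatches'] = ($names | ForEach-Object { $_.ToLowerInvariant() }) -contains $nlsHost.ToLowerInvariant()

    # 5. Chain trust as seen from THIS machine. DA clients need the same trust,
    #    so an internal CA issuer must be in their trusted roots as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $results['ChainTrusted'] = $chain.Build($cert)
    if (-not $results['ChainTrusted']) {
        $results['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ';'
    }
}

# 6. The HTTPS probe itself: fetch the NLS URL with normal certificate validation
#    and record the status code (or the validation/connection error).
try {
    $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 10
    $results['HttpStatus'] = [int] $resp.StatusCode
} catch {
    $results['HttpStatus'] = $_.Exception.Message
}

[pscustomobject] $results | Format-List
```

    Every check should pass when run on the DirectAccess server's internal side. The same script run from a machine on the public Internet, or from a DA client that is outside the corporate network, should fail at step 1 or 2: as the first reply notes, the NLS must not be reachable from outside, otherwise remote clients would conclude they are on the corporate network and never bring up the DirectAccess tunnel.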
  • Hi,

    How are things going? Could the above reply be of help?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael



    Tuesday, June 19, 2018 8:09 AM
  • Hello,

    Yes, everything is clear now.

    Thank you,

    Wojciech

    Tuesday, June 19, 2018 8:56 AM