UAG in SBS 2008 / SBS 2011 network

  • Question

  • Is there any documentation on setting up UAG in an SBS 2008 / 2011 network?

    I have configured a single server with UAG in an SBS 2008 network. The server was installed with 2008 Enterprise, after which I ran the UAG install disk; this installed all the components for me, including a default certificate which, according to references on the internet, was fine for lab testing. I want to set this up in a live network; the problem, I think, is related to the certificates. I installed the DCA on my laptop, placed my account in the AD container to which the DirectAccess config has applied the GPO, and updated the GPO. The DCA shows as connected and working and the portal works. When I take the laptop off the network and connect it to the internet (completely outside the LAN) the DCA disconnects (error), then reconnects as working. This is where I get lost, as I cannot ping any servers (SBS server) inside the LAN; therefore there cannot be a DA connection.

    Can someone please shed some light on where I'm going wrong? I don't want to make too many changes to the SBS server, as it is a live server and I would hate to have to reinstall it.

    Thursday, April 26, 2012 2:22 PM

All replies

  • Hi Scanner,

    Can you please provide a sanitised version of the DCA diagnostics output?

    This is useful for basic troubleshooting: http://blogs.technet.com/b/edgeaccessblog/archive/2010/04/07/basic-troubleshooting-steps-for-uag-directaccess.aspx especially the 'cheat sheets'.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Thursday, April 26, 2012 3:28 PM
    Moderator
  • I went through the troubleshooting steps mentioned above. I kept getting "inside corporate" until I changed the registry to point to the UAG server; this gave me "outside corporate".

    The next few netsh commands gave me the correct results but stopped at

    netsh advf consec sh rule name=all type=dynamic | find "RemoteTunnel"

    This gave me no results, so I'm assuming the tunnel is not working or connected.

    Here are the log contents:

    GREEN: Corporate connectivity is working correctly.
     
    30/4/2012 18:12:3 (UTC)


    Probes List
    PASS  PING: 2002:****:****::****:2043
    PASS  HTTP: https://uag.sbsdomain.co.uk
    PASS  HTTP: http://uag.sbsdomain.co.uk

    DTE List
    PASS  PING: 2002:****:****::****:2043
    PASS  PING: 2002:****:****::****:2042

    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT01
       Primary Dns Suffix  . . . . . . . : sbsdomain.local
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : sbsdomain.local
       System Quarantine State . . . . . : Not Restricted


    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . : HomeNetwork
       Description . . . . . . . . . . . : 802.11n Wireless LAN Card
       Physical Address. . . . . . . . . : E0-2A-82-55-CB-B7
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::****:****:****:*******(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 30 April 2012 18:25:57
       Lease Expires . . . . . . . . . . : 03 May 2012 18:44:10
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 232794754
       DHCPv6 Client DUID. . . . . . . . : 00-***********************-61
       DNS Servers . . . . . . . . . . . : 21.94.155.25
                                           21.94.155.26
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.W3networks:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : homenetwork
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:518f:2042:3428:11b8:a13c:116d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3428:11b8:a13c:116d%17(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 215.15.23.56 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : restricted
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 192.168.1.10:60359
    External NAT Mapping    : 27.95.123.46:60999


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://mail.sbsdomain.co.uk:443/IPHTTPS
    Last Error Code            : 0x80190190
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for mail.diskel.co.uk
    ----------------------------------------------------------------------
    Certification authority                 : CN=mail.sbsdomain.co.uk
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .sbsdomain.local
    ----------------------------------------------------------------------
    Certification authority                 : CN=mail.sbsdomain.co.uk
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:****:****::****:2043
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for mail.diskel.co.uk
    ----------------------------------------------------------------------
    Certification authority                 : CN=mail.sbsdomain.co.uk
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .sbsdomain.local
    ----------------------------------------------------------------------
    Certification authority                 : CN=mail.sbsdomain.co.uk
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:****:****::****:2043
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 16500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Wireless Network Connection Parameters
    ----------------------------------------------
    IfLuid                             : wireless_0
    IfIndex                            : 12
    State                              : connected
    Metric                             : 25
    Link MTU                           : 1500 bytes
    Reachable Time                     : 16000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.W3networks Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 18
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 29000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_8
    IfIndex                            : 17
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 10500 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh advf show currentprofile

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    No SAs match the specified criteria.

    C:\Windows\system32\LogSpace\{08263B76-2632-46E7-A0A5-2B9E7A21F028}>Certutil -store my 
    my

    ****************************************************************************************************************************

    Monday, April 30, 2012 6:37 PM
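As an added example (editor's code, not from the thread), here is a small Python triage script that reads a dump of the shape posted above and reports the first stage that fails: network location, then a transition tunnel (Teredo or IP-HTTPS), then the IPsec security associations. SAMPLE is a constructed abbreviation of that log with the same field values. Two details in the log are worth pulling out, and the script does so: the IP-HTTPS error 0x80190190 is an HRESULT in the WinHTTP facility, so its low 16 bits are an HTTP status (400), and the IP-HTTPS URL host is mail.sbsdomain.co.uk while the DCA's HTTPS probe host is uag.sbsdomain.co.uk.

```python
"""Triage a DirectAccess client diagnostic dump (the netsh output the DCA
collects).  Added example, not part of the thread.  It splits the dump on the
command prompts, reads the fields the troubleshooting cheat sheet looks at
and reports the first stage that fails.  SAMPLE is a constructed abbreviation
of the log posted above; field names follow the Windows 7 netsh output."""
import json
import re
from urllib.parse import urlsplit

FACILITY_HTTP = 25  # HRESULT facility used for HTTP status codes (0x8019xxxx)


def http_status_from_hresult(code):
    """Return the HTTP status carried in an 0x8019xxxx HRESULT, else None."""
    return code & 0xFFFF if (code >> 16) & 0x7FF == FACILITY_HTTP else None


def split_commands(dump):
    """Map each 'C:\\...>command' prompt to its output; the preamble is key ''."""
    out, cur = {"": []}, ""
    for line in dump.splitlines():
        m = re.match(r"^\s*[A-Za-z]:\\.*>(.+?)\s*$", line)
        if m:
            cur = m.group(1)
            out[cur] = []
        else:
            out[cur].append(line)
    return {k: "\n".join(v) for k, v in out.items()}


def section(cmds, needle):
    """Output of the first command whose text contains needle ('' if absent)."""
    return next((t for c, t in cmds.items() if needle in c.lower()), "")


def field(text, key):
    """Value of a 'Key : value' line in netsh output, or None."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*:\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None


def triage(dump):
    c = split_commands(dump)
    head = c.get("", "")
    r = {"notes": []}
    m = re.search(r"^\s*(GREEN|YELLOW|RED):", head, re.M)
    r["dca_status"] = m.group(1) if m else None
    r["probe_hosts"] = sorted({urlsplit(u).hostname
                               for u in re.findall(r"HTTP:\s*(https?://\S+)", head)})
    r["location"] = field(section(c, "dns show state"), "Machine Location")
    nrpt = section(c, "name show effective") or section(c, "name show policy")
    r["nrpt_dns"] = dict(re.findall(
        r"Settings for (\S+).*?DirectAccess \(DNS Servers\)\s*:[ \t]*([^\n]*)", nrpt, re.S))
    r["teredo_state"] = field(section(c, "teredo show state"), "State")
    ipt = section(c, "httpstunnel show interfaces")
    url = field(ipt, "URL")
    r["iphttps_host"] = urlsplit(url).hostname if url else None
    code = field(ipt, "Last Error Code")
    r["iphttps_error"] = int(code, 16) if code else None
    con = section(c, "monitor show consec")
    r["ipsec_sas"] = None if not con else "No SAs match" not in con

    if r["iphttps_error"]:
        status = http_status_from_hresult(r["iphttps_error"])
        r["notes"].append(f"IP-HTTPS to {r['iphttps_host']} failed: HTTP {status}" if status
                          else f"IP-HTTPS error 0x{r['iphttps_error']:08x}")
    if r["iphttps_host"] and r["iphttps_host"] not in r["probe_hosts"]:
        r["notes"].append(f"IP-HTTPS URL host {r['iphttps_host']} differs from "
                          f"DCA probe hosts {r['probe_hosts']}")
    for suffix, servers in r["nrpt_dns"].items():
        if not servers:  # rule without DA DNS servers = exemption, resolved by local DNS
            r["notes"].append(f"NRPT exemption: {suffix}")

    if r["location"] != "Outside corporate network":
        r["verdict"] = "inside"        # NLS reachable, or DA GPO/NRPT not applied
    elif r["teredo_state"] != "qualified" and r["iphttps_error"] != 0:
        r["verdict"] = "no-transport"  # no IPv6 path to the DA server at all
    elif r["ipsec_sas"] is False:
        r["verdict"] = "no-ipsec-sa"   # transport up, IPsec authentication not completing
    else:
        r["verdict"] = "tunnels-up"
    return r


# Constructed from the log above: same values, most output lines dropped.
SAMPLE = r"""GREEN: Corporate connectivity is working correctly.
Probes List
PASS  HTTP: https://uag.sbsdomain.co.uk
C:\Windows\system32\LogSpace\{GUID}>netsh int teredo show state
State                   : qualified
NAT                     : restricted
C:\Windows\system32\LogSpace\{GUID}>netsh int httpstunnel show interfaces
URL                        : https://mail.sbsdomain.co.uk:443/IPHTTPS
Last Error Code            : 0x80190190
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect
C:\Windows\system32\LogSpace\{GUID}>netsh dns show state
Machine Location                      : Outside corporate network
C:\Windows\system32\LogSpace\{GUID}>netsh name show effective
Settings for mail.sbsdomain.co.uk
DirectAccess (DNS Servers)              :
Settings for .sbsdomain.local
DirectAccess (DNS Servers)              : 2002:****:****::****:2043
C:\Windows\system32\LogSpace\{GUID}>netsh advfirewall monitor show consec
Security Associations:
No SAs match the specified criteria.
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it directly to print the findings as JSON. For this log the verdict is no-ipsec-sa: the client is correctly detected as outside, Teredo is qualified, and the only thing missing is the IPsec security associations, which is the same diagnosis the next reply gives. The HTTP 400 note and the host mismatch note are about the fallback path, and point at whatever is answering on mail.sbsdomain.co.uk:443 rather than at the Teredo path that is actually in use.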
  • You can definitely make DirectAccess work in an SBS environment. You have a Teredo tunnel established, but no IPsec tunnels within the Teredo tunnel. When you said you have a default certificate, are you talking about the SSL certificate? How about the internal machine certificates that need to be issued from an internal CA server? Is your SBS also your CA server and is it successfully issuing machine certificates to the DirectAccess server and to the DirectAccess client computers?

    Monday, April 30, 2012 7:21 PM
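The Teredo tunnel mentioned in this reply, and the 2002: and isatap addresses in the log, all carry an IPv4 address inside the IPv6 address, which is why the poster masked the 2002: ones (the masked hextets are the UAG server's public IPv4 in hex). As an added example (editor's code, not from the thread), the following Python decodes the three transition formats with the standard library. The addresses are constructed from RFC 5737 documentation ranges; only the port, 60999, is taken from the log, where it is the External NAT Mapping port.

```python
"""Decode the IPv6 transition addresses that appear in DirectAccess client
diagnostics: Teredo (RFC 4380), 6to4 (RFC 3056) and ISATAP (RFC 5214).
Added example, not from the thread.  Sample addresses are constructed from
RFC 5737 documentation IPv4 ranges; only the Teredo port 60999 is the value
from the log above."""
import ipaddress

TEREDO_CONE_FLAG = 0x8000  # RFC 4380 cone bit; Windows randomises other flag bits (RFC 5991)
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::0:5efe / ::200:5efe prefixes


def decode_teredo(addr):
    """Teredo server, client public IPv4 and NAT port embedded in 2001:0::/32."""
    a = ipaddress.IPv6Address(addr)
    if a.teredo is None:
        raise ValueError(f"{addr} is not a Teredo address")
    server, client = a.teredo          # ipaddress already un-inverts the client IPv4
    raw = a.packed
    flags = int.from_bytes(raw[8:10], "big")
    port = ~int.from_bytes(raw[10:12], "big") & 0xFFFF   # port is stored bit-inverted
    return {"server": str(server), "client": str(client), "port": port,
            "cone_nat": bool(flags & TEREDO_CONE_FLAG)}


def encode_teredo(server, client, port, cone_nat=False):
    """Inverse of decode_teredo; handy for building test vectors."""
    flags = TEREDO_CONE_FLAG if cone_nat else 0
    raw = (b"\x20\x01\x00\x00" + ipaddress.IPv4Address(server).packed
           + flags.to_bytes(2, "big") + (~port & 0xFFFF).to_bytes(2, "big")
           + (~int(ipaddress.IPv4Address(client)) & 0xFFFFFFFF).to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


def decode_6to4(addr):
    """Public IPv4 of the 6to4 router embedded in 2002:wwxx:yyzz::/48."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is None:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(a.sixtofour)


def decode_isatap(addr):
    """IPv4 embedded in an ISATAP interface identifier ::[02]00:5efe:a.b.c.d."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[8:12] not in ISATAP_IIDS:
        raise ValueError(f"{addr} is not an ISATAP address")
    return str(ipaddress.IPv4Address(raw[12:16]))


def classify(addr):
    """Dispatch on the address format; None means plain (native) IPv6."""
    a = ipaddress.IPv6Address(addr)
    if a.teredo is not None:
        return {"kind": "teredo", **decode_teredo(addr)}
    if a.sixtofour is not None:
        return {"kind": "6to4", "router": decode_6to4(addr)}
    if a.packed[8:12] in ISATAP_IIDS:
        return {"kind": "isatap", "ipv4": decode_isatap(addr)}
    return None


if __name__ == "__main__":
    # Constructed samples (RFC 5737 ranges), not addresses from the thread.
    for sample in (encode_teredo("192.0.2.45", "198.51.100.7", 60999),
                   "2002:c000:22d::2043", "fe80::5efe:c0a8:10a", "2001:db8::1"):
        print(sample, "->", classify(sample))
```

Running decode_teredo on the unmasked Teredo address in the ipconfig output above returns port 60999, the same value as the External NAT Mapping line, together with the client's public IPv4 and the Teredo server's IPv4. A Teredo address therefore discloses as much as the 2002: addresses that were masked, so sanitise it too when posting logs.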
  • I have one certificate, "mail.sbsdomain.co.uk", which is created when running the connect to the internet wizard on the SBS server, and another which was created during the install of the UAG; this certificate was just called WMSvc-UAG. I figured that since this certificate does not have any internet presence it will not work and is just for installation (lab) purposes, so I created another self-signed certificate in IIS called uag.sbsdomain.co.uk and applied it using step 2 in the DirectAccess server wizard, although I still get the error message that the certificate cannot be validated and does not match file access settings.

    I have also set up A records at the ISP (domain host) to point to each of these certificate names: uag.sbsdomain.co.uk points to 215.15.23.56 (UAG server) and mail.sbsdomain.co.uk points to 87.56.25.10 (SBS DC).

    Looking on the SBS server in the CA MMC console under Issued Certificates, I have one for the UAG$ server using the Computer (Machine) template and one for my laptop using the Basic EFS (EFS) template. The certificate for the UAG is uag.sbsdomain.co.uk and the one issued to my laptop is sbsdomain-DC-CA. Certificates are my weakest area, so I may need a bit of help here.



    • Edited by scanner Tuesday, May 1, 2012 9:20 AM
    Tuesday, May 1, 2012 9:14 AM
  • Sorry for the delay on this, I have had a blog post regarding certificates in draft for a while and your question gave me the bump to finish it :) Hopefully this clears the air on what certificates are needed where, and let us know if you have any further questions. Thanks!

    http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Thursday, May 10, 2012 2:49 PM
  • Sorry for the delay on this, I have had a blog post regarding certificates in draft for a while and your question gave me the bump to finish it :) Hopefully this clears the air on what certificates are needed where, and let us know if you have any further questions. Thanks!

    http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Nice post Jordan.

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, May 10, 2012 7:12 PM
    Moderator
  • Thanks J!
    Thursday, May 10, 2012 7:51 PM
  • Thanks

    I get the explanation on the certificates, but I'm trying to apply this to an SBS environment. According to the above log file there is a Teredo connection but no IPsec tunnel, so for this setup, if I can get the IPsec tunnel connected and working, I can then concentrate on the other fallback connections. When I use the certificate of mail.sbsdomain.co.uk, which points to an internal website on the SBS server, this is validated in step 2 of the DA config, but this is also accessible from outside the network as port 443 is open for OWA. The certificate was created with the SBS internet wizard.

    Thursday, May 17, 2012 8:23 AM
  • Yes, the Teredo tunnel itself doesn't require any certificates. You will need to create a certificate infrastructure as specified in the article. You cannot use mail.sbsdomain.co.uk unless you are going to start using that DNS name for DirectAccess connectivity instead of your mail. I assume you don't want to give up your OWA access. Also, if it is a self-signed certificate, you are probably still going to run into problems with IP-HTTPS and so you'll likely end up having to purchase a new SSL cert anyway.

    And that is not even concerning IPsec. From the information provided, it sounds to me like your mail.sbsdomain.co.uk certificate is an SSL certificate. This certificate will not work for authenticating IPsec tunnels. You need to turn on a Windows CA server in your environment to issue the machine certificates that will be used for IPsec authentication. As far as I know, you can add the CA server role to your SBS and do it there.

    Thursday, May 17, 2012 1:37 PM
  • The CA server role is enabled on the SBS and from what I can see it has issued the mail.sbsdomain SSL cert to all the machines in the domain. Am I to create a new certificate here for the IPsec authentication?

    I went through the wizard in the SBS management console and added another certificate called uag.sbsdomain.co.uk, and this messed up OWA and other applications, which are now requesting the new certificate, which is no longer mail.sbsdomain.co.uk.

    ???

    • Edited by scanner Tuesday, July 10, 2012 2:34 PM
    Tuesday, July 10, 2012 11:43 AM
  • I don't think you'll be able to use the SBS console for the machine certificates you need for IPsec. It sounds like you established a new SSL cert and, because you were doing it inside the SBS wizard, it used this new cert to replace your old one (the SBS console is really only geared for simple tasks). You may not even need to touch the SBS server to issue these machine certs, depending on the current status of your CA role and templates.

    I am confident you can get this working, it's just a matter of getting the right certificates in the right places. Feel free to reach out to me directly if you want and we can schedule a time to look at this one-on-one: jordan.krause@ivonetworks.com

    Wednesday, July 11, 2012 1:17 AM
  • Hi,

    I had to do something very similar to implement RADIUS authentication for secure wireless networking in our SBS 2011 domain, which involved the creation of certificates and group policies to roll them out to client computers. These are all self-signed certs and I don't get any issues with them because they all lead up to trusting the root CA. I had to create version 2 certificates, which until Server 2008 R2 Standard were only available in 2008 Enterprise edition. Migrating to SBS 2011 allowed me to do this.

    I am going by the instructions for my setup with RADIUS, and for you it should be pretty much the same except you need to select a different certificate template. Don't use the SBS wizard; this assigns the certificate you create with this wizard to Exchange, IIS and Remote Desktop Services Gateway. If you haven't done so already, re-run the wizard and get it back to how it was working before, using "mail" as your certificate name.

    You will need to do the following:

    In all those links above it describes the process for server authentication and client authentication; I haven't looked yet, but there should be a template based on IPsec for your scenario.

    I would be very interested in your progress with this post, as I stumbled across it in the hopes of achieving what you are trying to do – to configure DA in an SBS 2011 environment. I too am not very clever when it comes to certificates, it’s my weakest area.

    I hope this helps

    Friday, August 3, 2012 1:35 PM
  • Hi

    Sorry for the long delay. I have been waiting for Server 2012 and now that I have it I have tried this with both 2012 Essentials and Standard 2012 Server. Essentials does have one major drawback in that it cannot run alongside a live SBS 2011 network. The Standard 2012 server has DA for a single network card, but I fear I will run into problems when it comes to the certificate again and separate public IP addresses, as the 2012 server needs to be internet facing and so does the SBS 2011 box; both need port 443, and since the SBS certificate is assigned to the public IP pointing to the SBS box it is going to differ from that pointing to the 2012 server.

    Monday, October 22, 2012 2:09 PM
  • My setup worked with having SBS 2011 on the same network. I did this:

    First, you do need two static public IPs (one for the SBS box and the other for the Windows Server 2012 Standard); your router needs to be able to handle multiple external static IPs and I am assuming you know how to configure this for your router.

    The following setup details are used for Windows 8 Enterprise, to connect using Direct Access.

    1. Install the Remote Access server role
    2. Open the Remote Access Management console
    3. Run the Getting Started Wizard
    4. Select to deploy Direct Access Only
    5. Ensure that “Behind an edge device (single network adapter)” is selected
    6. In the public name box enter DirectAccess.mydomain.co.uk
    7. Click next
    8. In the target computer selection, select the scope for which computers will receive the Direct Access configuration Group Policies. By default all domain computers receive this; I select to keep this default so that computers of any type can be situated in any location
    9. Finish the Wizard
    10. In your external DNS ensure a Host A record exists which has the value of DirectAccess and its IP address points to your secondary public IPv4 address
    11. On your router ensure that the following ports are open for your secondary public IPv4 address and are assigned to go through to the internal IPv4 address of the Remote Access Server:
      1. 443
      2. 62000

      DA should also open these ports up in Windows Firewall - check this if you have problems

    12. Restart a Windows 8 Enterprise client machine which has the GPO's applied
    13. Open an Administrative PowerShell prompt and type Get-DAConnectionStatus to ensure the machine is locally connected, then disconnect from the internal network and connect to an external internet connection – then run the command again to check the machine is connected remotely

    Remember you need to allow time for the external DNS host A record to propagate through the internet; mine did take a couple of days. This seemed to work for me just fine, but it does connect using .... (excuse me if my letters are wrong... IP-HTTPS). I believe this is the slower of the methods but I have not investigated getting the most optimal protocol yet – was just happy that it worked at all for now.

    I hope this helps you

    Monday, October 22, 2012 3:51 PM