Clients failing to connect to DirectAccess server

  • Question

  • I've been going at this for days, jumping around the internet trying to find a solution. My clients will not connect to my DirectAccess server. The server seems happy, as it has all green lights. For me this seems to be incredibly hard to figure out. Here is what I have going on...

    - I have 2 NICs on my DA server. The public name is da.domain.net; I'm using IP-HTTPS with a DA cert from the CA, and I'm using a CA for authentication.

    - A web server running https://directaccess-nls.domain.net with a cert from a CA for the network location server.

    - DNS is set up so my domain.net is using the DA IP for DNS (directaccess-nls.domain.net is set up without a DNS address).

    - My server and client both have computer certificates.

    I have done a gpupdate on my client on the domain and then taken it off (it looks like it recognizes the difference between being on the domain and off). When off the domain I connect my machine to a Clearwire unit and notice my DA connection is just sitting at connecting...

    It never establishes a connection. I ran the DA client troubleshooting tool and got this:

    Interface Test - Green light

    Network Location Test - Warning - DNS Server ******* does not reply on ICMP echo request

    IP connectivity Test - Red X - The IPHTTPS interface is not operational, last error code is 0x2af9

    Windows Firewall - Green light

    Certificate Tests - Green light

    Infrastructure tunnel test - Red X - Failed to connect to domain sysvol share

    I basically just went through the wizard and got everything set up, and beyond that I haven't changed anything. I see a lot of stuff online about getting into the group policy and making changes to the NLS rules and so forth, but I have not come across anything that looks like it will solve my issue. If anyone has information that would help me resolve this and get it working, it would be so appreciated!

    If more logs/information are needed, I will be happy to post them!

    Thanks,

    Josh

    Friday, December 5, 2014 12:19 AM

Answers

  • Hi there - thanks for your time earlier. For the benefit of the forums, the issues now resolved are / were as follows.

    - DirectAccess Server domain profile was blocking communications to the Domain Controllers. This was determined during routine checks. Remedial action was to create a GPO for the DA Server to set the WFAS profiles to be correct - Domain Profile / Allow / Allow, Private Block / Allow, Public Block / Allow - and limited to the DA Server computer.

    - Redundant IPv6 entries from a previous install still present in DNS. Remediation - removed DNS entries.

    - IPv6 address entered manually on the DA Server to resolve previous DNS issues. Remedial action - removed DA config (which was correct at the time except that it didn't write the IPv6 address to the DA Server) and removed the manual IPv6 address on the DA Server. Re-ran the DA Setup wizard with all previous settings and applied the auto-created GPOs. DA Server reported good health.

    - Added da.****.net as an exclusion to the NRPT table, as the same domain name was used externally and internally.

    - Applied known W2K12R2 DA hotfixes to DA Server and clients.

    - Created DNS records manually to prevent DNS scavenging from removing them.

    Result: clients connected and full DA was available. Probably did a few other recommended practices to help out our colleague, such as Remote Desktop using DA etc.

    Glad to have helped! Enjoy DirectAccess and Merry Christmas.

    Kr


    John Davies

    • Proposed as answer by Icon8000 Tuesday, December 9, 2014 6:33 PM
    • Marked as answer by joengelhart Wednesday, December 10, 2014 3:48 PM
    Tuesday, December 9, 2014 6:33 PM
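The resolution above hinges on the DA server's Windows Firewall profile defaults. The following PowerShell is an added example, not code from the thread: run in an elevated session on the DirectAccess server, it compares the three profiles against the values John's GPO sets and then exercises the DC paths the troubleshooter tests (ICMP and the SYSVOL share). The DC names are assumed placeholders taken from the thread.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell session
# on the DirectAccess server (NetSecurity / NetTCPIP modules, Server 2012 R2+).
# Expected profile defaults are the ones John's GPO sets (inbound/outbound):
# Domain Allow/Allow, Private Block/Allow, Public Block/Allow.
$expected = @{
    Domain  = @{ Inbound = 'Allow'; Outbound = 'Allow' }
    Private = @{ Inbound = 'Block'; Outbound = 'Allow' }
    Public  = @{ Inbound = 'Block'; Outbound = 'Allow' }
}

# Assumed placeholder DC names (the thread mentions DC02 and DC03); replace with yours.
$domainControllers = @('DC02', 'DC03')

function Test-DaFirewallProfiles {
    $problems = @()
    foreach ($p in Get-NetFirewallProfile) {
        $want = $expected[[string]$p.Name]
        if (-not $want) { continue }
        $in  = [string]$p.DefaultInboundAction
        $out = [string]$p.DefaultOutboundAction
        # 'NotConfigured' means no GPO has applied yet; that counts as a mismatch.
        if ($in -ne $want.Inbound -or $out -ne $want.Outbound) {
            $problems += [pscustomobject]@{
                Profile  = $p.Name
                Inbound  = "$in (expected $($want.Inbound))"
                Outbound = "$out (expected $($want.Outbound))"
            }
        }
    }
    return $problems
}

$mismatch = Test-DaFirewallProfiles
if ($mismatch) {
    Write-Warning 'Firewall profile defaults differ from the expected DA server GPO:'
    $mismatch | Format-Table -AutoSize
} else {
    Write-Host 'Domain/Private/Public profile defaults match the expected GPO.'
}

# The root cause in the thread was the domain profile blocking the DCs, so also
# exercise the paths DA depends on: ICMP echo (John's basic connectivity check)
# and SMB to SYSVOL (the troubleshooter's "sysvol share" test).
foreach ($dc in $domainControllers) {
    $icmp = Test-NetConnection -ComputerName $dc -InformationLevel Quiet
    $smb  = Test-NetConnection -ComputerName $dc -Port 445 -InformationLevel Quiet
    $svol = Test-Path -Path "\\$dc\SYSVOL"
    Write-Host ("{0,-8} ICMP: {1,-5} SMB/445: {2,-5} SYSVOL share: {3}" -f $dc, $icmp, $smb, $svol)
}
```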

All replies

  • Alright, so now I got most of these errors gone. I'm getting an error that my client is failing to resolve DNS. I can ping my external DMZ NIC from the client as well as the HTTPS tunnel NIC, and I can ping my DNS IPv6 address. Any thoughts as to why this would be? For the DNS settings, should my domain.net be resolved to my internal NIC, external NIC, or my actual DNS server? None of these settings are clear online... Thanks


    • Edited by joengelhart Sunday, December 7, 2014 3:00 AM
    Sunday, December 7, 2014 1:02 AM
  • Hi there - your external domain name, da.yourdomain.net, should resolve to the first public IP address of the DA server, or to the firewall device in front of the DA server. If there is a "webserver running https://directaccess-nls.domain.net with a Cert from a CA for the network location server", it must be on your LAN with no public DNS resolving to it, and an exclusion within the DA server NRPT config (Step 3). The setup seems to be that you have both internal and external names the same - is this correct? If so, then everything must be excluded from your tunnel until you want an internal resource to be included, i.e. intranet.yourdomain.net is not publicly available or resolvable via external DNS, so you need to force it through the DA tunnel by adding it as an NRPT inclusion. Anything external, such as webmail etc., needs to be added as an exclusion in the NRPT table.

    Kr


    John Davies

    Monday, December 8, 2014 12:15 PM
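The NRPT layout John describes (internal suffix as an inclusion pointing at the DA server's DNS address, the public DA name and the NLS name as exclusions) can be checked on a client. This PowerShell is an added example, not from the thread: it reads the effective NRPT the DA GPO delivered, flags rules that contradict that layout, and repeats the troubleshooter's ICMP and DNS checks against the DA DNS server. The suffix and hostnames are assumed placeholders based on the thread.

```powershell
# Added example, not part of the thread. Run on a DirectAccess client; it reads
# the effective NRPT (the rules the DA GPO delivered) and checks the layout John
# describes. The suffix and hostnames below are assumed placeholders from the thread.
$InternalSuffix = '.domain.net'                  # internal namespace: must be an inclusion
$MustBeExcluded = @('da.domain.net',             # public DA name, same inside and outside
                    'directaccess-nls.domain.net')  # NLS: LAN only, never via the tunnel

function Get-DaNrptAudit {
    $rules    = Get-DnsClientNrptPolicy -Effective
    $findings = @()
    foreach ($r in $rules) {
        # An NRPT exclusion is a rule with no DirectAccess DNS servers attached.
        $kind = if ($r.DirectAccessDnsServers) { 'inclusion' } else { 'exclusion' }
        Write-Host ("{0,-32} {1,-9} -> {2}" -f $r.Namespace, $kind, ($r.DirectAccessDnsServers -join ', '))
    }
    $inc = $rules | Where-Object { $_.Namespace -eq $InternalSuffix }
    if (-not $inc -or -not $inc.DirectAccessDnsServers) {
        $findings += "No inclusion for $InternalSuffix - internal names will not be sent through the tunnel."
    }
    foreach ($name in $MustBeExcluded) {
        $x = $rules | Where-Object { $_.Namespace -eq $name }
        if (-not $x) {
            $findings += "$name has no NRPT rule; it should be an exclusion."
        } elseif ($x.DirectAccessDnsServers) {
            $findings += "$name is an inclusion; the client would try to reach it through a tunnel it has not built yet."
        }
    }
    return [pscustomobject]@{ Inclusion = $inc; Findings = $findings }
}

$audit = Get-DaNrptAudit
$audit.Findings | ForEach-Object { Write-Warning $_ }

# Reproduce the troubleshooter's two DNS checks against each DA DNS server in the
# inclusion rule: ICMP echo, then a real query through it. DA clients reach the
# intranet over IPv6, so ask for AAAA (the DA server's DNS64 synthesises one if
# the record only exists as A).
$zone = $InternalSuffix.TrimStart('.')
foreach ($srv in $audit.Inclusion.DirectAccessDnsServers) {
    $ping = Test-NetConnection -ComputerName $srv -InformationLevel Quiet
    Write-Host "$srv answers ICMP echo: $ping"
    try {
        $ans = Resolve-DnsName -Name $zone -Server $srv -Type AAAA -ErrorAction Stop
        Write-Host ("{0} via {1}: {2}" -f $zone, $srv, (($ans | Where-Object IPAddress).IPAddress -join ', '))
    } catch {
        Write-Warning "No response for $zone from $srv ($($_.Exception.Message))"
    }
}
```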
  • Hi John,

    I have my domain name da.mydomain.net resolving to the first public IP address of the server.

    My internal NLS website is running only on the inside and does not have a public DNS record.

    In my NRPT rules I have the following:

    mydomain.net - IPv6 address that was detected when I hit the detect button.

    da.mydomain.net - with no DNS settings (exclusion, correct?)

    directaccess-nls.domain.net - with no DNS settings (excluded as well, correct?)

    We do have an internal-only website that is only accessible from inside the network; however, I can't even get to my file server yet, so I haven't attempted to access this resource. But you're saying if I want to get to my internal website I would need to add it to step 3 with the resolving IPv4 address?

    The server almost acts like it's not passing the request to my internal network. My client is passing all of the tests except the following:

    - DNS Server ("IPv6 address" from the NRPT rule that was detected in step 3) does not reply on ICMP echo request

    - No response received from domain.net

    - Failed to connect to domain sysvol share...

    I think one of my questions is what the .domain.net address should resolve to within DNS in step 3. The IPv4 address of the internal NIC? The IPv4 of the external NIC? Or my actual DNS servers (on two different servers on our network)?

    Any help would be great; I would love to get this working!

    Thanks!

    Also I should mention that I can see my client in the DA console. It shows a blank username but shows the "Host Name" of my client. The protocol is IPHttps, and the access details show it's using protocol 17 on port 53 to get to the IPv6 address pulled from step 3. Some bytes coming in but no bytes going out. Even with this my client still says "connecting" and I can't get to internal resources.

    • Edited by joengelhart Monday, December 8, 2014 4:09 PM
    Monday, December 8, 2014 4:03 PM
  • Hi there - firstly, *.domain.net should be included using step 3 "detect now", which should be an IPv6 address of the DA server, xxx.xxx:3333::1. Also check that from the DA server you can ping the doc and that the correct routes, if needed, allow access to the DC. Also I would look at Windows Firewall rules on the DC to ensure they can be reached. My concern is that the DCs cannot be "pinged", which is the basic DA server connectivity check. Kr, and keep me posted.

    John Davies

    Monday, December 8, 2014 4:59 PM
  • Ok, so *.domain.net in step three does pull an xxx.xxx:3333::1 number; this is the address in my NRPT rule on my client as well as the DNS server that's "not replying" on the client. When you say ping the doc, I'm assuming you mean domain controller? I can ping our local domain controllers DC02, DC03, DC04 (02 and 03 are the DNS servers). Routing is probably something that may need to be fixed or configured. The only routing I've done is in Windows: I added a route to my computer subnet so that I can RDP to the DA server. My DA internal NIC is on the same 10.10.0 network as my domain controllers, so I was assuming I didn't need to configure any routing? On our domain controllers we do not have the Windows Firewall configured; they are in an off state. With the way our network is configured we generally don't enable the firewalls except on the DA server. Appreciate the time you're putting into helping me resolve this! Thanks
    Monday, December 8, 2014 5:51 PM
  • Midday update for you. I believe I have resolved the angry DNS light. It now says the DNS server is online. For some reason the internal NIC did not have the IPv6 (:3333::1) number set as the IP. Once I set this as a static address, the DNS turned green. I still have a "No response received from domain.net" and a "cannot connect to sysvol share." I have added all of my domain and DNS servers into the route table just for kicks. When I run "Get-DaConnectionStatus" from the client I get "Error" "Some Remote Network Resources Not Responding." Any thoughts or ideas would be great!

    Thanks.

    Monday, December 8, 2014 9:15 PM
  • Hi there - struggling to visualise the scenario, and it may be midday for you but it's almost bedtime for me :-) - happy for us to take this offline and work through it. Email me at John.davies@iconicit.co.uk and we can schedule a screen share, get you sorted out and then post the resolution on the forum.

    John Davies

    Monday, December 8, 2014 9:46 PM
  • Thanks, John, for the support! I really appreciate your expertise on DirectAccess and for getting me up and running! Firewall, pshhhh.

    Thanks again! Merry Christmas!

    Josh

    Tuesday, December 9, 2014 8:16 PM