UAG DirectAccess Client Problems...

  • Question

  • I have a lab set up to test UAG DA (TLG), and have been troubleshooting DA client access from Homenet and Simulated Internet. Limited success, and I see that the DCA client is never happy.

    I've listed the output log from DCA, and am wondering whether I should be seeing 'archived' certs when I issue the command (certutil -store my)?

    I'm focusing on certs because I've read many times this is the crux of many client connection issues. I've ensured that the UAG1 server has the root cert from the corp.contoso.com CA, and it has an updated IP-HTTPS cert from the CA. I've double-checked the clients to make sure they are getting the computer cert, but am wondering if this 'archived!' cert issue is part of the problem.

    I can ping all internal hosts just fine, and can ping uag1 when clients are on simulated internet (131.107.0.0). But cannot connect to \\dc1\files as expected. Is it possible they cannot reach the CRLDist share?

    Thanks in advance - Bill

    RED: Corporate connectivity is not working.
    Microsoft DirectAccess Connectivity Assistant is not properly configured. Please contact your administrator if this problem persists.
    23/4/2012 22:49:24 (UTC)


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT1
       Primary Dns Suffix  . . . . . . . : CORP.CONTOSO.COM
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : CORP.CONTOSO.COM

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-6B-46-04
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5d0e:2986:6235:3742%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 131.107.0.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Lease Obtained. . . . . . . . . . : Monday, April 23, 2012 5:47:15 PM
       Lease Expires . . . . . . . . . . : Tuesday, May 01, 2012 5:47:15 PM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 131.107.0.1
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-0C-10-AF-00-15-5D-6B-46-04
       DNS Servers . . . . . . . . . . . : 131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.corp.contoso.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . : corp.contoso.com
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:66::836b:66(Preferred)
       Default Gateway . . . . . . . . . : 2002:836b:2::836b:2
       DNS Servers . . . . . . . . . . . : 131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:836b:2:8ce:18d5:7c94:ff99(Preferred)
       Link-local IPv6 Address . . . . . : fe80::8ce:18d5:7c94:ff99%13(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : enterpriseclient
    Server Name             : 131.107.0.2 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo host-specific relay
    Network                 : managed
    NAT                     : none (global connectivity)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 131.107.0.102:59178
    External NAT Mapping    : 131.107.0.102:59178


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://uag1.corp.contoso.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface deactivated


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for uag1.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for nls.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .CORP.CONTOSO.COM
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for uag1.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for nls.corp.contoso.com
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .CORP.CONTOSO.COM
    ----------------------------------------------------------------------
    Certification authority                 : DC=COM, DC=CONTOSO, DC=CORP, CN=CORP-DC1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 30500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.corp.contoso.com Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 11
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface 6TO4 Adapter Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 12
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1280 bytes
    Reachable Time                     : 34500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 10
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 21000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 13
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22000 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : enabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 14
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 22000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh advf show currentprofile

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    Main Mode SA at 04/23/2012 17:49:25                     
    ----------------------------------------------------------------------
    Local IP Address:                     2002:836b:66::836b:66
    Remote IP Address:                    2002:836b:3::836b:3
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          6a02f7bffbf7d59f:43fad71c9c326efc
    Health Cert:                          No

    Quick Mode SA at 04/23/2012 17:49:25                    
    ----------------------------------------------------------------------
    Local IP Address:                     2002:836b:66::836b:66
    Remote IP Address:                    2002:836b:3::836b:3
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 04/23/2012 17:49:25                    
    ----------------------------------------------------------------------
    Local IP Address:                     2002:836b:66::836b:66
    Remote IP Address:                    2002:836b:3::836b:3
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None


    IPsec Statistics
    ----------------

    Active Assoc                : 2
    Offload SAs                 : 0
    Pending Key                 : 0
    Key Adds                    : 4
    Key Deletes                 : 3
    ReKeys                      : 0
    Active Tunnels              : 2
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 178,800
    Confidential Bytes Received : 387,200
    Authenticated Bytes Sent    : 196,272
    Authenticated Bytes Received: 387,200
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 196,272
    Bytes Received In Tunnels   : 387,200
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0

    Ok.


    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>Certutil -store my 
    my
    ================ Certificate 0 ================
    Archived!
    Serial Number: 1c5ddfbe00000000000a
    Issuer: CN=CORP-DC1-CA, DC=CORP, DC=CONTOSO, DC=COM
     NotBefore: 4/6/2012 12:35 PM
     NotAfter: 4/6/2013 12:35 PM
    Subject: CN=CLIENT11.CORP.CONTOSO.COM
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine, Computer
    Cert Hash(sha1): 50 41 ea b8 86 59 69 b7 43 5e f3 9f 36 49 53 1e 23 b3 47 40
      Key Container = 852a3985676aa9ba755855f47548b7ff_382894c5-ff02-4802-9f4c-5d2001bc5027
      Simple container name: le-Machine-7c44310b-fa2e-443b-93d7-d91d3ca7cd42
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 1 ================
    Archived!
    Serial Number: 17fdd026000000000007
    Issuer: CN=CORP-DC1-CA, DC=CORP, DC=CONTOSO, DC=COM
     NotBefore: 4/5/2012 4:12 PM
     NotAfter: 4/5/2013 4:12 PM
    Subject: CN=CLIENT1.CORP.CONTOSO.COM
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine, Computer
    Cert Hash(sha1): 33 88 99 74 eb ca da 03 8e 54 ad 6b 74 47 5c 9c cf bd 92 71
      Key Container = 234137c65124c0a36814b70e5dfa93dd_382894c5-ff02-4802-9f4c-5d2001bc5027
      Simple container name: le-Machine-5e1b908b-cfbe-478c-8bfa-12751e68c66b
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 2 ================
    Serial Number: 6105f53500000000000d
    Issuer: CN=CORP-DC1-CA, DC=CORP, DC=CONTOSO, DC=COM
     NotBefore: 4/19/2012 6:49 PM
     NotAfter: 4/19/2013 6:49 PM
    Subject: CN=CLIENT1.CORP.CONTOSO.COM
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine, Computer
    Cert Hash(sha1): 11 4c e9 bd 52 9e 28 92 1c fe ae 39 a2 88 02 e6 fa 51 f6 f6
      Key Container = e27b180359735f8436d3d5b86f2fcb5f_382894c5-ff02-4802-9f4c-5d2001bc5027
      Simple container name: le-Machine-cda5bf42-165a-41a0-ad99-73c09a1d822e
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

     

    C:\Windows\system32\LogSpace\{7DD421E4-6845-4E22-BE36-3735EE121388}>whoami /groups 

    GROUP INFORMATION
    -----------------

    Group Name                             Type             SID          Attributes                                       
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner   
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384 


    Bill

    Monday, April 23, 2012 11:09 PM

All replies

  • Found a few threads out there that indicate I should be okay to leave the 'archived!' certs out there on my clients. I did have some success with HOMENET and teredo. Re-issued my computer cert on uag1.corp.contoso.com, and corrected the split-dns on INET1 (Was set as corp.contoso.com zone). I'm getting correct main mode tunnels now, but still some issues with IP-HTTPS. I issued a new IP-HTTPS cert for the listener on UAG1, and on the HOMENET clients, I've disabled the teredo tunnel in order to force IP-HTTPS. But ipconfig /all shows 'Media Disconnected' on the 'tunnel adapter iphttpsinterface'. On UAG1 I cannot get anything but teredo (transition mode) in DA Monitor. I never see IP-HTTPS as a transition mode, and the tunnel never spins up on the client. Any thoughts greatly appreciated.


    Bill

    Tuesday, April 24, 2012 8:17 PM
  • netsh int httpstunnel show interfaces - shows IPHTTPS Interface Deactivated with a last error code of 0x0.

    Bill


    • Edited by Beachnut_ Tuesday, April 24, 2012 9:55 PM had wrong command listed
    Tuesday, April 24, 2012 8:31 PM
  • I'm thinking that the IP-HTTPS cert is okay, but that there may be an issue with the client finding the CRL?

    I followed the TLG to a tee and, as can be seen below, the share permissions are in place.

    Even though I can get to \\dc1\files okay, when I browse from Windows Explorer to \\app1\crldist it fails.


    Bill


    • Edited by Beachnut_ Tuesday, April 24, 2012 8:45 PM
    Tuesday, April 24, 2012 8:45 PM
  • I've verified that the clients can ping crl.corp.contoso.com successfully.

    netsh int https show interface on the UAG1 server results in the following output:

    role: server

    url: https://uag1.corp.contoso.com:443/iphttps

    client authentication mode: certificates

    last error code: 0x0

    interface status: IPHTTPS interface active

    --------------------------------------

    On the client side: same command yields the following:

    role: client

    url: https://uag1.corp.contoso.com:443/iphttps

    last error code: 0x2afc

    interface status: failed to connect to the IPHTTPS server. Waiting to reconnect

    Thanks for anyone's help out there ...


    Bill


    • Edited by Beachnut_ Tuesday, April 24, 2012 10:17 PM
    Tuesday, April 24, 2012 10:16 PM
  • Anybody???

    Bill

    Thursday, April 26, 2012 7:11 PM
  • Many threads out there related to failed IP-HTTPS tunnels back to intranet, and most seemed to point to the cert. That was what my issue turned out to be. I did walk through this post, and believe it helped: http://blogs.technet.com/b/tomshinder/archive/2010/05/28/uag-directaccess-step-by-step-guide-crl-check-update.aspx. But in the end, I believe my problem was that the IP-HTTPS cert was issued to uag1.corp.contoso.com ... when it should have been uag1.contoso.com. Anyway, I'm working now on IP-HTTPS, teredo, and 6to4 back into intranet.


    Bill

    • Marked as answer by Beachnut_ Friday, April 27, 2012 5:15 PM
    Friday, April 27, 2012 5:15 PM
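An added example, not from the thread: a Python script that parses the `netsh int httpstunnel show interfaces` and `certutil -store my` layouts posted above and applies the checks the thread converged on (IP-HTTPS error state, listener certificate name versus the URL clients use, archived versus current computer certificates). The sample text is constructed: it assumes the public IP-HTTPS URL is uag1.contoso.com, as the final post implies, and a listener certificate issued to uag1.corp.contoso.com.

```python
"""Cross-check a DirectAccess client's IP-HTTPS state against the listener
certificate. Added example, not from the thread; sample text is constructed."""
import re
from urllib.parse import urlparse

# Constructed: client `netsh int httpstunnel show interfaces` in the failing
# state from the thread (0x2afc), with the public name the final post implies.
CLIENT_TUNNEL = """\
Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://uag1.contoso.com:443/IPHTTPS
Last Error Code            : 0x2afc
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect
"""

# Constructed: trimmed `certutil -store my` in the client's layout, with one
# archived cert for an old machine name and one current cert.
CLIENT_STORE = """\
my
================ Certificate 0 ================
Archived!
Serial Number: 1c5ddfbe00000000000a
Issuer: CN=CORP-DC1-CA, DC=CORP, DC=CONTOSO, DC=COM
 NotAfter: 4/6/2013 12:35 PM
Subject: CN=CLIENT11.CORP.CONTOSO.COM
================ Certificate 1 ================
Serial Number: 6105f53500000000000d
Issuer: CN=CORP-DC1-CA, DC=CORP, DC=CONTOSO, DC=COM
 NotAfter: 4/19/2013 6:49 PM
Subject: CN=CLIENT1.CORP.CONTOSO.COM
CertUtil: -store command completed successfully.
"""

# Constructed: subject of the cert bound to the UAG IP-HTTPS listener, the
# internal name the final post identifies as the mistake.
LISTENER_SUBJECT = "CN=uag1.corp.contoso.com"


def parse_httpstunnel(text):
    """Return the 'Key : Value' pairs of a netsh httpstunnel listing, keys lowercased."""
    fields = {}
    for line in text.splitlines():
        # keys are words only, so the first colon after them is the separator
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def parse_certutil_store(text):
    """Split certutil -store output into one dict per certificate block."""
    certs, cur = [], None
    for line in text.splitlines():
        if line.startswith("================ Certificate"):
            cur = {"archived": False}
            certs.append(cur)
        elif cur is None or line.startswith("CertUtil:"):
            continue
        elif line.strip() == "Archived!":
            cur["archived"] = True  # superseded cert kept by autoenrollment
        elif ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return certs


def subject_cn(subject):
    """Extract the CN from an X.500 subject such as 'CN=host, DC=corp, ...'."""
    m = re.search(r"CN=([^,]+)", subject, re.IGNORECASE)
    return m.group(1).strip().lower() if m else None


def diagnose(tunnel, listener_subject, client_certs, client_fqdn):
    """Return findings for the tunnel state, listener cert name and client store."""
    findings = []
    err = tunnel.get("last error code", "0x0")
    status = tunnel.get("interface status", "")
    if err.lower() != "0x0" or "failed" in status.lower():
        findings.append(f"iphttps_down: error {err}, status '{status}'")
    host = urlparse(tunnel.get("url", "")).hostname
    cn = subject_cn(listener_subject)
    if host and cn != host:  # the client's TLS name check will reject the listener
        findings.append(f"listener_name_mismatch: cert CN '{cn}' vs URL host '{host}'")
    current = [c for c in client_certs if not c["archived"]]
    if not current:
        findings.append("no_current_computer_cert: only archived certs in store")
    elif not any(subject_cn(c.get("subject", "")) == client_fqdn.lower() for c in current):
        findings.append(f"client_cert_name_mismatch: no current cert for {client_fqdn}")
    return findings
```

Archived certificates alone produce no finding, matching what Bill found: only the absence of a current certificate for the client's FQDN is flagged. The "deactivated" state with error 0x0 seen earlier in the thread is also not flagged, since IP-HTTPS stays deactivated while Teredo or 6to4 is in use.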