Direct Access Windows 2012 (without UAG) - Not working completely

  • I have a LAB Setup to test DA (2 NICS) on Windows 2012. (This is without UAG etc). Everything is virtualized using HyperV

    Auto Enrollment is done and working.

    1. Domain Controller, DNS, DHCP, CA - Single NIC - DC1.dom.local
    2. Web Server - Single NIC - Web1.dom.local
    3. DA Server 2012 - 2 NICS - One connected to the Internal Network and other to Internet (external - not real internet). - DA.dom.local
    4. Public DNS - 1 NIC - Connected to the Internet - It is in the same subnet as the External NIC of the DA server - DNS01 (Workgroup)
    5. Windows 7 Client - Has received all the certificates and the DA client policy. Now connected to the public Network, where it can connect to public DNS - DNS01 and DA Server external NIC.

    PUBLIC DA NAME = DA.Contoso.com - I have an entry in public DNS to resolve this to the external NIC of the DA server. CRL is disabled.

    Now, when my client is outside the local network, I can ping all internal machines fine - DC, DNS, Webserver, DA server. So my infrastructure tunnel is fine. However, I cannot connect to the webserver or any shares. Not sure why.

    One thing I noticed - When I run netsh name show policy - the Certification Authority is BLANK.

    DCA 2.0 shows that the client is not connected to the internet - user action. But when outside the network, as I said, I can ping everything but not access any resources.


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Thursday, September 20, 2012 3:53 AM

All replies

  • Is the client able to access the CRL for the internal cert? I am assuming that you are using your own certificates in this lab.


    Hth, Anders Janson Enfo Zipper

    Thursday, September 20, 2012 8:00 AM
  • CRL check has been disabled, as this is LAB environment only.


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Thursday, September 20, 2012 9:13 AM
  • Sorry 'bout that.... I missed that in your original post.

    Is this an IPv4 environment on the internal network? If so you need to enable inbound ICMPv4 Echo Requests on internal resources in order for Teredo to work. Easiest way to do this is to add this to a GPO. As this is a lab, you can add it to the Default Domain policy or for that matter create your own....


    Hth, Anders Janson Enfo Zipper

    Friday, September 21, 2012 9:13 AM
    Yes, I have ICMPv4 and ICMPv6 - both enabled. Let me ask something very basic. Is it possible to simulate a LAB for Windows 2012 Direct Access without real Internet access? My machines are all part of a single HyperV server. This room has nothing to do with the Internet or a connection to it. I am asking this because DA is very delicate about the network and does a lot of mathematics before it can make a connection. Like - DCA shows that it was unable to connect to teredo.ipv6.Microsoft.com etc. and disabled TEREDO (state was disabled).

    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Friday, September 21, 2012 11:05 AM
    If it tries to connect to teredo.ipv6.microsoft.com, then I would say that your clients are not correctly configured. Your clients' Teredo configuration should point to your-da-server.yourdomain.tld (e.g. da.contoso.com).

    Do they get the correct GPO for client settings? Is the client computer account in the correct group in order to get the GPO?

    You can confirm your settings with the command:

    netsh interface teredo show state

    (from a command/ps prompt)


    Hth, Anders Janson Enfo Zipper

    Tuesday, September 25, 2012 8:16 AM
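    The check Anders describes, as an added example that is not part of the thread or of any Microsoft tooling: a PowerShell function that parses the output of netsh interface teredo show state and flags the two symptoms Vik reported (Teredo server still set to teredo.ipv6.microsoft.com, Teredo state not qualified). The expected server value is an assumption you pass in: it should be whatever the DA client GPO pushes, which is a host name such as da.contoso.com in this thread or, on some deployments, the DA server's first public IPv4 address. The sample netsh output embedded below is constructed for the demonstration; the live run at the end only happens when netsh is present.

```powershell
# Added example (not from the thread). Parses "netsh interface teredo show state"
# and checks the Teredo client settings a DirectAccess GPO is expected to apply.

function ConvertFrom-TeredoState {
    param([Parameter(Mandatory)][string[]]$Lines)
    # netsh prints "Key : value" rows under a "Teredo Parameters" header; keep the rows.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $state
}

function Test-TeredoConfiguration {
    param(
        [Parameter(Mandatory)][hashtable]$State,
        [Parameter(Mandatory)][string]$ExpectedServer   # assumed: name or IP your DA GPO sets
    )
    $findings = @()
    # netsh shows the server FQDN with a trailing dot; normalise before comparing.
    $server = ($State['Server Name'] -replace '\.$', '')
    if (-not $server) {
        $findings += 'No Teredo server configured.'
    } elseif ($server -ine $ExpectedServer) {
        $findings += "Teredo server is '$server', expected '$ExpectedServer' (DA client GPO probably not applied)."
    }
    if ($State['Type'] -ne 'enterpriseclient') {
        $findings += "Teredo type is '$($State['Type'])'; DirectAccess clients normally use 'enterpriseclient'."
    }
    if ($State['State'] -ne 'qualified') {
        $findings += "Teredo state is '$($State['State'])' (not 'qualified')."
    }
    if ($State.ContainsKey('Error')) {
        $findings += "netsh reports error: $($State['Error'])"
    }
    return $findings
}

# Constructed sample output (not captured from a real machine) showing the
# default, non-DA configuration the poster described.
$sample = @'
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : client is in a managed network
'@ -split "`r?`n"

Test-TeredoConfiguration -State (ConvertFrom-TeredoState -Lines $sample) -ExpectedServer 'da.contoso.com'

# Live check on a client, when netsh is available:
if (Get-Command netsh -ErrorAction SilentlyContinue) {
    $live = netsh interface teredo show state
    Test-TeredoConfiguration -State (ConvertFrom-TeredoState -Lines $live) -ExpectedServer 'da.contoso.com'
}
```

    An empty result means the three settings match what a DirectAccess client GPO is expected to set. A finding about the server name is the fastest confirmation that the client GPO never applied, which in turn points at the computer's group membership or the GPO security filtering, the two things Anders asks about above.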
  • I got this working in this way.

    I eventually installed another server - TMG 2010. Changed DA to a single NIC. Server Published (HTTPS) the DA server in TMG.


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Wednesday, September 26, 2012 9:02 AM
  • I have everything in LAB and it works very good, even in NLB mode.

    Only thing that does not work, for me, is RDP from internal servers to DA external clients.

    Tuesday, October 2, 2012 1:57 PM
  • Vuk,

    Have you verified the following:

    - does the client, when on the outside, register in DNS with its external IP?

    - have you created the necessary inbound rules on the client that allows traffic to the client (incl enabling edge traversal)?

    For reference on how to configure manage-out, see:

    http://technet.microsoft.com/en-us/library/jj574200.aspx


    Hth, Anders Janson Enfo Zipper

    Wednesday, October 3, 2012 12:05 PM
  • The issue is resolved as mentioned earlier.

    I installed TMG and server published the DA server (single NIC)


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."


    • Edited by Vik Singh Wednesday, October 3, 2012 12:31 PM
    Wednesday, October 3, 2012 12:30 PM
  • So I noticed... :)

    I was actually responding to Vuk Kadija's post.


    Hth, Anders Janson Enfo Zipper

    Wednesday, October 3, 2012 2:13 PM
  • - does the client, when on the outside, register in DNS with its external IP? - no, it is registered with a Teredo or IP-HTTPS or 6to4 IPv6 address.

    - have you created the necessary inbound rules on the client that allows traffic to the client (incl enabling edge traversal)? - yes, I followed this reference (http://blogs.technet.com/b/tomshinder/archive/2010/10/29/test-lab-guide-demonstrate-uag-sp1-rc-directaccess-remote-management-blog-version.aspx). I can RDP from the DA server to the DA ext client, but from inside the corp network NO. Also, I enabled Windows firewall logging and I can see only ICMP packets; no RDP 3389 is in the log. I can ping the client from SCCM or any other server that is configured in the application tunnel.

    I have read that article, thank you, but no progress. Any suggestions?

    Wednesday, October 3, 2012 2:23 PM
  • The first problem you need to focus on is why the client does not register in DNS. For manage-out, you need the client IPv6 address in DNS.

    Things to look at;

    - Client event logs

    - Event logs on DNS server

    - Make a Network Monitor/Wireshark trace when a client connects and see if it even attempts to register in DNS.

    - After a client has connected and DNS registration failed, attempt a manual registration in DNS and verify event logs and also trace the registration.

    Hopefully that would point you in the right direction.


    Hth, Anders Janson Enfo Zipper

    Thursday, October 4, 2012 10:48 AM
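    The manage-out checks from Anders's two posts (does the client's AAAA record match the address it currently holds, and do the inbound rules allow edge traversal), as an added example that is not part of the thread or of any Microsoft tooling. It uses the Windows 8 / Server 2012 NetTCPIP, DnsClient and NetSecurity cmdlets, so it runs on a Windows 8 client rather than the Windows 7 client in the original post. The DNS server name dc1.dom.local is taken from the lab description; the client FQDN and the address sets in the offline demonstration are constructed values.

```powershell
# Added example (not from the thread). Compares a DirectAccess client's registered
# AAAA record with its current transition-technology address and lists inbound
# firewall rules that permit edge traversal (required for manage-out over Teredo).

function Compare-AddressSets {
    param([string[]]$Registered, [string[]]$Local)
    # Normalise textual forms (e.g. 2002:c000:0201:: vs 2002:c000:201::) before comparing.
    $norm = { param($a) ([System.Net.IPAddress]::Parse($a)).ToString() }
    $reg = @($Registered | Where-Object { $_ } | ForEach-Object { & $norm $_ })
    $loc = @($Local      | Where-Object { $_ } | ForEach-Object { & $norm $_ })
    [pscustomobject]@{
        Registered = $reg
        Local      = $loc
        Stale      = @($reg | Where-Object { $loc -notcontains $_ })  # in DNS, no longer on the client
        Missing    = @($loc | Where-Object { $reg -notcontains $_ })  # on the client, not in DNS
    }
}

function Get-TransitionAddresses {
    # Teredo addresses are in 2001:0::/32, 6to4 in 2002::/16; IP-HTTPS addresses come from
    # the prefix the DA server hands out, so select by interface rather than by prefix.
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -match 'Teredo|6to4|IPHTTPS|isatap' -and $_.IPAddress -notlike 'fe80*' } |
        Select-Object -ExpandProperty IPAddress
}

function Test-ClientAaaaRegistration {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string[]]$LocalAddresses,
        [string]$DnsServer                       # assumed: internal DNS reachable over the infrastructure tunnel
    )
    $query = @{ Name = $Fqdn; Type = 'AAAA'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $registered = Resolve-DnsName @query | Where-Object { $_.Type -eq 'AAAA' } | ForEach-Object { $_.IPAddress }
    Compare-AddressSets -Registered $registered -Local $LocalAddresses
}

function Get-EdgeTraversalRules {
    # Inbound management traffic arrives through the Teredo NAT traversal path, so the
    # rule that admits it must not have EdgeTraversalPolicy = Block.
    Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.EdgeTraversalPolicy -in 'Allow', 'DeferToApp', 'DeferToUser' } |
        Select-Object DisplayName, Profile, EdgeTraversalPolicy
}

# Offline demonstration with constructed addresses: DNS still holds a Teredo address
# while the client has since moved to a 6to4 address (for 192.0.2.1), so the record is stale.
$demo = Compare-AddressSets -Registered @('2001:0:9d38:6ab8:1c2f:3a4b:5c6d:7e8f') `
                            -Local      @('2002:c000:0201::c000:201')
$demo | Format-List

# Live checks on a DirectAccess client (dc1.dom.local is the lab's DNS server):
# Test-ClientAaaaRegistration -Fqdn "$env:COMPUTERNAME.$env:USERDNSDOMAIN" `
#     -LocalAddresses (Get-TransitionAddresses) -DnsServer 'dc1.dom.local'
# Get-EdgeTraversalRules
```

    A non-empty Stale list is the situation Vuk describes next: the client re-registers a fresh IPv6 address every time it connects through a different transition technology, so a management server that cached or resolved the old record reaches nothing. An empty result from Get-EdgeTraversalRules, with a rule for TCP 3389 present but its edge traversal policy left at Block, matches a firewall log that shows ICMP arriving while RDP never does.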
  • No no, client automatically registers AAAA record in DNS. Maybe we did not understand.

    If a client is Teredo or IPHTTPS or 6to4, it always registers with new IPv6 address.

    Thursday, October 4, 2012 1:04 PM
  • Have you configured ISATAP? That is needed in order for the management machines to know where to find the client and how to get there.

    Jason Jones has written an excellent blog entry on implementing a limited version of ISATAP without turning your entire internal network into an ISATAP-based IPv6 network.

    http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html


    Hth, Anders Janson Enfo Zipper

    Friday, October 5, 2012 6:12 PM
  • I have created detailed videos and want to share them, on how to install Windows Server 2012 Direct Access with a single network card configuration and Windows 8 clients:

    http://www.youtube.com/watch?v=CNJOziif03k

    And Windows Server 2012 Direct Access with a basic PKI configuration and Windows 7 clients:

    http://www.youtube.com/watch?v=_jgamV0XDiM

    Hope this will help

    If you like these videos, please subscribe, like, and share.
    Monday, October 8, 2012 6:26 AM