Problem with Direct Access - Ipsec problem

  • Question

  • Hello

    I have a problem with the deployment of Direct Access in our company. We have the DC set up on SBS2008 (on the SBS there are: ADDS, ADCS, DNS, Certification Authority).

    The Direct Access server is set up on Win2012 Essentials RC. I created a security group on the DC with only 1 computer with Windows 8.

    Everything is working great when I don't highlight the option "Enable Windows 7 Client computers to connect Via Direct Access". Then I don't have to choose a Root CA and Direct Access on Windows 8 works OK. I can connect to my company from the Internet.

    The problem starts when I add 1 computer with Windows 7 Ultimate for testing purposes only. I added that computer to my security group on the DC, highlighted the option "Enable Windows 7 Client computers to connect Via Direct Access" and now I have to choose a Root CA. I chose the only Root Certificate that I have in my CA, "acs-SBS2008-CA". Every server/computer receives that certificate when it joins the domain.

    http://imageshack.us/photo/my-images/692/61796845.jpg/

    Of course I added the CRL to the CA as stated in the DA step-by-step guide.

    Configuration goes with no problem but then I have an IPSec error.

    http://imageshack.us/photo/my-images/525/59786044.jpg/

    After typing gpupdate on Windows 8 and Windows 7, Windows 8 lost its connection to DA and Windows 7 won't work either.

    So it's obvious that there is a problem with my Root CA. I have no idea what I'm doing wrong.

    Here:

    http://www.enterprisenetworkingplanet.com/windows/article.php/3899621/Ditch-Your-VPN-for-DirectAccess.htm

    I read that the DC with the CA must be set up on Win2008R2. Is that true? I don't think so. I think that only the DA Server must be set up on win2008r2/2012. Am I right?

    And by the way I didn't enroll any Machine Certificates but I don't think it will help because I would still have to choose Root CA in DA Deployment Wizard.

    Please help.

    Is there an option to force Windows 7 not to use any certificate, like Win 8?

    Thursday, September 13, 2012 4:48 PM

Answers

  • Sorry, thread closed. Enrolling computer certificates fixed my case.
    • Marked as answer by tom8823 Friday, September 14, 2012 10:58 AM
    Friday, September 14, 2012 10:58 AM
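
A way to check the condition the accepted answer describes, as an added example that is not part of the original thread: it lists the computer certificates in the client's machine store and reports whether each one chains to the root CA named in the question, is within its validity period, has a private key, and passes revocation checking. The helper name `Test-ComputerCertificate` is hypothetical, and the script assumes the computer certificate is expected to carry the Client Authentication EKU.

```powershell
# Added example, PowerShell 2.0 compatible (the default on Windows 7). Run elevated on the client.
$RootCaName = 'acs-SBS2008-CA'   # root CA named in the question

function Test-ComputerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)] [string] $RootCaName,
        [string] $EkuOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (assumed requirement)
    )
    # Collect the EKU OIDs; assumption: no EKU extension means the certificate is all-purpose.
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $ekuOk = ($ekus.Count -eq 0) -or ($ekus -contains $EkuOid)

    # Build the chain in machine context with online revocation checking,
    # so an unreachable or missing CRL shows up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk  = $chain.Build($Certificate)
    $root     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootName = $root.GetNameInfo('SimpleName', $false)
    $status   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        ChainsToRoot  = ($rootName -eq $RootCaName)
        ChainValid    = $chainOk
        ChainStatus   = $status
        InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        HasPrivateKey = $Certificate.HasPrivateKey
        EkuOk         = $ekuOk
    } | Select-Object Subject, ChainsToRoot, ChainValid, ChainStatus, InValidity, HasPrivateKey, EkuOk
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    # The situation described in the question: no machine certificate was enrolled.
    Write-Warning 'No certificates in LocalMachine\My: no computer certificate has been enrolled.'
} else {
    $certs | ForEach-Object {
        Test-ComputerCertificate -Certificate $_ -RootCaName $RootCaName
    } | Format-List
}
```

A client is ready for certificate-based IPsec authentication only when at least one entry shows every check as True and an empty ChainStatus.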
