DirectAccess knocks client off the Domain

  • Question

  • I'm at my wits' end. I've set up UAG DirectAccess, and when I put my computer in the DirectAccess security group to test whether it's working, before I even take it off my domain LAN, I cannot ping any of my servers on my domain via the DNS name, and it seems to knock the client off the domain network. In the Network and Sharing Center it changes from Domain network to Public. To get it all back to normal I have to remove my machine from the DirectAccess security group, remove my machine from the domain, then add it back again. Again, this is before I've even tried it to see if it works elsewhere.

    Am I missing something?

    Many thanks in advance


    • Edited by Data10 Sunday, July 8, 2012 5:43 PM
    Sunday, July 8, 2012 5:43 PM

Answers

  • Ok, that is the error you need to fix!

    Is the certificate issued from an internal CA?
    If so, does the client have the certificate for that CA in its trusted root store?
    Is the name on the certificate the same as the URL you type in?
    Are the timestamps on the certificate correct ("valid from" and "valid to")?

    You should be able to see some information on why the certificate is not trusted if you click "Certificate Error" and view the certificate.

    Best wishes,
    Jonas Blom

    • Marked as answer by Data10 Monday, July 9, 2012 9:13 PM
    Monday, July 9, 2012 7:38 PM
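    The checks in this answer, scripted for the client side (an added example, not code from the thread or from UAG): it reports the DNS client's machine location, resolves the NLS and the corpConnectivityHost record, then fetches the NLS certificate over TLS and tests validity dates, name match and chain trust separately so each failure reason is visible. The NLS FQDN and the connectivity-host FQDN are placeholders; the domain suffix on the connectivity-host name is an assumption.

```powershell
# Added example: reproduce the NLS certificate checks on a DirectAccess client.
param(
    [string]$NlsFqdn = 'nls.mydomain.com',                                          # placeholder
    [string]$ConnectivityHost = 'UAGDirectAccess-corpConnectivityHost.mydomain.com' # placeholder, suffix assumed
)

# 1. Where does the DNS client think the machine is? (same line 'netsh dnsclient show state' shows)
$state = netsh dnsclient show state
Write-Host "Machine location : $(($state | Select-String 'Machine location').Line)"

# 2. Do the names the inside/outside decision depends on resolve on the internal DNS?
foreach ($name in @($NlsFqdn, $ConnectivityHost)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Write-Host "$name resolves to $($addrs -join ', ')"
    } catch {
        Write-Warning "$name does not resolve: $($_.Exception.Message)"
    }
}

# 3. Fetch the certificate the NLS presents on 443. The callback returns $true so the
#    certificate is captured even when a browser would reject it; validation is done below.
$tcp = New-Object System.Net.Sockets.TcpClient($NlsFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($NlsFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Check 1: validity period ("valid from" / "valid to")
$now = Get-Date
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) - $($cert.NotAfter) (now: $now)"
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { Write-Warning 'Certificate is outside its validity period' }

# Check 2: the URL host name must match the CN or a Subject Alternative Name entry
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk = ($cert.GetNameInfo('DnsName', $false) -ieq $NlsFqdn) -or ($san -match [regex]::Escape($NlsFqdn))
if (-not $nameOk) { Write-Warning "Certificate name does not match $NlsFqdn" }

# Check 3: chain must build to a CA in the client's Trusted Root store (revocation skipped here)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) { Write-Host 'Chain builds to a trusted root' }
else { $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)" } }
```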

All replies

  • Hi,

    Sounds like the client thinks it is not on your LAN.

    Run netsh dnsclient show state in a command prompt to see what it says.
    (Look for the line with "Machine location".)

    If it says that you are "Outside corporate network" you have found the problem.

    To fix it, verify that you can reach the NLS and that the DNS record UAGDirectAccess-corpConnectivityHost is registered in the internal DNS servers.

    Best wishes,
    Jonas Blom

    • Proposed as answer by Jonas Blom Monday, July 9, 2012 6:28 AM
    Sunday, July 8, 2012 8:36 PM
  • Hi,

    Yes, you are correct, it does say "Outside corporate network", but I can ping my NLS no problem. Can't ping my domain controllers/DNS servers. All of the DNS records, as you say above, are fine?

    Sunday, July 8, 2012 11:20 PM
  • Hi,

    You can ping internal systems because ICMP is exempt from the IPsec tunnels.

    The important part is that you can reach the NLS server over HTTPS and verify the certificate. To test, type the URL into a web browser on the client and try to browse to it. (Sorry, should have been clear about that.)

    If you don't get to the page, post the result of the following commands:

    1: netsh namespace show policy

    2: ping <NLS FQDN>

    3: nslookup <NLS FQDN>

    (Alternatively, post a full DCA error log here)

    Best wishes,
    Jonas Blom

    Monday, July 9, 2012 6:28 AM
  • Hi,

    No problem, I can do this for you this evening. But before I do that: I cannot post a DCA error log, as for some reason it only installed during my first test. Once I removed it and removed myself from the security group to get my client back to normal, it never installed itself again when I tested further. Not figured this one out yet. Also, I've just logged onto my domain controller remotely and tried to ping ISATAP.mydomain.com and I cannot ping it from any of my servers. I can ping my UAG DirectAccess server, though, which is where ISATAP.mydomain.com is pointing to. I cannot RDP to it either; I am having to access it through my VMware client as it is a virtual machine.

    Would the above have anything to do with it, Jonas?

    Kind Regards

    Monday, July 9, 2012 8:36 AM
  • Hi again,

    Should say that these are two separate problems.
    So focus on why the client thinks it is outside of the corporate network first; always good to fix one problem at a time so you know which change fixed it :)

    If you have problems with ISATAP, why not remove the ISATAP record from the internal DNS and use DNS64/NAT64 instead?
    (If you need manage-out capabilities, manually configure ISATAP through the hosts file on those specific machines.)

    BTW, RDP'ing to the UAG host is probably just being blocked by the TMG rules, not something related to a problem/error.
    If you want to access the host over RDP, add an additional rule.

    Regarding DCA, are you using some version of ConfigMgr to deploy packages?
    Just do a manual installation on your client with the MSI?

    Best wishes,
    Jonas Blom

    Monday, July 9, 2012 11:57 AM
  • Hi,

    I'll sort out this info this evening for you. The DCA is distributed through GPO in the Software Installation section.

    Thanks

    Monday, July 9, 2012 3:52 PM
  • Ok,

    I'm back in the security group. If I type in https://nls.mydomain.com I get presented with

    'There is a problem with this website's security certificate.

    The security certificate presented by this website was not issued by a trusted authority.'

    I have to click continue to this website and I get presented with the standard IIS welcome page.

    If I type in netsh namespace show policy, I get the following:

    Settings for uag.mydomain.com
    ----------------------------------------------------------------------
    Certification authority: DC=com, DC=mydomain, CN=mydomain.com
    DNSSEC (Validation): disabled
    DNSSEC (IPsec): disabled
    DirectAccess (DNS Servers):
    DirectAccess (IPsec): disabled
    DirectAccess (Proxy Settings): Use default browser settings

    Settings for .mydomain.com
    ----------------------------------------------------------------------
    Certification authority: DC=com, DC=mydomain, CN=mydomain.com
    DNSSEC (Validation): disabled
    DNSSEC (IPsec): disabled
    DirectAccess (DNS Servers): 2002:59ce:8b7e::59ce:8b7e
    DirectAccess (IPsec): disabled
    DirectAccess (Proxy Settings): Bypass proxy

    When I ping the FQDN NLS.mydomain.com I get a response back no problem.

    When I nslookup NLS.mydomain.com I get the correct response also.

    I've manually installed the DCA and it says that the DirectAccess connectivity is working. I've generated the logs: http://www.2shared.com/file/G6wiH1cy/DCA.html

    Many Thanks

    Monday, July 9, 2012 7:05 PM
  • Would you recommend using a public certificate for the NLS? I prefer to use public ones, but my friend said it doesn't matter for the NLS.

    Thanks

    Monday, July 9, 2012 8:23 PM
  • No, stick with a certificate from your internal PKI; no need for a public one.

    Did you find out why it is listed as untrusted when you browse to https://nls.mydomain.com ?

    Monday, July 9, 2012 8:25 PM
  • You are correct, Jonas, the cert was incorrect (must be those late IT nights making me do silly things). I've corrected the issue and all seems OK when I am plugged into the LAN. But I've tried the laptop in an external location, and DirectAccess still does not work!! There must be something else, Jonas......

    Thanks

    Monday, July 9, 2012 9:07 PM
  • Glad to hear it works!

    A suggestion: start a new thread regarding the problems connecting externally.
    (That way someone who has the same problem as you had can follow the thread herein.)

    Best wishes,
    Jonas Blom

    Monday, July 9, 2012 9:10 PM
  • Many Thanks Jonas
    Monday, July 9, 2012 9:13 PM