Business Ready Security Demo - UAG & DirectAccess

  • Question

  • Hi,

    I downloaded and installed the BRS Demo. It comes preconfigured with UAG and DA. Unfortunately, DA does not work at all.

    I enabled auditing for IPsec on the client using auditpol.exe. This is the result:
    An IPsec main mode negotiation failed. The remote endpoint is the IPv6 address of the UAG's 6to4 adapter (I am using Hyper-V; my client has a public IPv4 address). Failure reason: No policy configured. State: no state.

    In wf.msc I can see three connection security rules on the client and two on the UAG. When I try to access a resource on the internal network, the client sends ICMPv6 echo request packets and AuthIP packets to the UAG's 6to4 IPv6 address. The client never receives any answer. When pinging with ICMPv4 to the external interface of the UAG, the TMG on the UAG reports the echo requests in its log. From the TMG logging I also learned that the client tries to connect to the internal network directly, without an IPsec tunnel, which in turn is blocked by TMG.

    Does anybody have any idea what's wrong with this configuration?

    Kind regards,

    Dagmar


    Tuesday, July 20, 2010 9:27 PM

Answers

  • I believe there is an updated version coming in the future. However, most admins should be using the updated Demonstrating UAG DirectAccess in a Test Lab Guide which will be coming out next week ;)

    Stay tuned to this channel!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Monday, July 26, 2010 10:55 PM
    Friday, July 23, 2010 11:46 AM
    Moderator

All replies

  • In wf.msc, did you see those connection security rules under the monitoring tree node? If not, please look if they exist there as well. Only IPsec and firewall rules that appear under monitoring are currently active.

    If they're indeed not active, maybe windows firewall is turned off?

    No policy configured means there is some mismatch between the IPsec rules on the client and the server. Check if the active IPsec rules on the client and server match the IPv6 backend server you're trying to reach, and check if the tunnel endpoints are identical.

    Wednesday, July 21, 2010 8:49 AM
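A way to automate the endpoint comparison Yaniv describes, as an added example that is not part of this thread: it parses a rule dump from the client and one from the UAG server and lists every active client tunnel rule that has no active server-side tunnel rule with the matching local tunnel endpoint. The dumps are constructed with documentation addresses (2001:db8::/32); that the field names (`Rule Name`, `Enabled`, `Mode`, `LocalTunnelEndpoint`, `RemoteTunnelEndpoint`) match what `netsh advfirewall consec show rule name=all` prints is an assumption.

```python
import re

# Constructed sample dumps, not real netsh output. That the "Key: Value" field
# names match netsh's exactly is an assumption; the addresses are documentation ones.
CLIENT_DUMP = """Rule Name:             DirectAccess Policy-ClientToDnsDc
Enabled:               Yes
Mode:                  Tunnel
RemoteTunnelEndpoint:  2001:db8:10::1

Rule Name:             DirectAccess Policy-ClientToCorp
Enabled:               Yes
Mode:                  Tunnel
RemoteTunnelEndpoint:  2001:db8:10::2
"""
SERVER_DUMP = """Rule Name:             DirectAccess Policy-DaServerToDnsDc
Enabled:               Yes
Mode:                  Tunnel
LocalTunnelEndpoint:   2001:db8:10::1

Rule Name:             DirectAccess Policy-DaServerToCorp
Enabled:               No
Mode:                  Tunnel
LocalTunnelEndpoint:   2001:db8:10::2
"""

def parse_rules(dump):
    """One dict per rule; rules are separated by blank lines."""
    rules, cur = [], {}
    for line in dump.splitlines() + [""]:   # sentinel flushes the last rule
        m = re.match(r"\s*([A-Za-z0-9 ]+?):\s+(.*\S)", line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif not line.strip() and cur:
            rules.append(cur)
            cur = {}
    return rules

def tunnel_mismatches(client_rules, server_rules):
    """Each active client tunnel rule needs an active server tunnel rule whose local
    tunnel endpoint equals the client's remote one; otherwise MM fails with 'No policy configured'."""
    server_local = {r.get("LocalTunnelEndpoint") for r in server_rules
                    if r.get("Mode") == "Tunnel" and r.get("Enabled") == "Yes"}
    problems = []
    for r in (c for c in client_rules if c.get("Mode") == "Tunnel"):
        name, remote = r.get("Rule Name", "?"), r.get("RemoteTunnelEndpoint", "?")
        if r.get("Enabled") != "Yes":
            problems.append((name, "client rule present but not active"))
        elif remote not in server_local:
            problems.append((name, "no active server tunnel rule with local endpoint " + remote))
    return problems
```

Run it against dumps taken from the monitoring view on both machines; a rule that shows up only in the non-monitoring view is parsed the same way but will not be active.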
  • Hi Dagmar,

    As Yaniv said, check the Connection Security Rules on both the client and the server. It might be that some of the services didn't start on the UAG server. Use the Services.msc and see if any of the Automatic start services didn't start, or just restart the UAG server.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, July 21, 2010 6:10 PM
    Moderator
  • Thank you for your answers. I will try this and let you know.

    Regards,

    Dagmar

    Wednesday, July 21, 2010 7:32 PM
  • Hi,

    Thank you for your answers. There must have been something wrong with the policies. I removed the link in GPMC for the original ones and recreated them with exactly the same settings, and suddenly it worked.

    Regards,

    Dagmar


    Thursday, July 22, 2010 7:05 AM
  • Hi Dagmar,

    Great! Good to hear you got it working and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, July 22, 2010 11:35 AM
    Moderator
  • Is there something wrong with the default demo setup then? Surely this is not good for other people?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 22, 2010 1:37 PM
    Moderator
  • You are right, there seems to be something wrong with the demo setup.

    By the way, the description on http://www.microsoft.com/downloads/details.aspx?FamilyID=726F943E-D107-4B4D-A86E-DFB605E30CE5&displaylang=en&displaylang=en says:

    • Secure Endpoint - Protect client and server operating systems from emerging threats and information loss, while enabling secure access from virtually anywhere and on any device
      • Advanced threat protection with Forefront Threat Management Gateway 2010 (TMG)
      • Malware protection when not connecting to the company network
      • Malware protection when using USB drives
      • DirectAccess with Forefront UAG

    Unfortunately, in the lab guides DirectAccess is just mentioned, but there is no lab.

    I did not change anything of the configuration, just removed the original policies and created new ones with exactly the same settings. Before I did that I spent 3 hours on comparing policies, rebooting, sniffing, I even enabled IPsec auditing etc.

    Regards,

    Dagmar

    Thursday, July 22, 2010 1:45 PM
  • Tom/Yaniv - can you follow up on this?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 22, 2010 4:16 PM
    Moderator
  • As promised!

    http://blogs.technet.com/b/tomshinder/archive/2010/07/29/great-new-uag-directaccess-test-lab-content-available.aspx

    New and improved content supersedes the old UAG DirectAccess Step by Step guide.

    Have fun!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, July 29, 2010 12:55 AM
    Moderator