Client not able to connect to direct access

    Question

  • Hello,

    We have set up Direct Access and the GPO is applied on the client machine, but when testing it is stuck on CONNECTING.

    The directaccess-WebProbeHost is added correctly it seems, no firewall problem that I don't see that could be the problem. Any other places we may have forgotten?

    I ran netsh interface httpstunnel show interface on the client machine and I see this error

    failed to connect to the IPHTTPS server Waiting to Reconnect which seems to be our issue.



    Best regards,

    Joe C
    Partner Online Technical Community
    -----------------------------------------------------------------------------------------
    We hope you get value from our new forums platform! Tell us what you think:
    http://social.microsoft.com/Forums/en-US/partnerfdbk/threads
    -----------------------------------------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights

    Monday, May 14, 2018 12:25 PM

All replies

  • Hi,

    Thanks for your question.

    DirectAccess clients may not be able to connect to DirectAccess server by using IP-Https connections with this error.

    We’ll need to determine this error code firstly. May I know more information about this error?

    You may type the commands “Get-NetIPHttpsState” and “Get-NetIPHttpsConfiguration” to check this IP-HTTPS connection. Please refer to the following article,

    DirectAccess Troubleshooting PowerShell Commands

    https://directaccess.richardhicks.com/2017/07/10/top-5-directaccess-troubleshooting-powershell-commands/

    Furthermore, please try the following link to see if it could be resolved.

    DirectAccess clients may not be able to connect to DirectAccess server with error code 0x103, 0x2AFC, or 0x2AF9 when using IP-HTTPS

    https://support.microsoft.com/en-sg/help/2980635/directaccess-clients-may-not-be-able-to-connect-to-directaccess-server

    For this issue, we can try these suggestions from the above link.

    1) Try to connect to the server through telnet by using the external IP address or name of the DirectAccess server on port 443. If it fails to connect, this may be because the packet is being dropped somewhere on the network, or the NAT rules are not created correctly on the external NAT device behind which DirectAccess is configured.

    2) The external name should be resolvable from the client. Try to ping the name of the IP-HTTPS site name (the DirectAccess server public name), and check whether the name resolution is succeeding. If the name does not resolve, fix the name resolution.

    3) If a telnet connection is successful, then look at a network trace. The SSL handshake should be successful.

    4) Use the netsh winhttp command to reset the local system proxy settings. It is also possible to manipulate these settings by viewing the proxy settings in Internet Explorer. You must open Internet Explorer under the local system context rather than by using a normal account.

    In addition, here is a link that talks about troubleshooting for Direct Access issues; it may be helpful.

    7 Steps for Troubleshooting DirectAccess Clients

    http://techgenix.com/7-steps-troubleshooting-directaccess-clients/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope the above information can help you. I look forward to hearing your good news.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 15, 2018 7:47 AM
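
The checks suggested in the reply above, gathered into one client-side script. This is an added example, not part of any post in this thread; it assumes an elevated PowerShell session on the DirectAccess client and reads the IP-HTTPS URL from the client's own configuration rather than a hard-coded name.

```powershell
# Added example: IP-HTTPS client diagnostics in the order the reply suggests.
# Nothing here changes configuration; the proxy reset is left as a comment.

# Current tunnel state and the error code the reply asks about.
$state = Get-NetIPHttpsState
'Interface status : {0}' -f $state.InterfaceStatus
'Last error code  : 0x{0:X}' -f $state.LastErrorCode

# The server URL the client was given by the DirectAccess GPO.
$cfg = Get-NetIPHttpsConfiguration | Select-Object -First 1
if (-not $cfg) { throw 'No IP-HTTPS configuration found; check that the GPO applied.' }
$uri = [Uri]$cfg.ServerURL
"IP-HTTPS URL     : $($cfg.ServerURL)"

# Step 2: the public name must resolve from the client.
try {
    $addrs = (Resolve-DnsName -Name $uri.Host -ErrorAction Stop | Where-Object IPAddress).IPAddress
    "DNS              : $($uri.Host) -> $($addrs -join ', ')"
} catch {
    "DNS              : $($uri.Host) does not resolve ($($_.Exception.Message))"
    return
}

# Step 1: TCP reachability on the IP-HTTPS port (the telnet test).
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
"TCP $($uri.Port)          : $($tcp.TcpTestSucceeded)"
if (-not $tcp.TcpTestSucceeded) { return }   # dropped packets or a missing NAT rule

# Step 3: TLS handshake with normal certificate validation left enabled.
$client = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)     # throws on handshake or certificate failure
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "TLS              : $($ssl.SslProtocol), $($cert.Subject), expires $($cert.NotAfter)"
} catch {
    "TLS              : handshake failed ($($_.Exception.Message))"
} finally {
    $client.Dispose()
}

# Step 4: show the WinHTTP (system) proxy; 'netsh winhttp reset proxy' clears it.
netsh winhttp show proxy
```

A TLS failure at step 3 with TCP succeeding points at the certificate or at a device intercepting port 443, not at routing or NAT.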
  • Microsoft assisted; they added a public IP. The problem now is getting SCCM to work; I can't remote control or push packages on a machine with Direct Access. I added the IPv6 prefix for the boundary. Is there a manage access area that the SCCM server IP needs to be added to? Same with WSUS?

    Best regards,
    Joe C

    Wednesday, May 16, 2018 1:29 AM
  • So on the SCCM server we cannot remote into a client machine that's in the DA Clients group, but we can under the Direct Access server; we lose packets dropped by the firewall with 212091.

    Is there a NAT rule we possibly need to add?

    Best regards,
    Joe C

    Monday, May 21, 2018 6:44 PM