Is it possible to use QOS in combination with UAG DirectAccess?

  • Question

  • Is it possible to use QOS in combination with UAG DirectAccess?

    We back up our laptops which are connected via DirectAccess with Microsoft DPM 2010. In the DPM console it is possible to throttle the DPM client. This throttling works when the client is connected to the LAN but it doesn’t work when the client connects via DirectAccess.

     

    To troubleshoot this I configured a local QOS policy (Computer Configuration > Windows Settings > Policy-based QoS) and tested with the DPM client exe and destination IPv6 address, and again this only works when connected to the LAN and not when connected via DirectAccess.

     So is it possible to use QOS in combination with UAG DirectAccess?

    Monday, October 18, 2010 12:39 PM

Answers

  • It depends on how QoS checks for an enterprise network interface.

    If it looks for only domain profiled interfaces, then this will not work in DirectAccess, since in DirectAccess you don't have a special physical interface for corp connectivity, so the actual profile stays public or private. Even though you can reach the domain, as long as the inside/outside detection returns OUTSIDE, you cannot be marked as domain profile.

    This is unlike other VPN solutions, which create a different interface that is able to connect to the domain and to the inside/outside server and can therefore be categorized as domain profile.

    We will try to find out if this solution indeed relies on the profile or not.

    Wednesday, October 20, 2010 3:53 PM
  • Hi Mr. Iks,

    It seems to be an issue with domain detection and firewall policy.

    Not sure if there is a fix at this time, but I'll see what I can find out.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Monday, December 27, 2010 11:54 PM
    Wednesday, November 24, 2010 11:08 AM

All replies

  • I am not well versed in using QoS policies, but maybe you can apply it to the connection between UAG and DPM?  If you are using NAT64 the UAG server is standing between the client and DPM and might not match your policy and therefore not apply.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, October 19, 2010 2:19 PM
  • Interesting question. How are you configuring the QoS policy?

    Tom


    Tuesday, October 19, 2010 3:00 PM
  • At first I tried to configure this via the DPM 2010 console

    http://img840.imageshack.us/img840/3954/throttle.jpg

    This only works when a laptop is connected directly at the LAN and it is not working for laptops connected via DirectAccess. Therefore I started testing with a local QOS policy on a test laptop.

    This is what I configured on a test laptop

    MMC

    File - Add/Remove snap-in

    Add “Group Policy Object Editor” and select local Computer

    In the Local Computer Policy Editor browse to :  Computer Configuration  > Windows Settings > Policy-based QoS

    Create a new policy and give it a suitable name

    Disable “Specify DSCP” value

    Enable “Specify Outbound Throttle Rate” and set it to 25 KBps

    Next

    Enable “only applications with this executable name: “ and typed
    C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe

    This is the exe of the DPM client

    Next

    This QoS policy applies to: Any source IP address and Any destination IP address

    Next

    Selected protocol is TCP and UDP from any source and any destination port

    Finish

     

    This policy has no effect on the transfer rate of the DPM client. This can be easily checked in the Windows 7 Resource Monitor on the Network tab.

    Tuesday, October 19, 2010 8:36 PM
  • I've just come across this document. It is written for Vista, but I think it is safe to assume it also applies to Windows 7.

    "Windows Vista Policy-based Quality of Service (QoS)" http://www.microsoft.com/downloads/en/details.aspx?FamilyID=59030735-8fde-47c7-aa96-d4108f779f20&DisplayLang=en

    In this document the following is written:

    Advanced Settings for Roaming and Remote Users
    With Policy-based QoS, the goal is to manage traffic on an enterprise's network. In mobile scenarios, users might be sending traffic on or off the enterprise network. Because QoS policies are not relevant while away from the enterprise's network, QoS policies are enabled only on network interfaces connected to the enterprise for Windows Vista.

    For example, a user might connect her portable computer to her enterprise's network via VPN from a coffee shop. For VPN, the physical network interface (such as wireless) will not have QoS policies applied. However, the VPN interface will have QoS policies applied because it connects to the enterprise. If the user later enters another enterprise's network that does not have an Active Directory trust relationship, QoS policies will not be enabled.


    Could it be possible that the DirectAccess connection is not seen by the OS as a VPN connection and therefore the QoS rules don't apply?

    Wednesday, October 20, 2010 12:39 PM
  • It depends on how QoS checks for an enterprise network interface.

    If it looks for only domain profiled interfaces, then this will not work in DirectAccess, since in DirectAccess you don't have a special physical interface for corp connectivity, so the actual profile stays public or private. Even though you can reach the domain, as long as the inside/outside detection returns OUTSIDE, you cannot be marked as domain profile.

    This is unlike other VPN solutions, which create a different interface that is able to connect to the domain and to the inside/outside server and can therefore be categorized as domain profile.

    We will try to find out if this solution indeed relies on the profile or not.

    Wednesday, October 20, 2010 3:53 PM
  • On my test laptop the wireless connection was configured as  "Home network". I changed it to "Work network" (and rebooted) but this does not make any difference.

    I then plugged in the LAN cable. DA disconnects automatically and I restarted the transfer. Then the QOS policy kicks in and the transfer is limited to the specified throttle speed.

    The physical LAN adapter is recognized as "Domain network"

    So yes, maybe indeed it is the network profile that is the cause.

    Wednesday, October 20, 2010 4:17 PM
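
A way to check the profile theory discussed above on a client, as an added example that is not part of the original thread: it lists every connected network with the category Windows assigned to it, so the wired LAN case and the DirectAccess case can be compared. That policy-based QoS follows this category is the thread's working assumption, not something the script proves.

```powershell
# Added diagnostic example (not from the thread). Lists each connected network
# and its Network List Manager category, which the posts call the "profile".
# Runs on Windows 7 (PowerShell 2.0) without extra modules.

# NLM_NETWORK_CATEGORY values returned by INetwork::GetCategory().
$categoryNames = @{ 0 = 'Public'; 1 = 'Private (Home/Work)'; 2 = 'Domain' }

# CLSID of the Network List Manager COM class (INetworkListManager).
$nlmType = [Type]::GetTypeFromCLSID([Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B')
$nlm     = [Activator]::CreateInstance($nlmType)

# 1 = NLM_ENUM_NETWORK_CONNECTED: only networks that are currently connected.
$networks = @(foreach ($net in $nlm.GetNetworks(1)) {
    $category = [int]$net.GetCategory()
    New-Object PSObject -Property @{
        Name     = $net.GetName()
        Category = $categoryNames[$category]
        IsDomain = ($category -eq 2)
    }
})

$networks | Format-Table Name, Category, IsDomain -AutoSize

# The thread's observation: throttling worked only when a connected network
# was categorized as Domain (the wired LAN), not over DirectAccess.
if (-not ($networks | Where-Object { $_.IsDomain })) {
    'No connected network is categorized as Domain; per the thread, expect the QoS throttle not to apply.'
}

# Cross-check against the firewall profile Windows reports as active.
netsh advfirewall show currentprofile
```

Run it once on the LAN and once while connected through DirectAccess, then compare the Category column with the throughput seen in Resource Monitor.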
  • I see.

    By the way, "Work network" is simply another name for the private profile. The only difference from "Home network" is the icon :)

    Thursday, October 21, 2010 5:28 PM
  • It indeed looks like the QOS policies are not enforced because of the connection profile. When DA is active this is not detected as a domain network connection.

    Is this something MS is going to look into or should I open a support ticket at MS?

    Tuesday, October 26, 2010 8:36 AM
  • Hi Mister Iks,

    I believe that in order to enforce QoS the client needs to apply the domain profile - which can't happen when the client is acting as a DirectAccess client, since the DirectAccess client settings are only available when the client is using the Public or Private profiles.

    We're looking into this. I don't think we'll have a fix soon - but if something happens like a workaround, we'll post to the Team Blog and the Edge Man blog.

    Thanks!

    Tom


    Thursday, October 28, 2010 2:29 PM
  • I've run into this issue. It's quite a serious problem. Remote users using DirectAccess are by their nature often on slow networks, and worse still asynchronous ones. I have a user who since I enabled DPM backups, each time the scheduled backup kicks in his ping times go up to over 1000ms, his VoIP calls drop and his net connection becomes unusable.

    It's a real pity as DPM over DA for laptop users would be a neat solution, but I can't use it until there is some mechanism for throttling the bandwidth.

    Tim

    Monday, November 22, 2010 10:56 PM
  • I'm glad I’m no longer the only one struggling with this issue.

    Can someone from MS give an update on this?

    Tuesday, November 23, 2010 3:34 PM
  • Hi Mr. Iks,

    It seems to be an issue with domain detection and firewall policy.

    Not sure if there is a fix at this time, but I'll see what I can find out.

    Tom


    • Marked as answer by Erez Benari Monday, December 27, 2010 11:54 PM
    Wednesday, November 24, 2010 11:08 AM
  • Hi Thomas,

    Do you have any news on this?

    Thanks!

    Friday, January 7, 2011 2:27 PM
  • Hi Mister Iks,

    From what I can tell, we don't have a fix for this because of how DirectAccess works.

    However, I still don't have any information about any possible workarounds.

    Tom


    Saturday, January 8, 2011 12:02 AM
  • OK - from what I understand, we really don't have a workaround for this at this time.

    Tom


    Monday, January 10, 2011 3:52 PM