UAG DirectAccess and NAP enforcement bug

  • Not sure if posting this here is the right way to report a "bug", but this might help anyone experiencing this issue.

    Scenario: UAG DirectAccess with NAP enforcement on the intranet tunnel.

    When selecting "Accept connections only from computers that are compliant with NAP policy", the authentication is not properly set in the GPO.
    Specifically "Apply Authorization" is not set in the policy, so the Health Certificate requirement is not enforced.

    Without UAG, netsh has to be used to set NAP enforcement: http://technet.microsoft.com/en-us/library/ee649156%28WS.10%29.aspx
    The netsh command must issue "applyauthz=yes", which the UAG created script doesn't do.

    I fixed this by running the following after applying UAG DirectAccess policy:
    (change yourdomain.com to your AD domain, and the policy name to reflect any custom policy name for the DA server)

    Netsh
    netsh> Advfirewall
    netsh advfirewall> set store gpo="yourdomain.com\UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
    netsh advfirewall> consec set rule "UAG DirectAccess Gateway - Clients Corp Tunnel" new applyauthz=yes

    David
    Thursday, February 18, 2010 11:07 AM

All replies

  • Hi David,

    From my understanding, the NAP enforcement is enabled on the intranet tunnel (UAG DirectAccess Gateway - Clients Corp Tunnel) by defining the HealthCert=True property in the GPO (it is also in the PS script as auth1healthcert=yes or similar).

    In my experience, to get UAG to actually block non-compliant NAP clients, you need to add the following registry key to the UAG server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\IkeNapUseHeuristic (REG_DWORD), set to 1.

    Source: http://technet.microsoft.com/ja-jp/library/ee382256(WS.10).aspx 

    For some reason, this key has been removed from the US technet site, but it is vital I think :\

    Maybe the netsh command does something similar???

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, February 18, 2010 3:06 PM
    Moderator
  • Hi Igor,
    You are right. In order to enforce health on DirectAccess clients, IPsec also requires authorization on the Corp Tunnel.
    You can use the netsh commands you specified to enable that authorization (applyauthz=yes).

    This issue will be fixed as soon as the first Microsoft Update for UAG is released.
    Tuesday, February 23, 2010 9:33 PM
  • Hi Yaniv,

    So the registry key works, but is not the most efficient fix?

    Does the netsh for applyauthz command need to be added after every UAG DA policy generation or activation?

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, February 24, 2010 12:44 AM
    Moderator
  • Yes, if you reapply the policy the AllowAuthz flag is reset to the default "no", so you'll have to remember to run the netsh command afterwards.

    Good to see that it'll be fixed! :)

    David
    Thursday, February 25, 2010 4:26 PM
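The following is an added example, not code from the thread or from the UAG product, that scripts David's netsh workaround and Jason's follow-up point that it must be repeated after every policy activation: it re-applies applyauthz=yes to the corp-tunnel rule in the GPO and verifies the result. It assumes the domain, GPO name/GUID and rule name from David's post (substitute your own), and that the verbose rule dump labels the flag "ApplyAuthorization".

```powershell
# Added example (not from the thread or from UAG): re-apply the ApplyAuthorization flag
# to the UAG DirectAccess corp-tunnel rule in its GPO and verify it took.
# "set store" only lasts for one netsh session, so the commands are written to a netsh
# script and executed with "netsh -f" in a single process instead of one netsh call each.
# Domain, GPO name/GUID and rule name are the values from David's post; substitute yours.
$Domain   = 'yourdomain.com'
$GpoName  = 'UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}'
$RuleName = 'UAG DirectAccess Gateway - Clients Corp Tunnel'

$netshScript = @"
advfirewall
set store gpo="$Domain\$GpoName"
consec set rule name="$RuleName" new applyauthz=yes
consec show rule name="$RuleName" verbose
"@

$scriptPath = Join-Path $env:TEMP 'uag-applyauthz.netsh.txt'
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII

# Run the whole script in one netsh session and capture its output for verification.
$output = netsh -f $scriptPath 2>&1
Remove-Item $scriptPath -ErrorAction SilentlyContinue

# Assumption: the verbose rule dump lists the flag as "ApplyAuthorization: Yes/No";
# adjust the pattern if your Windows build prints the field differently.
if ($output -match 'ApplyAuthorization:\s+Yes') {
    Write-Output "OK: authorization (health certificate check) is enforced on '$RuleName'."
    exit 0
}
else {
    Write-Warning "ApplyAuthorization is not 'Yes' on '$RuleName'; netsh output follows."
    $output | Write-Output
    exit 1
}
```

Run it from an elevated session with rights to edit the GPO, and rerun it after every UAG DirectAccess policy generation or activation, since regeneration resets the flag to "no".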