DirectAccess 2012 - Force Tunneling IP-HTTPS: Windows 8 Client Reports No Internet Access, however the DirectAccess tunnel & Internet access is working

  • Question

  • Hello Everyone,

    I'm hoping someone who is using Force Tunneling over IP-HTTPS connection in DirectAccess 2012 has come across this issue.

    What I've found is that when Force Tunneling is enabled, Windows 8 DirectAccess clients report "No Internet Access" in their connection state, and the DirectAccess Properties status also shows "No Internet Access"; however, the Windows 8 client is able to successfully connect to the Internet as well as intranet resources.

    This issue does not appear to occur on Windows 7. With the same client settings applied to a Windows 7 machine, the network connectivity assistant (2.0) indicates DirectAccess is working properly.

    Force tunneling is a requirement for us, as Management wants all end-user traffic to be routed over the DirectAccess connection and does not want users to access their local network resources using their corporate-issued laptops.

    DirectAccess is currently setup in a single server/single NIC environment behind a firewall. The NLS is running on a separate server.

    Thursday, November 7, 2013 4:03 PM

Answers

  • I was able to resolve this by selecting the DNS option "Use local name resolution for any kind of DNS resolution error (least restrictive)".

    Once I did this, the error message was gone. I am suspecting that there is some sort of record lookup that is failing on the internal DNS servers. I will try to run Wireshark and see if I have time.

    But for now, the error is gone. We are using the 'Force Tunneling' option along with TMG web proxy where we log each user's activity anyways. So even if a user's machine uses local DNS for a lookup, the traffic still flows through the corporate network so we are ok from a compliance perspective. 

    Hope this helps you as well.


    SinghP80

    • Proposed as answer by SinghPalwinder Friday, November 15, 2013 3:47 PM
    • Marked as answer by Susie Long Wednesday, November 20, 2013 2:30 AM
    Friday, November 15, 2013 3:47 PM

All replies

  • Hi,

    Firstly, I recommend you check if there are any related error messages.

    Besides, please make sure that the DA client side is IPv6 aware and that UDP port 3544, UDP port 500 and TCP port 443 are open.

    More information:

    More on DirectAccess Split Tunneling and Force Tunneling

    http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx

    Best regards,

    Susie

    • Marked as answer by Susie Long Wednesday, November 13, 2013 1:51 AM
    • Unmarked as answer by Amardeep Juneja Wednesday, November 13, 2013 1:37 PM
    Friday, November 8, 2013 6:37 AM
  • Susie,

    Thanks for your reply. I don't see how opening ports would resolve this issue. The DirectAccess tunnel does come up on the Windows 8 client and the Windows 7 Clients connect just fine with port 443 open. It's just the Windows 8 client reports the wrong status.

    What is the purpose for opening UDP 3544 and UDP 500? I have 6to4 and Teredo disabled in my configuration.

    Wednesday, November 13, 2013 1:37 PM
  • Hello Amardeep,

    I am seeing the exact same issue. Everything is working fine but the status on Windows 8 and (in my case) also on Windows 7 shows "No Internet Access". If someone has any ideas, please advise.

    Thanks,


    SinghP80

    Friday, November 15, 2013 3:20 PM
  • This issue is explainable.

    Windows uses a feature called NCSI (Network Connectivity Status Indicator). In fact, Windows tries to connect to http://www.msftncsi.com/ncsi.txt. If it can reach that URL, then it indicates you have an Internet connection available. There are many reasons for it to fail.

    But since you are using Force Tunneling, Windows will try to use NCSI before the DirectAccess tunnel is established, and the NCSI probe will therefore fail to connect.

    See the following link for more information:

    Network Connectivity Status Indicator and Resulting Internet Communication

    http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx



    Boudewijn Plomp | BPMi Infrastructure & Security


    Wednesday, November 5, 2014 1:08 PM
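    A quick client-side check of the probe described in the post above, added here as an example (it is not from the thread and not Microsoft's own tooling). It assumes the DnsClient, DirectAccess and NetConnection PowerShell modules that ship with Windows 8 / Server 2012 and later, and that http://www.msftncsi.com/ncsi.txt is the probe URL, as the post states:

    ```powershell
    # Added example: compare what the NCSI probe sees with what the
    # DirectAccess client reports. Run on a DA client while connected remotely.
    $ncsiHost = 'www.msftncsi.com'
    $ncsiUrl  = "http://$ncsiHost/ncsi.txt"

    # 1. Which DNS path handles the probe name? With Force Tunneling the NRPT
    #    normally sends every name to the DirectAccess DNS64 address, so a
    #    failure here is a name-resolution problem, not a tunnel problem.
    Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers -AutoSize
    try {
        $answers = Resolve-DnsName -Name $ncsiHost -ErrorAction Stop
        $ips = ($answers | Where-Object { $_.IPAddress }).IPAddress -join ', '
        "Resolved ${ncsiHost}: $ips"
    } catch {
        "DNS resolution of $ncsiHost FAILED: $($_.Exception.Message)"
    }

    # 2. Does the HTTP probe succeed through the tunnel (and proxy)? NCSI expects
    #    the body 'Microsoft NCSI'. A proxy login page or captive portal also
    #    answers 200 but with the wrong body, which NCSI treats as no Internet.
    #    Note: Invoke-WebRequest uses the current user's proxy settings, which
    #    may differ from the WinHTTP proxy the NCSI service uses (assumption).
    try {
        $resp = Invoke-WebRequest -Uri $ncsiUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $bodyOk = ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq 'Microsoft NCSI')
        "HTTP probe: status $($resp.StatusCode), expected body = $bodyOk"
    } catch {
        "HTTP probe FAILED: $($_.Exception.Message)"
    }

    # 3. What do the client-side status sources say? A Substatus such as
    #    InternetConnectivityDown with a working tunnel points at the probe,
    #    not at the IP-HTTPS connection itself.
    Get-DAConnectionStatus | Format-List Status, Substatus
    Get-NetConnectionProfile |
        Format-Table Name, NetworkCategory, IPv4Connectivity, IPv6Connectivity -AutoSize
    ```

    If step 2 fails while step 3 shows ConnectedRemotely, the "No Internet Access" indicator is a probe-path issue (DNS, proxy or firewall rule for the probe) rather than a broken tunnel.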
  • I too am having this problem. My DA clients can connect to both intranet and internet resources with Force tunneling enabled, but both the NIC and DirectAccess Connections report "No Internet" (despite the fact that I can browse external web sites).

    I tried to select the DNS option "Use local name resolution for any kind of DNS resolution error (least restrictive)", but this did not resolve it for me.

    I also tried to disable the NCSI probing as suggested in regedit, but that did not totally resolve it either. The NIC states "Connected" but the DirectAccess connection states "No Internet".

    Any other way to resolve this?

    Wednesday, June 8, 2016 9:18 PM
  • Just to vote this up a little, I'm seeing the same thing in Windows 10 1511 and 1607 builds. The DA HTTPS tunnel is up and says connected, but the NCI which displays when you click the Wi-Fi tray icon says "No Internet Connection".

    I managed to get the "Get-DAConnectionStatus" cmdlet to stop moaning about InternetConnectivityDown by adding a firewall rule to the public and private firewalls to allow the NCI service access to all IPs on ports 80 and 53, but further testing is needed to see if this was just a fluke :(

    I'd be interested if anyone knows how the NCSI service connects to the web. Does it use the system proxy? (If not, then it's always going to get blocked by the firewall rules, as they block all outbound connectivity unless it matches a rule, and web traffic gets routed back to the internal proxy via configured PAC files.) This may explain why my additional NCI service rule helped a little, but it still doesn't explain why the tray icon still says "No Internet".


    • Edited by FluxboxUK Friday, September 23, 2016 10:12 PM
    Friday, September 23, 2016 10:10 PM