Cannot remotely manage computers connected to UAG/DirectAccess

All replies

  • Have you configured the managing clients (support staff PCs) with IPv6 addressing information? Manage-out requires IPv6 on the intranet hosts...

    Also, you don't need to add the support staff PCs to the management servers group; this is used for inbound only... 

    http://blogs.technet.com/b/edgeaccessblog/archive/2009/11/17/deep-dive-into-uag-directaccess-manage-out-basics.aspx


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Friday, May 27, 2011 12:30 AM
    Moderator
  • All the staff PCs have IPv6 installed, but not enabled.  I do see ISATAP addresses working, and they can ping the name of the DA client and get the correct address returned.


    • Edited by Red01Z06 Wednesday, June 1, 2011 1:53 PM
    Friday, May 27, 2011 2:16 PM
  • Ah, you should have mentioned you were using ISATAP, that would have helped ;)

    Sounds like a good summation...maybe you defined the firewall rules with an incorrect or typo'd IPv6 prefix scope setting???

    Also, what about IP-HTTPS clients? 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Friday, May 27, 2011 2:23 PM
    Moderator
  • Have not tried IP-HTTPS yet, but would the IPv6 prefix be the same for 6to4 as it is for Teredo?
    Friday, May 27, 2011 2:32 PM
  • No, they would normally be:

    First Public IPv4=WW.XX.YY.ZZ
    2001:0:WWXX:YYZZ::/64 (Teredo)
    2002:WWXX:YYZZ:8000::/64 (ISATAP)
    2002:WWXX:YYZZ:8100::/56 (IP-HTTPS)
    2002:WWXX:YYZZ::/[16+IPv4 CIDR] (6to4)


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, May 27, 2011 2:34 PM
    Moderator
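The prefix scheme in the reply above, worked through in code. This is an added example, not code from the thread: it derives the Teredo, ISATAP, IP-HTTPS and 6to4 prefixes from a DA server's first public IPv4 address using the prefix lengths quoted above (/64, /64, /56 and /[16 + IPv4 CIDR]), and decodes an ISATAP address back into its /64 prefix and the IPv4 it embeds, which is how you read the `2002:WWXX:YYZZ:8000:0:5efe:a.b.c.d` addresses that appear in WFP dumps and firewall scopes. The public address it uses is a constructed documentation-range value, not the thread's.

```python
"""Derive the IPv6 prefixes a UAG DirectAccess deployment takes from its first
public IPv4 address, and decode an ISATAP address back into its /64 prefix and
the IPv4 address it embeds.

Added example, not code from the thread. The prefix lengths (/64 Teredo and
ISATAP, /56 IP-HTTPS, /[16 + CIDR] 6to4) are the ones quoted in the reply above;
SAMPLE_PUBLIC_V4 is a constructed documentation-range address."""
from __future__ import annotations

import ipaddress

SAMPLE_PUBLIC_V4 = "203.0.113.10"   # constructed, not the thread's real address


def _v4_words(v4: ipaddress.IPv4Address) -> tuple[int, int]:
    """Split a.b.c.d into the WWXX and YYZZ 16-bit words used by 6to4 and Teredo."""
    n = int(v4)
    return (n >> 16) & 0xFFFF, n & 0xFFFF


def da_prefixes(public_ipv4: str, ipv4_cidr: int = 32) -> dict[str, str]:
    """Return the Teredo, ISATAP, IP-HTTPS and 6to4 prefixes for a DA server whose
    first public IPv4 address is public_ipv4; ipv4_cidr is the public block size."""
    wwxx, yyzz = _v4_words(ipaddress.IPv4Address(public_ipv4))
    # 6to4 embeds the whole public IPv4 block, so its length is 16 + the IPv4 CIDR.
    v4net = ipaddress.IPv4Network(f"{public_ipv4}/{ipv4_cidr}", strict=False)
    six_to_four = ipaddress.IPv6Network(
        ((0x2002 << 112) | (int(v4net.network_address) << 80), 16 + ipv4_cidr))
    # Round-trip each literal through IPv6Network to get the canonical spelling.
    return {
        "teredo":   str(ipaddress.IPv6Network(f"2001:0:{wwxx:x}:{yyzz:x}::/64")),
        "isatap":   str(ipaddress.IPv6Network(f"2002:{wwxx:x}:{yyzz:x}:8000::/64")),
        "ip-https": str(ipaddress.IPv6Network(f"2002:{wwxx:x}:{yyzz:x}:8100::/56")),
        "6to4":     str(six_to_four),
    }


def isatap_decode(addr: str) -> tuple[str, str]:
    """Split an ISATAP address (<prefix>:0:5efe:a.b.c.d) into its /64 prefix and the
    embedded IPv4 address; raise ValueError if the interface ID is not ISATAP."""
    n = int(ipaddress.IPv6Address(addr))
    # ISATAP interface IDs start 0000:5efe, or 0200:5efe when the IPv4 is global;
    # masking out 0x0200_0000 ignores that u/l flag.
    if ((n >> 32) & 0xFDFFFFFF) != 0x00005EFE:
        raise ValueError(f"{addr} does not carry an ISATAP interface identifier")
    prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    return str(prefix), str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


if __name__ == "__main__":
    for name, prefix in da_prefixes(SAMPLE_PUBLIC_V4).items():
        print(f"{name:9} {prefix}")
    # The ISATAP address that appears later in the thread's WFP filter dump.
    print(isatap_decode("2002:18f9:eca4:8000:0:5efe:10.1.126.212"))
```

When you check a manage-out firewall rule's remote-address scope, compare it against the `isatap` and `ip-https` prefixes this returns for your own public address; a typo in either is exactly the kind of scope mistake the reply above asks about.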
  • Ok, I have been testing with the client.  I do not see 6to4 working.  I only see connections from the UAG server to remote clients.  None of the other workstations or servers can connect.  Pings do not work from servers or workstations.

    I have edited the Firewall GPOs to allow any IP in, no scope, in order to test.

    What else should I be looking at?

    Friday, May 27, 2011 8:38 PM
  • Name | Group | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers
    File and Printer Sharing (Echo Request - ICMPv4-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | Any | Any | Any | ICMPv4 | Any | Any | Any | Any
    File and Printer Sharing (Echo Request - ICMPv6-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | Any | Any | Any | ICMPv6 | Any | Any | Any | Any
    File and Printer Sharing (LLMNR-UDP-In) | File and Printer Sharing | All | Yes | Allow | No | %SystemRoot%\system32\svchost.exe | Any | Any | UDP | 5355 | Any | Any | Any
    File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | System | Any | Any | UDP | 138 | Any | Any | Any
    File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | System | Any | Any | UDP | 137 | Any | Any | Any
    File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | System | Any | Any | TCP | 139 | Any | Any | Any
    File and Printer Sharing (SMB-In) | File and Printer Sharing | Private, Public | Yes | Allow | No | System | Any | Any | TCP | 445 | Any | Any | Any
    File and Printer Sharing (Spooler Service - RPC) | File and Printer Sharing | Private, Public | Yes | Allow | No | %SystemRoot%\system32\spoolsv.exe | Any | Any | TCP | RPC Dynamic Ports | Any | Any | Any
    File and Printer Sharing (Spooler Service - RPC-EPMAP) | File and Printer Sharing | Private, Public | Yes | Allow | No | Any | Any | Any | TCP | RPC Endpoint Mapper | Any | Any | Any
    Remote Desktop (TCP-In) | Remote Desktop | All | Yes | Allow | No | System | Any | Any | TCP | 3389 | Any | Any | Any

    These are the rules I have in the GPO.  No scope, and edge traversal allowed.

    Friday, May 27, 2011 8:52 PM
  • Ok to recap,

    UAG server seems to be working for inbound DirectAccess.  IPv4 internal network, so UAG is the ISATAP router.

    I do see in the web monitor 2 connections from the clients, Teredo and IP-HTTPS. 

    I cannot ping or remote to the clients from inside the network.

    I can RDP to the clients from the UAG server, but cannot ping from there either.

    Saturday, May 28, 2011 10:17 PM
  • Hi Amigo. Have you set "allow edge traversal" in the advanced properties of the Inbound Firewall Rule?

    Regards


    // Raúl - I love this game
    Tuesday, May 31, 2011 1:24 PM
  • I have, I have also removed those rules that were listed above and created new custom rules for RDP and ICMPv6 with edge traversal. 
    Tuesday, May 31, 2011 1:28 PM
  • What are the steps to trace where I am losing this connection?
    Wednesday, June 1, 2011 1:52 PM
  • Have you tried using tracert from an internal client? Do you reach the UAG server?

    What IPv6 routes do you have on the internal ISATAP clients?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, June 2, 2011 12:15 AM
    Moderator
  • Ok, I have rebuilt the UAG system from a clean OS and fresh install.  UAG with SP1.  Before I had UAG and applied SP1 to it.

    UAG is performing ISATAP router.  Internal IPv4 network.  I created a custom GPO to allow RDP and ICMPv6 with edge traversal.

    I can ping the remote machines from any internal computer, but cannot RDP to them.  I can ping and RDP from the UAG server.  What am I missing? 

    Thursday, June 16, 2011 3:03 PM
  • Have you tried using tracert from an internal client? Do you reach the UAG server?

    What IPv6 routes do you have on the internal ISATAP clients?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Can you please answer this?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, June 16, 2011 3:20 PM
    Moderator
  • Yes, tracert works, it goes to UAG then client.

    I found this thread, it looks like the same thing as me:

    http://social.technet.microsoft.com/Forums/zh/forefrontedgeiag/thread/ac17fd54-fc87-44af-b399-9aeacbba7e14


    Thursday, June 16, 2011 3:35 PM
  • Are there any TMG logs I can view to see traffic from internal to DA?  I have installed Wireshark on the UAG server, and when I ping from internal to a DA client I see packets coming in on the internal interface but no return packets.  On the public interface of UAG I see return packets, but no sent packets.  At the internal client I see both send and return.  Of course this is all ICMP.

    When I use wireshark and try RDP, I see packets leave the internal client, and no returns.  I see packets come in at UAG internal interface with no returns.  I see nothing on the public UAG interface.

    Thursday, June 16, 2011 3:54 PM
  • Ok, I have enabled a web site on the client to try other protocols, same result: can access from UAG, but not from internal systems.

    As with the other thread I linked above, I am seeing these errors also:

    ERROR_IPSEC_IKE_QM_ACQUIRE_DROP

    ERROR_IPSEC_IKE_QUEUE_DROP_MM

    ERROR_IPSEC_IKE_QUEUE_DROP_NO_MM

    ERROR_IPSEC_IKE_DROP_NO_RESPONSE

    ERROR_IPSEC_IKE_MM_DELAY_DROP

    ERROR_IPSEC_IKE_QM_DELAY_DROP

    ERROR_IPSEC_IKE_ERROR

    ERROR_IPSEC_IKE_CRL_FAILED

    ERROR_IPSEC_IKE_INVALID_KEY_USAGE


    So, how can I find out if I am having IPsec problems?  Could I have tunnel problems that are only used for connections from internally generated apps?  I know ICMP is outside IPsec....
    Thursday, June 16, 2011 4:45 PM
  • Ok, I also found out today that a DA client can RDP to another DA client.  This is starting to sound like I have a problem with the UAG/TMG firewall.  ICMP works from internal clients, the UAG server, and external DA clients.  Other protocols, i.e. RDP, HTTP, work from the UAG server and DA-connected machines.  No internal machine can connect to DA-connected machines with anything other than ICMP.

    Friday, June 17, 2011 1:47 PM
  • Are you sure TMG isn't denying the outbound connections? What did you get in the TMG realtime monitor when attempting outbound RDP sessions?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, June 17, 2011 3:36 PM
    Moderator
  • I am not sure, I am not getting anything in the TMG logs when I filter for RDP....
    Friday, June 17, 2011 4:19 PM
  • You may not see RDP if the data is encapsulated; can you try and filter on source or destination IPv6 addresses?

    Odd problem, not seen this happen yet...



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Friday, June 17, 2011 4:28 PM
    Moderator
  • I do not see in the TMG logs where I can filter on IPv6 source or destination.
    Friday, June 17, 2011 4:31 PM
  • Ok, when I filter on the client IPv4, I see the first Initiate Connection IPv6 over IPv4 Tunnel request come in to TMG with the operation completed successfully.  Then later the Close Connection.  I need to try to capture the data in between, the data sent or trying to send down that tunnel.
    Friday, June 17, 2011 4:42 PM
  • Should there be a TMG rule allowing internal traffic to DA clients?
    Friday, June 17, 2011 5:18 PM
  • I've just done some tracing on our system and see traffic using the DirectAccess Allow NATPT rule...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, June 17, 2011 5:34 PM
    Moderator
  • I have that rule, it is set for allow to internal on my system.
    Friday, June 17, 2011 5:36 PM
  • Have you tried using RDP from one of your servers that are defined as Management Servers in your DA setup?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, June 17, 2011 5:39 PM
    Moderator
  • Yes, and I have added the workstation that want to RDP to the clients in a management group.
    Friday, June 17, 2011 5:42 PM
  • It kinda sounds like you only have an inbound IPsec tunnel...this really is very odd...

    Where are you seeing the IPSec errors? Do you get these at exactly the same time as you try to connect?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, June 17, 2011 5:56 PM
    Moderator
  • I get them at the client.  I have not looked into the timing of that.  I think it is IPsec tunnel problems because ICMP is IPsec exempt also.  Just cannot find out why or where or...
    Friday, June 17, 2011 5:59 PM
  • Any ideas on how to track down IPsec tunnel problems?  Or where else I should look?
    Monday, June 20, 2011 1:08 PM
  • Ok, when I watch the security event log on the DA client, I see one Event ID 5451 IPsec quick mode, then three sets of 5058/5061?  Does this relate?  It looks like it makes an IPsec tunnel, checks the key storage, then ......
    Monday, June 20, 2011 1:31 PM
  • Ok, the 5058 is read machine key - Read persisted key from file - Return code 0x0

         the 5061 is key storage - Open Key - Return code 0x0


    Monday, June 20, 2011 1:40 PM
  • Also, I am seeing the DA client doing DNS lookups for ISATAP.  Why would it be looking for ISATAP while external and connected via Teredo?
    Monday, June 20, 2011 2:04 PM
  • Ok, on the UAG server, when attempting an RDP connection from an internal machine to an external DA client, I see WFP event IDs 1009 and 1005, IPsec Extended Mode Failure. 

    1009 failureErrorCode 2148074252   FailurePoint 2   Flags 1

    1005 FailureErrorCode 13825    FailurePoint 1

    Monday, June 20, 2011 2:25 PM
  • This is from the wfpfilters log from netsh:

    <item>
      <filterKey>{dd37ba7d-6571-456f-9f79-940a46917539}</filterKey>
      <displayData>
        <name>UAG DirectAccess Client - Clients Access Enabling Tunnel - All</name>
        <description>Policies to enable access granting resources(DC, DNS, NAP, etc.) over IPsec. Generated on Wednesday, 15 June 2011 20:25 UTC.</description>
      </displayData>
      <flags numItems="1">
        <item>FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT</item>
      </flags>
      <providerKey>{1bebc969-61a5-4732-a177-847a0817862a}</providerKey>
      <providerData />
      <layerKey>FWPM_LAYER_IPFORWARD_V6</layerKey>
      <subLayerKey>FWPM_SUBLAYER_IPSEC_TUNNEL</subLayerKey>
      <weight>
        <type>FWP_UINT8</type>
        <uint8>0</uint8>
      </weight>
      <filterCondition numItems="2">
        <item>
          <fieldKey>FWPM_CONDITION_IP_SOURCE_ADDRESS</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_V6_ADDR_MASK</type>
            <v6AddrMask>
              <addr>2002:18f9:eca4:8000:0:5efe:10.1.126.212</addr>
              <prefixLength>128</prefixLength>
            </v6AddrMask>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_ARRIVAL_INTERFACE_PROFILE_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_UINT32</type>
            <uint32>2</uint32>
          </conditionValue>
        </item>
      </filterCondition>
      <action>
        <type>FWP_ACTION_CALLOUT_TERMINATING</type>
        <calloutKey>FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6</calloutKey>
      </action>
      <providerContextKey>{99098652-1bc1-4149-a4d5-d6e6ace25c68}</providerContextKey>
      <reserved />
      <filterId>259103</filterId>
      <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>288230376151711745</uint64>
      </effectiveWeight>
    </item>

    The internal machine trying to connect to the DA client is the ISATAP address 10.1.126.212.
    Monday, June 20, 2011 5:56 PM
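A way to work through a full `netsh wfp show filters` dump rather than eyeballing one entry, as an added example that is not part of the thread. The script below pulls out every filter whose source- or destination-address condition covers a given host (here the internal ISATAP host from the post above) and reports the layer, sub-layer, action and IPsec callout of each, so you can see at a glance what the dump holds for that host in each direction instead of finding a single inbound-tunnel entry by searching. It assumes the element names shown in the posted entry (`item`, `filterKey`, `filterCondition`, `v6AddrMask`, `action/calloutKey`); the embedded XML is the one filter from the post, trimmed and wrapped in a constructed `<filters>` root so it parses stand-alone, whereas a real dump holds thousands of items.

```python
"""List the WFP filters in a `netsh wfp show filters` XML dump whose IPv6
source or destination condition matches one host.

Added example, not code from the thread. SAMPLE_WFP_XML is the single filter
entry posted in the thread, trimmed and wrapped in a constructed <filters> root;
the element names assumed here are the ones visible in that entry."""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_WFP_XML = """<filters>
<item>
  <filterKey>{dd37ba7d-6571-456f-9f79-940a46917539}</filterKey>
  <displayData>
    <name>UAG DirectAccess Client - Clients Access Enabling Tunnel - All</name>
  </displayData>
  <layerKey>FWPM_LAYER_IPFORWARD_V6</layerKey>
  <subLayerKey>FWPM_SUBLAYER_IPSEC_TUNNEL</subLayerKey>
  <filterCondition numItems="2">
    <item>
      <fieldKey>FWPM_CONDITION_IP_SOURCE_ADDRESS</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_V6_ADDR_MASK</type>
        <v6AddrMask>
          <addr>2002:18f9:eca4:8000:0:5efe:10.1.126.212</addr>
          <prefixLength>128</prefixLength>
        </v6AddrMask>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_ARRIVAL_INTERFACE_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_UINT32</type><uint32>2</uint32></conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_CALLOUT_TERMINATING</type>
    <calloutKey>FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6</calloutKey>
  </action>
  <filterId>259103</filterId>
</item>
</filters>
"""


def _text(elem: ET.Element, path: str, default: str = "") -> str:
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def _address_matches(item: ET.Element, host: ipaddress.IPv6Address, field: str) -> bool:
    """True if the filter has an EQUAL condition on `field` whose v6 prefix covers host."""
    for cond in item.findall("filterCondition/item"):
        if _text(cond, "fieldKey") != field or _text(cond, "matchType") != "FWP_MATCH_EQUAL":
            continue
        addr = _text(cond, "conditionValue/v6AddrMask/addr")
        plen = _text(cond, "conditionValue/v6AddrMask/prefixLength", "128")
        if addr and host in ipaddress.IPv6Network(f"{addr}/{plen}", strict=False):
            return True
    return False


def filters_for_host(xml_text: str, host_v6: str) -> list[dict[str, str]]:
    """Return id, name, layer, sub-layer, action and callout of every filter whose
    source or destination address condition matches host_v6."""
    host = ipaddress.IPv6Address(host_v6)
    found = []
    for item in ET.fromstring(xml_text).iter("item"):
        if item.find("filterKey") is None:      # nested condition <item>s, not filters
            continue
        as_src = _address_matches(item, host, "FWPM_CONDITION_IP_SOURCE_ADDRESS")
        as_dst = _address_matches(item, host, "FWPM_CONDITION_IP_DESTINATION_ADDRESS")
        if not (as_src or as_dst):
            continue
        found.append({
            "filterId": _text(item, "filterId"),
            "name": _text(item, "displayData/name"),
            "layer": _text(item, "layerKey"),
            "subLayer": _text(item, "subLayerKey"),
            "action": _text(item, "action/type"),
            "callout": _text(item, "action/calloutKey"),
            "role": "source" if as_src else "destination",
        })
    return found


if __name__ == "__main__":
    # On a real server: netsh wfp show filters file=filters.xml, then load that file here.
    for row in filters_for_host(SAMPLE_WFP_XML, "2002:18f9:eca4:8000:0:5efe:10.1.126.212"):
        print(row["filterId"], row["role"], row["layer"], row["callout"], row["name"])
```

Run it against the whole dump with the manage-out host's ISATAP address and, separately, with the DA client's Teredo or IP-HTTPS address: the layers and callouts it lists for each are what tell you which tunnel filters exist for traffic in each direction, which is the question the thread leaves open.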
  • Hi Red,

    I cannot reproduce this, so not sure what else to suggest apart from recommending that you log a Microsoft support call for some assistance...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Friday, August 26, 2011 11:54 PM
    Tuesday, June 21, 2011 12:25 PM
    Moderator