DirectAccess 2012 forced tunnel breaks computer GPO deployment

  • Question

  • We are running into an issue with a Server 2012 DirectAccess deployment. The split tunnel deployment works great but we have an issue with forced tunneling.

    The client wants to test the forced tunnel to send Internet browsing back through their web filtering solution. When configuring the DA policy for forced tunnel, the web browsing behaves as expected and all traffic goes through the filtering appliance. However, the DA client can no longer get computer based group policy updates. The issue appears to be related to the forced tunneling NRPT record added to address the "." all domain record. With this NRPT entry in place, I get the following when attempting a gpupdate:

    ---------------

    C:\Windows\system32>gpupdate

    Updating Policy...

    User Policy update has completed successfully.

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    ----------------

    If I manually remove the "." or replace the "." with the domain.local record that is included in the split tunnel configuration, the results go back to the expected:

    -----------------------

    C:\Windows\system32>gpupdate

    Updating Policy...

    User Policy update has completed successfully.

    Computer Policy update has completed successfully.

    ----------------------

    I know the "." is required to force all traffic back over the DA tunnel but I was hoping to find why this is causing the computer side policies not to update. Any suggestions would be greatly appreciated.


    Eric J. Inch | C/D/H | MCITP EA/EMA/LYNC/VA | CISSP | CEH | GSEC | VCP | CCNA


    • Edited by eric-apex Friday, June 22, 2012 6:17 PM
    Friday, June 22, 2012 6:17 PM

All replies

  • Hi,

    When you enable force tunneling, the default domain NRPT entry is deleted and converted to the Any suffix ("."). At this time, DirectAccess and corporate connectivity should still work correctly.

    However, in order to complete the force tunneling configuration, you must assign the Any entry (".") a web proxy. This must be done using the Set-DAClientDnsConfiguration cmdlet. When doing this change, you must also add the domain's DNS suffix as an additional NRPT entry. This is due to the fact that you don't want traffic meant for the intranet to go through the web proxy.

    These steps should be added to the TechNet documentation sometime soon.

    • Marked as answer by eric-apex Monday, July 2, 2012 6:30 PM
    • Unmarked as answer by eric-apex Monday, August 20, 2012 6:17 PM
    Sunday, June 24, 2012 11:54 AM
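The two server-side NRPT changes described in the reply above, followed by the client-side check a practitioner would run, as an added PowerShell example that is not from this thread or from Microsoft's documentation; the proxy name, domain suffix and intranet DNS address are assumed placeholders, and the cmdlets are those of the Windows Server 2012 RemoteAccess module.

```powershell
# Added example (not from the thread). Run on the DirectAccess server in an
# elevated session; the RemoteAccess module is installed with the role.
# ASSUMED values - replace with your own:
$ProxyServer  = 'webproxy.corp.example.local:8080'   # assumed web filtering proxy
$DomainSuffix = 'corp.example.local'                 # assumed AD DNS suffix
$IntranetDns  = '2001:db8:1::1'                      # assumed DNS64/intranet DNS (IPv6)

Import-Module RemoteAccess

# 1) Enabling force tunneling turns the domain rule into the Any ('.') rule.
#    Assign that rule the web proxy so Internet-bound names are filtered.
Set-DAClientDnsConfiguration -DnsSuffix '.' -ProxyServer $ProxyServer -PassThru

# 2) Re-add the domain suffix as its own NRPT rule resolved by the intranet DNS,
#    so domain controller and SYSVOL lookups bypass the proxy. Use Set- when the
#    rule already exists (e.g. left over from a split-tunnel configuration).
$existing = Get-DAClientDnsConfiguration |
    Where-Object { $_.DnsSuffix.TrimStart('.') -eq $DomainSuffix }
if ($existing) {
    Set-DAClientDnsConfiguration -DnsSuffix $DomainSuffix -DnsIPAddress $IntranetDns -PassThru
} else {
    Add-DAClientDnsConfiguration -DnsSuffix $DomainSuffix -DnsIPAddress $IntranetDns -PassThru
}

# 3) Review the resulting table: expect '.' with a ProxyServer and the domain
#    suffix with a DnsIPAddress and no proxy.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress, ProxyServer -AutoSize

# --- On a DirectAccess client (Windows 8 or later) after gpupdate /target:computer ---
# The effective NRPT must show the domain suffix with DirectAccessDnsServers set
# and no DirectAccessProxyName; if only the '.' rule is present, computer-policy
# lookups for the DC are sent to the proxy and gpupdate fails as in the question.
Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -eq '.' -or $_.Namespace.TrimStart('.') -eq $DomainSuffix } |
    Format-List Namespace, DirectAccessDnsServers, DirectAccessProxyName, DirectAccessProxyType
```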
  • Yaniv,

    How would a client go about this configuration if they didn't have a traditional web proxy server providing filtering? I have a client that uses a Palo Alto firewall for all outbound traffic which also provides the URL filtering. It doesn't use the traditional web proxy configuration and dedicated port.

    1) I have attempted to use the DNS name that maps to the IP of the Palo Alto within the DAClientDnsConfiguration but the web traffic is not filtered. I'm assuming since the Palo Alto just examines all outbound traffic and determines which traffic is HTTP/HTTPS and doesn't do the traditional proxy, the web proxy setting will not work in this scenario.

    2) I also removed the DAClientDnsConfiguration setting for web proxy and configure DirectAccessProxyType back to 0 and it then defaults back to correctly filtering all web traffic with the Palo Alto URL filtering policies but then we are back to GPOs not getting applied even with a separate domain DNS NRPT entry.

    My question back to you is - Is it possible to force tunnel all web traffic to the internal network and out a non-web proxy device while still separating intranet traffic?

    Thanks.


    Eric J. Inch | C/D/H | MCITP EA/EMA/LYNC/VA | CISSP | CEH | GSEC | VCP | CCNA

    Monday, August 20, 2012 3:27 PM
  • In reading over your previous reply, you state that:

    "the default domain NRPT entry is deleted and converted to the Any suffix ("."). At this time, DirectAccess and corporate connectivity should still work correctly."

    However, when the "." entry is present, corporate connectivity doesn't work completely and this is when I get the following message after running a gpupdate:

    ---------------

    C:\Windows\system32>gpupdate

    Updating Policy...

    User Policy update has completed successfully.

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    ---------------

    Any suggestions?


    Eric J. Inch | C/D/H | MCITP EA/EMA/LYNC/VA | CISSP | CEH | GSEC | VCP | CCNA

    Monday, August 20, 2012 6:33 PM
  • Ericcdh, I'm troubleshooting the same issue. Did you find a solution?
    I'll let you know if I find anything...
    Wednesday, September 26, 2012 12:40 PM
  • Was this resolved?
    Wednesday, May 22, 2013 1:23 PM
  • Hi,

    Had the same problem and found this which seems to have solved the problem for us: http://geek.martinwahlberg.com/problem-using-forced-tunneling-mode-in-directaccess

    We only modified the "use local name resolution for any kind of DNS resolution error (least restrictive)" setting, and then gpupdates started working on our DA connected clients.

    Regards

    Johan

    • Edited by Johan_vv Thursday, May 23, 2013 9:09 AM Added more info
    Thursday, May 23, 2013 8:54 AM