Remote Access (DirectAccess) Windows 2012 - Problems connecting with win8 client

    Question

  • Hey!

    First post here.

    I'm working on Remote Access in windows 2012, but having connectivity issues with a Win8 client. The client has the configuration needed to connect, but fails to connect to the DA server.

    I do have an external firewall with the required ports open (except protocol 41, is this required on the external firewall?)

    Here are some logs:

    (I can point out right away that there is a problem with IPHTTPS)


    IP Configuration (Get-NetIPConfiguration -All -Detailed)

    ComputerName                : OSL-C-WIN8-3
    InterfaceAlias              : Ethernet
    InterfaceIndex              : 12
    InterfaceDescription        : Microsoft Hyper-V Network Adapter
    NetAdapter.LinkLayerAddress : 00-15-5D-00-AA-06
    NetAdapter.Status           : Up
    NetProfile.Name             : Network  3
    NetProfile.NetworkCategory  : Public
    NetProfile.IPv6Connectivity : LocalNetwork
    NetProfile.IPv4Connectivity : Internet
    IPv6LinkLocalAddress        : fe80::48da:8453:9e6f:338a%12
    IPv4Address                 : 192.168.1.102
    IPv6DefaultGateway          : 
    IPv4DefaultGateway          : 192.168.1.1
    NetIPv6Interface.NlMTU      : 1500
    NetIPv4Interface.NlMTU      : 1500
    NetIPv6Interface.DHCP       : Enabled
    NetIPv4Interface.DHCP       : Enabled
    DNSServer                   : 192.168.1.1
                                  192.168.1.1
    ComputerName                : OSL-C-WIN8-3
    InterfaceAlias              : Teredo Tunneling Pseudo-Interface
    InterfaceIndex              : 17
    InterfaceDescription        : Teredo Tunneling Pseudo-Interface
    NetAdapter.LinkLayerAddress : 00-00-00-00-00-00-00-E0-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    NetAdapter.Status           : Up
    IPv6Address                 : 2001:0:5ef5:79fd:28f5:1a4c:fd69:efdb
    IPv6LinkLocalAddress        : fe80::28f5:1a4c:fd69:efdb%17
    IPv6DefaultGateway          : ::
    NetIPv6Interface.NlMTU      : 1280
    NetIPv6Interface.DHCP       : Enabled
    DNSServer                   : 
    ComputerName                : OSL-C-WIN8-3
    InterfaceAlias              : isatap.{1B2C9817-3E26-4D48-8AE7-85E9F8791C9B}
    InterfaceIndex              : 15
    InterfaceDescription        : Microsoft ISATAP Adapter #3
    NetAdapter.LinkLayerAddress : 00-00-00-00-00-00-00-E0-00-00-00-00
    NetAdapter.Status           : Disconnected
    ComputerName                : OSL-C-WIN8-3
    InterfaceAlias              : iphttpsinterface
    InterfaceIndex              : 16
    InterfaceDescription        : iphttpsinterface
    NetAdapter.LinkLayerAddress : 00-00-00-00-00-00-00-E0-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    NetAdapter.Status           : Disconnected

    Teredo Configuration (Get-NetTeredoConfiguration)
    Description            : Teredo Configuration
    Type                   : Default
    ServerName             : teredo.ipv6.microsoft.com.
    RefreshIntervalSeconds : 30
    ClientPort             : 0
    ServerVirtualIP        : 0.0.0.0
    DefaultQualified       : False

    ServerShunt            : False

    Teredo State (Get-NetTeredoState)
    Error : NONE

    State : qualified

    IP-HTTPs Configuration (Get-NetIPHttpsConfiguration)
    PolicyStore       : ActiveStore
    ConfigurationType : GroupPolicy
    Profile           : 
    ProfileActivated  : 
    State             : Default
    ServerURL         : https://<a-public-IP-is-here:sensured!>/IPHTTPS
    Type              : Client
    AuthMode          : 
    StrongCRLRequired : False

    IP-HTTPs State (Get-NetIPHttpsState)
    LastErrorCode   : 0x800b010f
    InterfaceStatus : Failed to connect to the IPHTTPS server; waiting to reconnect

    Is this a certificate or ports problem?

    Cheers in advance for any kind of help!


    edit:

    Ports that are currently open in the GPO:

    -Protocol 41 in and out

    - ICMPv4 Echo request and ICMPv6 Echo request in and out

    Ports that are currently open in the external firewall

    - Port UDP 3544 in and out

    - Port TCP 443 in and out

    - *Port UDP 500

    - *Port UDP 4500

    * not sure if needed, but put them up anyway for testing.


    • Edited by OrPhe0 Monday, September 10, 2012 12:11 PM
    Monday, September 10, 2012 9:25 AM

Answers

  • Hi again,

    A lot of questions, I will try to answer in the same order you posted them. But first a question about your setup.

    Is your DA behind a NAT?
    If so, I would suggest that you configure your client so Teredo is disabled.
    This was the reason I asked about the GPO settings.

    Regarding IP/Hostname for IPHTTPS.
    The main issue is that as long as you get a certificate error your client will not establish the IPHTTPS tunnel since it does not trust the webserver.
    I would personally make sure to get a hostname (if you don't have any domains that you can use, register a name at dyndns.org or a similar service) and create a certificate for that hostname.

     

    The firewall could of course block traffic, but start by making sure the client trusts the certificate used for the IPHTTPS interface before you look at anything else.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Marked as answer by OrPhe0 Wednesday, September 19, 2012 12:26 PM
    Tuesday, September 18, 2012 12:30 PM
  • Did you move your client to the internal LAN so it could have the new GPOs applied?
    (When you use a selfsigned certificate it is added to a client as a trusted certificate through the GPO)

    Another thing, always good to do a reboot or an iisreset on the server if you get strange errors (like the one that the certificate was issued for a different website's address).

    If you do a deployment behind NAT, the computer should NOT have the external IP configured.
    But the external DNS record should of course point to the external IP and your NAT firewall should forward HTTPS traffic from that IP to your internal host.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Marked as answer by OrPhe0 Wednesday, September 19, 2012 12:26 PM
    Wednesday, September 19, 2012 7:37 AM

All replies

  • Hi,

    My first suggestion would be to verify that
    a) The GPO contains the settings for the clients that you expect?
    (The correct URL you entered for IPHTTPS and valid server(s) for Teredo)

    b) That the GPO is applied to this client.
    (Run gpresult /r /scope:computer in an elevated cmd.exe and check that the GPO is listed)

    The Teredo settings look like you have the standard settings from a newly installed machine (connecting to Microsoft's Teredo relay).
    And the IPHTTPS should be a hostname, not an IP address so you can secure it with a certificate.

    Can you try browsing to the URL listed in the IPHTTPS interface and see if/that your browser actually considers it to be valid?

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, September 17, 2012 6:42 PM
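    The following is an added diagnostic for this thread, not code from the original posts, from Jonas, or from the DirectAccess product. It scripts the checks the two replies above ask the client to make: whether the "DirectAccess Client Settings" GPO is listed by gpresult, whether the IPHTTPS ServerURL is a DNS name or an IP literal, what Teredo state the client is in, and whether a TLS handshake to the IPHTTPS endpoint passes the same name and chain validation a browser would apply, so that the certificate error is visible without clicking through. The function names Test-IpHttpsEndpoint and ConvertTo-HResultText and the $CertErrorNames table are this example's own; the codes in the table are the standard Windows CERT_E_* HRESULT values (0x800b010f, the LastErrorCode in the question, is CERT_E_CN_NO_MATCH: the host in ServerURL is not a name the certificate was issued for, which is what Jonas's point about needing a hostname rather than an IP addresses).

```powershell
# Added diagnostic for the thread above (not from the original posts or the
# DirectAccess product). Run in an elevated PowerShell session on the client.
# Function names and the $CertErrorNames table are this example's own; the
# codes themselves are the standard Windows CERT_E_* HRESULT values.

$CertErrorNames = @{
    '0x800B0101' = 'CERT_E_EXPIRED: certificate is outside its validity period'
    '0x800B0109' = 'CERT_E_UNTRUSTEDROOT: issuing root is not in the client trust store'
    '0x800B010A' = 'CERT_E_CHAINING: a chain to a trusted root could not be built'
    '0x800B010C' = 'CERT_E_REVOKED: certificate has been revoked'
    '0x800B010F' = 'CERT_E_CN_NO_MATCH: host in ServerURL is not a name in the certificate'
}

# Turn the LastErrorCode shown by Get-NetIPHttpsState into readable text.
# Accepts either a "0x..." string or a numeric HRESULT (signed or unsigned).
function ConvertTo-HResultText([object]$Code) {
    $text = "$Code".Trim()
    if (-not $text) { return 'none' }
    $value = if ($text -match '^0x') { [Convert]::ToUInt32($text.Substring(2), 16) } else { [uint32]([int64]$text -band 0xFFFFFFFF) }
    $key = '0x{0:X8}' -f $value
    if ($CertErrorNames.ContainsKey($key)) { "$key $($CertErrorNames[$key])" }
    else { "$key (not a certificate validation code)" }
}

# TLS-connect to the IPHTTPS endpoint and report what certificate validation
# says. The callback records the SslPolicyErrors and chain status and then
# returns $true so the certificate can be inspected; the real IPHTTPS client
# does not accept, which is why the tunnel never comes up on a bad certificate.
function Test-IpHttpsEndpoint([string]$ServerUrl, [int]$Port = 443) {
    $uri  = [System.Uri]$ServerUrl
    $seen = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Chain = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        if ($chain) { $seen.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) }
        return $true   # accept here only so the certificate can be inspected
    }.GetNewClosure())

    $result = [ordered]@{
        Host            = $uri.DnsSafeHost
        HostIsIpLiteral = ("$($uri.HostNameType)" -in 'IPv4', 'IPv6')
        Resolved        = @()
        Connected       = $false
        Subject         = $null
        Issuer          = $null
        NameMismatch    = $null
        ChainErrors     = @()
    }
    # Behind NAT the external DNS name must resolve to the public IP that the
    # firewall forwards on 443; show what the client actually resolves.
    if (-not $result.HostIsIpLiteral) {
        try { $result.Resolved = @([System.Net.Dns]::GetHostAddresses($uri.DnsSafeHost) | ForEach-Object { $_.IPAddressToString }) }
        catch { $result.Resolved = @("DNS lookup failed: $($_.Exception.Message)") }
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.DnsSafeHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($uri.DnsSafeHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.Connected    = $true
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NameMismatch = $seen.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        $result.ChainErrors  = $seen.Chain
    }
    catch { $result.ChainErrors = @("connect or handshake failed: $($_.Exception.Message)") }
    finally { $tcp.Close() }
    [pscustomobject]$result
}

# --- Run the checks on the client ---
$gpoListed = [bool]@(gpresult /r /scope:computer 2>&1 | Select-String -SimpleMatch 'DirectAccess Client Settings')
"DirectAccess Client Settings GPO applied : $gpoListed"
"Teredo state                             : $((Get-NetTeredoState | Select-Object -First 1).State)"
$state = Get-NetIPHttpsState | Select-Object -First 1
"IPHTTPS LastErrorCode                    : $(ConvertTo-HResultText $state.LastErrorCode)"
$cfg = Get-NetIPHttpsConfiguration | Where-Object { $_.ServerURL } | Select-Object -First 1
if (-not $cfg) { 'No IPHTTPS ServerURL in the active policy store: the GPO has not reached this client.'; return }
$check = Test-IpHttpsEndpoint -ServerUrl $cfg.ServerURL
$check | Format-List
if ($check.HostIsIpLiteral) {
    'ServerURL names an IP literal; the IPHTTPS certificate is issued to a DNS name, so name validation fails (CERT_E_CN_NO_MATCH).'
}
```

    Read the output in the order the replies suggest: if the GPO is not listed, nothing else matters yet; if NameMismatch is true or ChainErrors is non-empty, the client will keep reporting "waiting to reconnect" no matter what the firewall allows. For the NAT case Jonas describes, the local equivalent of the GPO change that turns Teredo off on the client is Set-NetTeredoConfiguration -Type Disabled.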
  • Thanks Jonas for answering!

    The client has received the GPO DirectAccess Client Settings and the GPO contains the settings I want it to.

    I can access the URL listed in the IPHTTPS interface, however I do get a certificate error first. But if I continue it will take me to the site and all I get is 404 - file or directory not found.

    You're correct, it is a newly installed machine. Should I change the standard settings? Haven't looked into this yet! 

    Does the IPHTTPS have to be a hostname? I don't have any external hostname at the moment, so wondering if it is possible to try and get this up and going with just a public IP for now.

    I'm behind a really strict firewall so wondering if this can cause problems? All the traffic that listens to the ports I wrote above will be directed to my Remote Access server. Not sure if any traffic goes the other way, from the Remote Access server and out. 

    Tuesday, September 18, 2012 12:00 PM
  • Yes the DA is behind a NAT router, and I've now gotten a hostname. Doesn't the remote access configuration automatically create a certificate for the new hostname? 

    Question about the topology, if I choose behind a NAT router with a single adapter, do I use the public IP as the computer's IP? Doesn't seem logical to use a public IP in a NAT environment. 

    Tried it again now:

    The security certificate presented by this website was not issued by a trusted certificate authority.

    The security certificate presented by this website was issued for a different website's address.

    And now I can't even get past this page, stuck on loading.

    Strange.. I've redone the configuration, checked if I had the correct name in certificate console (which I had) and still it showed up like that. This was with the certificate that was automatically created for me by the Remote Access server.

    Tuesday, September 18, 2012 2:41 PM
  • Hi Jonas, thanks for helping me out here. 

    I removed the configuration and did it again, but this time full deployment with DirectAccess+VPN and with the new hostname for my external IP. Also did a restart of the server (which I hadn't done in a long time) and went over the firewall settings with the network administrator, checked to see if the traffic from my external IP went to my internal one and if the ports were open (only need 443 I guess for IPHTTPS). 

    It seems to work now, opened up my client and it says connected. Going to make a share inside and a website to double check since ping is disabled.

    Kudos to you!

    • Edited by OrPhe0 Wednesday, September 19, 2012 12:27 PM
    Wednesday, September 19, 2012 12:24 PM