DirectAccess Management Servers are unable to ping, \\ or RDP to DirectAccess clients

  • Question

  • Greetings,

    I am experiencing issues connecting to my DirectAccess clients from my DirectAccess server as well as the management servers defined in the DirectAccess setup.

    Presently, clients are functioning normally.  The clients are able to hit internal resources.

    When attempting to ping one of my test Windows 7 Ultimate machines from the DirectAccess Management Server I receive the following...

    PS C:\Users\administrator.DOMAIN> ping da-2

    Pinging da-2.domain.com [2001:0:3fff:7c1c:10a2:24e9:51ee:91a] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    According to an IPCONFIG on the client, the above 2001 address is correct.  I have tried removing the DNS entry and allowing the client to reapply its record; I have also tried pinging the address directly.

    Errors occur during a \\da-2\c$ as well as RDP attempts.  Errors for the \\ and RDP are similar to the machine being powered off or their Firewall blocking the incoming traffic.

    I have verified that the rules for incoming traffic to the clients allow SMB, Ping (echo), RDP and several other protocols to test on.  All seem to fail.

    This issue can be reproduced on all clients.

    I have also verified all clients have received the GPO defining the Management servers.

    Wednesday, June 20, 2012 3:13 PM

All replies

  • Are the management servers IPv6 capable? Do they have valid IPv6 addresses (not link-local FE80)?

    Have a look here too: http://blogs.technet.com/b/tomshinder/archive/2010/10/01/is-isatap-required-for-uag-directaccess.aspx


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, July 4, 2012 11:36 AM
  • No, we have not implemented IPv6 in our network.

    Thursday, July 5, 2012 2:44 PM
  • "No, we have not implemented IPv6 in our network."

    Did you read the article I provided above?

    You need some form of IPv6 communications in order to manage DA clients from the inside; the NAT64 process only works inbound, not outbound...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, July 5, 2012 2:48 PM
  • If I am reading this correctly, native IPv6 or a transition technology such as ISATAP is required.

    " It also allows your ISATAP capable management servers to support the manage out scenario where those servers need to initiate connections to the DirectAccess clients. "

    ISATAP is deployed.

    Thursday, July 5, 2012 3:14 PM
  • I didn't say native IPv6, I said IPv6 capable ;) Yes, ISATAP is fine for manage out...

    So, can you ping the ISATAP address of the UAG server?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, July 5, 2012 4:10 PM
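The checks JJ is walking through above (is the management server IPv6 capable with a non-link-local/ISATAP address, does the client name resolve to an IPv6 address, and can that address be reached?) can be scripted from the management server. This is an added example, not code from the thread or from Microsoft; it assumes the client name `da-2` from the original post and only .NET classes available in PowerShell 2.0 on Server 2008 R2.

```powershell
# Added example: manage-out prerequisite check run on a DirectAccess management server.
# $ClientName is an assumption taken from the original post; change it to your own DA client.
param([string]$ClientName = 'da-2')

# 1. Does this host have a usable IPv6 address (not link-local fe80::)? ISATAP addresses
#    carry the 5efe: marker in their interface identifier, so they are labelled separately.
$usable = @()
foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
    if ($nic.OperationalStatus -ne 'Up') { continue }
    foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
        $ip = $ua.Address
        if ($ip.AddressFamily -ne 'InterNetworkV6') { continue }
        if ($ip.IsIPv6LinkLocal) { continue }          # fe80:: cannot reach DA clients
        $type = 'native/other'
        if ($ip.ToString() -match '(^|:)5efe:') { $type = 'ISATAP' }
        $usable += New-Object PSObject -Property @{ Interface = $nic.Name; Address = $ip.ToString(); Type = $type }
    }
}
if ($usable.Count -eq 0) {
    Write-Warning 'No non-link-local IPv6 address on this server: ping/SMB/RDP to DA clients will fail until ISATAP or native IPv6 is available here.'
} else {
    Write-Host 'IPv6 addresses usable for manage-out:'
    $usable | Format-Table Interface, Type, Address -AutoSize
}

# 2. Does DNS hand back an IPv6 (AAAA) address for the client, like the 2001: address in the ping output?
$v6 = [System.Net.Dns]::GetHostAddresses($ClientName) | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
if (-not $v6) {
    Write-Warning "$ClientName has no IPv6 address in DNS; the client has not registered its DirectAccess address."
    return
}
Write-Host "$ClientName resolves to: $($v6 -join ', ')"

# 3. ICMPv6 echo to each returned address. A TimedOut status with a correct address points at
#    the client's inbound firewall rules or the IPv6 path, not at name resolution.
$pinger = New-Object System.Net.NetworkInformation.Ping
foreach ($addr in $v6) {
    $reply = $pinger.Send($addr, 2000)
    Write-Host ('{0}: {1}' -f $addr, $reply.Status)
}
```

If step 1 reports no usable address, steps 2 and 3 cannot succeed regardless of client firewall settings, which matches the outbound limitation of NAT64 described earlier in the thread.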
  • Can you provide details on the Windows Firewall configuration you have applied to DA clients?

    If you watch the TMG logs, can you see connection from internal management client passing through the firewall to the IPv6 address of the DA clients?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    Thursday, July 5, 2012 4:12 PM
  • The clients are able to ping into everything internal that has an ISATAP address.  (Some servers have their ISATAP disabled due to incompatibility with other apps.)

    This is not a TMG deployment, this is DirectAccess Native to Windows Server 2008R2.

    Aside from the default firewall rules applied by the DA server, I have enabled Remote Desktop, ICMPv4 and v6 Echo Requests, and honestly; just about everything else after the fact in an attempt to get some sort of connection to the DA Clients.

    Thursday, July 5, 2012 4:28 PM
  • I wish I could offer some help to Mr. Pancake. However, I'm new to this DA/TMG stuff as well.

    I am using UAG/TMG as my DA server.  I am able to ping into the network from outside to everything.  I can even browse my shared folder on the server.  However, I cannot browse to my DFS namespace, which is my domain.net\fs and points to that same server.  I can browse to domain.net, though, and get the SYSVOL and NETLOGON folders just fine.  I also cannot ping the client computer by name from anywhere on the corp network.  I have ISATAP on the UAG server and it has an IP.  I also have it enabled on the client, but it looks like it's not getting an IP.

    We have not officially deployed IPv6 but I do have servers that I registered their IPv6 addresses in DNS.  

    All I know at this point is I am totally frustrated and am ready to look at a DA appliance from IVO Networks just to get this thing up and running.  I'm so close, but yet feel so very far from it working the way I need to.


    Dusty

    Tuesday, July 17, 2012 10:27 PM
  • Did you ever get this figured out?
    Tuesday, January 28, 2020 7:23 PM