DirectAccess Setup - IP-HTTPS: Not working properly

  • Question

  • I've been trying to set up DirectAccess in Win Server 2012 RC and cannot seem to get rid of the following error. I've searched online, but almost all documentation is from UAG, and not Win Server 2012 as I know there are a lot of changes between the two.

    Here's the error:

    IP-HTTPS: Not working properly

    Error:
    The IP-HTTPS route does not have published property enabled.

    Causes:
    The publish property of the IP-HTTPS route has not been enabled. This is required for DirectAccess to work as expected.

    Resolution:
    Set the publish property on the IP-HTTPS route.

    How do I set the publish property on the route? There was another post having a similar issue, but that went dead: http://social.technet.microsoft.com/Forums/en-NZ/winserver8gen/thread/0fd8495e-7e41-4eee-a16c-b59341c6d114

    From that post, I tried the following:
    1. Can you try running Get-NetRoute and see if the IP-HTTPS prefix already exists on any interface? - tried this, and no, it did not exist on any interface

     2. This could possibly be a stale interface. You'll be able to remove it using Device Manager, under Network Adapters (in the menu, tick Show hidden devices). Then simply uninstall all of the IP-HTTPS interfaces.

    Have Remote Access recreate and reconfigure the IP-HTTPS interface by running gpupdate /force.

    Tried this, but it got me right back to where I am now.

    Other information: RRAS Management - Configure and enable Routing and Remote Access is disabled

    Routing and Remote Access was disabled - enabled and started it, but that didn't solve it either.

    Any ideas? Thanks in advance!

    Edit: netsh interface ipv6 show interface results: IPHTTPSInterface disconnected


    Friday, June 29, 2012 9:20 PM

Answers

  • I had the exact same issues that you were having with IP-HTTPS, then the Remote Access console wouldn't display (showed an error). It turned out that I need to remove Remote Access config from the DA server first BEFORE attempting to incorporate a PKI infrastructure.

    Follow this YouTube video PRECISELY, from start to finish, in order to properly configure your DA 2012 server with a single NIC adapter, PKI, and Windows 7 support:

    http://www.youtube.com/watch?v=_jgamV0XDiM

    NOTE: If you already set up DA 2012 and it works just fine with Windows 8 Enterprise clients, but then you want to add in Windows 7 support, you MUST remove the Remote Access configuration from the DA server BEFORE setting up your PKI. You CANNOT simply change your self-signed cert configuration with the single NIC on your DA 2012 server over to PKI on-the-fly. You need to remove the DA settings, set up your PKI, then reconfigure Remote Access to use the CA certificate store when configuring it again. Use the YouTube link above for a step-by-step guide. If you cannot remove the Remote Access configuration from the DA server, you will have no choice but to remove the server from the domain, delete the server (or wipe the HDD that Win2012 is installed on) and re-build a new DA server from scratch (there is no proper documentation on how to remove DirectAccess 2012 configurations from your domain at this time...).

    • Marked as answer by Alex Lv Thursday, June 20, 2013 5:30 AM
    Tuesday, December 11, 2012 4:11 AM

All replies

  • Hi,

    Try running this:

    netsh interface ipv6 add route IP-HTTPSPrefix::/64 IPHTTPSInterface publish=yes

    I think if you check the IP-HTTPS tunnel connection, it must be disconnected.

    You should try a Get-NetRoute, just to be sure the IP-HTTPS prefix does not already exist on any interface.

    Maybe it is a stale interface. You'll have to remove it (use Device Manager). Then uninstall all of the IP-HTTPS interfaces.

    Then connect by Remote Access to recreate and reconfigure the IP-HTTPS interface by running gpupdate /force.


    Arnaud Buonaccorsi - GSX Corp http://www.buenoflex.com http://www.gsx.com <= The monitoring solution for Exchange and Sharepoint

    • Proposed as answer by buenoflex Monday, July 2, 2012 9:30 AM
    Monday, July 2, 2012 9:30 AM
  • I tried those, but it says the object already exists - which in turn leads me to the device manager and the removal of the IPHTTPS interface and a gpupdate /force, but that didn't work.

    Wednesday, July 4, 2012 2:29 AM
  • So did you remove all IP-HTTPS interfaces?

    What did you get with the gpupdate? An error? If no error, do you have all your IPHTTPS interfaces now? Even interface removed?


    Arnaud Buonaccorsi - GSX Corp http://www.buenoflex.com http://www.gsx.com <= The monitoring solution for Exchange and Sharepoint

    Wednesday, July 4, 2012 9:48 AM
  • just need to set the routes rather than add

    do "netsh interface ipv6 show route" to see your routes,

    note the ones that have the IPHTTPSInterface

    then netsh interface ipv6 set route <replace with existing routes> IPHTTPSInterface publish=yes

    after a reboot all was well for me.


    Jedi Hammond Dell Services

    • Proposed as answer by Ahmed.Maged Wednesday, November 9, 2016 10:19 AM
    Tuesday, July 8, 2014 6:06 AM
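
    The "set rather than add" step from the reply above, as an added example that is not part of the original thread: it uses the NetTCPIP cmdlets Get-NetRoute and Set-NetRoute instead of netsh, lists the prefix routes on the IP-HTTPS interface with their publish state, and changes only the unpublished ones when -Fix is given. The interface alias IPHTTPSInterface is taken from this thread; the filter that skips /128, fe80: and ff routes is an assumption about which routes need publishing.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: the interface alias is IPHTTPSInterface, as shown in this thread.
param(
    [string]$InterfaceAlias = 'IPHTTPSInterface',
    [switch]$Fix   # without -Fix the script only reports
)

$routes = Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 `
                       -ErrorAction SilentlyContinue
if (-not $routes) {
    Write-Warning "No IPv6 routes on '$InterfaceAlias'; the interface may be missing or stale."
    return
}

# Keep only prefix routes: drop host routes (/128), link-local and multicast.
$prefixRoutes = $routes | Where-Object {
    $_.DestinationPrefix -notlike '*/128' -and
    $_.DestinationPrefix -notlike 'fe80:*' -and
    $_.DestinationPrefix -notlike 'ff*'
}

foreach ($route in $prefixRoutes) {
    if ("$($route.Publish)" -eq 'Yes') {
        Write-Output "OK       $($route.DestinationPrefix) is published"
        continue
    }
    Write-Output "MISSING  $($route.DestinationPrefix) has Publish=$($route.Publish)"
    if ($Fix) {
        # Modify the existing route in place, the cmdlet counterpart of
        # 'netsh interface ipv6 set route <prefix> IPHTTPSInterface publish=yes'.
        Set-NetRoute -InterfaceAlias $InterfaceAlias `
                     -DestinationPrefix $route.DestinationPrefix -Publish Yes
    }
}
```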
  • can you please have a look at the below and advise if your answer is applicable ?

    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    -------  --------  ---  ------------------------  ---  ------------------------
    No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
    No       Manual    1000  2002::/16                  16  6TO4 Adapter
    Yes      Manual    256  fdac:d49d:afe0::/48        12  Internal
    Yes      Manual    256  fdac:d49d:afe0:1::/64      13  isatap.{0D29A55D-2BCC-4310-AD0C-7FFFF4AB340F}
    No       System    256  fdac:d49d:afe0:1::/128     13  isatap.{0D29A55D-2BCC-4310-AD0C-7FFFF4AB340F}
    No       System    256  fdac:d49d:afe0:1:0:5efe:10.101.201.19/128   13  isatap.{0D29A55D-2BCC-4310-AD0C-7FFFF4AB340F}
    Yes      Manual    256  fdac:d49d:afe0:1000::/64   17  IPHTTPSInterface
    No       System    256  fdac:d49d:afe0:1000::/128   17  IPHTTPSInterface
    No       System    256  fdac:d49d:afe0:1000::1/128   17  IPHTTPSInterface
    No       System    256  fdac:d49d:afe0:1000::2/128   17  IPHTTPSInterface
    No       System    256  fdac:d49d:afe0:1000:650b:5f33:1df6:93dd/128   17  IPHTTPSInterface
    No       System    256  fdac:d49d:afe0:3333::1/128   12  Internal
    Yes      Manual    256  fdac:d49d:afe0:7777::/96   12  Internal
    No       System    256  fe80::/64                  12  Internal
    No       System    256  fe80::/64                  17  IPHTTPSInterface
    No       System    256  fe80::/64                  14  External
    No       System    256  fe80::5efe:10.101.201.19/128   13  isatap.{0D29A55D-2BCC-4310-AD0C-7FFFF4AB340F}
    No       System    256  fe80::5efe:169.254.175.209/128   15  isatap.{0F380164-E53C-4F2F-AD01-9135B0F23892}
    No       System    256  fe80::650b:5f33:1df6:93dd/128   17  IPHTTPSInterface
    No       System    256  fe80::b1ec:c347:1f9f:4888/128   12  Internal
    No       System    256  fe80::d0f2:ecf8:3e84:afd1/128   14  External
    No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
    No       System    256  ff00::/8                   12  Internal
    No       System    256  ff00::/8                   17  IPHTTPSInterface
    No       System    256  ff00::/8                   14  External

    Wednesday, November 9, 2016 10:20 AM