Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

Streamlining Direct Access for Minimal Infrastructure Setup (Accessing intranet solely for File Sharing)


Very New Here.

Hope I'm in the right place.

I am looking at setting up Direct Access for a very small client, 10 employees.

The only reason they currently have an intranet (other than for internet connectivity) is for printing and file sharing / backups to fault tolerant storage on a central server running MS Server 2012 standard (the physical server is well provisioned as we anticipate setting up many other features).

I have read through the Base Lab Configuration as well as the Direct Access Lab configuration documents from MS.

One thing I could not really put together based on what was given and by searching a myriad of other sites is this:

What is my minimum infrastructure footprint to enable Direct Access for this intranet?

To Clarify, how few servers (or virtual servers) can I set up to carry out direct access to this file-sharing server? 

From what I gather, it doesn't seem possible to do it with one server instance, ie have all the server roles necessary to run Direct Access (IIS, DC, DNS, DA) running on the physical server, while at the same time functioning as a normal file share... (One other consideration is that I am running Win 7 Ultimate on all client computers so PKI might need to be running somewhere too - from what I have read?)

I am willing to be proven wrong (In fact, I would love it!), but I'm thinking that this is not only impossible but probably not the best idea for reasons that I have some basic grasp of but am certainly not an expert on.

Can someone enlighten me with a topology that would minimize the server instances as much as possible by appropriately condensing server roles down to the minimum number of machines that could make this work? 

For Example: If Direct Access and Domain Control cannot be run on the same server (I don't know if this is true, this is just to set up the example) then we have at minimum to run at least two server instances. If those two were run separately and it was possible to run IIS, DNS, and PKI each concurrently with Direct Access or Domain Control, then we would be able to keep only 2 distinct instances of MS Server running:

eg:

Server1 -> DA + IIS + File Sharing

Server2 -> DC + DNS + PKI

Or some other version of that (which would be great because that's the maximum number of instances allowed with a standard MS Server 2012 license).

All this being said, I'm not exactly sure that this is even a complete list of the separate server roles that are necessary to run Direct Access, which is another reason I'm posting. It would be awesome to have this list of necessary server roles and then another physical machine breakdown stating which roles can be run concurrently on which instances.

I would like to know this because if I can, I would like to avoid buying another license but I would also just like to keep unnecessary Virtual Servers from running because it's very likely that I will need to build in additional virtual servers for applications in the near future; although, as I stated earlier my physical machine is no tin can.

Thanks in advance for any direction.
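Whatever topology you settle on, the box that will carry the Remote Access role can be checked against the product's hard requirements before anything is installed. The following is an added example, not code from the original post: a pre-flight script for a prospective DirectAccess server on Windows Server 2012. It reports whether the machine is a domain member that is not a domain controller (the DA server must be a member server), which of the relevant roles are already present, which adapters are up, and which machine certificates carry the Server Authentication EKU that the IP-HTTPS listener needs. The function name `Test-DAServerPrereqs` is my own.

```powershell
# Added example (not from the original post): pre-flight checks before installing the
# Remote Access role on the machine intended to be the single DirectAccess server.
# Assumes Windows Server 2012 with the ServerManager and NetAdapter modules present.

function Test-DAServerPrereqs {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 0/2 standalone, 1/3 domain member, 4/5 domain controller.
    # The DirectAccess server must be a domain member and must not be a domain controller.
    $isMember = $cs.PartOfDomain
    $isDC     = $cs.DomainRole -ge 4

    # Role/feature state. RemoteAccess = the role, DirectAccess-VPN = the DA role service,
    # Web-Server = IIS, which the DA role service pulls in on the same box.
    $features = Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Web-Server |
                Select-Object Name, InstallState

    # Adapter layout: one connected NIC (behind an edge device) or two are both supported.
    $nics = Get-NetAdapter | Where-Object Status -eq 'Up' |
            Select-Object Name, InterfaceDescription, MacAddress

    # IP-HTTPS needs a server certificate in the machine store; list candidates with
    # a Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $sslCerts = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
        Select-Object Subject, NotAfter, Thumbprint

    [pscustomobject]@{
        ComputerName       = $cs.Name
        Domain             = $cs.Domain
        IsDomainMember     = $isMember
        IsDomainController = $isDC
        CanHostDA          = $isMember -and -not $isDC
        Features           = $features
        ConnectedAdapters  = $nics
        ServerAuthCerts    = $sslCerts
    }
}

Test-DAServerPrereqs | Format-List
```

Run it in an elevated PowerShell on the candidate server. `CanHostDA` false with `IsDomainController` true is the case to design around: that machine can still be the DC/DNS/PKI box, but the Remote Access role has to live on a separate instance.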



Windows Server 2012 R2, Direct Access with OTP and Windows 10 Enterprise


I have a direct access server configured for access via some windows 8.1 and windows 10 Enterprise laptops.

Direct Access works when OTP is disabled on both Windows 8.1 and Windows 10. When OTP is enabled, the Windows 8.1 clients connect once the OTP code is entered; however, the Windows 10 client fails with "Authentication failed due to an internal error (Error code: 0x80040002). Try again, or ask your administrator".

The OTP server does not show any attempts to connect and authenticate; the laptop has the correct computer certificate, as verified in the non-OTP test.

The CAPI2 log shows no errors; the otpcredentialprovider log confirms the error as above: "A certificate for OTP authentication cannot be created. Error code: 0x80040002".

Any ideas?

Thanks

Mike

Network Policy Server service stops after configuring Server 2008R2 machine as a DirectAccess client


I have a Windows Server 2008 R2 domain-joined machine that I would like to configure as a DirectAccess client to be deployed at a remote branch office. The server would also function as a Remote Desktop Gateway server for users at that office to access it remotely over the internet as a terminal server (the prerequisites for Remote Desktop Gateway are Network Policy Server, IIS and Remote Desktop Services).

The server was installed initially as a workgroup server and I added the Network Policy Server role. The NPS service started fine. I then performed a remote domain join and configured it as a DirectAccess client. After configuring it as a DirectAccess client, the NPS service stopped and cannot start. I am getting the following error in the System log:

The Network Policy Server service terminated with the following error:

%%-2147013892

Is it that NPS cannot exist on a DirectAccess client because of some IPsec conflict?

Direct Access 2012


How can we identify unsuccessful authentications/connections over Windows Server 2012-based DirectAccess? Are there any logs that can help us with this?

Regards

Sunny
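A DirectAccess client that never gets as far as a tunnel does not show up in the Remote Access reporting data, but the IPsec negotiation it attempted is auditable on the server. The following is an added example, not code from the original post: it enables failure auditing for the IPsec Main Mode and Quick Mode subcategories on a Windows Server 2012 DA server and then summarises the failed negotiations from the Security log per remote address. The function name `Get-DAIPsecFailures` is my own, and the EventData field names it reads (RemoteAddress, FailurePoint, FailureReason) should be confirmed against one of your own events with `ToXml()` before relying on them.

```powershell
# Added example (not from the original post): turn on IPsec negotiation failure auditing
# on the DirectAccess server and summarise failed attempts from the Security log.
# Assumes Windows Server 2012 Remote Access. EventData field names are assumptions;
# confirm with: (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4653} -MaxEvents 1).ToXml()

# 1. Enable failure auditing for the IPsec subcategories (overridden by GPO audit policy if one applies).
auditpol /set /subcategory:"IPsec Main Mode" /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /failure:enable

# 2. Collect failures: 4652/4653 = Main Mode negotiation failed, 4654 = Quick Mode negotiation failed.
function Get-DAIPsecFailures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4652, 4653, 4654; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            EventId       = $_.Id
            RemoteAddress = $data['RemoteAddress']   # client's tunnel endpoint (IPv6 for IP-HTTPS clients)
            FailurePoint  = $data['FailurePoint']    # Local / Remote
            FailureReason = $data['FailureReason']   # e.g. certificate or proposal mismatch text
        }
    }
}

# Failures per remote client address over the last 24 hours, busiest first.
Get-DAIPsecFailures | Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail for one client, most recent first.
Get-DAIPsecFailures | Sort-Object Time -Descending | Select-Object -First 10 | Format-List

# 3. Successful tunnels, by contrast, are in the inbox accounting data once accounting is enabled.
Get-RemoteAccessConnectionStatistics -StartDateTime (Get-Date).AddDays(-1) -EndDateTime (Get-Date) |
    Select-Object UserName, ConnectionStartTime, ConnectionDuration | Format-Table -AutoSize
```

The same Security events are written on the client side of the negotiation, so the failing laptop can be audited the same way when the server only sees the outer IP-HTTPS address.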

Direct Access 2012 and SCCM


Can we use SCCM Endpoint Protection to protect the clients that are connected over DirectAccess 2012? I also want to know what we have to configure on DirectAccess to make it work. Do we need to configure ISATAP if we want to push the SCCM Endpoint Protection updates to client computers that are connected over DirectAccess?

How is data verified when transferred through the Internet

How is data verified when transferred through the Internet

DirectAccess Client Session IPsec Tunnel reset at 00:57:01 min


We are observing an issue of frequent disconnection of DirectAccess sessions. When we go through the DirectAccess reporting console and web monitor, we find that most DA sessions are 57 minutes long. Only a few sessions go beyond 60 minutes. After going through the details, we found that the SA Quick Mode data protection key lifetime is set to 60 minutes in the client GPO: http://technet.microsoft.com/en-us/library/cc731752.aspx

Does anyone have an idea whether this is the reason for the frequent disconnection of the DA IPsec tunnel? Does this rekeying of the SA have any impact on real-time applications, or on a file copy or download happening on DA clients from intranet servers?

Can we increase this key lifetime value, and what will the impact on sessions be?
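To correlate the observed session length with the policy, read the IPsec settings the client is actually running rather than the GPO text. The following is an added example, not code from the original post: it dumps the Quick Mode and Main Mode crypto sets in effect on a Windows 8 / Server 2012 DirectAccess client (the ActiveStore is the merged result of local and GPO policy), then lists the live Quick Mode SAs with their remaining lifetimes. The SA property names `LifetimeSeconds` and `LifetimeKilobytes` are assumptions on my part; check them with `Get-NetIPsecQuickModeSA | Get-Member`.

```powershell
# Added example (not from the original post): show the IPsec key lifetimes a DirectAccess
# client is really using, and the live SAs, so they can be compared with the 57-minute
# session durations seen in the reporting console. Assumes the NetSecurity module
# (Windows 8 / Server 2012). SA property names below are assumptions; verify with Get-Member.

# Quick Mode crypto sets in effect. MaxMinutes is the "key lifetime" from the GPO;
# MaxKilobytes is the second rekey trigger (data volume), which matters for large file copies.
Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore | ForEach-Object {
    $set = $_
    $set.Proposal | ForEach-Object {
        [pscustomobject]@{
            CryptoSet     = $set.Name
            Encapsulation = $_.Encapsulation
            Encryption    = $_.Encryption
            Integrity     = $_.EspHash
            MaxMinutes    = $_.MaxMinutes
            MaxKilobytes  = $_.MaxKilobytes
        }
    }
} | Format-Table -AutoSize

# Main Mode lifetime for comparison; the IKE SA is renegotiated on its own schedule.
Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore |
    Select-Object Name, MaxMinutes, MaxSessions | Format-Table -AutoSize

# Live Quick Mode SAs. A rekey negotiates a replacement SA before the current one expires,
# so around the lifetime boundary a healthy client briefly shows two SAs for the same pair
# of endpoints rather than a gap.
Get-NetIPsecQuickModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LifetimeSeconds, LifetimeKilobytes |
    Format-Table -AutoSize

# Windows 7 clients have no NetSecurity cmdlets; the equivalent view there is:
#   netsh advfirewall monitor show qmsa
#   netsh advfirewall monitor show mmsa
```

If sessions consistently end a few minutes before `MaxMinutes`, that is the window in which the rekey is attempted; the IPsec Quick Mode audit events (4654 on failure) on the client around that time show whether the rekey itself failed or whether something else dropped the transport. Because the DA client rules are delivered by the DirectAccess Client Settings GPO, a lifetime change has to be made there (or by re-running the Remote Access wizard), not on the client's local store.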

Direct Access breaks wireless connection


Hello,

I have set up a DirectAccess server for my system, and it is working as designed. I also use NPS as a RADIUS server for our wireless network, which is working.

When I deploy the DirectAccess policy to the laptops, and the policy installs the DirectAccess certificate, it breaks the wireless connection. This has been confirmed with two different RADIUS servers. If I remove the wireless configuration on the laptop and just use DirectAccess, it works fine. If I remove the DirectAccess policy from the laptop, wireless starts working again.

For some reason if I have two certificates installed on the laptop wireless is broken.

Any thoughts?

Dan.


DirectAccess, Windows 10 & Network Access Protection (NAP)? Alternatives?


Hey all, with NAP being removed from Windows 10, what alternatives are there if we still want a NAP solution? I am slightly bemused why MS would remove this simple but critical functionality. Would you not want your PC to have a basic, almost seamless health check before accessing the network, especially when you choose to, e.g., enable split tunnelling? I currently use NAP to check AV and Windows Update connectivity. Is there something I have missed? Are MS saying the Windows 10 client no longer needs this? Is anyone thinking of an alternative? I know we will soon have a pile of Surface Books and Pro 4s with Windows 10 arriving and I will have to put a new DA solution in just for them. :-<

DirectAccess Server 2012 Configuration cannot be retrieved from domain controller


Hi everyone,

We are using DirectAccess over Server 2012. There is just one server, no load balancing.

Everything works fine, all clients can connect successfully and the operations status page shows all green. Nevertheless, on the dashboard page in the configuration status section it says "Configuration for server [servername] cannot be retrieved from the domain controller."

I found a few hints what could cause this problem:

"In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the errors has gone." (http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/)

"Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group." (http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html)

"Server has no connectivity to the domain in order to update the policies. Run 'gpupdate /force' on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration. This could be because there is no writable domain controller in the Active Directory site of the Remote Access server." (http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45)

I checked everything. The task is enabled and completed successfully, the GPO is not filtered out, gpupdate runs without any errors, I can connect to the domain controller, there are no errors on the domain controller, and the domain controller is writable.

So, I have no idea what could cause this error. Any ideas or hints?

Thanks

Regards

Sebastian
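The three hints quoted in this post are each a one-line check on the DA server, and it is easier to rule them in or out together than by clicking through consoles. The following is an added example, not code from the original post: a script for a Windows Server 2012 DA server that reports the state and last result of RAConfigTask, lists the computer GPOs that the Resultant Set of Policy engine applied (with the filtering flags), forces a policy refresh against a writable DC, and finally prints what the Remote Access management service itself thinks of each component. The gpresult XML attribute names and the `Get-RemoteAccessHealth` column names are taken from a typical deployment and should be verified on the box.

```powershell
# Added example (not from the original post): run the three checks quoted in the post
# from one elevated PowerShell session on the affected DirectAccess server.
# Assumes Windows Server 2012. The RSoP XML attribute names and the Get-RemoteAccessHealth
# property names are assumptions from a typical deployment; verify against your output.

# 1. The scheduled task that pulls the DA configuration from the domain.
$task = Get-ScheduledTask -TaskName 'RAConfigTask' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskPath    = $task.TaskPath
        State       = $task.State            # expect Ready, not Disabled
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult   # 0 = last run succeeded
        NextRunTime = $info.NextRunTime
    } | Format-List
} else {
    Write-Warning 'RAConfigTask not found on this server'
}

# 2. Which GPOs actually applied to the computer, and whether any was filtered or denied.
$rsopPath = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope:computer /x $rsopPath /f | Out-Null
$rsop = [xml](Get-Content -Path $rsopPath)
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied |
    Format-Table -AutoSize
# The DirectAccess Server Settings GPO should be listed with FilterAllowed true and AccessDenied false.

# 3. Domain connectivity: refresh policy and confirm a writable DC answers for this site.
gpupdate /target:computer /force
nltest /dsgetdc:$env:USERDNSDOMAIN /writable

# 4. What the Remote Access management service reports per component.
Get-RemoteAccessHealth | Format-Table Component, HealthState, TimeStamp -AutoSize
```

Step 2 is the one that most often disagrees with what the GPMC shows: a GPO can be linked and unfiltered yet still fail to apply if the server's computer account lacks Read/Apply on it or if the link is to a different OU than the one the account moved to, and the RSoP flags expose that directly.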


Multi-site Direct Access 2012


Hello All,

We have configured a multisite DirectAccess cluster, and when we try to add a server to the multisite cluster we see the following error: "A device attached to the system is not functioning".

We have verified that we are able to ping the domain controller, the default gateway and the DNS server.

I have checked the Event Viewer and I don't see any errors in it.

Has anybody seen this kind of error, or what steps should be taken to troubleshoot this issue?

-Sunny



process for changing IP address on Direct Access Server Windows 2012 R2


Guys, I have two DirectAccess servers running Windows 2012 R2. I am getting ready to put these into an NLB configuration, so I need to move these servers over to a new subnet. I am using one NIC on these servers, running IP-HTTPS. If I change the internal IP address of a DA server, everything breaks. I actually plugged one of my test clients into the LAN and refreshed its policy; however, I can't get any of my test clients to connect now. So what is the deal with changing an IP address on DirectAccess servers?

Offload DirectAccess Inbox Accounting


We have an external load-balanced cluster with DirectAccess running on a pair of 2012 R2 nodes. We need the "Remote Access Reporting" usage reports, but the sqlserver.exe process is generating a significant amount of CPU usage. Is there a way to offload the inbox accounting that is currently writing to the WID instance on the DA servers themselves, perhaps to a remote SQL server?

DirectAccess, Proxies, Holding Pages & Force Tunnelling


Hi. I wonder if anyone has come across this and has a solution for an issue I'm encountering. Basically we have UAG/DirectAccess up and running happily. Force tunnelling is enabled for security reasons and users' web traffic is filtered through a web proxy which is set in users' browsers by Group Policy. The issue we're having is that when a user goes to a hotel or McDonald's, they cannot access the holding page where they need to enter their details to be granted internet access, as their browser cannot see the web proxy set by the Group Policy.

I've been looking into PAC files but cannot see how I can get this to work to detect whether it's on the corporate domain or not.

Any suggestions greatly appreciated.

Certificate to be used for DA Server


Hi,

I have configured Remote Access and my DirectAccess server is working fine. I have used split tunnelling and until now I was working with the default certificate, which was issued by my DirectAccess server. But now I want to add a certificate issued by my certificate server. For this I made a duplicate of the Web Server template and issued it to my DA server, and while enabling the Windows 7 client computers to connect via DirectAccess using that certificate issued by my CA server, I get the error below when applying the policy:



Is the error coming because of my certificate, am I planning on the wrong certificate, or is there some other error? Please also help me to use the certificate issued by my CA server. Any answer will be appreciated.

Thanks,

Roshan
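Both this post and the earlier one about DirectAccess breaking wireless come down to the same question: which machine certificates are in the store, what EKUs and template they carry, and which one a given component will pick. The following is an added example, not code from either post: a function that tabulates every certificate in `LocalMachine\My` with its template name, whether it has the Server Authentication EKU (what the IP-HTTPS listener needs, with the DA public name in the SAN) and the Client Authentication EKU (what both the DA IPsec tunnel and an EAP-TLS wireless profile select on), plus whether a private key is present. It then shows which certificate the DA server currently uses for IP-HTTPS and how to swap it. The function name `Get-MachineCertSummary` and the public name `da.example.com` are placeholders of mine; `Set-RemoteAccess -SslCertificate` is the Remote Access module's own cmdlet.

```powershell
# Added example (not from the original posts): inventory machine certificates with the
# properties that decide their fitness for DirectAccess (IP-HTTPS, IPsec) and EAP-TLS wireless.
# Assumes Windows Server 2012 / Windows 8 PowerShell, where the Cert: provider exposes
# DnsNameList and EnhancedKeyUsageList. 'da.example.com' is a placeholder for your DA public name.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication: IP-HTTPS listener certificate
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication: IPsec machine cert and EAP-TLS

function Get-MachineCertSummary {
    param([string]$PublicName = 'da.example.com')
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $c = $_
        # Template name: v1 templates use OID 1.3.6.1.4.1.311.20.2, v2+ use 1.3.6.1.4.1.311.21.7.
        $tmpl = $c.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        $ekus  = @($c.EnhancedKeyUsageList.ObjectId)
        $names = @($c.DnsNameList.Unicode)
        [pscustomobject]@{
            Subject           = $c.Subject
            Issuer            = $c.Issuer
            Thumbprint        = $c.Thumbprint
            NotAfter          = $c.NotAfter
            HasPrivateKey     = $c.HasPrivateKey
            Template          = ($tmpl -join '; ')
            ServerAuth        = ($ekus -contains $ServerAuthEku)
            ClientAuth        = ($ekus -contains $ClientAuthEku)
            DnsNames          = ($names -join ', ')
            MatchesPublicName = ($names -contains $PublicName)
        }
    }
}

# Overview: one row per certificate. A duplicated "Web Server" template yields ServerAuth only;
# a "Computer"/"Workstation Authentication" template yields ClientAuth (and usually ServerAuth).
Get-MachineCertSummary |
    Format-Table Subject, Template, ServerAuth, ClientAuth, MatchesPublicName, HasPrivateKey, NotAfter -AutoSize

# Certificates an EAP-TLS wireless profile or the DA IPsec rules could select from.
Get-MachineCertSummary | Where-Object ClientAuth | Select-Object Subject, Issuer, Thumbprint

# On the DA server: which certificate IP-HTTPS uses now, and how to switch to the CA-issued one.
(Get-RemoteAccess).SslCertificate | Select-Object Subject, Thumbprint, NotAfter
# $new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<thumbprint of CA-issued cert>'
# Set-RemoteAccess -SslCertificate $new
```

For the wireless case, the rows with `ClientAuth` true are the candidates EAP-TLS will choose between; if the DA machine certificate chains to a CA that the RADIUS server does not trust, the fix is on the NPS side (trusted root for the wireless network policy) or in the wireless profile's issuer filter, not in removing the DA certificate. For the IP-HTTPS case, the CA-issued certificate needs `ServerAuth` true, the public DA name in `DnsNames`, a private key, and a CRL reachable from the internet.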



Direct Access Configuration Issues


Hi All

We are piloting DA and I just got the servers and DNS entries in place, as well as internet-facing access to the CRL. I have a laptop that I can get the HTTPS tunnel set up on (we are planning on using this for production, none of the other technologies). I have the "DirectAccess Client Troubleshooting Tool" from Microsoft and have been using it to try to identify issues. In the "Interface Test" everything is green. Under "Network Location Test" the DNS server address that it is trying to connect to is the IPv6 address of the DA server internally. I can't get it to display anything but the IPv6 address; during setup under "Remote Access Server" the interface shows the same IPv6 address. I don't think that's how it's supposed to work, but I can't seem to stop it from doing that either.

In EVERY example I can find of setting this up as "behind an edge device with single adapter", the screenshots show the IPv4 address of the server, not the IPv6 address. I think this is the problem, but turning off IPv6 on the adapter prevents me from completing any part of the setup wizards.

Anyone else run into this? How did you fix it?


Allen George - MCSE: Server Infrastructure
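The address the troubleshooting tool shows is read from the Name Resolution Policy Table that the DA client GPO delivers, and in a DNS64/NAT64 deployment (IPv4-only intranet) the name server in that table is by design the DA server's IPv6 DNS64 address, so an IPv6 entry there is expected. The following is an added example, not code from the original post: the client-side commands on a Windows 8 / Server 2012 DA client that show the effective NRPT, the IP-HTTPS transport state, and the client's own view of the connection, which together cover the same ground as the tool's Interface and Network Location tests. The NLS host name `nls.corp.example.com` is a placeholder for the one in your NRPT.

```powershell
# Added example (not from the original post): client-side view of the DirectAccess settings
# the GPO delivered, run in an elevated PowerShell on a Windows 8 / Server 2012 client.
# 'nls.corp.example.com' is a placeholder; take the real NLS host from the NRPT output below.

# Overall state as the DA client sees it (Status / Substatus).
Get-DAConnectionStatus

# Name Resolution Policy Table. DirectAccessDnsServers for the corporate suffix is the DA
# server's IPv6 address (the DNS64 listener) even when the intranet is IPv4-only; the NLS
# host appears as its own namespace entry with no DNS server, so it is resolved normally.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessProxyType, DirectAccessProxyName |
    Format-Table -AutoSize

# IP-HTTPS transport: InterfaceStatus / LastErrorCode show whether the HTTPS tunnel to the
# public name came up before IPsec is even attempted.
Get-NetIPHttpsState
Get-NetIPHttpsConfiguration -PolicyStore ActiveStore | Format-List

# Inside/outside detection: the NLS URL must resolve and answer only on the intranet.
# From the internet this lookup should fail; on the LAN it should succeed over HTTPS.
Resolve-DnsName -Name 'nls.corp.example.com' -ErrorAction SilentlyContinue

# Outbound sanity check for IP-HTTPS: TCP 443 to the public DA name must be reachable.
Test-NetConnection -ComputerName (Get-NetIPHttpsConfiguration -PolicyStore ActiveStore).ServerURL.Split('/')[2].Split(':')[0] -Port 443
```

If `Get-DAConnectionStatus` reports the client as connected while the tool's Network Location Test still lists the IPv6 DNS server, nothing is wrong: the test is simply showing you the DNS64 address that every intranet name query will be sent to through the tunnel.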

DirectAccess "Services" operation status is unknown


We have DirectAccess on Windows Server 2012 R2 configured with external load balancing. On some servers the "Services" operation status is "unknown" and stays unknown. What does the Services node actually check for?

DirectAccess Multisite IPv6 required?


Hi all,

I'm planning a multisite deployment and I have a question regarding IPv6 requirements. I was not able to get a full understanding based on the documentation on TechNet.

For a basic single-site deployment, IPv6 in the internal network is not required. The DirectAccess server is configured with IPv4 addresses and for internal IPv4 resources the server does DNS64/NAT64.

Does the same also apply to a multisite deployment, or is an internal IPv6 configuration required? Within the TechNet articles about planning for multisite there is a lot of information about IPv6 prefixes and similar.

Thanks for your help.

If you need additional information, just ask.

Best regards

Sebastian

SCOM MP doesn't pick up DirectAccess


Hello Everyone,

I seem to be having an issue with SCOM not picking up anything on my DA servers.

I've installed the Microsoft Windows Server Remote Access 2012 R2 MP, configured the Run As accounts and limited it to the DA servers; the account has local admin privileges on the DA servers. Nothing, however, is being picked up by SCOM. Am I missing something?

Any info would be appreciated.

Session time out in Direct access


Hi,

I have users who are using Direct Access (the DA server is configured on a Win2k12 server) to connect to internal resources. Users are reporting that their session freezes if it is left idle for 5 to 10 minutes. If you leave it for 5 to 10 minutes and come back to it, the session will be frozen. It will not say disconnected. When you press any key it will wait for 10 seconds and then say disconnected. It will reconnect again straight away, but the user has to crash out of CPA and re-open it, and they lose any work they had open.

I can see the network connection to the server is not dropping, because if I have multiple sessions open and I am working in one, that one will be fine. It is only the inactive sessions that are disconnecting.

Can anyone tell me what the possible issue here could be? Are there session timeout limits in the Direct Access server? If yes, how can I change them?

Thanks

Jathin
