Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

The certificate does not contain the EKU Client Authentication


Hi,

I've recently configured DirectAccess on a new Server 2012 R2 server.
I checked the box for certificate authentication.

On my Windows 8.1 client I have a computer certificate with Client Authentication and Server Authentication.

When I run the troubleshooting tool it gives a warning about the certificate:

The certificate does not contain the EKU Client Authentication

Since it is the default computer certificate, it does have Client Authentication.
I also tried duplicating the cert template and issuing that to my laptop, but that certificate is not accepted, as it only shows 1 certificate.

Can anyone point me in the proper direction?

Thanks!
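As an added example (not code from the original post), the following PowerShell lists the computer certificates in the local machine Personal store and reports whether each one explicitly carries the Client Authentication EKU that the warning above refers to, which template issued it, and whether its chain builds. It assumes PowerShell 3.0 or later on the DirectAccess client, run from an elevated prompt.

```powershell
# Added example, not code from the original post. Reports, for each certificate in
# the machine Personal store, whether the Enhanced Key Usage extension explicitly
# contains Client Authentication (1.3.6.1.5.5.7.3.2), plus the issuing template,
# private-key presence and chain validity.
# Assumptions: PowerShell 3.0 or later; run elevated so machine-store key data is readable.

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtensionOid = '2.5.29.37'           # id-ce-extKeyUsage

function Get-CertificateEkuOids {
    # Returns the OID strings in the certificate's EKU extension, or an empty array
    # when the extension is absent. Windows treats a certificate with no EKU
    # extension as valid for all purposes, but tooling that looks for an explicit
    # Client Authentication entry still reports it as missing.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $raw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid } | Select-Object -First 1
    if (-not $raw) { return @() }
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($raw, $false)
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertificateTemplateName {
    # Reads the Microsoft certificate template extension (v1 name or v2 OID form)
    # so a certificate from a duplicated template can be told apart from the default one.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $tpl = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    if ($tpl) { return $tpl.Format($false).Trim() }
    return ''
}

function Test-DirectAccessClientCertificates {
    # One object per certificate with the checks that matter for DirectAccess
    # computer authentication: explicit Client Authentication EKU, a private key,
    # validity dates and a chain that builds to a trusted root.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus  = @(Get-CertificateEkuOids -Certificate $cert)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is deliberately not checked here; it is a separate failure mode.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            Template      = (Get-CertificateTemplateName -Certificate $cert)
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            HasEkuExt     = ($ekus.Count -gt 0)
            ClientAuth    = ($ekus -contains $ClientAuthOid)
            ServerAuth    = ($ekus -contains $ServerAuthOid)
            ChainValid    = $chainOk
            ChainStatus   = $status
        }
    }
}

# A usable DirectAccess computer certificate is a row with ClientAuth, HasPrivateKey
# and ChainValid all True and NotAfter still in the future.
Test-DirectAccessClientCertificates |
    Select-Object Subject, Template, ClientAuth, ServerAuth, HasEkuExt, HasPrivateKey, ChainValid, ChainStatus, NotAfter, Thumbprint |
    Format-Table -AutoSize
```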


DirectAccess connection issue when outside of the corporate network (error 0x2745 with Teredo)


Hello everybody,

I am writing this message as one of our end users in my company suddenly lost his ability to connect to our company network via the DirectAccess technology.
This end user is based in Asia and works outside our main company premises all year.

Obviously, the problem started happening right after he changed his password.
I searched the Web before posting this message and I could find some troubleshooting guides.

We are using an IP-HTTPS tunnel, and sometimes Teredo is used, whether the end user is behind NAT or not.

Here are the tests I could do (by the way, the end user currently has DirectAccess Connectivity Assistant version 2.0 installed on his PC):

- Generated logs from the DirectAccess Connectivity Assistant:

The main error message states (some addresses were changed for security reasons):

RED: Corporate connectivity is not working.
Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
28/9/2016 14:50:28 (UTC) 

Probes List
FAIL - HTTP: http://mycompanywebsite

DTE List
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::1
FAIL - The server name resolved successfully, but failed to access PING: fd2b:xxxx:xxxx:xxxx::2

Here is the rest of the log and different tests :

***************************************************************************
ipconfig /all
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>ipconfig /all
Windows IP Configuration

   Host Name . . . . . . . . . . . . : hostname
   Primary Dns Suffix  . . . . . . . : corp.mycompany
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : corp.mycompany
                                      

Ethernet adapter Bluetooth Network Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth (PAN)
   Physical Address. . . . . . . . . : DC-53-60-DE-50-5C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7265
   Physical Address. . . . . . . . . : DC-53-60-DE-50-58
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, September 28, 2016 10:35:52 PM
   Lease Expires . . . . . . . . . . : Thursday, September 29, 2016 12:43:48 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 215765856
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-21-2D-42-DC-4A-3E-5F-2B-E2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (3) I218-LM
   Physical Address. . . . . . . . . : DC-4A-3E-5F-2B-E2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter iphttpsinterface:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : iphttpsinterface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{33420098-E978-49D4-99F8-803C726FAC4A}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

--------------------------------------------------------

***************************************************************************
netsh int teredo show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified

--------------------------------------------------------

***************************************************************************
netsh int httpstunnel show interfaces
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://mycompanyportal:443/IPHTTPS
Last Error Code            : 0x2745
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect

--------------------------------------------------------

***************************************************************************
netsh dns show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior                : Always fall back to LLMNR and
                                        NetBIOS for any kinds of errors
Query Resolution Behavior             : Resolve only IPv6 addresses for names
Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used
Machine Location                      : Outside corporate network
Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured

--------------------------------------------------------

***************************************************************************
netsh name show policy
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show policy

DNS Name Resolution Policy Table Settings

I cannot disclose the entries here but I can confirm that I see all items for the NRPT table listed with IPv6 address for each of them.

--------------------------------------------------------

***************************************************************************
netsh name show effective
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh name show effective

DNS Effective Name Resolution Policy Table Settings

Same as above here. I cannot disclose the full list but all the items are listed with their IPv6 addresses (I can confirm that after having compared values on a working PC).

--------------------------------------------------------

***************************************************************************
netsh adv mon show mmsa
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh adv mon show mmsa

No SAs match the specified criteria.

--------------------------------------------------------

***************************************************************************
netsh nap client show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh nap client show state
The "Network Access Protection Agent" service is not running.

--------------------------------------------------------

***************************************************************************
wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true

Same thing here, where I cannot list the full certificate details.

I can see all the details related to the certificate and after checking the MMC console, I can find the certificate (PKI) for the personal store like any working PC for DirectAccess.

--------------------------------------------------------

***************************************************************************
netsh int ipv6 show int level=verbose
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh int ipv6 show int level=verbose
Interface Loopback Pseudo-Interface 1 Parameters
----------------------------------------------
IfLuid                             : loopback_0
IfIndex                            : 1
State                              : connected
Metric                             : 50
Link MTU                           : 4294967295 bytes
Reachable Time                     : 21000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : disabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid                             : wireless_0
IfIndex                            : 12
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 36500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid                             : ethernet_6
IfIndex                            : 11
State                              : disconnected
Metric                             : 5
Link MTU                           : 1468 bytes
Reachable Time                     : 44000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface iphttpsinterface Parameters
----------------------------------------------
IfLuid                             : tunnel_7
IfIndex                            : 17
State                              : disconnected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 22000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface Bluetooth Network Connection Parameters
----------------------------------------------
IfLuid                             : ethernet_9
IfIndex                            : 14
State                              : disconnected
Metric                             : 50
Link MTU                           : 1500 bytes
Reachable Time                     : 39500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface isatap.{33420098-E978-49D4-99F8-803C726FAC4A} Parameters
----------------------------------------------
IfLuid                             : tunnel_10
IfIndex                            : 21
State                              : disconnected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 17000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
Interface isatap.{36D48669-8A75-483C-B2B7-F42F6B3806FC} Parameters
----------------------------------------------
IfLuid                             : tunnel_11
IfIndex                            : 20
State                              : disconnected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 26000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid                             : tunnel_16
IfIndex                            : 18
State                              : disconnected
Metric                             : 50
Link MTU                           : 1280 bytes
Reachable Time                     : 31000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

--------------------------------------------------------

***************************************************************************
netsh advf show currentprofile
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advf show currentprofile
Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.

--------------------------------------------------------

***************************************************************************
netsh advfirewall monitor show consec
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>netsh advfirewall monitor show consec
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     ICMP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None
StatefulFTP                           Enable
StatefulPPTP                          Enable
Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No
Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall

Quick Mode:
QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS                          None
Security Associations:
No SAs match the specified criteria.

--------------------------------------------------------

***************************************************************************
Certutil -store my
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WINDOWS\system32\LogSpace\{4F1887AE-E9B1-4498-BA67-6F44D4C3D70C}>Certutil -store my
my

I cannot disclose information here but I can guarantee that all the relevant information for the certificate is present in this section.

--------------------------------------------------------

Systeminfo and whoami /groups are returning normal information and I can see the relevant security group listed as well.

---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------

As you may have noticed, the "netsh int httpstunnel show interfaces" command is returning error 0x2745 and I do not understand why (I searched the Web for this exact error code but could not find anything similar).

Anyway, I can confirm that, after having checked manually, both DirectAccess Connectivity Assistant and the related services are set correctly, checking "gpedit.msc" returns all the NRPT entries, the DirectAccess firewall rules are in place in the Windows Firewall configuration, and IPv6 is enabled and returning a valid address.

Also, the end user has a working connection on the Internet and has the same symptoms when trying a connection behind a router or a mobile hotspot.

The "Registry.pol" for Global Policies is still present as well.

Have you already seen such an issue in the past?

Do you know if it is possible to extract a full DirectAccess configuration from a working PC to the one impacted by this issue (considering it is outside the company and that the end user will not have the opportunity to come back on site immediately)?
I know there is a guide for doing this on TechNet, but this does not solve my issue; should I move the Teredo status from client to enterprise client, for instance?

Thanks in advance.

Julien
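As an added example (not code from the original post), the following PowerShell parses the "netsh int httpstunnel show interfaces" output quoted above (embedded as sample input), decodes the Last Error Code into its Winsock message text, and then probes the IP-HTTPS URL the way the client does: TCP connect, TLS handshake, and a chain build with online revocation checking on the server certificate. It assumes PowerShell 3.0 or later; mycompanyportal is the placeholder host name from the post and must be replaced with the real IP-HTTPS FQDN before the probe is useful.

```powershell
# Added example, not code from the original post. Decodes the netsh IP-HTTPS state
# captured in the post and probes the IP-HTTPS endpoint from the client side.
# Assumptions: PowerShell 3.0 or later; "mycompanyportal" is the post's placeholder
# host name, so the live probe needs the real FQDN.

# Constructed sample: a copy of the netsh output quoted in the post.
$SampleNetshOutput = @'
Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://mycompanyportal:443/IPHTTPS
Last Error Code            : 0x2745
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect
'@

function ConvertFrom-NetshKeyValue {
    # Turns "Key : Value" lines into a hashtable; lines without a colon are skipped.
    # The key pattern is non-greedy so the URL value keeps its own colons intact.
    param([Parameter(Mandatory = $true)][string]$Text)
    $table = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.+?)\s*$') {
            $table[$Matches['key']] = $Matches['value']
        }
    }
    return $table
}

function Get-Win32ErrorText {
    # Interprets the hex code netsh reports as a Win32/Winsock error number.
    # 0x2745 is 10053 decimal, WSAECONNABORTED: the TCP connection was aborted locally.
    param([Parameter(Mandatory = $true)][string]$HexCode)
    $code = [int]$HexCode
    $text = (New-Object System.ComponentModel.Win32Exception($code)).Message
    return "$HexCode ($code): $text"
}

function Test-IpHttpsEndpoint {
    # Connects to the IP-HTTPS URL, completes a TLS handshake and reports the server
    # certificate plus the result of an online-revocation chain build. A failure at
    # the handshake or chain stage is one the client would also hit before the
    # tunnel could come up.
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = [Uri]$Url
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # With no custom validation callback, AuthenticateAsClient throws
        # AuthenticationException when the server certificate fails policy.
        $ssl.AuthenticateAsClient($uri.Host)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($remote)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        New-Object PSObject -Property @{
            Host         = $uri.Host
            TcpConnected = $true
            TlsProtocol  = $ssl.SslProtocol.ToString()
            CertSubject  = $remote.Subject
            CertIssuer   = $remote.Issuer
            CertNotAfter = $remote.NotAfter
            ChainValid   = $chainOk
            ChainStatus  = $status
            Error        = ''
        }
    }
    catch {
        New-Object PSObject -Property @{
            Host         = $uri.Host
            TcpConnected = $tcp.Connected
            TlsProtocol  = ''
            CertSubject  = ''
            CertIssuer   = ''
            CertNotAfter = $null
            ChainValid   = $false
            ChainStatus  = ''
            Error        = $_.Exception.Message
        }
    }
    finally {
        $tcp.Close()
    }
}

# 1. Decode the state captured in the post. For the live machine use instead:
#    $live = (netsh interface httpstunnel show interfaces) -join "`n"
$state = ConvertFrom-NetshKeyValue -Text $SampleNetshOutput
"Interface status : $($state['Interface Status'])"
"Last error       : $(Get-Win32ErrorText -HexCode $state['Last Error Code'])"

# 2. Probe the endpoint from the failing client (needs Internet access).
Test-IpHttpsEndpoint -Url $state['URL'] |
    Select-Object Host, TcpConnected, TlsProtocol, CertSubject, CertIssuer, CertNotAfter, ChainValid, ChainStatus, Error |
    Format-List
```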

 

Throughput of Microsoft DirectAccess is directly linked to client latency on server side upload


I seem to have a fundamental issue with Microsoft DirectAccess.

I will list what hardware I am using first

2 x servers with Xeon E5-2667 v3 @ 3.2 GHz, 32 GB RAM and 10K SAS disks

1 x Cisco ASA firewall performing just NAT for 443 and 80 to the above servers in an NLB

Lots of laptops (new ones with latest-generation Core i7s, 16 GB RAM and SSDs)

I am using machine certificates with ECC suite B and Windows 7 - Note this issue also happens with Windows 8.1 and Windows 10 as I have also tested this.

Connections to DirectAccess are fine and all working: logging in and communicating with the domain works fine in both directions using IPHTTPS.

Our problem is directly related to client latency: if we plug in a client right at the front door of the DirectAccess solution, so the client has less than 1 ms of latency, then we get throughput of 600 Mb/s+. So I know that it is not an issue with IPHTTPS and double encryption, or with using ECC certificates, or any issue with the configuration of the server.

As the latency of the line is increased, with every single millisecond the throughput drops, to the point where at 20 ms, which is most people's minimum latency when connecting from home to work, throughput is down to exactly 2 MB/s or approx. 20 Mb/s.

This only happens when the server is uploading data to the client.

This has been tested with a WAN emulator and I can provide exact metrics for throughput if required.

Note that this does not happen when the client is uploading data to the server.

It seems to me that the client is able to scale its TCP Window to the server, but the server is not able to do the same.

Please can anyone provide a fix or a workaround for this issue? There seem to be a lot of people on this forum who have similar issues but have not nailed down the correlation to latency or tested with WAN emulation. Also note I have tried two different WAN emulators and correlated this data with users at home.

Additional information can be provided on request.

Any help would be appreciated, or even how to raise this with Microsoft directly.

Martin 

DirectAccess 2012 & Windows 7 - 0x80092013 Error


I have recently upgraded approx. 4000 Windows 7 Enterprise laptops from UAG DA 2010 to DA 2012.

Most work OK, but some laptops are failing to connect... and are giving an IP-HTTPS 0x80092013 error, which I am given to understand means that the client cannot reach the CRL list for its computer certificate.

However the CRL list is accessible from the laptop (the URL for the CRL has been added as an NRPT exception) and if there was anything wrong with the published CRL I would expect it to affect all clients.

Also clients should be using Teredo as their preferred protocol with IP-HTTPS as the fallback.

If I run the DA Client Troubleshooting Tool, the IP Connectivity Tests show:

  IPHTTPS interface is not operational - last error code 0x80092013

  Teredo is used as IPv6 transition technology

  Successfully connected to endpoint

  No response received from <domain_name>

Then both the user and Infrastructure tunnel tests fail.

I have 2 laptops, which as far as I can see are identical in DA config, connected to the same ADSL line, one works the other doesn't. 

Anyone have any ideas what is going on here... or have any advice as to what I could try?

I have tried disabling the IP-HTTPS interface to force it to use Teredo... and disabling the Teredo interface to force IP-HTTPS. Have tried reapplying GPOs etc.
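As an added example (not code from the original post), the following PowerShell checks the revocation path for each computer certificate from the failing client: it builds the chain with online revocation checking so the status flags show whether the CRL was unreachable, extracts the CRL Distribution Point URLs from the certificate, shows what the client resolves each CDP host to, and downloads each HTTP CDP the way the client would. It assumes PowerShell 3.0 or later, run on the failing DirectAccess client while it is outside the corporate network.

```powershell
# Added example, not code from the original post. 0x80092013 is CRYPT_E_REVOCATION_OFFLINE:
# the revocation check ran but the CRL could not be retrieved. This script shows, per
# computer certificate, the chain status with online revocation checking, the CDP URLs
# in the certificate, how each CDP host resolves from this client, and whether the CRL
# downloads over HTTP.
# Assumptions: PowerShell 3.0 or later; run on the failing client outside the corporate network.

function Get-CrlDistributionPoints {
    # The CDP extension (2.5.29.31) has no typed .NET wrapper; use the CryptoAPI
    # formatter and pull the URL= entries out of the multi-line text.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }
    $urls = @()
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(?<url>\S+)')) {
        $urls += $m.Groups['url'].Value
    }
    return $urls
}

function Test-CrlUrl {
    # Resolves the CDP host and fetches the CRL. If the name resolves only to an IPv6
    # address inside the DirectAccess DNS64 prefix while the client is outside, the NRPT
    # exemption for the CRL name is not in effect on this machine.
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = [Uri]$Url
    $result = New-Object PSObject -Property @{
        Url       = $Url
        Resolved  = ''
        Reachable = $false
        CrlBytes  = 0
        Error     = ''
    }
    try {
        $result.Resolved = ([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }) -join ','
        if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') {
            $result.Error = 'not an HTTP CDP; skipped'
            return $result
        }
        $web   = New-Object System.Net.WebClient
        $bytes = $web.DownloadData($uri)
        $result.CrlBytes  = $bytes.Length
        $result.Reachable = ($bytes.Length -gt 0)
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

function Test-CertificateRevocationPath {
    # Emits a short report per certificate. The flags RevocationStatusUnknown and
    # OfflineRevocation together correspond to the 0x80092013 symptom.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $ok    = $chain.Build($cert)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        "== $($cert.Subject)  [$($cert.Thumbprint)]"
        "   chain builds : $ok"
        "   status flags : $(if ($flags.Count -gt 0) { $flags -join ',' } else { 'none' })"
        foreach ($url in (Get-CrlDistributionPoints -Certificate $cert)) {
            $r = Test-CrlUrl -Url $url
            "   CDP          : $($r.Url)"
            "      resolves  : $($r.Resolved)"
            "      reachable : $($r.Reachable) ($($r.CrlBytes) bytes) $($r.Error)"
        }
    }
}

Test-CertificateRevocationPath
```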

Store Reports On database


Hi,

I have to store the reporting to the database that is on the Remote Access Management Console, so is there any way to store those reports?

thanks,

Roshan

DirectAccess Inquiry, Enterprise deployment


Hello,

Our agency is interested in DirectAccess. We are planning a deployment of Windows To Go drives and are interested in DirectAccess Offline Domain Join. Currently we are planning to have our vendor provision our Windows To Go drives and ship them directly to the assigned user instead of them coming to our location to be imaged. Can DirectAccess offline domain join be enforced on the drives during the vendor's provisioning, so that once the user receives the drive they can connect to the VPN and pull down everything else hands-off?


Thank you,




Any replacements for UAG or TMG or ISA?


Hi Guys,

Are there any replacements for UAG which will provide the same functionalities as UAG/TMG - reverse proxy, VPN, Direct Access, RDP etc? We need to use that in SharePoint environment to provide secure application publishing. 

KR, Sarath

GlassWire monitoring on DirectAccess Client

I am trying to use GlassWire on a DirectAccess client laptop to monitor how much bandwidth is being used to different corporate resources.  It just lumps all the DirectAccess traffic into "Host Process for Windows Services", a single connection to the DirectAccess endpoint instead of breaking it out by application or port or host. Is this just the way it is? Is there something that I should look for in the configuration? Is there another product that would allow me to do this on Win7?

UAG NLB array issue


Dear Partner,

I have an issue with UAG array servers. We get a message stating “The array manager server cannot verify the availability of array member XXX”, which is the second server in the array; the server is shown as not reachable, but when we check the server it is working fine and can ping the array manager.

Regards,

Magdy

NLB setting could not be configured.unexpected error. Error(s) occurred while activation the configuration


Hi Expert,

I installed Threat Management Gateway 2010 and, after one year, planned to install UAG 2010. I installed UAG 2010 on top of TMG 2010, and after the installation the UAG activation gives an error.

--NLB setting could not be configured.unexpected error.

--Error(s) occurred while activation the configuration.

Kindly suggest the solution.

possible? force tunnel DirectAccess and VPN 2FA?


Hi,

We have a functional DirectAccess Server(2012R2) with force tunnel configuration.

The plan would be: all DA-Clients should use our "Updates-Services","Configurations","Surfing over our proxy" nothing more!

If the user needs more, he has to use a two-factor authentication (VPNv2?, ...) to get access to files and other services.

I Found this Scenario:
http://danstoncloud.com/simplebydesign/2016/06/01/breaking-the-myth-of-directaccess-end-to-end-scenario-part-1/
Until now I could not get it to run. :|

I also tested it: connect to DA, then establish a VPN connection, but this ends shortly after successfully connecting to SRV2. Client event: Error 829 (ERROR_LINK_FAILURE)

SRV1 = DA Server - Force Tunnel
SRV2 = VPN Server- SSTP

I think that with the VPN connection the system checks and decides that I am inside the corporate network -> disconnects DA (VPN lost) and reconnects DA...

Would this be possible?

thank you
Klü

UAG NLB no work


I have two UAG SP3 (TMG 7.0.9193.575) servers on VMWare:

1. Define Internal, External networks (UAG - Admin - Network Interfaces)

2. Set array manager (UAG - Admin - Array management)

3. Add second member to array (UAG - Admin - Array management)

4. Apply, reload servers

5. Add Virtual IP (UAG - Admin - Network Load Balancing - External, Multicast)

6. Apply, reload servers

7. Set static ARP in my Cisco

In the servers' ipconfig I see my VIP address, but NLB does not start in the TMG console. TMG registers the alert event: "Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server UAG1. The following providers may define filters that conflict with the Forefront TMG firewall policy: UAG-DA NLB." If I manually start NLB, it works for some time and then stops without error. If I create a test trunk in UAG, it does not work from external, only from localhost. How can I correctly configure NLB on UAG servers? Why does it not work?
In the TMG console my VIP address is set on the External network; maybe this is incorrect? Maybe I need to create a DMZ network with my Internet IP and set the VIP on this DMZ network? How will UAG work if I change the TMG config?


DirectAccess ManageOut Failing with Unicast NLB


Hi,

I'm trying to configure manage out as per the blog below:

https://www.packtpub.com/books/content/configuring-manage-out-directaccess-clients

I've tried the limited isatap approach and ensuring that the isatap router and DNS record are OK, but this hasn't worked. From my management server I cannot ping or access DA clients.

I'm using a DirectAccess array of 3 Windows 2012 R2 servers, all on the same subnet with dual NICs. Each server has an external and an internal NIC. I'm using NLB for both the internal and external VIPs.

The Internal unicast VIP details are as follows:

10.133.171.127 02-BF-0A-85-AB-7F

I can't ping the unicast VIP from a different subnet. I've tried "arp -s 10.133.171.127 02-BF-0A-85-AB-7F" and seeing if I can contact the VIP, but that doesn't work.

From the DA server I can ping DA clients which are directly connected to that particular array member. I can't RDP or perform remote management to clients.

Please advise.

Thanks


IT Support/Everything

UAG - Issue Joining to an array


Hello,

I have a clean UAG 2010 SP1 Box running 2k8 R2 that I'm trying to join to an array.  The array manager is another box running UAG 2010 SP1 with 2k8 R2.

Every Time I attempt to join to the array, I get an error message, "The server is not operational."

I did tell the array manager that a member will be joining.

Could it be a rule in TMG that is blocking the process?  My UAG/TMG skills are pretty weak.

Thanks.

DirectAccess 2016 Certificate Confusion


Hi All,

I'm configuring DirectAccess on a fresh install of Server 2016.  This is a single server, single NIC, behind NAT environment with no UAG in the mix.  Only Windows 8/10 clients will be connecting to this environment.  No Windows 7 PKI clients to keep things simple.

I believe I have everything in place except for some confusion on the certificate parts.  I'm using a public CA certificate from Digicert and under the Configuration > DirectAccess and VPN > Remote Access Server (Step 2) area, I enter in the public name of my DA server (da.domain.com).  I assume this is the correct thing to enter in there and not the internal IPv4 address of my NIC?

Anyways, I get to the Network Adapters section where I can select a certificate.  By default, it has the self-signed cert.  I've since changed this to the Digicert certificate which has a common name of 'da.domain.com'.  I then go to the Authentication section and under User Authentication, I have 'Active Directory Credentials (username/password)' selected and everything else is unchecked.  In this single server scenario, do I need to select the 'Use computer certificates' or the Intermediate Certificate? If so, what certificate do I use for those?  Self-signed from our Enterprise CA server, or from the public Digicert CA? 

My Windows 10 laptop is getting the updated DirectAccess Client GPO, but it will not connect.  I've downloaded and ran the DirectAccess Client Troubleshooter tool, but I'm not sure if I need to run that when connected to the local domain, or when connected from an outside network?  It tells me I have a certificate problem as one of the errors.  What type of troubleshooting needs to be done to determine why it's not connecting?


Rory Schmitz


2012R2 and 2016 Staged Migration with BOTH in place - one domain


All clever people!

(Not 100% sure this is in the right place, but here goes)

I hope someone could please help as I can find very little information out there?

We have a single DirectAccess 2012R2 remote access solution in place and it works great! The plan is to upgrade the clients to Win10, and we thought that at the same time we would upgrade DirectAccess to 2016 to give us ample tech support, as these are servers that you do not really touch until the OS becomes unsupported and everyone freaks out (no, we do not have any 2003 servers anymore!)

Anyway, my question is:

Is it possible to run a 2016 DirectAccess solution completely separate (different public domain name, servers, networks etc.) with the existing 2012 R2 solution while we slowly migrate the users over to the newer version?

Anyone have any thoughts?

Publish project web app(project server 2013) through UAG 2010


Hi expert,

I have installed Unified Access Gateway 2010 and published SharePoint and Remote Server successfully, but the problem is that when I publish the PWA (Project Web App) through UAG 2010 the site does not open.

Error: 404 not found

Need help

2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers?


I've just successfully implemented multisite Server 2012 R2 DirectAccess in a child domain of a global company with numerous sub domains. I'd like to limit the scope of the auto discovery of management servers in 2012 R2 DA; is anyone aware of any way of doing this?

During the default initial configuration of DirectAccess Auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.

In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.

This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical" leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.

The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.

I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.

Also the child domain DCs don't actually appear in the management servers list.

Managing HTTP Headers for DirectAccess


Hi, Does anyone have any ideas on how to add additional HTTP headers such as Strict-transport-security etc for the DirectAccess service?

Thanks,

Replacing existing IP-HTTPS DirectAccess server/client certificates with new PKI?


Hello,

We have deployed a Server 2012 R2 DirectAccess infrastructure, single server and we only use IPHTTPS. Our clients are a mix of Windows 7 and Windows 10.

  • Our DA server uses a public certificate on the IP-HTTPS tunnel
  • We've deployed a new PKI to replace our existing one. 
  • I need to migrate our DA implementation (server/clients) to use certificates from the new PKI.

What would this process be?

I think I need to push computer certificates from the new PKI to all of our domain joined laptops that are enabled for DA before I change the certificates on the DA server itself otherwise how else can clients connect back?

  1. Are there any issues that could happen if a client computer has two certificates, one from old PKI and one from new? Will this break existing DA connectivity or will DA know which certificate to use?
  2. When I change the certificate on the DA server, to the new one from our new PKI, it will probably need to apply these updates to the GPOs; now will the DA clients need the updated GPO settings along with the updated certificates to work?

How can I do this with minimal downtime to our DA clients? I don't want to break DA connectivity for our mobile users on laptops, but I need to replace our existing PKI and get the DA infrastructure to use the new PKI.

Anyone done this before?
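Before touching the server, it helps to know exactly which machine certificates each client holds and which root each one chains to, and what root the DA server currently trusts for IPsec. The PowerShell below is an added example, not from the post or from Microsoft: `Get-DaClientAuthInventory` is run on a client and lists every Client Authentication certificate with the root it chains to, so a laptop holding both an old-PKI and a new-PKI certificate shows up as two rows; `Show-DaServerPki` is run on the DA server and prints the IPsec root and IP-HTTPS certificate it is configured with. The property names `IPsecRootCertificate`, `IntermediateRootCertificate` and `SslCertificate` are those shown by `Get-DAServer` and `Get-RemoteAccess` on 2012 R2 and are assumptions here; the commented `Set-DAServer` line shows where the changeover is made and is not executed.

```powershell
# Added example (not from the original post): inventory the certificates involved
# in a DirectAccess PKI changeover. RemoteAccess cmdlets exist only on the DA server.

function Get-DaClientAuthInventory {
    # Run on a DA client. One row per machine certificate with the Client
    # Authentication EKU, with the root CA that CryptoAPI chains it to.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        ForEach-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'   # fail the row if the CRL cannot be fetched
            $built = $chain.Build($_)
            $root  = if ($chain.ChainElements.Count -gt 0) {
                         $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
                     } else { '' }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Root       = $root
                NotAfter   = $_.NotAfter
                ChainOk    = $built
                Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
        }
}

function Show-DaServerPki {
    # Run on the DA server. Which root must client certificates chain to, and which
    # certificate is bound to the IP-HTTPS listener. (Property names are assumptions.)
    $da = Get-DAServer
    "IPsec root certificate     : $($da.IPsecRootCertificate.Subject)"
    "Intermediate CA accepted   : $($da.IntermediateRootCertificate)"
    $ra = Get-RemoteAccess
    "IP-HTTPS (SSL) certificate : $($ra.SslCertificate.Subject)  expires $($ra.SslCertificate.NotAfter)"
    # Changeover step, shown only as a comment. The new root must already be in
    # Cert:\LocalMachine\Root on the server; <NEW_ROOT_THUMBPRINT> is a placeholder.
    # Set-DAServer -IPsecRootCertificate (Get-Item Cert:\LocalMachine\Root\<NEW_ROOT_THUMBPRINT>)
}

# Client-side usage: group by root so old-PKI and new-PKI certificates are easy to tell apart.
# Get-DaClientAuthInventory | Sort-Object Root | Format-Table Root, Issuer, NotAfter, ChainOk, Status -AutoSize
```

A client row whose `Root` is the new PKI and whose `ChainOk` is true, seen on every laptop in the inventory, is the precondition for switching the server-side IPsec root; until then, clients that only hold old-PKI certificates would lose the infrastructure tunnel once the server stops trusting the old root.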

