Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum
Viewing all 1485 articles

Direct Access Clients accessing IPv4 resources NOT in DNS


Our current VPN solution is Direct Access for any and all Windows 7 and Windows 10 PCs. Being a network engineer I am not sold on it and find it hard to protect when the network is not IPv6 ready.

For me Direct Access doesn't work for what I need to do my job. When connected via Direct Access I still need a traditional VPN to be able to access the IPv4 addresses of network devices that we do not keep in DNS, for valid security reasons. How is there not a way to make Direct Access clients capable of connecting to IPv4 addresses with a simple task like SSH to 10.0.0.1? I find it hard to believe that Microsoft felt that all networks were IPv6 and all resources were in DNS when they created this solution.

My systems guy tells me that it is not possible for Direct Access clients to access raw IPv4 addresses. Is this true?
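Worked example, added here and not part of the original post. The DirectAccess tunnel carries IPv6 only. Names of IPv4-only hosts work because DNS64 on the DA server answers with a synthesized AAAA record, the A record embedded in the NAT64 /96 prefix, and NAT64 on the server translates the traffic. A literal address such as 10.0.0.1 never goes through DNS64, so the client sends it out its local IPv4 interface rather than into the tunnel. The same embedding can be done by hand: recover the prefix from any synthesized answer, then map the device address into it. The prefix, host name and device address below are placeholders; the script assumes a DirectAccess deployment that uses NAT64/DNS64 with the usual /96 prefix.

```powershell
# Added example, not from the original post: reach an IPv4-only device over the
# DirectAccess tunnel by mapping its address into the NAT64 /96 prefix yourself,
# the same way DNS64 does for names. The prefix and host name are placeholders.

function ConvertTo-Nat64Address {
    param(
        [Parameter(Mandatory)][string]$Nat64Prefix,   # /96 prefix, e.g. 'fd3e:4f5a:5b81:7777::'
        [Parameter(Mandatory)][string]$IPv4Address    # device address, e.g. '10.0.0.1'
    )
    $prefixBytes = [System.Net.IPAddress]::Parse($Nat64Prefix).GetAddressBytes()
    $v4Bytes     = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    if ($prefixBytes.Length -ne 16 -or $v4Bytes.Length -ne 4) {
        throw 'Expected an IPv6 prefix and an IPv4 address'
    }
    # RFC 6052 /96 form: the IPv4 address occupies the last 32 bits (bytes 12-15).
    [Array]::Copy($v4Bytes, 0, $prefixBytes, 12, 4)
    return [System.Net.IPAddress]::new($prefixBytes).IPAddressToString
}

function Get-Nat64Prefix {
    # Recover the /96 prefix from the AAAA answer DNS64 synthesizes for a known
    # IPv4-only intranet host (assumes the name falls inside an NRPT namespace that
    # points at the DirectAccess DNS64 server).
    param([Parameter(Mandatory)][string]$KnownIntranetHost)
    $aaaa = Resolve-DnsName -Name $KnownIntranetHost -Type AAAA -ErrorAction Stop |
            Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
    if (-not $aaaa) { throw "No AAAA answer for $KnownIntranetHost" }
    $bytes = [System.Net.IPAddress]::Parse($aaaa.IPAddress).GetAddressBytes()
    for ($i = 12; $i -lt 16; $i++) { $bytes[$i] = 0 }   # drop the embedded IPv4 part
    return [System.Net.IPAddress]::new($bytes).IPAddressToString
}

# Usage with a placeholder prefix. On a real client, derive it instead:
#   $prefix = Get-Nat64Prefix -KnownIntranetHost 'fileserver.corp.example'
$prefix = 'fd3e:4f5a:5b81:7777::'
$target = ConvertTo-Nat64Address -Nat64Prefix $prefix -IPv4Address '10.0.0.1'
$target
# ssh admin@$target   # IPv6 inside the tunnel; NAT64 on the DA server forwards to 10.0.0.1
```

Two practical caveats. The mapped address only works for destinations the DA server itself can route to, and only while the client is actually connected through the tunnel. More importantly from a security standpoint: keeping a device out of DNS does not hide it from DirectAccess clients, because anyone who knows the IPv4 address can build the NAT64 address exactly as above. If those devices are meant to be unreachable from DA clients, that has to be enforced with IPsec connection security rules, NAT64 configuration or a firewall behind the DA server, not by omission from DNS.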


.Net Framework 4.5.2 on UAG 2010


Hi,

Can anyone help me by suggesting whether we can upgrade from .NET Framework 4.5.1 to .NET Framework 4.5.2 on UAG 2010 servers? If yes, could anyone provide the steps, if possible for 4 servers in an array?

Please advise.


Ankit Singh


AlwaysOn VPN Profile Settings Change Back


I am setting up AlwaysOn VPN on Server 2016.  I can get it to work after I put in my credentials and set everything to run under username and password.  Of course I would like to run under certificates.  Upon new profile setup, I am always asked for credentials before first logon.

I proceed to Change Adapter Settings, Properties and the Security tab.  In the properties of the EAP section, the NPS server is always gone, 'Notification before connecting' is changed back to "Tell user" and 'Use smart card or certificate' is changed back to 'Secured password'.

Anyone have insight as to why settings will not persist?

DirectAccess "An IPsec main mode negotiation failed."


Hello everyone,  I've spent a lot of time trying to get a DirectAccess implementation off the ground, but I've been stuck on a problem with the infrastructure tunnel for a long time now.  From my troubleshooting I have more or less pinpointed where the problem is, I just haven't been able to figure out the solution. I'm pretty sure it's a problem with IPsec and/or my certificate configuration.  Just a quick run-through of my troubleshooting steps:


1) The IP-HTTPS interface is established when running netsh interface httpstunnel show interfaces

2) netsh namespace show effectivepolicy shows the correct configuration for intranet DNS and NLS, although IPsec appears as "disabled".

3) The IPv6 address of the DNS server from the aforementioned command replies to ping.

4) DNS resolutions sent to the aforementioned IPv6 address time out.

5) wf.msc > "Monitoring" > "Connection Security Rules" shows DirectAccess rules applied; however, the DirectAccess Policy-ClientToDnsDc rule that I have heard about is missing?

6) wf.msc > "Monitoring" > "Security Associations" > "Main Mode" is completely blank.

7) Event Viewer has a bunch of logs titled "An IPsec main mode negotiation failed."

From what I've read, IPsec failures for DirectAccess are usually caused by certificate configuration.  I'm not sure how to troubleshoot this as my SSTP VPN connection hosted on another server works fine... this includes publishing of the CRL to an Internet-accessible location.  I have been getting mixed messages from the Internet on which certificate templates should be used for DirectAccess ... but right now I have separate templates for DirectAccess Client and DirectAccess Server.  Both include the intended purposes "Server Authentication", "Client Authentication" and "IP security IKE intermediate".

Any thoughts?  I appreciate any information, or further troubleshooting steps you guys can provide!
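Added example, not part of the original post: the seven checks above can be collected in one pass from the client with the NetworkTransition, DnsClient, NetSecurity and PKI cmdlets instead of netsh and wf.msc, which makes it easier to compare a failing client with a working one. The extra section on machine certificates covers the point that matters for main mode: the client needs a certificate with the Client Authentication EKU whose chain, revocation check included, validates from a client that has no tunnel yet, so the CRL distribution point has to be reachable from the Internet. Run it elevated; it changes nothing. Property names are those of the Windows 8.1/10 modules; on an older client some columns may come back empty.

```powershell
# Added example, not from the original post: collect the infrastructure-tunnel
# checks from a DirectAccess client in one pass. Read-only; run elevated.

function Get-DAInfraTunnelDiagnostics {
    $r = [ordered]@{}

    # (1) IP-HTTPS interface, same data as "netsh interface httpstunnel show interfaces"
    $r.IpHttps = Get-NetIPHTTPSState -ErrorAction SilentlyContinue |
        Select-Object InterfaceStatus, LastErrorCode

    # (2) Effective NRPT: the DirectAccess rule should list the intranet DNS servers as IPv6
    $r.Nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled,
                      DirectAccessIPsecCARestriction

    # (5) Connection security rules delivered by the DA GPO, as the firewall applies them
    $r.ConSecRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like 'DirectAccess*' |
        Select-Object DisplayName, Enabled, Phase1AuthSet

    # (6) Main mode SAs: stays 0 while every negotiation fails
    $r.MainModeSACount = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    # (7) Security audit events 4652/4653 carry the "main mode negotiation failed" title
    $r.MainModeEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4652, 4653; StartTime = (Get-Date).AddDays(-1)
        } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id

    # Machine certificates the client could offer for IPsec. Verify() builds the
    # chain with revocation checking, so a CRL that is only reachable on the
    # intranet shows up here as ChainValid = False.
    $r.MachineCerts = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            HasClientAuth      = $ekus -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication
            HasIkeIntermediate = $ekus -contains '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
            HasPrivateKey      = $cert.HasPrivateKey
            ChainValid         = $cert.Verify()
            NotAfter           = $cert.NotAfter
        }
    }
    return [pscustomobject]$r
}

Get-DAInfraTunnelDiagnostics | Format-List
```

Reading the output: an NRPT entry with DirectAccessDnsServers populated but a zero main mode SA count and 4653 audits points at authentication rather than transport, which matches steps 3 and 4 above (the DNS server pings because ICMPv6 is exempt from the IPsec rules, while DNS queries need the tunnel). If every machine certificate shows ChainValid = False from outside the network, the CRL is the first thing to fix; if ChainValid is True but HasClientAuth is False, the template is the problem.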



IP-HTTPS adapter not created in DirectAccess server

Brand new 2016 server in a 2008 R2 domain.  I have not installed anything else on this but DirectAccess.  Chose DirectAccess only in setup.  Ports 80, 443 and 62000 are open on the Windows Firewall, and are being port forwarded on the edge device.  IP-HTTPS is not working. The status page says it is taking some time.  Over an hour so far.  Additionally the Dashboard says "Configuration received from the domain controller cannot be applied."  I look in Device Manager, and there is no IP-HTTPS under network adapters, even when showing hidden devices.  There are 2 ISATAP devices, fwiw.

Direct Access Multisite Issues


Okay here is one for you.

We have two Direct Access appliances - both have been configured separately to ensure that they are functioning correctly (network etc.).

I have then removed the configuration for Direct Access and reconfigured, we are operating in multisite.

Clients will connect to the first Site fine DA1 and when I select the second site DA2 the clients will not connect completely.

I can see the client in the remote access connections, but there is no user tunnel or infrastructure tunnel created.

The client has an active IP-HTTPS interface, but no connection to any resources.

The configuration was completed via the Remote Access GUI on the server.

Since then I have reconfirmed that both appliances work by removing the configuration and setting them up one in turn and testing as singular devices.

Da1 - setup and tested on own - worked

Da1 - Configuration removed and gpo updated on all respective machines

Da2 - setup and tested on own worked

da2 - Configuration removed and gpo updated on all respective machines

Then the current configuration is

Da1 Setup first and multisite enabled with da1 as only entry point - working fine

Da2 - configured as second entry point using the wizard - configuration fine - all showing green for both servers, but clients cannot connect to da2; they just show in remote connections with no authentication and an active IP-HTTPS adapter.

Any pointers would be appreciated.

Windows 10 1607 LTSB won't connect via Direct Access


We have a Windows Server 2012 DA server setup which is working fine. We have a few clients which for whatever reason stop connecting via DA, and the only fix seems to be to re-install the OS. I've tried removing/re-joining to the domain, resetting the Winsock ... but nothing seems to work.

If I go into Control Panel there is also no Direct Access icon at all.

The below is from a problematic machine. Any tips on what I can try?

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-DAClientExperienceConfiguration


Description                      : DA Client Settings
CorporateResources               :
IPsecTunnelEndpoints             :
CustomCommands                   :
PreferLocalNamesAllowed          : False
UserInterface                    : False
PassiveMode                      : False
SupportEmail                     :
FriendlyName                     :
ManualEntryPointSelectionAllowed : True
GslbFqdn                         :
ForceTunneling                   : Enabled



PS C:\Windows\system32> Get-DAConnectionStatus


Status    : ConnectedLocally
Substatus : None

PS C:\Windows\system32> Get-DAConnectionStatus


Status    : Error
Substatus : MissingDAClientExperienceConfiguration




PS C:\Windows\system32> Get-DAConnectionStatus


Status    : Error
Substatus : MissingDAClientExperienceConfiguration



PS C:\Windows\system32> netsh dnsclient show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured

PS C:\Windows\system32> netsh int https show int
There are currently no active IP-HTTPS profiles. To view the configured
IP-HTTPS profiles, execute the following Powershell command -
'Get-NetIPHTTPSConfiguration'.

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://RAServer.com:443/IPHTTPS
Last Error Code            : 0x10df
Interface Status           : IPHTTPS interface creation failure

PS C:\Windows\system32> netsh dns show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured


PS C:\Windows\system32> netsh name show effective

DNS Effective Name Resolution Policy Table Settings


Settings for DAserver.com
----------------------------------------------------------------------
DirectAccess (Certification Authority)  :
DirectAccess (IPsec)                    : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings



Manage Out devices not receiving an IPv6 address from ISATAP router


We have a working DirectAccess solution in place with no issues for inbound connections from DA clients. We are wanting to manage these clients from SCCM and so I've looked at setting up manage out for this.

I have configured a group policy linked to a security group for manage out clients where I have enabled an ISATAP router and set this as a DNS entry for the internal IP address of our DA server (we only have one). I have also enabled ISATAP in the same group policy, as suggested in the various walkthroughs of this set up.

I have checked clients and the ISATAP interface is enabled via group policy, but they are not receiving an IPv6 address on their tunnel adapter from the ISATAP router. They only have an IPv6 link-local address defined.

Can anyone point me into the direction of why this would be the case?
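Added example, not part of the original post: the checks a practitioner would run before touching the GPO again. A client that only holds fe80::5efe:&lt;ipv4&gt; on its ISATAP interface has either failed to resolve the router name or has resolved it but received no router advertisement. The first case is common because Windows DNS servers ship with a global query block list that silently refuses queries for "isatap" and "wpad" even when the host record exists. The router name and DNS server name below are placeholders, and the server-side check needs the DnsServer RSAT module.

```powershell
# Added example, not from the original post: client-side and DNS-side checks for an
# ISATAP host that holds only a link-local address. Names are placeholders.

function Test-IsatapManageOut {
    param(
        [string]$RouterName = 'isatap.corp.example',   # placeholder, as set in the GPO
        [string]$DnsServer  = 'dc01.corp.example'       # placeholder
    )
    $r = [ordered]@{}

    # What the client thinks its router is, and whether it has resolved it
    $r.ClientConfig = Get-NetIsatapConfiguration |
        Select-Object State, Router, ResolutionState, ResolutionIntervalSeconds

    # Can the router name be resolved at all? The DNS global query block list
    # refuses 'isatap' and 'wpad' by default, record or no record.
    try {
        $r.RouterResolves = @(Resolve-DnsName -Name $RouterName -Type A -ErrorAction Stop).Count -gt 0
    } catch {
        $r.RouterResolves = $false
    }

    # A working client has a global address <prefix>:0:5efe:<ipv4> on the ISATAP
    # interface, not only fe80::5efe:<ipv4>; PrefixOrigin shows where it came from.
    $r.IsatapAddresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object InterfaceAlias -like '*isatap*' |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin

    # Server side, when the DnsServer module is available: is 'isatap' on the block list?
    if (Get-Command Get-DnsServerGlobalQueryBlockList -ErrorAction SilentlyContinue) {
        $block = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
        $r.IsatapBlockedOnDns = [bool]$block.Enable -and ($block.List -contains 'isatap')
    }
    return [pscustomobject]$r
}

Test-IsatapManageOut | Format-List
```

If IsatapBlockedOnDns comes back True, remove "isatap" from the list on every DNS server (Set-DnsServerGlobalQueryBlockList -List wpad leaves only wpad blocked) and let the clients re-resolve. If the name resolves but no global address appears, look at the router side: the ISATAP interface on the DA server has to have Forwarding and Advertising enabled (Get-NetIPInterface on that interface) and a published route for the ISATAP prefix, otherwise clients get no router advertisement and never leave link-local.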


What is the difference in DirectAccess (Connectivity/Settings/Architecture) in Windows 7 Vs Windows 10



How does Direct Access differ in terms of architecture/settings/connectivity etc. between Windows 7 and Windows 10 clients?

We are having issues with applications connecting to the License Servers hosted internally over DirectAccess in Windows 10.

With Windows 7 clients, the applications connect to the License Servers without any issues over the same DirectAccess environment. When the same application is installed on a Windows 10 client and connects over DirectAccess, it reports that the License Server is not found.

Is there any difference in the way Windows 7 and Windows 10 clients handle IPv4 and IPv6 addressing etc.?

I have added some environment variables like FNP_IP_ENV and FNP_IP_PRIORITY etc on the Windows 10 client machines, however, still it is not working...I can ping the license server and it resolves to the IPv6 address.

Thank you

RK



Replacing existing IP-HTTPS DirectAccess server/client certificates with new PKI?


Hello,

We have deployed a Server 2012 R2 DirectAccess infrastructure, single server and we only use IPHTTPS. Our clients are a mix of Windows 7 and Windows 10.

  • Our DA server uses a public certificate on the IP-HTTPS tunnel
  • We've deployed a new PKI to replace our existing one. 
  • I need to migrate our DA implementation (server/clients) to use certificates from the new PKI.

What would this process be?

I think I need to push computer certificates from the new PKI to all of our domain joined laptops that are enabled for DA before I change the certificates on the DA server itself otherwise how else can clients connect back?

  1. Are there any issues that could happen if a client computer has two certificates, one from old PKI and one from new? Will this break existing DA connectivity or will DA know which certificate to use?
  2. When I change the certificate on the DA server, to the new one from our new PKI, it will probably need to apply these updates to the GPOs; now will the DA clients need the updated GPO settings along with the updated certificates to work?

How can I do this with minimal downtime to our DA clients? I don't want to break DA connectivity for our mobile users on laptops, but I need to replace our existing PKI and get the DA infrastructure to use the new PKI.

Anyone done this before?
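Added example, not part of the original post: before the server's trusted root is changed, confirm on every client that a certificate from the new PKI is present, has a private key and the Client Authentication EKU, and validates with revocation checking from outside the network. The script reports, per IPsec-capable machine certificate, which root it chains to, so the pre-switch inventory is a one-liner per client. The two thumbprints are placeholders for the old and new root CA certificates.

```powershell
# Added example, not from the original post: on a DirectAccess client, show which PKI
# each IPsec-capable machine certificate chains to and whether the chain validates
# (revocation included). The two thumbprints are placeholders.

function Get-DAClientCertByRoot {
    param(
        [Parameter(Mandatory)][string]$OldRootThumbprint,   # placeholder
        [Parameter(Mandatory)][string]$NewRootThumbprint    # placeholder
    )
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.2')
    } | ForEach-Object {
        $cert  = $_
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        # Last element is the root when the chain built; otherwise the highest cert found.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $pki = if ($top.Thumbprint -eq $OldRootThumbprint) { 'old' }
               elseif ($top.Thumbprint -eq $NewRootThumbprint) { 'new' }
               else { 'other' }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            ChainValid     = $chainOk
            RootThumbprint = $top.Thumbprint
            Pki            = $pki
            Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        $chain.Reset()
    }
}

# Usage with placeholder thumbprints (40 hex characters each)
Get-DAClientCertByRoot -OldRootThumbprint ('A' * 40) -NewRootThumbprint ('B' * 40) |
    Format-Table -AutoSize
```

On the two questions in the post, the thing to verify rather than assume: the client's DirectAccess connection security rules carry a phase 1 authentication set that names one trusted root (Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore on a pilot client shows it), and the client selects a machine certificate chaining to that root. Holding certificates from both PKIs therefore does not break the existing tunnel. Once the root is changed on the server, clients that have not yet applied the regenerated GPO still offer the old certificate and will be rejected, so the rollout order is: new certificates on all clients, then the server change, then a GPO refresh while clients are on the intranet or within whatever window the old tunnel remains usable. Confirm the sequence on a single pilot client before moving the rest.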


Direct Access OTP ISAPI Extension Issue - DAOTPAuth.dll

Hello,

We've recently deployed two DirectAccess setups (each setup contains two nodes with ELB) with OTP running on 2012 R2. Everything is working fine, except that we have started getting errors from the DA OTP Monitor on one of the DA nodes in each setup.

Error Text (image will be added once my account is verified):

1. Check for relevant errors in the Windows Event Viewer.

2. Ensure that OTP is configured correctly in the Remote Access Management console.

3. Apply DirectAccess policy with OTP disabled and then enable OTP again.

4. Verify that OTP settings have been activated on the Remote Access server.

5. Ensure that IIS is installed and running.

6. In a browser, type https://localhost/DaOtpApp/DaOtpAuth.dll to verify that the ISAPI extension application page opens correctly.

1. OTP is configured incorrectly on the Remote Access server.

2. IIS is not running on the Remote Access server.

3. ISAPI is not installed on the Remote Access server.

4. ISAPI extension is not configured correctly

Despite this OTP Monitor error, OTP is working fine. We see successful events on DA Server (Event 10041 - DirectAccess OTP Authentication)  and DA Client (Event - OTPCredentialProvider).

 

DAOTPAuth.dll is accessible from DA Server and DA Client (after OTP validation). 

Internet Explorer, https://localhost/DaOtpAuth.dll: DirectAccess OTP ISAPI extension is running. Local time on server: 16:14:22.500

(Image will be added once my account is verified)


Time is Sync'd.

DA Servers are patched and up to date.

RAMgmtSvc.exe - 6.3.9600.17725

RAMgmtSvc.dll - 6.3.9600.16523

RAmgmtapi.dll - 6.3.9600.16384



I've also tried BMR Restore after formatting disks but still, OTP monitor issue persists.

Is this a known Issue? Any suggestions how to fix this?

Regards

Harmandeep Saggu

Remote Access Manager crashes when I click Reporting


Hello good people,

I have been using reporting for Direct Access for a while without problems.
Now, when I click Reporting it throws an exception:

Problem Event Name:    CLR20r3
  Problem Signature 01:    RAMgmtUI.exe
  Problem Signature 02:    6.3.9600.17725
  Problem Signature 03:    54ff8267
  Problem Signature 04:    mscorlib
  Problem Signature 05:    4.0.30319.34209
  Problem Signature 06:    53489fcf
  Problem Signature 07:    459
  Problem Signature 08:    2e
  Problem Signature 09:    System.ArgumentOutOfRange
  OS Version:    6.3.9600.2.0.0.400.8
  Locale ID:    1044
  Additional Information 1:    a703
  Additional Information 2:    a703861e34b58524d2be268a0be15e60
  Additional Information 3:    dac2
  Additional Information 4:    dac2b69a4b166e2929a07381a6a9f7ed

There's also a  Application error event ID 1000 (faulting module KERNELBASE.DLL) followed by a .NET Runtime error event ID 1026

I did some research and found out that this might be caused by a corrupt or damaged .NET installation.

I ran the .NET installation verification tool without any problems so .NET seems to be ok.
Any clues to solve this annoying problem would be greatly appreciated.

60 second *Connecting* times on DirectAccess, versus 30 seconds on UAG


Hi folks

Weird one here.

1.    I have around 600 Windows 7 users connecting through one Windows 2008 UAG box; Teredo OR IP-HTTPS is *connected* within 25-30 seconds of an Internet connection being available.

2.   Conversely, I have 50 or so Windows 10 users connecting through *up to 4* Windows 2016 DA servers, ONLY using IP-HTTPS (Teredo disabled), and it takes at least 55-60 seconds of an Internet connection being available before they are *Connected*.

3.   Finally. If I point the Windows 10 clients at the old UAG setup, and if I DISABLE Teredo on these Win10 clients (so that they just use IP-HTTPS), they actually connect within 25-30 seconds.

It's pointing to behaviour of the new Direct Access setup, but to the best of my knowledge it's been configured to best practices.

On the Windows 10 laptops the 6to4 tunnel is already disabled via GPO, Teredo is inactive (I also disabled it on my laptop, it still took 60 seconds).

It's now becoming very noticeable as more and more people get moved onto Windows 10. AlwaysOn VPN is on the horizon but it'll be months and months yet.

Has anyone experienced this sort of behaviour and been able to improve that 60 seconds until *connected*?

DMZ DirectAccess Servers - Services monitor has gone from UNHEALTHY state to HEALTHY


Hi,

 We have 2 DA appliances in our DMZ. They're physical Celestix Edge appliances running Windows 2012 R2. Both servers intermittently display errors about the DC monitor. This has been going on for months. DA is working fine though. 

Both servers resolve the domain FQDN OK, in addition, both servers can browse to sysvol and netlogon shares on all DCs. Nltest /dsgetdc:domainname from DA servers works correctly. DCdiag shows AD as healthy.

There's one thing which comes to mind that may or may not be related:

1. We haven't listed all our IP subnets into the IP sites and services. We only have a single site, so I'm not sure this is needed.

Error:

IP sites and services (only the DA server subnet listed, lots of subnets not entered)


Window Server 2016 Direct Access without Internal IP


My boss wants me to configure Direct Access on our cloud-based dedicated server, which doesn't have an internal IP, just 1 NIC with an external IP on it. I can only connect clients through VPN, and I got as far as having VPN and Direct Access both connected, but when I disconnect the VPN I also lose the connection to Direct Access, and when I try to explore the configuration the status gets worse.

Which leads me to my question: can I really use Direct Access without any internal IP?

  

Direct Access is connecting when connected to VPN


Hi team,

While connecting to VPN in our environment, Microsoft Direct Access also gets established on the user machine.

May I know why Windows behaves like this? Is there any change needed in the registry?

UAG with Windows 10 (And IE 11)


It does not seem to work as it should in IE 11.

I do not get prompted for a plugin install.

Changing the user agent settings a bit I was able to get the plugin installed, but this changed nothing. The plugin still does not appear to work properly.

Any advice on how to get this working?

IPSec: not working properly after DirectAccess configuration wizard


Hi;

I've set up a test lab; at the end of the configuration wizard there is an error on the IPsec operation status.

The certificate is well configured, but the client is not able to receive the NRPT.

Does someone know what the issue could be?

Thanks in advance


DirectAccess Deprecation


According to numerous articles online Microsoft is gradually trying to convince customers to transition from DirectAccess to Always On VPN. For example:

https://directaccess.richardhicks.com/directaccess-end-of-life-eol/

Always On VPN seems more complicated to set up and doesn't have the management capabilities of DirectAccess - it has to be managed using scripts, Intune or SCCM. Does anyone have an idea of the Microsoft plans to support DirectAccess in the future and why it will eventually be deprecated? 
