
Windows 7 Clients Fail to Establish User Tunnel to DirectAccess 2012 R2 Server

I have a load-balanced pair of DA 2012 R2 servers... the Operations Status of both servers is all good.

Configured as an edge topology with 2 NICs and 2 consecutive public-facing IPs for Teredo on the external NIC.

'Enable Windows 7 client computers to connect via DirectAccess' IS ticked and force tunneling is NOT enabled. 

A Windows 7 client establishes an infrastructure tunnel with the DA 2012 R2 server(s) and I can see it listed under Remote Client Status (sometimes connected as IPHTTPS and other times Teredo) but no user tunnel is ever established.

When running the DA Client Troubleshooting tool...

Interface Tests (pass), Network Location Tests (pass), IP Connectivity Tests (warning - no response received from xxx.yyy.gov.uk), Windows Firewall Tests (pass), Certificate Tests (pass), Infrastructure Tunnel Tests (fail - failed to connect to domain sysvol share \\xxx.yyy.gov.uk\sysvol\xxx.yyy.gov.uk\Policies), User Tunnel Tests (fail - failed to connect to HTTP probe at http://directaccess-WebProbeHost.xxx.yyy.gov.uk)

When the infrastructure tunnel is established, if I ping an internal (IPv4) resource, the host name is resolved to an IPv6 address (so it appears that DNS64 is working OK) but the pings always time out.

'netsh adv mon show mmsa' shows 2 security associations. Both Auth1: ComputerCert, Auth2: UserNTLM

I am assuming these are for the infrastructure tunnel and I should also be seeing an SA for Auth1: ComputerCert, Auth2: UserKerb for the Kerberos authenticated user tunnel. However nothing I can see gives any clues as to why this has failed to establish. 

Anyone know what is going on here and why the user tunnel would fail to establish? I am not seeing anything particularly useful in the Troubleshooting Tool trace log, or from the Advanced Diagnostics created by the DA Connectivity Assistant.

Or just any suggestions what I could try next.

Is it likely to be a certificate issue? Seems unlikely to me when the infrastructure tunnels are establishing ok.






