Hello,
I have configured Server 2012 as a DirectAccess + Remote Management (no VPN) gateway using a single NIC (assined 10.10.4.181/24). The Server is running on a 2008R2 Hyper-V host using a single VNIC.
Clients can connect and access the company network as expected without issues. Windows Firewall blockes internal hosts (not always the same hosts, not all at the same time) intermittently. For example our monitoring service reported the host as:
2013-03-15 16:01 - UP
2013-03-15 16:28 - DOWN
2013-03-15 17:13 - UP
2013-03-15 17:48 - DOWN
2013-03-15 18:28 - UP
2013-03-15 19:03 - DOWN
No Windows Firewall related GPOs except the DirectAccess Server GPO are applied to this host. Event log reports the dropped Packets as:
The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: Inbound Source Address: 10.10.3.41 Source Port: 0 Destination Address: 10.10.4.181 Destination Port: 0 Protocol: 0 Filter Information: Filter Run-Time ID: 73370 Layer Name: IP Packet Layer Run-Time ID: 0
wpfdiag.xml contains this:
<filters numItems="1"><item><filterKey>{0dd2351d-f3ae-4014-8387-e9f5553eaffd}</filterKey><displayData><name>Windows NAT IP layer filter</name><description>Filters IP packets that require translation in the external to internal direction</description></displayData><flags/><providerKey/><providerData/><layerKey>FWPM_LAYER_INBOUND_IPPACKET_V4</layerKey><subLayerKey>{c217705d-2fe6-462f-8b3f-ecfb4771b8bb}</subLayerKey><weight><type>FWP_EMPTY</type></weight><filterCondition/><action><type>FWP_ACTION_CALLOUT_TERMINATING</type><calloutKey>{54da5466-5271-4ec1-8c5e-996fe8481ff2}</calloutKey></action><rawContext>0</rawContext><reserved/><filterId>73370</filterId><effectiveWeight><type>FWP_UINT64</type><uint64>0</uint64></effectiveWeight></item></filters>and the related drop event (10.10.3.41 is our linux based monitoring host, different subnet):
<netEvent><header><timeStamp>2013-03-16T06:59:28.382Z</timeStamp><flags numItems="4"><item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item><item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item><item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item><item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item></flags><ipVersion>FWP_IP_VERSION_V4</ipVersion><ipProtocol>0</ipProtocol><localAddrV4>10.10.4.181</localAddrV4><remoteAddrV4>10.10.3.41</remoteAddrV4><localPort>0</localPort><remotePort>0</remotePort><scopeId>0</scopeId><appId/><userId/><addressFamily>FWP_AF_INET</addressFamily><packageSid/></header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>73370</filterId><layerId>0</layerId><reauthReason>0</reauthReason><originalProfile>0</originalProfile><currentProfile>0</currentProfile><msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection><isLoopback>false</isLoopback><vSwitchId/><vSwitchSourcePort>0</vSwitchSourcePort><vSwitchDestinationPort>0</vSwitchDestinationPort></classifyDrop></netEvent>
another one (windows 8 worktstation, also different subnet):
<netEvent><header><timeStamp>2013-03-16T06:59:28.351Z</timeStamp><flags numItems="4"><item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item><item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item><item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item><item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item></flags><ipVersion>FWP_IP_VERSION_V4</ipVersion><ipProtocol>0</ipProtocol><localAddrV4>10.10.4.181</localAddrV4><remoteAddrV4>10.10.10.171</remoteAddrV4><localPort>0</localPort><remotePort>0</remotePort><scopeId>0</scopeId><appId/><userId/><addressFamily>FWP_AF_INET</addressFamily><packageSid/></header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>73370</filterId><layerId>0</layerId><reauthReason>0</reauthReason><originalProfile>0</originalProfile><currentProfile>0</currentProfile><msFwpDirection>MS_FWP_DIRECTION_IN</msFwpDirection><isLoopback>false</isLoopback><vSwitchId/><vSwitchSourcePort>0</vSwitchSourcePort><vSwitchDestinationPort>0</vSwitchDestinationPort></classifyDrop></netEvent>
Any help is appreciated!
Regards,
Mathias