Channel: Forefront Edge Security – DirectAccess, UAG and IAG forum

Configuration of Direct Access 2012


Good morning.

I have tried to set up DirectAccess, which from what I see is pretty much a 30-40 minute job, but it has turned out to be something of a pain. I followed the YouTube video for Windows Server 2012 with basic PKI configuration and Windows 7 clients, and I have set up a working DA server with no issues and all green ticks.

Here's a run down.

  • I have a DC (2012) with the CA already installed.
  • I have a virtual DA (2012) set up with the advanced settings.
  • I have a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.

The setup went as planned and I followed the instructions to set up the PKI, and all computers have picked up a computer certificate from the CA so that the internal root is validated.

The certificates that I chose for the DA server were as follows:

DirectAccess-NLS.mydomain.local

remote.my-external-domain-name.co.uk

both issued from my internal CA so that the root of the certificates was valid.

I have a third-party wildcard cert ( *.my-external-domain-name.co.uk ) on TMG to allow other connections such as VPN and web access.

DA Config:

Step 1: Remote Clients

I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant the resource was filled in with the http://directaccess-WebProbeHost URL.

Step 2: Remote Access Server

The Network Topology was set to Behind an edge device (with single network adapter), and then it says to type in the 'PUBLIC NAME' used by clients to connect to the Remote Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.

Network Adapters had the one Ethernet adapter and an IPv6 address. The 'Select certificate used to authenticate IP-HTTPS connections' has CN=remote.my-external-domain-name.co.uk.

Authentication is set to AD and I used the root certificate of the CA for 'Use computer certificates'. I also enabled Windows 7 client computers to connect via DirectAccess.

Step 3: Infrastructure Servers

Network Location Server had 'The NLS is deployed on this server' with the DirectAccess-NLS cert.

DNS had the internal domain and the DirectAccess-NLS. The internal domain was pointing to the IPv4 address of the DA. I read that I need to put an entry for the external name suffix remote.my-external-domain-name.co.uk in, and pointed that to the internal DA IPv4 address also.

DNS Suffix List was set automatically and I also added my external domain name just in case.

Management was straightforward and I pointed it to our System Center 2012 R2 server.

Upon clicking Finish and applying the GPO policies everything went according to plan. All green ticks. I did a gpupdate on the client I was testing and the GPO policies came through.

Now the issue I have is that on the internal network I get Last Error 0x80190190, unable to connect to server. I am sure that this should say active as it is inside the network. I get the same error outside. When I check the DA server with netsh int https sh int, it returns the value client authentication = NONE. I set it up to use computer certificates, and even if I uncheck that it does not change.

Is there a straightforward thing I missed, or is it to do with publishing in TMG? Internally the DirectAccess client will not connect, as it will find the NLS in the internal DNS since I have the host record for both the server FQDN and DirectAccess-NLS pointing to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS pointing to the internal IPv4.

I have opened ports 443 and 62000 on the DA for IIS, inbound and outbound.

I have a Windows 8 client but still need to test it, as Windows 8 is supposed to work just like that.

What am I doing wrong here? Any ideas would be much appreciated.
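The checks the poster ran by hand (the IP-HTTPS interface state, the DNS entries for the NLS and public names) can be gathered in one go on the client. The script below is an added example, not part of the post and not Microsoft's or the forum's code. It assumes a Windows 8 client (the NetworkTransition, DnsClient and DirectAccessClientComponents cmdlets are not available on Windows 7), and the three names at the top are the ones the poster gave, used here as assumptions. It only reports; it changes nothing.

```powershell
# Added example: read-only DirectAccess client diagnostics for the setup in the post.
# Assumes Windows 8 / PowerShell 3.0 and that these names match the deployment (assumed from the post).
$PublicName     = 'remote.my-external-domain-name.co.uk'   # IP-HTTPS public name entered in Step 2
$NlsName        = 'DirectAccess-NLS.mydomain.local'        # Network Location Server FQDN from Step 3
$InternalSuffix = '.mydomain.local'                        # internal DNS suffix in the NRPT (assumed)

function ConvertFrom-IPHttpsError {
    # HRESULTs of the form 0x8019xxxx carry an HTTP status in the low 16 bits,
    # so 0x80190190 from 'netsh int https sh int' is HTTP 400 Bad Request.
    param([uint32]$Code)
    $http = $null
    if (($Code -band 0xFFFF0000) -eq 0x80190000) { $http = [int]($Code -band 0xFFFF) }
    [pscustomobject]@{ HResult = ('0x{0:X8}' -f $Code); HttpStatus = $http }
}

function Test-DaNrpt {
    # The NLS name and the IP-HTTPS public name must be NRPT exemptions (rules with no
    # DirectAccess DNS servers); the internal suffix must have DirectAccess DNS servers.
    $nrpt = Get-DnsClientNrptPolicy
    foreach ($name in @($NlsName, $PublicName, $InternalSuffix)) {
        $rule = $nrpt | Where-Object { $_.Namespace -eq $name }
        [pscustomobject]@{
            Namespace      = $name
            RulePresent    = [bool]$rule
            DaDnsServers   = if ($rule) { @($rule.DirectAccessDnsServers) -join ',' } else { '' }
            IsExemption    = [bool]($rule -and -not $rule.DirectAccessDnsServers)
        }
    }
}

function Get-DaIPHttpsDiagnostics {
    # What the client is actually using as the IP-HTTPS URL, and the last error decoded.
    $cfg   = Get-NetIPHttpsConfiguration -PolicyStore ActiveStore | Select-Object -First 1
    $state = Get-NetIPHttpsState | Select-Object -First 1
    [pscustomobject]@{
        ServerURL       = $cfg.ServerURL
        InterfaceStatus = $state.InterfaceStatus
        LastError       = ConvertFrom-IPHttpsError -Code ([uint32]$state.LastErrorCode)
    }
}

function Resolve-DaNames {
    # Where the client currently resolves the NLS and public names to; inside the network
    # the NLS must resolve, and what the public name resolves to shows which path is taken.
    foreach ($name in @($NlsName, $PublicName)) {
        $addrs = try { (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress } catch { @() }
        [pscustomobject]@{ Name = $name; Resolves = [bool]$addrs; Addresses = (@($addrs) -join ',') }
    }
}

function Invoke-DaClientCheck {
    # Overall client view (ConnectedLocally / ConnectedRemotely / Error) plus the detail above.
    $da = Get-DAConnectionStatus
    [pscustomobject]@{
        Status    = $da.Status
        Substatus = $da.Substatus
        Nrpt      = Test-DaNrpt
        IPHttps   = Get-DaIPHttpsDiagnostics
        Dns       = Resolve-DaNames
    }
}

$result = Invoke-DaClientCheck
$result | Format-List
$result.Nrpt | Format-Table -AutoSize
$result.Dns  | Format-Table -AutoSize
```

Run it once on the test client inside the network and once outside. Inside, Status should be ConnectedLocally and the NLS name should resolve without going through the tunnel; outside, the IP-HTTPS ServerURL should be https://<public name>/IPHTTPS and LastError.HttpStatus should be empty. A HttpStatus of 400, which is what 0x80190190 decodes to, means whatever answered on port 443 for that URL (the DA server or a publishing device in front of it) rejected the IP-HTTPS request outright rather than failing to authenticate it.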

