Wednesday, November 16, 2011

My Experience with DirectAccess

Recently I had to troubleshoot DirectAccess for a customer.


This is the summary of what I did:

1- On the public NIC:
- removed the DNS settings from the public NIC

2- On the private NIC:
- changed the binding order of the NICs: LAN must be above Public in the list! (ref #1)
- removed the default gateway from the private NIC

3- Fixed the IPv6 addressing and routing left over from the previous setup with netsh

4- Symantec Antivirus conflicted with Windows Firewall, which DA depends on (the DA IPsec rules are enforced through Windows Firewall, so it must stay enabled); uninstalled Symantec

5- When they set up the CRL (Certificate Revocation List) URL, they had missed a "/" in the URL, which prevented IP-HTTPS from coming up (fixed it on DC04 -> CA)

6- IIS on the DA server shouldn't have a 443 binding (it conflicts with the IP-HTTPS listener); removed it

7- Directory browsing had to be enabled on the DA server's IIS so clients can reach the /CRLD folder remotely over HTTP

8- There is a bug in Windows Server 2008 that prevents the system from accepting a new certificate once you have run the DA setup! (ref #2)

9- Generated proper certificates for the DA server and the clients (see ref #3 on DA certificates)

10- Installed the DirectAccess Connectivity Assistant, which monitors the DA connection and can generate advanced logs
(its configuration is done in the Group Policy editor; the documentation comes with the setup files) (ref #5)


On the client:

1- join the laptop to the domain

2- add the computer account to the da_clients group

3- make sure the laptop's computer certificate is correct

4- install the DirectAccess Connectivity Assistant


More troubleshooting:

There are 3 IPv6 transition methods the client can use to reach the server, tried in this order; you can disable one to force the client onto the next:



1- 6to4: used when the client has a public IPv4 address


netsh interface 6to4>set state state=enabled

netsh interface 6to4>set state state=disabled

netsh interface 6to4> show relay


2- Teredo: used when the client is behind a NAT but can reach the Teredo server on UDP port 3544



To disable/enable Teredo and see whether the client fails over to the IP-HTTPS method:


netsh interface teredo>set state disabled

netsh interface teredo>set state client 1.2.3.4    (1.2.3.4 stands for your Teredo server address)

netsh interface teredo>show state


ping -6 file01


3- IP-HTTPS: used when the client is behind a NAT and the firewall does not allow UDP/3544 out (the slowest method, since IPv6 is tunneled inside HTTPS over TCP/443)


netsh interface httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy) Parameters
---------------------------------------------------
Role : client
URL : https://da-gw.mydomain.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active


On the client:

nslookup -q=aaaa file01.mydomain.com [IPv6 address of the DNS server]

ping -6 file01

To monitor the IPsec tunnels (main-mode SAs show the tunnel was negotiated, quick-mode SAs show traffic is flowing):

netsh advfirewall monitor show mmsa

netsh advfirewall monitor show qmsa
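The checks above, collected into one client-side triage script. This is an added example, not code from the original post: it runs the same netsh commands in order, then adds the two certificate checks behind server-side items 5 and 9 (is the CRL distribution point on the IP-HTTPS server certificate actually fetchable, and does the client's computer certificate chain and pass a revocation check). The hostnames da-gw.mydomain.com and file01.mydomain.com are the post's placeholders; everything else (the DNS64 address, the CRL URL) is read from the client itself. It assumes an elevated PowerShell on the DA client and Windows 8 / Server 2012 or later for Resolve-DnsName and Invoke-WebRequest.

```powershell
# Added example, not from the original post: DirectAccess client triage.
# Assumptions: hostnames below are the post's placeholders; run elevated;
# Resolve-DnsName / Invoke-WebRequest need Windows 8 / Server 2012 or later.
param(
    [string]$DaHost       = 'da-gw.mydomain.com',   # IP-HTTPS endpoint
    [string]$InternalHost = 'file01.mydomain.com',  # a host only reachable over DA
    [switch]$ForceIpHttps                           # turn off 6to4/Teredo to test failover
)

function Show-Section([string]$Title) { Write-Host "`n=== $Title ===" -ForegroundColor Cyan }

if ($ForceIpHttps) {
    # Same effect as the interactive netsh commands above. Restore afterwards with
    # "netsh interface teredo set state default" and "netsh interface 6to4 set state default".
    netsh interface 6to4 set state state=disabled | Out-Null
    netsh interface teredo set state type=disabled | Out-Null
}

# 1. Which transition technology is the client on, and is IP-HTTPS healthy?
Show-Section '6to4 / Teredo / IP-HTTPS state'
netsh interface 6to4 show state
netsh interface teredo show state
$ipHttps = (netsh interface httpstunnel show interfaces) -join "`n"
$ipHttps
if ($ipHttps -match 'Last Error Code\s*:\s*(0x[0-9A-Fa-f]+)' -and $Matches[1] -ne '0x0') {
    Write-Warning "IP-HTTPS reports error $($Matches[1]): check TCP/443 to $DaHost and the server certificate's CRL URL"
}

# 2. Pull the IP-HTTPS server certificate over TLS and fetch every CRL distribution
#    point it advertises (item 5 above: a malformed CDP URL kept IP-HTTPS down).
Show-Section "CRL distribution points on the certificate presented by $DaHost"
try {
    $tcp = New-Object Net.Sockets.TcpClient($DaHost, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
               ({ $true } -as [Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($DaHost)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()
    "Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "{0} -> HTTP {1}, {2} bytes" -f $url, $r.StatusCode, $r.RawContentLength
            } catch { Write-Warning "CRL fetch failed for $url : $($_.Exception.Message)" }
        }
    } else { Write-Warning 'Certificate advertises no CRL distribution point; revocation checking will fail' }
} catch { Write-Warning "TLS handshake with $DaHost failed: $($_.Exception.Message)" }

# 3. Name resolution (DNS64 must hand back an AAAA) and reachability over the tunnel.
Show-Section "AAAA lookup and ping for $InternalHost"
Resolve-DnsName -Name $InternalHost -Type AAAA -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'AAAA' } | Format-Table Name, IPAddress -AutoSize
ping -6 -n 2 $InternalHost

# 4. IPsec SAs: main mode present = tunnel negotiated, quick mode present = traffic flowing.
Show-Section 'IPsec security associations'
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 5. The client's computer certificate must chain to the CA and its CRL must be
#    downloadable; certutil -urlfetch builds the chain and pulls the CRLs for real.
Show-Section 'Client computer certificate chain and revocation check'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
    ForEach-Object {
        "{0}  (expires {1})" -f $_.Subject, $_.NotAfter
        $cerFile = Join-Path $env:TEMP "$($_.Thumbprint).cer"
        [IO.File]::WriteAllBytes($cerFile, $_.RawData)
        certutil -verify -urlfetch $cerFile | Select-String -Pattern 'Revocation|Expired|CERT_E|CRYPT_E|ERROR'
        Remove-Item $cerFile
    }
```

Run it once on a working client to learn what healthy output looks like, then on the broken one; the two places it most often differs are the IP-HTTPS "Last Error Code" and the CRL fetch, which is exactly where the missing "/" in item 5 showed up.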





Ref:

1- blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/

2- support.microsoft.com/kb/973982/en-us

3- blogs.technet.com/b/edgeaccessblog/archive/2009/10/27/deep-dive-into-uag-directaccess-certificates.aspx

4- www.techrepublic.com/blog/10things/10-things-you-should-know-about-directaccess/1371

5- www.microsoft.com/download/en/details.aspx?displaylang=en&id=10322

Tuesday, November 15, 2011

Callback in Android!

Whenever one class might need notifications of changes in another—
especially if the association changes dynamically, at runtime—consider implementing
the relationship as a callback. If the relationship is not dynamic, consider using
dependency injection—a constructor parameter and a final field—to make the required
relationship permanent.

Programming Android, by Zigurd Mednieks (page 137)

Friday, November 11, 2011

IPSET and IPTABLES

I really need to do more study on ipset. This post is just a reminder for myself.

Example #1:

# ipset 4.x syntax (as in the original); on ipset 6.x the equivalents are
# "ipset create myset hash:ip", "ipset add myset 1.1.1.1" and "-m set --match-set myset src"
ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP

Example #2:

# ipset 4.x syntax again; on 6.x use "ipset create routed_nets hash:net" and
# "-m set ! --match-set routed_nets dst". Traffic from 10.0.0.0/24 is NATed
# unless it is headed for one of the routed (internal) networks.
ipset -N routed_nets nethash
ipset -A routed_nets 10.30.30.0/24
ipset -A routed_nets 10.40.40.0/24
ipset -A routed_nets 192.168.4.0/23
ipset -A routed_nets 172.22.0.0/22
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 \
-m set ! --set routed_nets dst -j MASQUERADE
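Example #2 is the pattern that actually gets maintained over time (the list of routed networks changes), so here is how I would script it rather than typing the entries by hand. This is an added example, not from the Linux Journal article: it validates every entry before anything touches the kernel, builds the set from an `ipset restore` script, and replaces the live set with `ipset swap` so the NAT rule only ever sees the complete old set or the complete new set. It uses the ipset 6.x command names (`create`, `add`, `hash:net`, `--match-set`). The set name and the 10.0.0.0/24 source network are from example #2; the sample list, the `_tmp` suffix and the `apply` argument are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): validate, build and atomically
# load an ipset from a plain-text list, then install the NAT rule from example #2.
# Assumptions: ipset 6.x syntax; set name routed_nets; the sample list is constructed.
set -f   # no pathname globbing: we word-split untrusted list lines below

# valid_ipv4_net ENTRY -> 0 if ENTRY is a dotted-quad IPv4 address or a.b.c.d/nn network
valid_ipv4_net() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|*/*/*|/*) return 1 ;;   # empty, junk chars, bad dots, 2 slashes
    esac
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then                       # has a /prefix part
        plen=${1#*/}
        case "$plen" in ''|*[!0-9]*) return 1 ;; esac
        [ "$plen" -le 32 ] || return 1
    fi
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs      # split octets (digits only by now)
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore SETNAME < list -> prints an "ipset restore" script on stdout.
# "#" comments and blank lines are skipped; an invalid entry is reported on
# stderr and the function returns 1 so the caller refuses to load the set.
build_restore() {
    setname=$1; rejected=0
    printf 'create %s hash:net family inet\n' "$setname"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line                                   # word-split; first field is the entry
        [ $# -gt 0 ] || continue
        if valid_ipv4_net "$1"; then
            printf 'add %s %s\n' "$setname" "$1"
        else
            printf 'rejected entry: %s\n' "$1" >&2
            rejected=1
        fi
    done
    return $rejected
}

# load_set SETNAME LISTFILE -> replace the live set with the file's entries in one step
load_set() {
    live=$1; tmp="${1}_tmp"
    script=$(mktemp) || return 1
    if ! build_restore "$tmp" < "$2" > "$script"; then
        echo "refusing to load $live: list contains invalid entries" >&2
        rm -f "$script"; return 1
    fi
    ipset -exist create "$live" hash:net family inet  # make sure the live set exists
    ipset destroy "$tmp" 2>/dev/null || true           # drop a stale temp set from a failed run
    ipset restore < "$script" &&
    ipset swap "$tmp" "$live" &&                       # atomic: the rule sees old or new, never partial
    ipset destroy "$tmp"
    rc=$?
    rm -f "$script"
    return $rc
}

# ensure_rule -> add the example #2 MASQUERADE rule once (-C checks for an existing copy)
ensure_rule() {
    iptables -t nat -C POSTROUTING -s 10.0.0.0/24 -m set ! --match-set routed_nets dst -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -m set ! --match-set routed_nets dst -j MASQUERADE
}

# Constructed sample list (the networks from example #2, one with a comment)
sample_list() {
    printf '%s\n' '10.30.30.0/24' '10.40.40.0/24   # branch office' '192.168.4.0/23' '172.22.0.0/22'
}

if [ "${1:-}" = "apply" ]; then                        # as root: load the set and install the rule
    listfile=$(mktemp) && sample_list > "$listfile" && load_set routed_nets "$listfile" && ensure_rule
    rm -f "$listfile"
else                                                   # dry run: show the restore script
    sample_list | build_restore routed_nets_tmp
fi
```

Run it without arguments to see the restore script it would feed to ipset; run it as root with `apply` to load the set and add the rule. Feeding the list through `build_restore` first is the point: one typo in a hand-typed `ipset add` only skips that entry, but a typo in an automated feed is how a NAT rule quietly stops matching half your networks.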


Ref: Linux Journal (October 2011)

Launch ASDM in Linux

root@ipng:/# cat /bin/asdm
#!/bin/bash
# Launch Cisco ASDM through Java Web Start and discard its output. The redirect
# order matters: ">/dev/null 2>&1" silences both streams, while the common
# "2>&1 >/dev/null" sends stderr to the terminal.
/usr/bin/javaws https://<ASA_IP>/admin/public/asdm.jnlp >/dev/null 2>&1 &

root@ipng:/# chmod u+x /bin/asdm


root@ipng:/# asdm