Recently I had to troubleshoot DirectAccess for a customer.
This is a summary of what I did:
1- On the public NIC:
- removed the DNS settings from the public NIC
2- On the private NIC:
- changed the order of the NICs; LAN should be above Public in the list! (ref #1)
- removed the default gateway from the private NIC
3- Fixed the IPv6 addressing and routing left over from the previous setup, using netsh
4- Symantec Antivirus conflicted with the Windows firewall, which DA needs in order to work (uninstalled it)
5- When they set up the CRL (Certificate Revocation List) URL, they had missed a "/" in the URL, which prevented IP-HTTPS from coming up (fixed it in DC04 -> CA)
6- IIS on the DA server shouldn't have port 443 configured (it conflicts with DA) [REMOVED]
7- Directory browsing needed to be enabled in the DA server's IIS, so clients can see the /CRLD folder remotely over HTTP.
8- There is a bug in Win2008 that prevents the system from accepting a new cert once you have run the DA setup! (ref #2)
9- Generated proper certificates for DA and the clients
10- Installed the DA Connectivity Assistant, which monitors the DA connection and can generate advanced logs.
(Configuration is done in the Group Policy editor; the documentation comes with the setup files) (ref #5)
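Items 5 and 7 above come down to one question: can a client actually fetch the CRL over plain HTTP from the URL written into the certificate? The PowerShell script below is an added example (not code from the original post) that answers it: it reads the CRL Distribution Point URLs out of a certificate, downloads each one the way a client would, checks that the response is a DER-encoded CRL rather than an error page, and also checks whether the folder holding the CRL is browsable. The thumbprint is a placeholder, and the script assumes the certificate is in Cert:\LocalMachine\My on the machine where it runs.

```powershell
# Added example, not from the original post: verify a certificate's CRL
# Distribution Point URLs the way a DirectAccess client will use them.
# Placeholders/assumptions: $Thumbprint is a placeholder; the certificate is
# expected in Cert:\LocalMachine\My on the machine running the script.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$StorePath  = 'Cert:\LocalMachine\My'
)

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true)
    # renders it as text with one "URL=..." entry per distribution point.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    $r = New-Object PSObject -Property @{ Url = $Url; CrlStatus = ''; CrlBytes = 0; FolderListing = '' }

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $r.CrlStatus = 'MALFORMED URL'; return $r
    }
    # Clients fetch the CRL before any tunnel exists, so only plain HTTP matters here.
    if ($uri.Scheme -ne 'http') { $r.CrlStatus = "SKIPPED ($($uri.Scheme))"; return $r }

    $wc = New-Object System.Net.WebClient
    try {
        $bytes = $wc.DownloadData($uri.AbsoluteUri)
        $r.CrlBytes = $bytes.Length
        # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30); an HTML
        # error page returned with status 200 does not.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { $r.CrlStatus = 'OK' }
        else { $r.CrlStatus = 'FETCHED BUT NOT A DER CRL' }
    } catch {
        # A missing "/" in the CDP (wrong host or wrong path) ends up here as a DNS or 404 error.
        $r.CrlStatus = "FETCH FAILED: $($_.Exception.Message)"
    }

    # Item 7 above: the folder holding the CRL (e.g. /CRLD) should be browsable.
    $folder = $uri.AbsoluteUri.Substring(0, $uri.AbsoluteUri.LastIndexOf('/') + 1)
    try {
        $null = $wc.DownloadString($folder)
        $r.FolderListing = 'browsable'
    } catch {
        $r.FolderListing = "not browsable: $($_.Exception.Message)"
    }
    return $r
}

$cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { Write-Error "Certificate $Thumbprint not found in $StorePath"; exit 1 }

$urls = @(Get-CrlUrls -Cert $cert)
if ($urls.Count -eq 0) { Write-Warning 'Certificate has no CRL Distribution Points'; exit 1 }

$urls | ForEach-Object { Test-CrlUrl -Url $_ } | Format-Table Url, CrlStatus, CrlBytes, FolderListing -AutoSize
```

Run it from a machine outside the corporate network (or from the DA client itself before it connects), since that is where the CRL has to be reachable; a "FETCH FAILED" with a DNS error is the signature of a CDP URL whose host name was mangled by a missing slash.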
On the client:
1- join the laptop to domain
2- add the computer name to da_clients group
3- make sure the laptop cert is correct
4- install the DirectAccess Connectivity Assistant
More troubleshooting:
There are 3 methods of communication between clients and the server, and you can disable one to force
the other:
1- 6to4: used if the user has a public IPv4 address
netsh interface 6to4>set state state=enabled
netsh interface 6to4>set state state=disabled
netsh interface 6to4> show relay
2- Teredo: used if the user is behind NAT but has access to UDP port 3544.
Disable/enable Teredo to see if it fails over to the IP-HTTPS method:
netsh interface teredo>set state disabled
netsh interface teredo>set state client 1.2.3.4
netsh interface teredo>show state
ping -6 file01
3- IP-HTTPS: used if the user is behind NAT and no access has been granted in the firewall for UDP/3544 (slowest method)
netsh interface httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
---------------------------------------------------
Role : client
URL : https://da-gw.mydomain.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
On the client:
nslookup -q=aaaa file01.mydomain.com [ipv6 address of DNS]
ping -6 file01
To monitor IPSec tunnels:
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
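The checks above (which transition technology is carrying the tunnel, AAAA resolution of an internal host, ping -6, and the IPsec SA listings) can be gathered in one pass from the client. The PowerShell script below is an added example, not code from the original post: it wraps the same netsh commands and parses their "Key : Value" output (the English-language layout shown above is assumed), classifies the client's IPv6 addresses by the well-known 6to4 (2002::/16) and Teredo (2001:0::/32) prefixes, resolves and pings the internal host over IPv6 with .NET calls, and counts main-mode and quick-mode SAs by assuming each SA record in the netsh output carries a "Remote IP Address" line. file01.mydomain.com is the post's example host.

```powershell
# Added example, not code from the original post: one-shot DirectAccess client
# status report built from the netsh commands discussed above.
# Assumptions: English "Key : Value" netsh output; each SA record printed by
# "netsh advfirewall monitor show mmsa/qmsa" contains a "Remote IP Address" line.
param([string]$InternalHost = 'file01.mydomain.com')

function ConvertFrom-NetshTable {
    # Turns lines such as "Interface Status : IPHTTPS interface active" into a hashtable.
    param([string[]]$Lines)
    $h = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $h[$matches[1]] = $matches[2] }
    }
    return $h
}

function Get-TransitionAddresses {
    # Classify the host's IPv6 addresses by well-known transition prefix:
    # 2002::/16 is 6to4 and 2001:0::/32 is Teredo. IP-HTTPS addresses come from
    # an organisation-specific prefix, so that interface is reported via netsh instead.
    $out = @{ '6to4' = @(); 'Teredo' = @() }
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $ua.Address
            if ($ip.AddressFamily -ne 'InterNetworkV6') { continue }
            $b = $ip.GetAddressBytes()
            if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { $out['6to4'] += $ip.ToString() }
            elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { $out['Teredo'] += $ip.ToString() }
        }
    }
    return $out
}

function Get-DAStatus {
    param([string]$HostName)
    $teredo = ConvertFrom-NetshTable (netsh interface teredo show state)
    $https  = ConvertFrom-NetshTable (netsh interface httpstunnel show interfaces)
    $addrs  = Get-TransitionAddresses

    $report = New-Object PSObject
    $report | Add-Member NoteProperty 'Teredo state'        "$($teredo['State'])"
    $report | Add-Member NoteProperty 'Teredo addresses'    ($addrs['Teredo'] -join ', ')
    $report | Add-Member NoteProperty '6to4 addresses'      ($addrs['6to4'] -join ', ')
    $report | Add-Member NoteProperty 'IP-HTTPS URL'        "$($https['URL'])"
    $report | Add-Member NoteProperty 'IP-HTTPS status'     "$($https['Interface Status'])"
    $report | Add-Member NoteProperty 'IP-HTTPS last error' "$($https['Last Error Code'])"

    # Equivalent of "nslookup -q=aaaa <host>": keep only the IPv6 answers.
    $v6 = @()
    try {
        $v6 = @([System.Net.Dns]::GetHostAddresses($HostName) | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
    } catch { }
    $report | Add-Member NoteProperty 'AAAA answers' (($v6 | ForEach-Object { $_.ToString() }) -join ', ')

    # Equivalent of "ping -6 <host>": ICMPv6 echo to the first AAAA answer, 2 s timeout.
    $pingResult = 'no AAAA record'
    if ($v6.Count -gt 0) {
        try { $pingResult = (New-Object System.Net.NetworkInformation.Ping).Send($v6[0], 2000).Status.ToString() }
        catch { $pingResult = "error: $($_.Exception.Message)" }
    }
    $report | Add-Member NoteProperty 'IPv6 ping' $pingResult

    # IPsec tunnel health: one "Remote IP Address" line per SA (assumed layout).
    $mm = @(netsh advfirewall monitor show mmsa | Select-String 'Remote IP Address').Count
    $qm = @(netsh advfirewall monitor show qmsa | Select-String 'Remote IP Address').Count
    $report | Add-Member NoteProperty 'Main mode SAs'  $mm
    $report | Add-Member NoteProperty 'Quick mode SAs' $qm
    return $report
}

Get-DAStatus -HostName $InternalHost | Format-List
```

Run it from an elevated prompt (the SA listings need it), once with Teredo enabled and once after "netsh interface teredo set state disabled", and compare the two reports: a healthy failover shows the Teredo address disappearing, "IP-HTTPS status" turning to "IPHTTPS interface active" with "Last Error Code" 0x0, and the SA counts coming back up.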
References:
1- blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/
2- support.microsoft.com/kb/973982/en-us
3- blogs.technet.com/b/edgeaccessblog/archive/2009/10/27/deep-dive-into-uag-directaccess-certificates.aspx
4- www.techrepublic.com/blog/10things/10-things-you-should-know-about-directaccess/1371
5- www.microsoft.com/download/en/details.aspx?displaylang=en&id=10322