DirectAccess partially working.
Rebuilt DirectAccess due to NIC failure and have some frustrating points that I can't seem to get past.

Basic scenario is three servers running Server 2008 Enterprise and Windows 7 Ultimate clients. Server 1 is Domain Controller (DC1) with associated services on it. Server 2 is File Server (APP1) with TS sessions for clients to connect to. Server 3 is DirectAccess Server (DA1) with two NICs, one internal (static inside IP) and one external with two consecutive public static IPs assigned. Set up the system some time ago using the TLG Base configuration and TLG Demonstrate DirectAccess guides. System has been working fine since setup.

Due to a possible NIC failure on the intranet side of the DA1 server, the DA configuration went haywire. Repairing the adapter started showing the network as being in a "Work" profile environment. In order to get it back to the "Domain" profile, I had to disjoin the domain, reboot, join the domain again using the same name, reboot and the NIC showed the correct "Domain" profile. Sometimes the repair of the adapter shows the iphttpstunnel in lowercase in the Device Manager with the yellow exclamation icon. Generally I have to disable and uninstall the iphttpstunnel adapters, uninstall the problematic NIC as well, rescan the hardware in order to get the adapter to rebuild properly. Funny thing is that both NICs are on the same motherboard and both are from the same manufacturer (Marvel), yet only one has ever gone south on me. The "Internet" facing NIC has never failed or needed rebuilding. I've regenerated the certificates for the DA IP-HTTPS portion, but not the CA Root since the domain didn't crash.

After re-running the DA setup and verifying that DA monitoring has all the interfaces up (at least the arrow icon is pointing up), off to the client. Using the DA Connectivity Assistant for verification of the service, I have collected this information for anyone who can help.

Part 1: In-house on the LAN, clients all connect fine and the Assistant agrees - of course.

Part 2: Client outside the LAN, on the Internet using a Verizon USB modem, DA Assistant shows connectivity to the DA server and internal resources as expected. Seems to be using the 6TO4 adapter with the 2002: addresses and ISATAP fe80: address. Has a Teredo 2001: address as well but I'm not sure it's using it. IPHTTPS shows disconnected.

Part 3: Same client outside the LAN, on the Internet using either a Droid phone hotspot or connected to remote office LAN (no domain servers in outlying offices), DA Assistant shows failures on connection. Has no 6TO4 address, no ISATAP address, has Teredo 2001: address (still not sure if it's used). IPHTTPS shows disconnected.

Part 4: DA Connectivity working probes on in-house LAN connection

    DirectAccess Connectivity Assistant Logs
    GREEN: Corporate connectivity is working correctly.
    Probes List
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
    PASS - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
    PASS - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
    PASS - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
    PASS - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
    PASS - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
    DTE List
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507

Part 5: DA Connectivity working probes using Verizon USB Modem

    DirectAccess Connectivity Assistant Logs
    GREEN: Corporate connectivity is working correctly.
    Probes List
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
    PASS - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
    PASS - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
    PASS - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
    PASS - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
    PASS - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
    DTE List
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507

Part 6: DA Connectivity working probes using either Droid hotspot or external LAN (or other connections)

    DirectAccess Connectivity Assistant Logs
    RED: Corporate connectivity is not working. Your computer cannot connect to the DirectAccess server. If the problem persists, contact your administrator.
    Probes List
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
    FAIL - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
    PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
    FAIL - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
    FAIL - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
    FAIL - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
    FAIL - The server name resolved successfully, but failed to access PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
    FAIL - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
    DTE List
    FAIL - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507

Part 7: All Machine Location tests determine correct placement of clients either inside or outside the network. Windows Advanced Firewall tests show SAs populated when Verizon USB is used. SAs are missing anytime the connection shows failed. All Teredo Show State show client on the clients and server on the DA server. Interesting note that I can't figure out is httpstunnel show state:

    netsh int httpstunnel show interfaces
    ***************************************************************************
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32\LogSpace\{9D9DBD90-FC71-456C-B222-E8E330F7C51C}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy) Parameters
    ------------------------------------------------------------
    Role : client
    URL : https://scfd4-da1-2k8.scfd4.org:443/IPHTTPS
    Last Error Code : 0x2afc
    Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect

This shows up on the clients when they don't connect. In-house the error code is 0x0, interface status is IPHTTPS interface deactivated. I believe this is my clients' connection problem and why some can connect and some can't. It seems to be related to the client's connection to the Internet and whether certain types of IPv6 traffic are allowed or not. How do I troubleshoot this IPHTTPS problem?
November 16th, 2011 8:29pm
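
Added example, not part of the original post: a Python sketch that parses the `netsh int httpstunnel show interfaces` output and the Part 6 probe list quoted above, decodes the last error code, and counts probe results by target type (host name versus IPv6 literal). It assumes the code is a Winsock error value; the function names and the one-field-per-line layout of the sample input are this example's own.

```python
import re
from collections import Counter

# Winsock resolver error codes (winsock2.h). Assumption of this example:
# the "Last Error Code" shown by netsh is one of these Win32/Winsock values.
WINSOCK = {0: "no error", 11001: "WSAHOST_NOT_FOUND", 11002: "WSATRY_AGAIN",
           11003: "WSANO_RECOVERY", 11004: "WSANO_DATA (valid name, no data of requested type)"}

def parse_iphttps(text):
    """Parse 'netsh int httpstunnel show interfaces' output into a dict."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.+)$", line)
        if m:
            state[m.group(1)] = m.group(2).strip()
    code = int(state.get("Last Error Code", "0x0"), 16)
    state["Last Error Meaning"] = WINSOCK.get(code, "unrecognized code %d" % code)
    return state

def probe_summary(log):
    """Count DCA probe results by (target kind, result); kind is 'name' or 'ipv6'."""
    counts = Counter()
    for line in log.splitlines():
        m = re.match(r"\s*(PASS|FAIL) - .*?(?:PING|FILE): (\S+)", line)
        if m:
            host = m.group(2).lstrip("\\").split("\\")[0]  # UNC path -> server part
            counts[("ipv6" if ":" in host else "name", m.group(1))] += 1
    return counts

# Values from the post, laid out one field per line as netsh prints them.
NETSH = """Role                       : client
URL                        : https://scfd4-da1-2k8.scfd4.org:443/IPHTTPS
Last Error Code            : 0x2afc
Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect"""

# Part 6 probe lines from the post (the failing connection), one per line.
PART6 = r"""PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6503
FAIL - PING: SCFD4-DC1-2K8.DO.SCFD4.ORG
PASS - PING: 2002:42ef:7032:1:0:5efe:c0a8:6505
FAIL - PING: SCFD4-FS1-2K8.DO.SCFD4.ORG
FAIL - FILE: \\2002:42ef:7032:1:0:5efe:c0a8:6505\files\DA_Connection_Text.txt
FAIL - FILE: \\SCFD4-FS1-2K8.DO.SCFD4.ORG\files\DA_Connection_Text.txt
FAIL - The server name resolved successfully, but failed to access PING: 2002:42ef:7032:1:0:5efe:c0a8:6507
FAIL - PING: SCFD4-DA1-2K8.DO.SCFD4.ORG
FAIL - PING: 2002:42ef:7032:1:0:5efe:c0a8:6507"""

if __name__ == "__main__":
    s = parse_iphttps(NETSH)
    print(s["URL"], "->", s["Last Error Code"], "=", s["Last Error Meaning"])
    print(sorted(probe_summary(PART6).items()))
```

Under that assumption 0x2afc is 11004 decimal, a name-resolution error, so a first check from a failing client is whether the host name in the IP-HTTPS URL resolves on that connection.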
