Direct access issue (everything seems to be fine, but no access to corpnet)
Hi all,

I set up a test lab and direct access as it is described in the direct access step by step guide, but it seems that I've been mistaken somewhere or there is a mistake in the guide. Here is the issue. After all the steps from the guide were performed I can't set up the direct access feature properly because I've got an error below:

Googled many times but still can't resolve this problem. Any help is appreciated, thanks in advance!

p.s. Here is the ipconfig /all of the direct access server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : EDGE1
   Primary Dns Suffix . . . . . . . : corp.contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : corp.contoso.com
                                       isp.example.com

Ethernet adapter Internet:

   Connection-specific DNS Suffix . : isp.example.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter #2
   Physical Address. . . . . . . . . : 08-00-27-4C-E8-AD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7045:af4:2e73:58d%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 131.107.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 131.107.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 131.107.0.1
   DHCPv6 IAID . . . . . . . . . . . : 336068647
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-AF-FC-87-08-00-27-23-FA-AC
   DNS Servers . . . . . . . . . . . : 131.107.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Corpnet:

   Connection-specific DNS Suffix . : corp.contoso.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 08-00-27-7E-47-CB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::782a:def6:8e50:fc78%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 235405351
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-AF-FC-87-08-00-27-23-FA-AC
   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.isp.example.com:

   Connection-specific DNS Suffix . : isp.example.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::200:5efe:131.107.0.2%12(Preferred)
   Link-local IPv6 Address . . . . . : fe80::200:5efe:131.107.0.3%12(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 131.107.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8000:f227:7c94:fffd%13(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.corp.contoso.com:

   Connection-specific DNS Suffix . : corp.contoso.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:836b:2:1:0:5efe:10.0.0.2(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.2%14(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

   Connection-specific DNS Suffix . : isp.example.com
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:836b:2::836b:2(Preferred)
   IPv6 Address. . . . . . . . . . . : 2002:836b:3::836b:3(Preferred)
   Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
   DNS Servers . . . . . . . . . . . : 131.107.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : IPHTTPSInterface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:836b:2:2:60ad:f7b5:436c:b915(Preferred)
   Link-local IPv6 Address . . . . . : fe80::60ad:f7b5:436c:b915%17(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled
January 29th, 2012 2:55pm

Hi,

Thanks for posting here.

So have we tried to run the command in the prompt message in order to ensure IP-HTTP on the DA server was up, and what was the result? It seems we are also having a high memory usage issue on the DA server and that will probably affect the networking functionality; have we also verified that? What about the current memory usage status on the server?

I can't see any obvious misconfiguration from the current outputs. We usually build a demonstration environment for testing the direct access feature by following the guide below, and we also have a corresponding troubleshooting guide for it:

Test Lab Guide: Demonstrate DirectAccess
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24144

Test Lab Guide: Troubleshoot DirectAccess
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=22210

For more information please refer to the links below:

IPv6 and DirectAccess Troubleshooting Cheat Sheets
http://blogs.technet.com/b/tomshinder/archive/2011/04/19/ipv6-and-directaccess-troubleshooting-cheat-sheets.aspx

Troubleshooting DirectAccess Problems
http://technet.microsoft.com/en-us/library/ee844139(WS.10).aspx

DirectAccess
http://technet.microsoft.com/en-us/network/dd420463.aspx

Thanks.

Tiger Li
TechNet Community Support
January 31st, 2012 1:17am

Hi, Tiger Li,

Thanks for your reply! The thing I'm concerned about most of all is that this issue isn't in the resources shortage. Moreover, the command:

netsh interface httpstunnel show interfaces

performed on the DA server (EDGE1) shows us the following:

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role : server
URL : https://edge1.contoso.com:443/IPHTTPS
Client authentication mode : certificates
Last Error Code : 0x0
Interface Status : IPHTTPS interface active

So as I understand, the IPHTTPS interface is up and active, but I still get an error that no IPHTTPS interface is available. Actually I haven't any ideas of what can be wrong.
January 31st, 2012 12:42pm

Hi,

Thanks for the update.

Could you please try to uninstall the iphttps interface from device management on host EDGE1 and reconfigure it to see how it goes? Please start the console by following the workaround in the article below if we can't see it from the console when starting it in the normal way:

Device Management
http://technet.microsoft.com/en-us/library/cc958122.aspx

Thanks.

Tiger Li
TechNet Community Support
January 31st, 2012 11:22pm

Sorry for such a delayed answer, had no chance to try the solution you offered. Unfortunately it didn't help. After reconfiguring, the problem in direct access remained. Tomorrow I'll try to go through all of the troubleshooting guide and will provide the difference between my output and the output from the troubleshooting guide. Hope it will help us to identify the problem. Tiger Li, thanks for your input!

=======================
Update: It seems that I've understood the problem I have. Actually I have everything configured like in the direct access lab guide, but the internet subnet. The problem is that the INET1 machine is configured as an RRAS server and it provides internet on the EDGE1 machine and on the NAT1 machine, so they have the inet1 ip address as the default gateway address, but they shouldn't have a default gateway at all (according to the test lab guide). I think that's the problem which prevents my CLIENT1 lab from accessing the intranet using direct access. I'm not sure if it is what causes the IPHTTPS interface issue, but I suppose so.

Here is the question. Is it possible to set up somehow a direct access using NOT public ip addresses? (I mean addresses given by NAT, or other non-public addresses which provide an internet connection.) If the difference between my lab and the test lab described in the lab guide doesn't matter, then I give up. Seems something is wrong in my lab or in the guide in general.

=======================
Update: Mystery... At the third time the reinstallation of the iphttps interface resolved the problem, but that didn't make direct access work. Because of some reason I can not get access to the APP1's default Web page or the folder with shared files. Any ideas? Tiger Li, thanks one more time for your help, I appreciate it!

========================
Update: When I run netsh interface httpstunnel show interfaces, I get the following output:

Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://edge1.contoso.com:443/IPHTTPS
Last Error Code : 0x103
Interface Status : no usable certificate(s) found

Also I have no item in firewall security associations when the client is connected to the internet:

Can it prevent me from using the Direct access feature? Thanks.
February 4th, 2012 11:03am

Update: I found out that there are some problems with certificates on DC1:

So I can't access http://crl.contoso.com/crld/, I think this causes an authentication error and all the problems described above. So can you give me some pieces of advice on how I can troubleshoot this problem or how I can fix it? Thx in advance!
February 8th, 2012 3:55am

If somebody is still interested in it... I found the root cause which prevented me from accessing crl.contoso.com. To fix this issue it is needed to add crl.contoso.com 10.0.0.2 into the hosts file in the corpnet and crl.contoso.com 131.107.0.2 into the hosts file on the internet. So this will allow you to access crl.contoso.com and resolve the certificate issue connected with that. But after I solved it there is still no access to the corpnet from the internet. Still hope to get some piece of advice. Thanks in advance!

p.s. There are still no security association entries in the client's firewall menu (as shown in the picture above). I think this can prevent from using direct access. Any help is appreciated!
February 12th, 2012 7:12am
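
One way to check, from a lab machine, the two symptoms reported in the posts above: whether crl.contoso.com resolves and answers over HTTP, and what state the IP-HTTPS interface reports. This is an added example, not part of any post; the function names Test-CrlEndpoint and Get-IpHttpsState are hypothetical, and the host name, URL and addresses are the lab values quoted in the thread.

```powershell
# Added example, not from the thread. Host name, URL and addresses are the
# lab values quoted in the posts above; adjust them for another environment.
function Test-CrlEndpoint {
    param([string]$HostName, [string]$ExpectedAddress, [string]$Url)
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Resolved = @(); AddressMatches = $false
        HttpStatus = $null; Error = $null
    }
    try {
        # Uses the normal Windows resolver, so hosts-file entries are honoured.
        $r.Resolved = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
        $r.AddressMatches = $r.Resolved -contains $ExpectedAddress
    } catch {
        $r.Error = "Name resolution failed: $($_.Exception.Message)"
        return $r
    }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $r.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {
            # The server answered (for example 403 or 404), so it is reachable.
            $r.HttpStatus = [int]$ex.Response.StatusCode
        } else {
            $r.Error = "HTTP request failed: $($_.Exception.Message)"
        }
    }
    return $r
}

function Get-IpHttpsState {
    # Parses 'netsh interface httpstunnel show interfaces' output into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Role|URL|Last Error Code|Interface Status)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Run on the DirectAccess client while it is on the Internet subnet.
Test-CrlEndpoint -HostName 'crl.contoso.com' -ExpectedAddress '131.107.0.2' `
    -Url 'http://crl.contoso.com/crld/'
$s = Get-IpHttpsState -Lines (netsh interface httpstunnel show interfaces)
if ($s['Last Error Code'] -ne '0x0') {
    Write-Warning "IP-HTTPS: $($s['Interface Status']) ($($s['Last Error Code']))"
}
```

A result with AddressMatches false or a non-empty Error points back at name resolution for crl.contoso.com, which is what the hosts-file entries in the post above changed; on the corpnet side the expected address is 10.0.0.2.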

mr.nothing,

May I ask you how you handled the issue that is presented in the DirectAccess Step-by-Step Guide?

Step 4: Configure APP1
Configure the HTTPS security binding
Next, configure the HTTPS security binding so that APP1 can act as the network location server.
To configure the HTTPS security binding
1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree of Internet Information Services (IIS) Manager, open APP1/Sites, and then click Default Web site.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the name nls.corp.contoso.com. Click OK, and then click Close.
6. Close the Internet Information Services (IIS) Manager console.

When I get to step 5 it produces an error:

Add Site Binding error message
! The specified port is being used by a different binding.

This seems to be due to steps taken during the configuration of the "Test Lab Guide: Base Configuration" where another https binding takes place on APP1. Did you generate this error and if so, how do you work around it? I will appreciate any guidance you might provide.

Thanks,
Mark Hensley
February 26th, 2012 4:19pm

Hi, TechDrone,

Yes, I had this error on this step too. Well, I didn't find a better solution for this than to change the port of one of the IIS. It is obvious that the guide has a mistake, and it was mentioned there: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e87bfe28-598e-4baa-9978-f331f85b71ad but nobody pays attention. Hope it helped.
February 26th, 2012 4:30pm

This topic is archived. No further replies will be accepted.
