DirectAccess enabled - client thinks it is externally connected

When DirectAccess is enabled and the Group Policy is applied to a client computer, the computer cannot ping or connect to any internal resources.

The DirectAccess setup is very simple; not sure what could cause it.

Any

January 16th, 2014 12:31am

Hi,

If your DirectAccess client is connected on the LAN and the NLS is not reachable, the client considers itself to be connected to the Internet. Can you publish the results of the logs collected from the DirectAccess client?

January 16th, 2014 1:32am

I did not know I needed an NLS. Are there good tutorials on how to set it all up? What logs are you talking about?
January 16th, 2014 3:03am

Yup, definitely sounds like your DA client computers that have received the policy are not able to reach the NLS website successfully. A common mistake that many new DA admins make is using the Getting Started Wizard (the quick wizard) to get DA up and running quickly, but then if they encounter any kind of problem they shut down the server. If you do this, you have then applied a policy to the client computers that is forcing them to look for the NLS website all the time (and internal name resolution only works correctly when they can successfully see the NLS website) - but if you have now shut down the DirectAccess server, your NLS server is also down and so you create a problem just like the one you are experiencing.

The NLS website should not be hosted on the DirectAccess server anyway; it should really be placed onto its own web server. If you want to do your DirectAccess install right, you might want to check out some of the info in here as well, it addresses things like NLS specifically: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book

January 16th, 2014 8:56am

Guys,

The links that you gave me tell me how to set up DirectAccess. I know how to do this, I saw those articles before.

The question is how to set up NLS and configure it to work with DirectAccess?

January 16th, 2014 9:31am

The thing that is both good and bad about DirectAccess is that there are so many different ways that it can be set up. Don't take this the wrong way, but it sounds like you have used the Getting Started Wizard to set up DA, the very easy method, and in my opinion this is the very worst way to set up DA.

But, back to topic - an NLS website is just a website that you put inside your network. It must be an HTTPS site, so it does need a valid SSL certificate, though because the only computers that are going to be contacting this website are your domain-joined DA clients, you can utilize an internal CA server to issue that cert and save yourself some cost. Simply stand up a website (the content doesn't matter; I usually just create a Default.htm page that says something like "This is the NLS website for DirectAccess"), and then in your DirectAccess wizards (the real wizards, not the Getting Started Wizard) you will have a page to configure the NLS server address.

When you use the Getting Started Wizard, it assumes that you want to take the shortcut method to getting DA up and running, and so it stands up the NLS website on the DirectAccess server using a self-signed cert. That is likely the boat you are in at the moment. NLS is a critical piece of the DirectAccess puzzle, it should really be on its own web server on a standardized name, like "nls.company.local". In a true best practices effort, the NLS website should even be redundant.

January 16th, 2014 10:00am

Hi

NLS is a simple HTTPS web site used by DirectAccess clients to detect LAN connectivity. When the NLS is detected, DirectAccess is disabled. Technically speaking, if you configured DirectAccess you were asked for an NLS location. If not, you might have performed a next/next/next installation and the NLS is located on your DirectAccess gateway and bound to the LAN interface. If you run the Get-DAServer PowerShell command on this server you will find the URL of the NLS.

If your DirectAccess clients connected on the LAN cannot reach the NLS, they consider themselves to be connected to the Internet.

At last, here is a good starting point for DirectAccess setup: http://technet.microsoft.com/fr-fr/library/jj574174.aspx

And here is mine: http://danstoncloud.com/blogs/simplebydesign/archive/2011/10/08/directaccess-in-windows-8-sneak-preview.aspx

January 16th, 2014 11:29am

Check the link below to build a simple NLS server with a simple site so your DA clients can check whether they are internal or external:

http://www.concurrency.com/blog/uag-directaccess-network-location-server-nls/

I would highly recommend creating a simple small VM, installing IIS and making it your NLS server (nls.yourcompany.com).

For troubleshooting whether you are an internal or external DA client, you may use the following command: "netsh dnsclient show state"

Check this article for general DA troubleshooting:

http://itcalls.blogspot.com/2012/03/windows-7-direct-access-client.html

February 1st, 2014 7:41am
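The checks the replies above describe, gathered into one client-side script: what the client itself believes (the same data as "netsh dnsclient show state"), whether the NLS name is exempt from the NRPT, whether it resolves and answers on 443, and an HTTPS probe with certificate validation left on, which is where a self-signed Getting Started Wizard cert fails. This is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later cmdlets (Get-NCSIPolicyConfiguration, Get-DAConnectionStatus, Get-DnsClientNrptPolicy, Resolve-DnsName, Test-NetConnection), and the nls.company.local URL is only a placeholder.

```powershell
# Added example (not from the thread). Run on a domain-joined DirectAccess client while
# it is plugged into the LAN. Assumes Windows 8 / Server 2012 or later, where the
# NetworkConnectivityStatus and DnsClient modules exist. 'https://nls.company.local/'
# is only a placeholder; pass the real URL (the one Get-DAServer reports on the server).
param([string]$NlsUrl)

if (-not $NlsUrl) {
    # DomainLocationDeterminationUrl is the NLS URL delivered by the DA group policy
    $NlsUrl = (Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue).DomainLocationDeterminationUrl
}
if (-not $NlsUrl) { $NlsUrl = 'https://nls.company.local/' }   # placeholder
$nlsHost = ([uri]$NlsUrl).Host
$result  = [ordered]@{ NlsUrl = $NlsUrl }

# 1. What the client currently believes (same data as 'netsh dnsclient show state')
$loc = netsh dnsclient show state | Select-String 'Machine Location' | Select-Object -First 1
$result.MachineLocation = if ($loc) { $loc.Line.Trim() } else { 'unknown' }
try   { $result.DaStatus = (Get-DAConnectionStatus -ErrorAction Stop).Status }
catch { $result.DaStatus = 'n/a' }

# 2. The NLS name must be exempt from the NRPT: a matching rule with no DirectAccess
#    DNS servers. If the intranet suffix rule swallows it, the lookup goes down the
#    tunnel instead of to the LAN DNS server and NLS detection can never succeed.
$result.NrptRules = (Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -and $nlsHost -like "*$($_.Namespace.TrimStart('.'))" } |
    ForEach-Object { "$($_.Namespace) -> DA DNS: [$($_.DirectAccessDnsServers -join ',')]" }) -join '; '

# 3. Name resolution and TCP 443 reachability from this LAN segment
try   { $result.ResolvesTo = (Resolve-DnsName $nlsHost -ErrorAction Stop |
                              Where-Object IPAddress | Select-Object -First 1).IPAddress }
catch { $result.ResolvesTo = "FAIL: $($_.Exception.Message)" }
$result.Tcp443 = (Test-NetConnection $nlsHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. Full HTTPS probe with certificate validation left ON, as NLA itself does it.
#    A 'could not establish trust relationship' failure means this client does not
#    trust the NLS cert (typical with the Getting Started Wizard's self-signed cert).
try   { $r = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 10
        $result.Https = "OK (HTTP $($r.StatusCode))" }
catch { $result.Https = "FAIL: $($_.Exception.Message)" }

[pscustomobject]$result | Format-List
```

If MachineLocation reports "Outside corporate network" while the HTTPS probe fails, the client is behaving exactly as designed and the fix is on the NLS side (reachability or certificate trust), not on the client.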

Another good reference article is:

http://technet.microsoft.com/en-us/library/ee649252(v=ws.10).aspx

February 1st, 2014 7:44am
