Direct Access - IPHTTPS interface active when inside corporate network

We currently have a single Server 2012 R2 server and a handful of clients using Direct Access. Laptops running Windows 8.1 work fine but we have a few Windows 7 laptops where we are having network issues. Surprisingly, the problem isn't getting Direct Access to work. It's getting Windows to deactivate the IPHTTPS interface when the computer is back on the corporate network.

Direct Access knows that the computer is inside the corporate network and is disabled:

C:\WINDOWS\system32>netsh dnsclient show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Inside corporate network

Direct Access Settings                : Configured and Disabled

DNSSEC Settings                       : Not Configured

And yet the IPHTTPS interface is still active.

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://engr-da1.domain:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active

This is causing problems when people try to access local websites with IE (Chrome and Firefox are fine). There is a huge delay before IE actually renders the page which I'm guessing is related to IPv6 and/or DNS. Once the IPHTTPS interface is disabled or is actually deactivated, everything is fine.

Thoughts?

April 23rd, 2015 1:59pm

Well, it could be because of many reasons.

"An IPv4 only host that has no IPv6 enabled interfaces other than the IP-HTTPS adapter will not disable the IP-HTTPS adapter because the client must be able to confirm Corporate Connectivity and have an IPv6 address on an adapter that is not the IP-HTTPS adapter before it disables the IP-HTTPS adapter. "

Check out this blog, which might help you in this case.

http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/the-mystery-of-the-ip-https-listener-an-outlook-client-and-an-ipv4-only-network.aspx

Please let me know, how it goes.

April 24th, 2015 8:04am


Hmm.. we use IPv6 on our corporate LAN. In theory, if the physical adapter has an IPv6 address, the IP-HTTPS adapter should be disabled, right?
April 24th, 2015 1:50pm

Hi,

I've seen such a case where DirectAccess clients located on the LAN can reach the NLS but can also reach the IPHTTPS interface of the DirectAccess Gateway. From a technical point of view, DirectAccess is disabled, but it's the IPHTTPS interface that is registered in corporate DNS. That's because clients had DirectAccess to the Internet (just NAT). I solved this issue by configuring an outbound Firewall Policy that blocks the IPHTTPS protocol for the Domain profile.

Is that solution applicable to your problem?

April 25th, 2015 6:07am

Yes BenoitS, that makes total sense. Do you have a document or guide on how to do that?
April 27th, 2015 11:06am

Hi,

You just need to configure an outbound firewall rule that blocks the IPHTTPS protocol when targeting your external IPHTTPS IP, only for the domain firewall profile.

April 27th, 2015 11:32am
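An added PowerShell example (not from this thread or from Microsoft) that first checks the condition quoted in the earlier reply (is there a usable IPv6 address on any adapter other than the IP-HTTPS tunnel?) and then applies BenoitS's workaround as a local rule. The public IP of the IP-HTTPS listener, the rule name and an elevated prompt on the client are assumptions.

```powershell
# Added example: check the IPv6 condition quoted above, then apply the workaround
# suggested in the thread (outbound block of IP-HTTPS, Domain profile only).
# Run from an elevated PowerShell prompt on a DirectAccess client.

# Placeholder: the public address your IP-HTTPS URL (https://engr-da1.domain:443/IPHTTPS)
# resolves to from the Internet. 203.0.113.10 is a documentation address, not a real one.
$IpHttpsServerIp = '203.0.113.10'
$RuleName        = 'DirectAccess - block IP-HTTPS on corporate LAN'   # assumed name

# 1. Does any adapter other than the IP-HTTPS tunnel hold a usable (non link-local)
#    IPv6 address? If not, the client cannot disable the IP-HTTPS adapter by design.
$ipv6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.InterfaceAlias -notmatch 'iphttps'  -and
        $_.InterfaceAlias -notmatch 'Loopback' -and
        $_.IPAddress      -notmatch '^fe80:'   -and
        $_.AddressState   -eq 'Preferred'
    }
if ($ipv6) {
    'IPv6 addresses outside the IP-HTTPS adapter:'
    $ipv6 | Format-Table InterfaceAlias, IPAddress, PrefixOrigin -AutoSize
} else {
    'No usable IPv6 address outside the IP-HTTPS adapter: it will stay active.'
}

# 2. Current tunnel state (same output as quoted in the question).
netsh interface httpstunnel show interfaces

# 3. Block outbound TCP/443 to the IP-HTTPS listener for the Domain profile only, so the
#    rule never applies when the laptop is outside and actually needs DirectAccess.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Profile Domain -Protocol TCP -RemoteAddress $IpHttpsServerIp -RemotePort 443 `
        -Description 'Workaround: keep LAN clients from reaching the IP-HTTPS listener' |
        Out-Null
}

# 4. Verify the scope: the rule must list only the Domain profile and the one address.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

For a fleet, deploy the same rule through the Windows Firewall with Advanced Security node of a Group Policy object rather than per machine; the local rule above is for testing on one client.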

Yeah, it was easier than I thought. Thanks again for the suggestion. I think this may do the trick.
April 27th, 2015 12:09pm

Hi,

If this trick works, it's not the solution. It means that computers located on the LAN have access to the Internet without any form of authentication. There should be some Proxy appliances that manage Internet Access, and only authenticated users should have access to the Internet.

At last, my trick works, but the IPHTTPS interface is not disconnected, it's just looping in its initialization phase. In IPCONFIG, you will see an IPHTTPS interface, but not operational.

April 27th, 2015 1:30pm
