No Internet Connection on Client Computer after enabling Force Tunneling on DA

Hello,

I have enabled the Force Tunneling feature on the DA server and also followed the following link:

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed the above link to apply the GPO on the client machine. The only thing I have not done is the NRPT, as I am unable to add any IPv6 address to it; when adding one, it says that it already exists. Ignoring this policy, I have done the configuration. But after connecting through offline domain join, a client computer is unable to access the Internet; its Internet access also gets blocked. Help me to get out of this issue.

Thanks

Roshan

August 1st, 2015 10:03am

Hi,

By default, with split tunneling, your name resolution is managed by the DNS servers located on your domain controllers for your internal DNS domains. When you enable force tunneling, it creates a new entry in the NRPT for a wildcard domain with the same DNS servers. Problem: Microsoft never dissociates the AD-related DNS servers from the name resolution to be used by proxy services. In your situation, your internal DNS infrastructure (based on AD domain controllers) might be unable to resolve public DNS names.

You might be able to solve your problem with this line of PowerShell: Set-DAClientDNSConfiguration -DNSSuffix . -ProxyServer <Name of the proxy server:port>

Have a look at this: https://technet.microsoft.com/en-us/library/jj134204.aspx?f=255&MSPPError=-2147217396#BKMK_forcetunnel

"If an organization is using a web proxy for DirectAccess clients to access Internet resources, and the corporate proxy is not capable of handling internal network resources, DirectAccess clients will not be able to access internal resources if they are outside the intranet. In such a scenario, to enable DirectAccess clients to access internal resources, manually create NRPT entries for the internal network suffixes by using the DNS page of the infrastructure wizard. Do not apply proxy settings on these NRPT suffixes. The suffixes should be populated with default DNS server entries."

August 3rd, 2015 8:45am
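The NRPT layout the answer above describes (a wildcard "." rule sent to the web proxy, the internal suffix rule kept on the internal DNS servers with no proxy), as an added PowerShell example that is not from the thread. The suffix corp.example.com, the DNS address and the proxy name and port are placeholders; the DirectAccessClientComponents cmdlet in the client section and its ForceTunneling property are assumed to be present on a 2012 R2-era client.

```powershell
# --- DirectAccess server (RemoteAccess module, Windows Server 2012 R2) ---
Import-Module RemoteAccess

$InternalSuffix = '.corp.example.com'            # placeholder: your AD DNS suffix
$InternalDns    = '2002:836b:1:1::1'              # placeholder: IPv6 address of the DA internal DNS
$Proxy          = 'proxy.corp.example.com:8080'  # placeholder: FQDN:port of the web proxy (FQDN, not IPv4)

# 1. Show the NRPT entries as force tunneling left them. Expect the internal suffix,
#    an NLS exemption entry, and a wildcard "." entry that still points at the AD DNS servers.
Get-DAClientDnsConfiguration |
    Format-Table DnsSuffix, DnsIpAddress, ProxyServer -AutoSize

# 2. Send the wildcard "." namespace to the web proxy instead of the internal DNS servers,
#    so public names are no longer resolved by the domain controllers.
Set-DAClientDnsConfiguration -DnsSuffix '.' -ProxyServer $Proxy

# 3. Make sure the internal suffix rule exists, uses the internal DNS servers and has
#    no proxy attached (the quoted TechNet guidance).
$internal = Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq $InternalSuffix }
if (-not $internal) {
    Add-DAClientDnsConfiguration -DnsSuffix $InternalSuffix -DnsIPAddress $InternalDns
} elseif ($internal.ProxyServer) {
    Write-Warning "Rule for $InternalSuffix carries proxy '$($internal.ProxyServer)'; remove it in the Remote Access console (DNS page of the infrastructure wizard)."
}

# --- DirectAccess client (run after gpupdate /force, while connected via DA) ---
# 4. Confirm the effective NRPT: "." should show the proxy, the internal suffix should show
#    the DA DNS servers and no proxy. A "." rule with DNS servers but no proxy reproduces
#    the "no Internet after force tunneling" symptom from this thread.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessDnsServers, DirectAccessProxyType, DirectAccessProxyName -AutoSize

# 5. Check that force tunneling is actually what the client applied (assumed cmdlet/property).
(Get-DAClientExperienceConfiguration).ForceTunneling
```

Step 2 is the same command the answer suggests; steps 1 and 4 give the before/after view that shows whether the wildcard rule really moved to the proxy.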

Did you have a wildcard entry in the NRPT that points to your internal proxy (using FQDN, not IPv4)?
August 5th, 2015 3:39am

I am not able to get the parameters to set that. The only things I have in my NRPT rules are:

-> FQDN, in which the name given is DirectAccess-NLS.Domain name, and

Enable DNS settings for DA in this rule, and "Use this web proxy" with "Use the default web proxy" checked.

The second rule is set to Any, and

Enable DNS settings for DA, in which an IPv6 address of the DA internal interface is added, and that's it, with the defaults.

I made the following change only: edited the second rule from Any to Suffix and added the domain name.

August 5th, 2015 5:45am

Hello, 

I followed the above link. I am explaining my environment and what I have done:

-> Made a routing server on which I have done NATing to provide Internet to our internal domain.

-> Made a server for the domain controller, on which I configured AD DS, DNS and DHCP, and also configured the root CA.

-> Made a server for the subordinate CA.

-> Made another server for DirectAccess, on which I configured DA with Edge. Also, all the servers are running 2012 R2.

-> Opened the following ports: TCP 41, 50, 443

-> UDP 41, 50, 500, 3544, outbound and inbound both.

-> Client machine after offline domain join.

The client machine is getting connected with DirectAccess. But when I enable the force tunneling feature, the Internet on the client gets blocked. For this I am doing:

-> Enabling the force tunneling feature on the DirectAccess server.

-> Opening gpmc.msc on the domain controller, editing the DirectAccess Client policy, and then:

  1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\Network Connections.

  2. In the details pane, double-click Route all traffic through the internal network.

  3. In the Route all traffic through the internal network dialog box, click Enabled, and then click OK.

Then for the NRPT rule:

  1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

There are two rules by default, one for the DirectAccess server and another for Any, and I do not know what to do in this rule. I also made the changes mentioned below.

  1. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.

  2. In the details pane, double-click 6to4 State.

  3. In the 6to4 State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

  4. In the details pane, double-click Teredo State.

  5. In the Teredo State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

  6. In the details pane, double-click IP-HTTPS State.

  7. In the IP-HTTPS State dialog box, click Enabled State in Select Interface state from the following options, click Apply, and then click OK.

Now what should I do? Please suggest; the answer will be appreciated.

Thanks

Roshan

August 5th, 2015 11:47pm

For the force tunneling feature on the DA server, I have made two adapters, one external and the other internal, and on both adapters set the default gateway for routing the Internet.
August 31st, 2015 6:36am
