When does a DirectAccess client check the NLS

I'm trying to understand the events, timing, etc. of WHEN the NLS url is checked to determine if a client should enable/disable DirectAccess.  I've seen very little info on this point, but I'm hoping I've just missed it.

Tom Shinder [MSFT] notes 

http://blogs.technet.com/b/tomshinder/archive/2010/04/02/directaccess-client-location-awareness-nrpt-name-resolution.aspx

... Whenever the DA client detects that there has been a network status change (such as when the network interface is unplugged and then plugged in again, or after waking from sleep), the DA client tries to connect to the NLS server URL over an HTTPS connection.  ...

However, I'm thinking there has to be more to it than a NIC status change.  What other scenarios trigger a NLS check?

July 29th, 2015 12:18pm

Hi,

In fact, it's more the firewall mode evaluation that triggers NRPT deactivation. It's not clearly documented how it works for the Domain firewall mode, but if your computer can reach a domain controller using a protocol such as LDAP, Windows considers the interface a domain one.

July 30th, 2015 7:51am

Thanks, BenoîtS, for the response.  I did find a nice article on Network Location Awareness and the Windows Firewall (http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx) which plays into DirectAccess.

As you stated, the check for whether or not a computer is on the domain essentially boils down to the ability to contact a Domain Controller via LDAP using the DsGetDCName method/procedure/function.

From a DirectAccess perspective, I know that the NLS needs to be highly available.  What I'm hoping to learn is what scenarios would cause an intranet DirectAccess client to enable itself.  Obviously the NLS check is the final determining test, but what/when is the NLS tested?

Knowing this can make a significant impact on the NLS high availability design.

For instance: if I have 2 AD sites, each with a domain controller, and an NLS at location 1.  When the WAN link between the sites drops, the client will not necessarily know it from a network / firewall perspective.  The client in location 2 can talk to the local DC, but not the NLS.  So something has to trigger the NLS check... but what?

Thank you.

July 30th, 2015 12:12pm

Hi

From my own testing, DirectAccess clients connected on the LAN are not impacted when they cannot reach the NLS, as they already have the Domain firewall profile, unless there is a network connectivity change such as switching from wired LAN to Wi-Fi.

When a DirectAccess client located on the LAN cannot reach the Network Location Server, it tries to enable DirectAccess but in most cases will fail. When the NLS comes back up, the client automatically disables DirectAccess.

Lastly, NLS high availability can be managed through an F5 or Kemp solution. With F5, the web site can be hosted on the F5 appliance itself. It will be the case for Kemp very soon.

July 30th, 2015 1:56pm
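The two answers above describe three inputs that together decide whether a client stays "inside": the firewall profile NLA assigns to the interface, whether a domain controller answers DsGetDCName over LDAP, and whether the NLS URL answers over HTTPS. The question's WAN-drop scenario is the case where the first two say "intranet" and the third says "Internet". The following script is an added example (not code from the thread, from Microsoft, or from any DirectAccess tool) that probes those three inputs from a DirectAccess client and lists the recent NLA network-change events so you can correlate a profile flip with the NLS outcome. It assumes Windows 8 / Server 2012 or later (the NetConnection and DirectAccessClientComponents cmdlets), an elevated prompt, and that you pass your own NLS URL; the URL in the comment is a placeholder.

```powershell
<#
  Added example, not from the thread. Probes on a DirectAccess client:
    1. the firewall profile NLA assigned to each interface,
    2. whether a DC is reachable via DsGetDCName (nltest wraps that call),
    3. whether the NLS URL answers over HTTPS with a trusted certificate,
  and pulls recent NLA "network connected/disconnected" events.
  Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later;
  the NLS URL is deployment-specific and must be passed in.
#>
param(
    [Parameter(Mandatory)] [string]$NlsUrl,   # e.g. https://nls.corp.example/ (placeholder)
    [int]$TimeoutSec = 5
)

function Get-ProfileState {
    # NLA's verdict per interface. DomainAuthenticated means DsGetDCName succeeded
    # on that interface; with any other category the NRPT/DirectAccess rules stay active.
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory
}

function Test-DomainControllerReachable {
    # nltest /dsgetdc calls DsGetDcName(), the same locator call NLA relies on.
    # /force bypasses the DC locator cache so a stale answer does not mask a WAN drop.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $out = & nltest.exe "/dsgetdc:$domain" /force 2>&1
    [pscustomobject]@{
        Domain    = $domain
        Reachable = ($LASTEXITCODE -eq 0)
        Detail    = ($out | Where-Object { $_ -match 'DC:|Error' }) -join '; '
    }
}

function Test-NlsReachable {
    param([string]$Url, [int]$TimeoutSec)
    # Plain HTTPS GET. Do NOT disable certificate validation: the DA client will not
    # accept an NLS whose chain it does not trust, so a probe that ignores TLS errors
    # hides exactly the failure you are trying to see.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Status = $r.StatusCode; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $null; Error = $_.Exception.Message }
    }
}

function Get-RecentNlaEvents {
    param([int]$Minutes = 60)
    # Microsoft-Windows-NetworkProfile/Operational: 10000 = network connected,
    # 10001 = network disconnected, 4004 = network state change. These are the
    # "network status change" moments after which the DA client re-probes the NLS.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NetworkProfile/Operational'
        Id        = 10000, 10001, 4004
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$profiles = Get-ProfileState
$dc       = Test-DomainControllerReachable
$nls      = Test-NlsReachable -Url $NlsUrl -TimeoutSec $TimeoutSec
$da       = Get-DAConnectionStatus -ErrorAction SilentlyContinue   # Status: ConnectedLocally / ConnectedRemotely / ...

"== Interface profiles ==";                 $profiles | Format-Table -AutoSize
"== DC reachability (DsGetDCName) ==";      $dc | Format-List
"== NLS probe ==";                          $nls | Format-List
"== DirectAccess client status ==";         $da | Format-List Status, Substatus
"== NLA events, last hour ==";              Get-RecentNlaEvents | Format-Table -AutoSize

# The WAN-drop case from the question: Domain profile + DC reachable + NLS unreachable.
# Nothing forces a re-probe in this state; the client stays "inside" until the next
# network change, after which it will try to enable DirectAccess from the intranet.
if ($dc.Reachable -and -not $nls.Reachable -and
    ($profiles.NetworkCategory -contains 'DomainAuthenticated')) {
    Write-Warning "Split state: DC reachable but NLS is not. The next NLA change will flip this client to DirectAccess."
}
```

Run it on a known-good intranet client first to record the expected baseline (DomainAuthenticated, DC reachable, NLS 200), then unplug and re-plug the NIC or toggle Wi-Fi and re-run: the new 10000/10001 events mark the moment the client re-evaluated, and the NLS result at that moment is what decided the DirectAccess state. The warning branch is the condition to alarm on in the two-site design: it means a single WAN or NLS outage has armed every client in the remote site to switch to DirectAccess on its next reconnect.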

Thanks for the insight, Benoît.
July 30th, 2015 4:31pm
