Welcome to ISAserver.org

Strange problems with basic DirectAccess setup

Strange problems with basic DirectAccess setup - 14.Feb.2011 6:04:51 AM   
dlong500

 

Posts: 4
Joined: 2.Jan.2011
Status: offline
I'm the person who asked a while back about setting up a basic DirectAccess infrastructure (non-UAG), and I thought everything was going great as I was stepping through the Test Lab Guide and translating it into a real-world deployment.  But everything seems to have fallen apart...

First off, I've tried just about every troubleshooting guide out there over the past 24 hours and at this point my mind is overloaded, so bear with me if I sound a bit out of it.

I completed the DirectAccess setup without any errors.  My basic setup is this:
1) A physical server with three physical NICs.  The domain controller is installed on the physical server and uses one NIC for internal network access.  The domain controller is also acting as a file server, and of course, as the enterprise CA.
2) Hyper-V is set up on the domain controller, and the two remaining NICs are bound to virtual networks (and not shared with the physical host).  The DirectAccess server is added as a VM and uses one NIC for external and the other for internal access.
3) The IP-HTTPS certificate is a commercial one and the CRL for this certificate is therefore accessible anywhere (this has been tested).
4) The NLS is on the DirectAccess server, but is using a separate virtual NIC bound to a different IP address to avoid any conflicts.

Now for the problems...
I cannot access (even ping) an internal resource from a remote client despite indications that the tunnels are being created.  I can ping the ISATAP address of the DirectAccess server, but not the ISATAP address of the DNS server (domain controller).  And, of course, I can't access any file shares either.

From the domain controller, I can ping the ISATAP address of the DirectAccess server, but not any client addresses.

From the DirectAccess server, I can ping both the ISATAP address of the domain controller, and addresses of clients.

The firewall monitors do seem to indicate that both Main and Quick Mode connections are being made.

The problem is occurring on both a test client that is directly connected to the internet as well as one that is behind NAT.  The really odd thing is that I could swear a couple days ago that I made a successful 6to4 connection on the client directly connected to the internet and was able to access and modify a file on a network share, but now even this client refuses to work despite no change that I can think of in my setup.  The only thing I did is add another test client behind NAT.

I've gone through dozens of troubleshooting guides, and everything seems to check out except that I can't access corporate resources or resolve names.  But there are no certificate errors or incorrect settings as far as I can tell.  I even removed the transparent firewall from in front of the DA server to make sure that wasn't causing the problems but absolutely nothing changed.

I know that without seeing my setup it will be hard to know exactly what is going on but at this point I'm almost willing to pay someone a modest sum to help me figure out what the deal is.  I just don't see why it isn't working, and I feel like I'm so close!  Please help!
Post #: 1
RE: Strange problems with basic DirectAccess setup - 14.Feb.2011 4:56:35 PM   
dlong500

 

Posts: 4
Joined: 2.Jan.2011
Status: offline
Apparently the infrastructure tunnel is coming up fine but the intranet tunnel is not.  However, I'm under the impression that I should still be able to access the domain controller through the infrastructure tunnel...

I tried disabling TCP offload on the NICs (I've had odd things happen with it before) and somehow was able to ping the domain controller from the clients but still could not access anything else.  Then I rebooted the domain controller and DA server and even ping fails again!

I'm at my wits' end here.

(in reply to dlong500)
Post #: 2
RE: Strange problems with basic DirectAccess setup - 15.Feb.2011 1:52:49 AM   
dlong500

 

Posts: 4
Joined: 2.Jan.2011
Status: offline
Ok, I believe I've solved the problem.

Short story: Don't ever add another adapter to the DA server for NLS.

Long story: I thought I was being safe by dedicating an adapter and IP on the DA server for NLS, but the reality is that it broke just about everything without really giving many clues as to why things weren't working.  I think it has something to do with the additional adapter screwing up ISATAP functionality, but anyway as soon as I disabled that third adapter everything magically started working...

Now the only thing I need to figure out is why Teredo doesn't seem to be working.  6to4 is fine for clients not behind NAT, but all other clients seem to always fall back to IP-HTTPS.

I think I need a beer now...

(in reply to dlong500)
Post #: 3
RE: Strange problems with basic DirectAccess setup - 16.Feb.2011 6:18:58 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Great!
Good to hear you got it working and thanks for the follow up!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to dlong500)
Post #: 4
RE: Strange problems with basic DirectAccess setup - 17.Feb.2011 10:30:31 PM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
Congratulations, Tom, on your milestone 50,000th post on ISAserver.org!

Thank you for all your excellent advice, ISA recipes, and your persistent support of the Community!

http://www.youtube.com/watch?v=eMWa1a_L74k

-KarlF

< Message edited by karlf -- 17.Feb.2011 10:33:36 PM >

(in reply to tshinder)
Post #: 5
RE: Strange problems with basic DirectAccess setup - 21.Feb.2011 9:32:28 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Karl,
Thanks! :)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to karlf)
Post #: 6
