Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello,
I'm testing UAG DirectAccess but sometimes, when I try to access my portal, I'm getting an error 403: "Server error 403 -0 Forbidden: Access denied. You do not have permission to view this directory or page using the credentials that you supplied." The thing is that I haven't supplied any credentials. I'm just trying to load the homepage of the portal.
Some other times, it works and I can access the published applications (File Access for now) and download/upload files. It's just not very stable and I don't know what I'm doing wrong.
Based on the error, I know it's a permission issue on the IIS but I can't pinpoint the exact problem and I'm afraid to mess with the IIS. Here are the Authentications that I have in place:
Default Web Site: Anonymous Authentication: ENABLED; Windows Authentication: ENABLED; everything else is DISABLED.
Main Portal: Anonymous Authentication: ENABLED; Windows Authentication: ENABLED; everything else is DISABLED.
Am I doing it the right way or the wrong way? What authentication methods does one need in place to get DA to work smoothly?
Also, once a user connects via DA, what happens to the user's network shares? Are they supposed to be connected or disconnected, since the user is not physically connected to the network anymore?
What about password management? Are DirectAccess users able to change their passwords and be notified as if they were directly connected to the network?
FYI, I have:
- UAG 2010 SP1 installed on Windows Server 2K8 R2, running on an HP ProLiant DL 360 G7 with 24 GB of RAM.
- A Server 2K8 R2 forest with two DC/GCs.
- An internal CA.
- A 3rd party SSL certificate for IP-HTTPS.
- A Network Location Server ...
I'm assuming you are talking about the IPHTTPS tunnel; the 403 Forbidden is the expected result. When you run through the DA configuration and select the URL, the server builds a web interface that isn't exposed through IIS. Is a DA client successful when using IPHTTPS? Teredo? 6to4?
Yes, DA users are on the network and will receive PW notifications and can use CTRL-ALT-DEL to change their passwords.
Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Thanks for taking your time to respond to my message. I really appreciate that.
It's good to know that DA users will be able to receive password notifications and change their passwords. It will be a great feature for my remote users.
That said, how do I know if a DA client is successful using IPHTTPS/Teredo/6to4?
I tried to use a DA Connectivity Assistant on the DA client but it’s not working properly.
Can I check the success in the UAG Management interface? I'm very new in the UAG arena so bear with me please.
On the DA client, I'm seeing the output below in the DA Connectivity Assistant's log file (DCADefaultLog.txt):

C:\Windows\system32\LogSpace\{D71B58C8-BE28-49EE-8F59-15BA571770E2}>netsh int httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://wdc-uag2010.domainname:443/IPHTTPS
Last Error Code            : 0x103
Interface Status           : no usable certificate(s) found
There is a 3rd party SSL certificate for the IPHTTPS Interface so I don't know why the Interface status says "no usable certificate found" above. Something is not working right based on the output above, isn't it?
When I run the same command from the DA Server, everything comes back ok. I get the output below:
C:\Windows\system32>netsh interface httpstunnel show interfaces

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://wdc-UAG2010.domainname:443/IPHTTPS
Client authentication mode : certificates
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
The command below shows that the Teredo server is unreachable over UDP.
C:\Windows\system32\LogSpace\{D71B58C8-BE28-49EE-8F59-15BA571770E2}>netsh int teredo show state

Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : x.x.x.x (one of the 2 consecutive public IPs) (Group Policy)
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : primary teredo server unreachable over UDP
Any hints, suggestions to help me get DirectAccess right will be greatly appreciated.
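As an added example (not part of the thread), here is a small Python checker that parses the two kinds of netsh report quoted above and flags the two failure signs they show: an IP-HTTPS interface whose Last Error Code is not 0x0 or whose status is not active, and a Teredo client in any state other than qualified. The sample output is constructed from the values in the posts, with a documentation IP substituted for the Teredo server name.

```python
import re

# Constructed sample output, modelled on the netsh reports posted in the thread.
IPHTTPS_CLIENT = """\
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://wdc-uag2010.domainname:443/IPHTTPS
Last Error Code            : 0x103
Interface Status           : no usable certificate(s) found
"""
IPHTTPS_SERVER = """\
Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://wdc-UAG2010.domainname:443/IPHTTPS
Client authentication mode : certificates
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
"""
TEREDO_CLIENT = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : 203.0.113.10 (Group Policy)
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : primary teredo server unreachable over UDP
"""

def parse_netsh(text):
    """Turn the 'Key : value' lines of a netsh report into a dict (headers skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_iphttps(fields):
    """Healthy only with error 0x0 and an active interface; returns (ok, reason)."""
    err, status = fields.get("Last Error Code", "?"), fields.get("Interface Status", "?")
    ok = err.lower() == "0x0" and "active" in status.lower()
    return ok, f"{fields.get('Role', '?')}: error {err}, status '{status}'"

def check_teredo(fields):
    """Teredo is usable only in the 'qualified' state; otherwise report the error."""
    state = fields.get("State", "?")
    ok = state.lower() == "qualified"
    return ok, f"state {state}" + ("" if ok else f", error '{fields.get('Error', '?')}'")
```

Run the same two netsh commands on a DA client, paste their output into the parser, and the checker tells you which transition technology is actually usable rather than guessing from the DCA icon.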
Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Dear All: Just a quick update to say that I finally got UAG DirectAccess to work. My DA clients are able to access all their network drives from outside my network as if they were directly connected to the office network. Furthermore, they are able to get GPOs, change their passwords, ... print from home to the office printer, ... It's pretty cool.
I only have one problem now. From outside the corporate network, my DA clients are not able to access a URL that I added to my internal DNS records as a CNAME. The web server is located outside my network, so I'm using a CNAME to point to it. I created an exclusion in the NRPT to allow DA clients to use their local TCP/IP settings to connect to the site, not the internal DNS, but for some reason it's not working as I would like it to. Every time a DA client tries to access the site, the connection times out and the page is never loaded.
Has someone experienced the same problem before in the process of deploying DirectAccess?