Direct Access Migration of Root CA

We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed, and the CA on this Domain Controller is named "DC01".
The CDP location on the CA "DC01" is <servername>, so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no HTTP etc.).
The CA "DC01" issues the version 1 "Computer" certificates with AutoEnrollment to all clients, and all our internal clients and external clients have a "Computer" certificate from CA "DC01".
Now we have a UAG SP3 server with Direct Access, and all our clients connect successfully with Direct Access as it's set up now.
In the UAG configuration (wizard), on the IPsec Certificate Authentication screen, under the option "Use a certificate from a trusted root CA", the "DC01" Root CA certificate is selected.
As per Microsoft best practices we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01".
As we use the version 1 "Computer" certificate template we cannot select "reenroll all certificate holders",
so the idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version 1 Computer template; this effectively replaces all current Computer certificates based on the old v1 Computer template on clients.
Then all clients get a new "Computer" certificate from the new Root CA, but in the UAG Direct Access configuration, under "IPsec Certificate Authentication" > "Use a certificate from a trusted root CA", the old "DC01" Root CA certificate is still selected.
Question 1: will this lock out clients that have a new Computer certificate from the new Root CA while the UAG Direct Access configuration still uses the Root CA certificate from the old DC01 CA?
Another idea is NOT to supersede the version 1 Computer certificate but to AutoEnroll the new v2 duplicated Computer template.
This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS01".
Question 2: can a client have 2 Computer certificates (1 from the old DC01 CA and 1 from the new CS01 CA) and connect with Direct Access, and will this still work?

Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer" certificates again from the new CA (the old certs still existed on all the client computers), and then switched the UAG settings over to the new root CA. This worked.
I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road, but the above scenario worked fine for us. I have also worked with numerous companies that have multiple machine-type certificates on their client computers, and as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.
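The answer above comes down to one check per client: does the machine store hold at least one certificate with the Client Authentication EKU that chains to the root CA currently selected in UAG? The script below is an added example (not from this thread or from Microsoft) that runs that check on a DirectAccess client for both the old and the new root; the two thumbprint parameters are placeholders that you replace with the real root thumbprints from Cert:\LocalMachine\Root, and the function name Test-DaClientCertificate is my own.

```powershell
# Added example: report which machine certificates on this client chain to the old root
# (DC01) and to the new root (CS01) and carry the Client Authentication EKU, so you can see
# before switching the UAG "trusted root CA" setting whether this client would be locked out.
# Thumbprints are placeholders; copy the real ones from Cert:\LocalMachine\Root.
param(
    [string]$OldRootThumbprint = 'PLACEHOLDER_DC01_ROOT_THUMBPRINT',
    [string]$NewRootThumbprint = 'PLACEHOLDER_CS01_ROOT_THUMBPRINT'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, present on the v1 "Computer" template

function Get-ChainRootThumbprint {
    # Builds the chain for one certificate and returns the root thumbprint, or $null if the
    # chain cannot be built. Online revocation checking is kept on deliberately: the CDP on
    # DC01 is LDAP-only, so a client that cannot reach it fails here just as IPsec would.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Verbose "Chain for $($Cert.Subject) failed: $reasons"
        return $null
    }
    # The last element of a successfully built chain is the root
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Test-ClientAuthEku {
    # True if the certificate lists the Client Authentication OID in its EKU extension
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
    }
    return $false
}

function Test-DaClientCertificate {
    # One row per certificate in the machine Personal store (hypothetical helper name)
    param([string]$OldRoot, [string]$NewRoot)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $root = Get-ChainRootThumbprint -Cert $cert
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            ClientAuth  = Test-ClientAuthEku -Cert $cert
            ChainBuilt  = ($null -ne $root)
            ChainsToOld = ($root -eq $OldRoot)
            ChainsToNew = ($root -eq $NewRoot)
        }
    }
}

$report = Test-DaClientCertificate -OldRoot $OldRootThumbprint -NewRoot $NewRootThumbprint
$report | Format-Table -AutoSize

# A client only builds DA tunnels if at least one usable cert chains to the root UAG trusts,
# so these two checks tell you which way the UAG setting can safely point for this client.
if (-not ($report | Where-Object { $_.ClientAuth -and $_.ChainsToOld })) {
    Write-Warning 'No usable certificate chains to the OLD root: this client cannot authenticate while UAG still trusts DC01.'
}
if (-not ($report | Where-Object { $_.ClientAuth -and $_.ChainsToNew })) {
    Write-Warning 'No usable certificate chains to the NEW root: do not switch UAG to CS01 until this client has re-enrolled.'
}
```

Run it with -Verbose to see the chain status reason (for example revocation or untrusted root) for any certificate whose chain could not be built.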

Similar Messages

  • Server 2012 Direct Access Single NIC cant get it to work

    Hi,
    I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
    First of all I should describe my setup:
    I have an internet connection with a static IPv4 address on the external network adapter of the router
    The internal network address (the address of the router which has the internet connection) is 192.168.1.1
    Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
    certificate services
    Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
    domain controller and backup DNS.
    Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
    These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
    I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
    area.
    I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
    the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
    doesn’t seem to have correctly got the DA settings. I run the following in powershell
    Get-DnsClientNrptPolicy
    Nothing displays – at all
    Get-NCSIPolicyConfiguration
    Description                    : NCSI Configuration
    CorporateDNSProbeHostAddress   : fdd8:dd4a:ea42:7777::7f00:1
    CorporateDNSProbeHostName      : directaccess-corpConnectivityHost.mydomain.local
    CorporateSitePrefixList        : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128, fdd8:dd4a:ea42:1000::2/128}
    CorporateWebsiteProbeURL       : http://directaccess-WebProbeHost.mydomain.local
    DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
    Get-DAConnectionStatus
    Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
    At line:1 char:1
    + Get-DAConnectionStatus
    + ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnectionStatus], CimException
    + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
    I go into services.msc and find that the Network Connectivity Assistant is not started, and it won't start either; something must trigger it, but I have no idea how to get it triggered to start… this might be my only source of problem perhaps, but on a more network-level question:
    If I have such ports as 80 and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
    I could create another record on the router which also opens port 443 to server 3 as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
    Either way, the first issue is that the client doesn't seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the networks icon in the system tray should show that there is a corporate connection, but it doesn't. Also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
    Many thanks
    Steve

    Ahh, I see, so just to enlighten me even further...
    If a company has two web servers that would mean they would need two different public-facing IP addresses so they can route to each internal web server. If, like the big companies have, they may have many web servers (possibly more than 100), I'm assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront, is this what they do?
    I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as its parameter for forwarding?)
    Secondly, what I have done is installed Windows Server 2012 and used that as a Direct Access client (I read on another forum that the Windows 8 RP doesn't have the enterprise bits to make this work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN),
    but when I run the following command on my DA client I get the following status:
    Get-DAConnectionStatus
    Status:    connectedlocally
    Substatus: none
    This appears to work fine when I'm connected to the local network. But then I disconnect and run the command again and I get the following:
    Status:    Error
    Substatus: NameResolutionFailure
    On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don't understand why it's giving the name resolution failure status. I have a host A record called "da" with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it's propagated through the net).
    So, a bit further but stuck again.

  • Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

    Reposted moved from Windows Server Forums- Security
    Hi
    I'm in the process of creating a new Active Directory forest with a single domain using AD.Contoso.com, to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split horizon (split brain) DNS. The requirements for our new domain are:
    2012 R2 AD
    Direct Access & VPN
    Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
    Lync 2013 ?
    SharePoint 2013 ?
    Microsoft Active Directory Certificate Services
    System Center Configuration Manager 2012 R2
    Two way trusts between old forest and new to enable Transition/Migration
    Ok so that's what I'm aiming for so now the question.
    They are allowing me to purchase a next generation firewall, maybe a Barracuda NG firewall or a Cisco ASA X series, so I need some advice on what type of network topology I should configure. I've read that using the two-NIC configuration for the 2012 R2 Direct Access server is preferable, one NIC on the internal network and one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter, bypassing the backend firewall (see image).
    The other alternative is to dispense with the perimeter network, use the Direct Access server with a single NIC and set up the NG firewall in a three-legged config with the DA server on the DMZ.
    So all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.
    Thanks
    Simon

    OK, I'm not sure we are going to get any advice on this subject, but one last effort. Our budget can only stretch to one next generation firewall, so I'm considering the following three-legged firewall design with a two-NIC 2012 R2 Direct Access server. If someone could validate this configuration or suggest an alternative then I would be grateful.

  • Auto deploying branch office printers with Direct Access

    Hello there
    I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch, with the goal to make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto-configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers with DHCP, but no servers.
    If we have a stand-alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using Group Policy? If we install it on a server at Head Office, would the print job travel there first and then back to the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
    Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be the same problem as above? This is not ideal either as it would depend on the workstation being always on and available.
    Any input Direct Access gurus?
    Thanks in advance
    MIS5000

    Hi,
    Thanks for your post.
    We could have 2 possible solutions for natively deploying printers using Group Policy without the need for any scripting:
    1) Group Policy Preferences – available in Windows Server 2008 and later
    2) Print Management – available in Windows Server 2003 R2 and later
    http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
    Did you try to use Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
    https://technet.microsoft.com/en-us/library/cc731857.aspx
    Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Configuration of Direct Access 2012

    Good morning.
    I have tried to set up Direct Access, which from what I see is pretty much a 30-40 minute job, but it has turned out to be something of a pain. Having followed the video on YouTube for Windows Server 2012 with basic PKI configuration and Windows 7 clients, I have set up a working DA server with no issues and all green ticks.
    Here's a run down.
    I have a DC (2012) with the CA already installed.
    I have a virtual DA (2012) set up with the advanced settings.
    I have a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
    The set up went as planned and I followed the instructions to set up the PKI, and all computers have picked up a computer certificate from the CA so that the internal root is validated.
    The certificates that I chose for the DA server were as follows:
    DirectAccess-NLS.mydomain.local
    remote.my-external-domain-name.co.uk
    both published from my internal CA so that the root of the certificates was valid.
    I have a third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connections such as VPN and web access.
    DA Config:
    Step 1: Remote Clients
    I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant the resource was filled in with the http://diectaccess-WebProbeHost URL.
    Step 2: Remote Access Server
    The Network Topology was set to Behind an edge device (with single network adapter), and then it says to type in the 'PUBLIC NAME' used by clients to connect to the Remote Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
    Network Adapters had the one ethernet and an IPv6 address. The Select Certificate used to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
    Authentication is set to AD and I used the root certificate of the CA for use computer certificates. I also enabled Windows 7 client computers to connect via DirectAccess.
    Step 3: Infrastructure Servers
    Network Location Server had the NLS is deployed on this server with the DirectAccess-NLS cert.
    DNS had the internal domain and the DirectAccess-NLS. The internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in, and pointed that to the internal DA IPv4 address also.
    DNS Suffix List was set automatically and I also added my external domain name just in case.
    Management was straightforward and I pointed to our System Centre 2012 R2 server.
    Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a gpupdate on the client I was testing and the GPO policies came through.
    Now the issue I have is that on the internal network I get the Last Error 0x80190190 unable to connect to server. Now I am sure that this should say active as it is inside the network. I get the same error outside. When I check the DA server with
    netsh int https sh int  it returns the value that client authentication = NONE. I set it up to use computer certificates and even if I uncheck that it does not change.
    Is there a straightforward thing I missed or is it to do with publishing in TMG? Internally the Direct Access client will not connect as it will find the NLS in the internal DNS, as I have the host record for both the server FQDN and the DirectAccess-NLS pointing to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS to point to the internal IPv4.
    I have opened the ports for 443, 62000 on the DA for the IIS inbound and outbound.
    I have a Windows 8 client but need to test it, as Windows 8 is supposed to work just like that.
    What am I doing wrong here? Any ideas would be much appreciated.

    Thank you for this Jordan.
    I have now got it working. The next step is to make sure my applications are all using Names rather than IP addresses.
    I have basically set up the system as per my original thread that follows, NOT in BOLD.
    I have tried to set up Direct Access, which from what I see is pretty much a 30-40 minute job, but it has turned out to be something of a pain. Having followed the video on YouTube for Windows Server 2012 with basic PKI configuration and Windows 7 clients, I have set up a working DA server with no issues and all green ticks.
    Here's a run down.
    I have a DC (2012) with the CA already installed.
    I have a virtual DA (2012) set up with the advanced settings.
    I have a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
    The set up went as planned and I followed the instructions to set up the PKI, and all computers have picked up a computer certificate from the CA so that the internal root is validated.
    The certificates that I chose for the DA server were as follows:
    DirectAccess-NLS.mydomain.local
    remote.my-external-domain-name.co.uk
    both published from my internal CA so that the root of the certificates was valid.
    I have a third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connections such as VPN and web access.
    DA Config:
    Step 1: Remote Clients
    I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant the resource was filled in with the http://diectaccess-WebProbeHost URL.
    Step 2: Remote Access Server
    The Network Topology was set to Behind an edge device (with single network adapter), and then it says to type in the 'PUBLIC NAME' used by clients to connect to the Remote Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
    Network Adapters had the one ethernet and an IPv6 address. The Select Certificate used to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
    Authentication is set to AD and I used the root certificate of the CA for use computer certificates. I also enabled Windows 7 client computers to connect via DirectAccess.
    Step 3: Infrastructure Servers
    Network Location Server had the NLS is deployed on this server with the DirectAccess-NLS cert.
    DNS had the internal domain and the DirectAccess-NLS. The internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in, and pointed that to the internal DA IPv4 address also.
    DNS Suffix List was set automatically and I also added my external domain name just in case.
    Management was straightforward and I pointed to our System Centre 2012 R2 server.
    Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a gpupdate on the client I was testing and the GPO policies came through.
    I have set up TMG as per the isaserver.org forum:
    http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html
    @ Jordan - I ensured that I had a separate external IP address for the requests from the clients to TMG as I publish websites internally.
    I used a third party wildcard cert for the IP-HTTPS connect part in DA Config Step 2.
    All the rest of the DA set up was pretty much out of the box as stated above.

  • Direct Access and WIndows Phone 8.1?

    Hi all –
    I am reaching out to the community here because I haven’t been able to find anything concrete. 
    The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user's Windows Phone whilst roaming.
    The root of the issue is that the client does not have split DNS in place.
    Therefore when they send a link from the SharePoint site its URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network;
    Acme.com is, however.
    We have Direct Access (2012 R2) in place and use Windows Phone 8.1. 
    What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
    Barring that does anyone have any bright ideas on how to conquer the problem?
    Kind regards and thanks in advance!
    Wren

    Hi Wren,
    Agree with Rmknight. Windows Phone doesn't support DirectAccess at present.
    For detailed information, please refer to the link below:
    https://businessmobilitycenter.microsoft.com/en/webinars/Pages/Webinar-Managing-Enterprise-Content-and-Information-on-Lumia-Windows-Phone-8-1.aspx
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Direct Access and WIndows Phone 8.1 for MySIte Resolution?

    Hi all –
    I am reaching out to the community here because I haven’t been able to find anything concrete. 
    The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user's Windows Phone whilst roaming.
    The root of the issue is that the client does not have split DNS in place.
    Therefore when they send a link from the SharePoint site its URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network;
    Acme.com is, however.
    We have Direct Access (2012 R2) in place and use Windows Phone 8.1. 
    What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
    Barring that does anyone have any bright ideas on how to conquer the problem?
    Kind regards and thanks in advance!
    Wren

    Hi Wren,
    For your issue, you can try to configure alternate access mappings with an IP address for your MySite web application, and then you can access your site by IP address.
    As I am not familiar with Windows Phone, you can connect with Windows Phone support or post threads in the Windows Phone forums to ask for more information:
    http://answers.microsoft.com/en-us/winphone/forum/wp8?tab=Threads
    Best Regards,
    Eric
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • Weblogic url direct access restriction

    Hi,
    I have an OHS configured as a proxy for WebLogic Server. Here my main objective is that all the requests should pass via the web server only.
    I have a requirement that whenever the WebLogic app URL, suppose http://weblogic:7001/app1, is accessed directly, it should redirect to http://webserver:port:7777/app1 and again the request should be forwarded to http://weblogic:port:7001/app1.
    In brief: blocking direct access to WebLogic and making the user access app1 via the web server. How can I achieve this?
    Regards
    DPK

    Hi,
    But I need to achieve that using WebLogic only. The client wants to access WebLogic directly, and one more thing is that only one particular application with root context /app1 must be accessed via the web server and all the rest of the applications directly through the application server. That is the reason why we are not blocking the port for direct access at the network end.

  • Direct Access Wizard Failure

    Hi all,
    Having an issue with setting up Direct Access. I have followed the guide located here.
    I am following this guide to the letter, apart from setting up two blank GPOs for client and server settings.
    I decided to copy the script and run it via PowerShell (admin) and the following error is returned:
    VERBOSE: Retrieving server GPO details...
    VERBOSE: Retrieving DirectAccess server information...
    VERBOSE: Clearing existing stale configuration settings. This might take a few minutes...
    VERBOSE: Checking for deployment state...
    VERBOSE: Checking the specified adapters...
    VERBOSE: Deploying the Remote Access server behind NAT...
    VERBOSE: Searching for a network location server certificate...
    VERBOSE: Checking the specified adapters...
    VERBOSE: Checking for a native IPv6 deployment...
    VERBOSE: Verifying the IP-HTTPS certificate...
    VERBOSE:  Deploying DirectAccess with a single network adapter (Ethernet) behind a NAT device...
     ISATAP is used in the internal network.
    VERBOSE: Retrieving internal network DNS settings...
    VERBOSE: Verifying the GPO to write settings...
    VERBOSE: Checking GPO edit permissions...
    VERBOSE: Creating GPO link if not present...
    VERBOSE: Checking for a client GPO to write settings...
    VERBOSE: Checking for edit permissions for the DirectAccess client GPO...
    VERBOSE: Creating GPO link if not present...
    VERBOSE: Checking for permissions to apply DirectAccess client policies to the GPO...
    VERBOSE: Identifying all domains...
    VERBOSE: Identifying infrastructure servers in domain HOME.local...
    VERBOSE: Registering the DNS entry used to check client connectivity...
    WARNING: A DNS entry for DNS probe directaccess-corpConnectivityHost.HOME.local (IP addresses 127.0.0.1;
    fd10:f4c1:d28d:7777::7f00:1) cannot be added. Add the entry manually.
    VERBOSE: Registering the web probe in DNS...
    VERBOSE: Clearing existing stale configuration settings...
    VERBOSE: Creating DirectAccess client policies...
    VERBOSE: Updating client policies...
    Install-RemoteAccess : The security group setting cannot be applied to DirectAccess server GPO HOME.local\Direct Access Server.
    At line:1 char:1
    + Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'HOME.local ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (HOME.local\Direct Access Server:root/Microsoft/...PS_RemoteAccess) [Install-RemoteAccess], CimException
        + FullyQualifiedErrorId : HRESULT 80070057,Install-RemoteAccess
    Remote access is installed.
    Any ideas to what could be causing this?

    Which group are you talking about?
    I have a group for all Direct Access machines; you have to specify this group during the wizard.
    The permission issue seems to be related to the script trying to modify Group Policy.
    I have tried with the default policies the wizard creates and also specifying 2 blank policies.

  • OWA - Url to directly access Shared Calender ?

    Hi Guys,
    we are nearly finished with our migration from EX2007 to 2013.
    As it seems that the big problems are solved, the small ones arise ;)
    Maybe someone can help me out:
    With OWA 2007 it was possible to directly access a shared calendar with the URL:
    https://webmail.contoso.com/owa/[email protected]/?cmd=contents&module=calendar
    In 2013 this URL doesn't work anymore. Is there a new URL or is this not possible within 2013?
    We are using TMG to publish the OWA site.
    Thanks in advance
    regards
    Stefan

    Hi Stefan,
    I have tested accessing the shared calendar by using the OWA URL in my Exchange 2013 CU1 environment. When UserA shares the calendar with UserB with Reviewer permission, UserB cannot open this calendar directly by using the OWA URL. But when I assign UserC Full Access permission to UserA's mailbox, UserC can access UserA's calendar successfully by using the OWA URL.
    Therefore, if you want to open another user's calendar with folder permission instead of mailbox permission in OWA 2013, you can try the following steps:
    1. Log in to UserB's mailbox in OWA 2013.
    2. Click Calendar in the upper-right corner to switch to the Calendar pane.
    3. Right-click MY CALENDARS > Open Calendar.
    4. Type the shared calendar in the box under From Directory.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Unable to modify Direct Access config

    I've been playing around with setting up Direct Access with Server 2012. I made a change to allow Windows 7 clients and selected an intermediate certificate authority. I think I picked an incorrect intermediate CA... but now I cannot change the configuration. When I launch the Remote Access Management Console, I get the message "Settings for the server myserver.mydomain.local cannot be retrieved. The cmdlet did not run as expected." I cannot modify any settings to fix the problem and cannot remove the role since the configuration exists. Seems like it is just stuck. Suggestions?
    Rob

    From the list returned by the first command just use the thumbprint of the one you want. For example, if you wanted the MS Root (which you won't in practice) the first couple of commands would be as follows:
    PS P:\> Get-ChildItem Cert:\localMachine\Root
    Directory: Microsoft.PowerShell.Security\Certificate::localMachine\Root
    Thumbprint                                Subject
    CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
    BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanvill...
    PS P:\> $certificate = (Get-ChildItem Cert:\LocalMachine\Root\CDD4EEAE6000AC7F40C3802C171E30148030C072)
    PS P:\>
    Douks

  • Direct Access: No Security Associations under Main mode and Quick Mode: No SA

    Could someone please help me with the issue here :'(
    Windows Firewall with Advanced Security --> Monitoring --> Main Mode (empty)
      --> Quick Mode (empty)
    It's been days that I have been trying to troubleshoot this issue. All the setup seems good. I am not able to figure out this certificate issue.

    Hi Sijin,
    What is the status of this issue? If you still have the issue, please confirm the following.
    1) What is the network topology?
    2) What is the client OS?
    3) If you have it configured for both Windows 7 and 8, do you have a Client Authentication certificate in the Personal store and the root certificate from the internal CA present on the client machine?
    4) What is the status of the IP-HTTPS interface?
    5) Are you able to ping the Direct Access (DNS server) IP address (2002:836b:33:3333::1) from the client?
    6) What is the status of the services below on the client machine?
    IKE and AuthIP IPsec Keying Modules
    IPsec Policy Agent
    7) Which Windows Firewall profile is enabled on the DA server and client?
    Regards
    Kapil
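    The checklist above, as an added example that is not Kapil's script or anything from the thread: it runs each item on a Windows 8 / 8.1 DirectAccess client and prints the results in one object, ending with the Main Mode / Quick Mode SA counts that were empty in the question. The cmdlets are from the NetSecurity, NetworkTransition, NetConnection and DirectAccessClientComponents modules that ship with Windows 8 and Server 2012; the ping target is the address quoted in the reply and is an assumption to be replaced with your own DA server's DNS64 address.

```powershell
# Added example, not from the thread: run the checklist above on a Windows 8 / 8.1 DA client.
# Cmdlets: NetSecurity (Get-NetIPsec*SA, Get-NetFirewallProfile), NetworkTransition
# (Get-NetIPHttpsState), NetConnection (Get-NetConnectionProfile) and
# DirectAccessClientComponents (Get-DAConnectionStatus), all shipped with Windows 8 / 2012.
# The ping target is the address quoted in the reply; replace it with your own.
$DaDnsAddress = '2002:836b:33:3333::1'

function Get-DaClientReport {
    param([string]$PingTarget = $DaDnsAddress)
    $r = [ordered]@{}

    # 2) and 7): client OS and which firewall profiles are on / which category is active.
    $r.ClientOS              = (Get-CimInstance Win32_OperatingSystem).Caption
    $r.FirewallProfilesOn    = (Get-NetFirewallProfile | Where-Object Enabled | ForEach-Object Name) -join ','
    $r.ActiveNetworkCategory = (Get-NetConnectionProfile | ForEach-Object NetworkCategory) -join ','

    # 3) a machine certificate with the Client Authentication EKU and a private key in
    #    Personal, and a chain from it up to a trusted root on this machine.
    $clientAuth = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') })
    $r.ClientAuthCertCount = $clientAuth.Count
    foreach ($c in $clientAuth) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate test
        $ok   = $chain.Build($c)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $r["Chain $($c.Thumbprint)"] = "valid=$ok root=$root"
    }

    # 4) IP-HTTPS interface state, the same data netsh interface httpstunnel show interfaces prints.
    $r.IPHttpsState = (Get-NetIPHttpsState | Out-String).Trim()

    # 5) reachability of the DA server's DNS64 address through the tunnel.
    $r.PingDaDns = Test-Connection -ComputerName $PingTarget -Count 2 -Quiet

    # 6) the two services IKE/AuthIP and IPsec policy depend on.
    foreach ($svc in 'IKEEXT', 'PolicyAgent') { $r["Service $svc"] = (Get-Service $svc).Status }

    # The symptom itself: zero Main Mode / Quick Mode SAs means IKE never completed; the
    # items above (certificate, IP-HTTPS, reachability, services) are where that usually fails.
    $r.MainModeSAs  = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
    $r.QuickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count
    $r.DAStatus     = (Get-DAConnectionStatus | ForEach-Object { "$($_.Status) / $($_.Substatus)" }) -join ','
    return [pscustomobject]$r
}

Get-DaClientReport | Format-List
```

    Run it in an elevated PowerShell on the client while it is on the Internet. A ClientAuthCertCount of 0, a chain that is not valid, or an IP-HTTPS interface that is not active each explain an empty Main Mode list on their own, so read the report top to bottom before looking at the SA counts.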

  • Win8.1 Direct Access Client Stuck at "Connecting"

    I'm experimenting with Direct Access in a lab setting with one client and three Windows Server 2012 R2 servers. The client is running Windows 8.1 Enterprise.
    The client is always able to connect to the Direct Access server but is unable to ping or connect to the 2 servers that don't have RAS installed. Moreover, this behavior migrates to whichever server is running Remote Access Server: So, if I remove the role
    and install on another server, the client is able to communicate with the new server, but not the old.
    The connection from the client to the server is via IP-HTTPS (only option available to me in this environment). The client is able to reliably determine when it's on the Internet versus the intranet. However, when on the Internet, it stays in a "Connecting"
    state and never connects, but I'm still able to access the DA server.
    Does anyone have any ideas on how to resolve this?

     I managed to resolve the issue. I'm posting here in the hope that this may help another newbie to DA.
    Here's what caused my issue: As I mentioned, this was a lab environment where the limited number of machines were fulfilling multiple roles. In particular, the DA Server was also a backup domain controller running DNS. In my research, I came across a comment
    on http://directaccessguide.com that mentioned that the DA Server runs DNS64 to support clients; that made me suspicious that the regular DNS server was in some way conflicting. And, in fact, before this server was
    made a backup DC, DA was functioning just fine. Removing the backup DC role resolved the issue.
    So the takeaway is this: Don't run the regular DNS service on the DA Server; if you do, you will get DA client connectivity only to the DA Server.

  • Direct Access URLs in Release 2

    What is the format for direct access URLs in release 2? I recall seeing somewhere that it had changed.
    Thanks.

    I found the documentation. It is in the help file /help/sblpath.htm.

  • ConfigMgr Clients connection over direct access.

    My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
    Test Machine: NYWIN8
    SCCM Server: SCCM01
    Domain: demo.local
    I would like to understand how ConfigMgr handles clients connecting through Direct Access. What functionality is available for such clients?
    On my client machine I see the following errors:
    FSPSTATEMESSAGE.LOG
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    POLICYAGENT.LOG
    Policy
    http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
    DATATRANSFERSERVICE.LOG
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
    Software Catalog Update Endpoint
    Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
    WEDMTRACE.LOG
    No CCM Identification blob
    CAS.LOG
    The number of discovered DPs(including Branch DP and Multicast) is 0
    SMSCLIUI.LOG
    Failed to set DNSSuffix value to the registry.
    Are there any issues due to connecting using direct access?

    When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
    The software change returned error code 0x87D00607(-2016410105).
    I can deploy same software fine to other machines connecting on LAN.
    Server Logs:
    Portlctl
    PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    PORTALWEBs http check returned hr=0, bFailed=0
    awbsctl
    AWEBSVCs http check returned hr=0, bFailed=0
    AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    Client Logs:
    CAS
    The number of discovered DPs(including Branch DP and Multicast) is 0
    CCMEVAL
    Client's current MP is http://SCCM01.DEMO.local and is accessible
    ClientLocation
    Current AD forest name is Demo.local, domain name is Demo.local
    Domain joined client is in Intranet
    Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
    Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
    ContentTransferManager
    No data since 11/13/2013
    CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
    DataTransfer
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
    Filebits
    BranchCache Is Not Enabled
    Failed to check PeerDistribution status. NOT able to do branch cache.
    FSPSTATEMESSAGE
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    Successfully sent location services HTTP failure message.
    InternetProxy
    Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
    InventoryAgent
    Inventory: 9 Collection Task(s) failed.
    SCCLIENT
    Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
    SMSCLIUI
    Failed to set DNSSuffix value to the registry.
    IPCONFIG /ALL from CLIENT:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : NYWIN8
       Primary Dns Suffix  . . . . . . . : demo.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : demo.local
       System Quarantine State . . . . . : Not Restricted
    Ethernet adapter vEthernet (Internal):
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
       Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 872420701
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter vEthernet (External):
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
       Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 730113736
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
       Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.home:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
       Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
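    The log excerpts above contain two different failure codes, and telling them apart is the first triage step: 12007 means the host name never resolved, 0x80190194 means it resolved, the server answered, and the answer was HTTP 404. As an added example that is not from the post, from ConfigMgr or from any answer in the thread: a script that pulls host, URL and error code out of those lines (copied from the post as constructed input) and then reports, for each host, which NRPT rule the DirectAccess client would apply and whether the resolver returns an AAAA record, since a DA client reaches intranet names only through the NRPT rule that points at the DA server's DNS64 address. The NRPT and DNS cmdlets are from the DnsClient module on Windows 8 and later; the error-code meanings are the documented WinHTTP and BITS values.

```powershell
# Added example, not from the post: extract the failing URLs and error codes from the
# ConfigMgr client log lines quoted above, then test how each host name resolves on a
# DirectAccess client (NRPT rule plus AAAA answer). Requires the DnsClient module
# (Windows 8 / Server 2012 and later). Sample input is copied from the post.

# Constructed sample input: three lines quoted in the post; the last one has no error.
$LogLines = @'
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
Client's current MP is http://SCCM01.DEMO.local and is accessible
'@ -split "`r?`n"

# The two codes that actually appear in the post, decoded from the WinHTTP and BITS docs.
$KnownErrors = @{
    '12007'      = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: the client could not resolve the host name'
    '0x80190194' = 'BG_E_HTTP_ERROR_404: name resolved and the server answered, but the URL was not found'
}

function Get-CcmLogFailures {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Any http(s) URL on the line, plus either a WinHTTP "Code=NNNNN" or a BITS "error 0x........".
        if ($line -notmatch '(?<url>https?://[^\s,]+)') { continue }
        $url  = $matches.url
        $code = $null
        if     ($line -match 'Code=(?<c>\d+)')               { $code = $matches.c }
        elseif ($line -match 'error (?<c>0x[0-9A-Fa-f]{8})') { $code = $matches.c }
        if (-not $code) { continue }   # informational line, e.g. "MP ... is accessible"
        $meaning = if ($KnownErrors.ContainsKey($code)) { $KnownErrors[$code] } else { 'not decoded' }
        [pscustomobject]@{
            Host    = ([uri]$url).Host
            Url     = $url
            Code    = $code
            Meaning = $meaning
        }
    }
}

function Test-DaNameResolution {
    # For each host, show the effective NRPT rule that should steer it to the DA DNS64
    # address and what the resolver actually returns. A DA client with no matching rule,
    # or with only an A record, is resolving through the local ISP path, not the tunnel.
    param([string[]]$Hosts)
    $policy = Get-DnsClientNrptPolicy -Effective
    foreach ($h in ($Hosts | Sort-Object -Unique)) {
        $rule   = $policy | Where-Object { $_.Namespace -and ($h -like "*$($_.Namespace)") }
        $answer = try { Resolve-DnsName -Name $h -ErrorAction Stop } catch { $null }
        [pscustomobject]@{
            Host         = $h
            NrptRule     = if ($rule) { ($rule.Namespace -join ',') } else { '<none>' }
            DaDnsServers = if ($rule) { ($rule.DirectAccessDnsServers -join ',') } else { '<none>' }
            AAAA         = ($answer | Where-Object Type -eq 'AAAA' | ForEach-Object IPAddress) -join ','
            A            = ($answer | Where-Object Type -eq 'A'    | ForEach-Object IPAddress) -join ','
        }
    }
}

$failures = Get-CcmLogFailures -Lines $LogLines
$failures | Format-Table Host, Code, Meaning -AutoSize
Test-DaNameResolution -Hosts $failures.Host | Format-Table -AutoSize
```

    On the sample input the first function returns two rows, both for sccm01.demo.local, one with 12007 and one with 0x80190194, and skips the informational line. Run the second function while the client is on the Internet: an NRPT rule for .demo.local with a DA DNS server listed and an AAAA answer is what a working DA client shows; anything else points at name resolution rather than at ConfigMgr.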
