DirectAccess (2012 R2) Force Tunnel & Non-IE Browsers

I'm setting up a DirectAccess solution with Force Tunneling enabled (don't ask why, the client demanded it). The solution is working flawlessly except for internet access for non-IE browsers. I have a proxy server entry in the NRPT for the '.' DNS suffix, and IE is honoring that entry and routing all traffic over the DA tunnel to the proxy server correctly.
However, non-IE browsers like Firefox and Chrome, while they are browsing the internet off of the DA infrastructure tunnel, are ignoring the proxy entry and browsing directly. (In the environment, the DA server itself has access to the internet that is not proxy-filtered.)
It appears that the proxy server entry in the NRPT is only for IE, and not a global "client" setting. Firefox can still browse the web, but it appears that it's simply throwing the traffic at the DA server directly, which is in turn using its internet access as defined by my client's firewall rules for infrastructure servers.
Or am I missing something? It seems that the proxy server specified in the NRPT for the '.' DNS suffix should apply to all client traffic and not just IE...

For anyone that happens to run across a similar issue, here's how I solved it:
The main problem was that the '.' DNS suffix in the NRPT policy, which was set to route that suffix to a specified intranet proxy server, didn't seem to apply to all traffic. Non-IE browsers (such as Firefox) would send traffic over the DA tunnel according to the force tunnel configuration, but wouldn't have their internet-based traffic routed to the proxy server. Instead, they would send internet traffic to the DA server, which would access the internet directly, effectively bypassing the corporate proxy and its filtering rules.
The infrastructure design problem at the client was that the server subnet is granted direct internet access that is not proxied, so the DA server had the ability to forward 6to4 internet traffic directly.
We ended up changing the Windows Firewall on the DA server so that the default outgoing policy was set to block, and created explicit allow rules for only the internal subnets and the proxy servers, effectively killing the DA server's internet access but allowing traffic to the internal infrastructure.
This in turn killed DA clients' ability to browse the internet unfiltered. For non-IE clients or FTP applications a proxy server will now have to be set manually (or potentially through Group Policy), but it closed the loophole in the forced tunnel configuration for DA clients' web browsing.
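The firewall change described in the solution above, as an added PowerShell example for the DA server. This is not the original poster's script: the internal subnets, the IPv6 prefix, the proxy addresses and the proxy port are constructed placeholders, and the rule names are arbitrary.

```powershell
# Added example, not from the original thread. Hardens a force-tunnel
# DirectAccess server so it cannot reach the Internet directly and can only
# talk to the internal subnets and the corporate web proxy.
# Every address below is a constructed placeholder; replace with your own.

$InternalSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal IPv4 ranges (DCs, DNS, CA, NLS)
$InternalIPv6    = 'fd00::/8'                          # assumed internal ULA prefix used by DA clients
$ProxyServers    = @('10.0.5.10', '10.0.5.11')          # assumed corporate proxy addresses
$ProxyPort       = 8080                                 # assumed proxy listening port

# 1. Default-deny outbound on every profile. Inbound rules (IP-HTTPS, IPsec)
#    are untouched; only connections the server itself originates are affected.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Explicit allow rules for the only destinations the server should reach.
New-NetFirewallRule -DisplayName 'DA-Out-Internal-IPv4' -Direction Outbound `
    -Action Allow -RemoteAddress $InternalSubnets -Profile Any

New-NetFirewallRule -DisplayName 'DA-Out-Internal-IPv6' -Direction Outbound `
    -Action Allow -RemoteAddress $InternalIPv6 -Profile Any

New-NetFirewallRule -DisplayName 'DA-Out-Proxy' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $ProxyServers -RemotePort $ProxyPort -Profile Any

# 3. Verify: default outbound action per profile, and the rules just created.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'DA-Out-*' | Select-Object DisplayName, Direction, Action, Enabled
```

As the thread describes, under force tunneling the client traffic that leaves the DA server towards the Internet is governed by the server's own outbound policy, so once the default is Block a DA client with no proxy configured loses unfiltered web access while DNS, domain and NLS traffic to the internal subnets keeps working. Before rolling this out, confirm the subnet list covers every DC, DNS, CA/CRL and NLS host the DA server depends on; anything outside those ranges is blocked outbound.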

Similar Messages

  • DirectAccess 2012 force tunneling

    Hi,
    I have a Windows Server 2012 DirectAccess implementation where I want to enable force tunneling so clients using DirectAccess from the Internet will force all traffic to the DA server.
    When I select “use force tunneling” in the DA Wizard and save the configuration, my DA-enabled clients lose network connectivity when they are placed on my internal network.
    In the DA wizard I see the help text “DirectAccess clients connected to the internal network and to the Internet via remote Access server” below the “use force tunneling” option.
    Can it be true that the force tunneling applies to all DA clients regardless of whether they are placed internally or on the Internet?
    If that is true it will put a lot of traffic on the DA server if force tunneling is enabled.
    Thomas Forsmark Soerensen

    I'm having the exact same issue:
    When in the internal network there is still an entry in the NRPT: the one for "."
    DNS Effective Name Resolution Policy Table Settings
    Settings for .
    Certification authority :
    DNSSEC (Validation) : disabled
    IPsec settings : disabled
    DirectAccess (DNS Servers) : fd17:dc02:d12b:3333::1
    DirectAccess (Proxy Settings) : Bypass proxy
    My setup is the following:
    One NIC behind a FW/Reverse Proxy (squid), force tunneling activated, windows 7 clients (PKI deployed), NAP (NPS/HRA deployed and working).
    I tried some tips on DNS resolution:
    - enable "Allow DA clients to use local name resolution"
    - use the least restrictive local name resolution option "use local name resolution for any kind of DNS resolution error" (but I tried others)
    In the configuration there is :
    - "." and the DA DNS Server prefix:3333::1
    - public url of my DA and no DNS server
    - DirectAccess-NLS.internaldomain no DNS Server
    The output of netsh dnsclient show state is also strange:
    C:\Users\administrator>netsh dnsclient show state
    Name Resolution Policy Table Options
    Query Failure Behavior : Always fall back to LLMNR and
    NetBIOS for any kinds of errors
    Query Resolution Behavior : Resolve only IPv6 addresses for names
    Network Location Behavior : Let Network ID determine when Direct
    Access settings are to be used
    Machine Location : Inside corporate network
    Direct Access Settings : Configured and Enabled
    DNSSEC Settings : Not Configured
    It says it is inside the corporate network but Direct Access settings are "Configured and Enabled".
    Do you have some ideas?

  • Direct Access 2012 R2 - Problems with Force Tunneling and other questions

    I have just set up a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients.
    Internal CA environment (no external CRL) using a publicly issued cert for the IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address), and my test clients are connecting fine to internal resources.
    1.  When I enable Force Tunneling the clients are no longer able to access the external internet.  Is there anything I need to add to make this work?
    2.  I am having trouble with our Remote Desktop Session Hosts.  I can only assume it has something to do with DNS, as we have our AD domain performing internal DNS for the int.contoso.com domain and public DNS performing for the external Contoso.com domain (RDWA etc).  DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup.  Should I add the external contoso.com Name Suffix in there too?
    3.  I have a Kaspersky Security Center server for centralized AV admin; can I still push out AV updates to the clients that connect with DA?  Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA setup?  Does that list allow those servers to access the DA clients?

    Hi,
    Let's solve the problems one by one. Force tunneling: when enabled, all network traffic from DirectAccess clients goes through IPsec tunnels. Just configure a proxy on your DirectAccess clients (with an FQDN of course) and your clients should be able to surf the internet again.
    RDS: it depends. Where are your RDS servers registered, the internal DNS zone or the external DNS zone? If a DirectAccess client cannot resolve a name it does not know if it has to go through the tunnel. Lastly, can you ping your RDS server?
    Remote Management: right. Adding servers to this list allows them to use the IPsec infrastructure tunnel (computer-established tunnel) without users being logged on.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • DirectAccess force tunneling - Web proxy (TMG) needs authentication

    Hello,
    I have deployed a DirectAccess 2012 server using computer certificate authentication. The clients are connecting to corporate resources over the WAN using DirectAccess. Forced tunneling is a requirement. DirectAccess is only configured for IPHTTPS using a single NIC behind a firewall.
    But there is a TMG web proxy in the corporate network that authenticates users. When these users connect over the Internet using devices that have DirectAccess enabled, they are not able to visit any sites as TMG blocks the connection. In the TMG logs, I see that the reason it is dropping these web connections is because the traffic is coming from an 'anonymous' user as per the logs.
    The proxy requires user authentication.
    Can someone please advise?
    Thanks in advance,
    SinghP80

    Yes I was able to resolve this by using the command below on the DA server:
    Set-DAClientDNSConfiguration -DNSSuffix '.' -ProxyServer ProxyFQDN:PortNumber
    Hope this helps you as well. Please let me know if it does.
    Regards,
    SinghP80
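The NRPT proxy entry from SinghP80's reply above, followed by the checks a practitioner would run on the server and on a client afterwards. This is an added PowerShell example rather than the poster's own commands, and it also covers the '.' entry (shown as "Bypass proxy") discussed in the first thread under Similar Messages. The proxy FQDN and port are constructed placeholders.

```powershell
# Added example, not from the original threads. Publishes a proxy for the
# catch-all '.' NRPT suffix from the DA server, then checks what the DA
# clients actually received. The proxy endpoint is a constructed placeholder.

$ProxyEndpoint = 'proxy.corp.example:8080'   # assumed corporate proxy FQDN:port

# --- On the DirectAccess server (RemoteAccess module) ---
# Route the '.' suffix (every name not matched by a more specific entry)
# through the corporate proxy, as in the reply above.
Set-DAClientDNSConfiguration -DNSSuffix '.' -ProxyServer $ProxyEndpoint

# Review every NRPT entry DirectAccess will push through the client GPO.
# The '.' entry should now list the proxy instead of "Bypass proxy".
Get-DAClientDNSConfiguration | Format-List

# --- On a DirectAccess client, after the GPO has refreshed ---
# Read-only checks; run from an elevated prompt.
gpupdate /force

# Effective NRPT as the DNS client sees it: inspect the '.' namespace entry
# and its DirectAccess proxy fields.
Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq '.' } | Format-List

# Same information in the legacy format quoted in the first thread above.
netsh dnsclient show state
netsh namespace show effectivepolicy
```

If the '.' entry on a client still shows "Bypass proxy" after the refresh, the DirectAccess client GPO has not been applied yet; check that before assuming the browser is ignoring the proxy. Note that, as the main post found, this NRPT proxy is honoured by IE and not necessarily by other browsers, so it complements rather than replaces the outbound firewall restriction on the DA server.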

  • DirectAccess Force Tunneling via proxy server (TMG)

    Hello
    I am looking to enable Force Tunneling for DirectAccess.  All web traffic would then go via TMG proxy.  This is all fine, but in the past this was once configured and stopped IMAP from working?  
    The question is, would forced tunneling only send http/https traffic to the proxy by design and all other traffic directly out? Other traffic does traverse the proxy when internal to the LAN but I am sure DA treats this a little different in terms of what
    protocols are forwarded - Is this correct?
    If this is the case then I am assuming the firewall infrastructure is stopping IMAP?
    Thanks

    Hi There - it is a strong recommendation even in Microsoft deployments not to use Force Tunnelling unless you really have to. Using Force Tunnelling will always revert to IP-HTTPS, which is still technically the slowest of the transition technologies. This means DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the DirectAccess servers over the IPv4 Internet.  IP-HTTPS has much higher overheads than IPv6, 6to4 or Teredo. Also, your proxy server will handle every request and consume plenty of bandwidth, and you cannot put NRPT exemptions in force tunnelling as all traffic has to come through the tunnel. There is also the small issue of captive portals. There are more things to list but the above should be enough to start an argument on why not to do it!!
    You could implement a split tunnel with enforced web proxy (seeing as you have TMG) as per the guide / recommendations by Shannon Fritz below (which works well in reality).
    http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/
    Kr
    John Davies

  • Modern UI apps do not connect to internet when using microsoft VPN (forced tunneling) (win 8.1)

    Hi, I am running Windows 8.1 on a Surface Pro 3. When I connect to VPN (Microsoft) all apps on the desktop work as expected,
    but in the modern UI, apps do not detect an internet connection.
    I believe this is fixed in Windows 8 using this hotfix:
    https://support.microsoft.com/kb/2797356?wa=wsignin1.0
    & here:
    http://support.microsoft.com/kb/2876419
    These hotfixes are for Windows 8 & not 8.1...
    Are there hotfixes for Windows 8.1 available? (Disabling forced tunneling is not an acceptable solution, unfortunately.)
    Thanks

    Hi,
    Actually this is a known issue and there is no effective method until now. You can find related threads on TechNet but none of them got a useful solution. However, I am still researching and testing, aiming to find a workaround for this problem.
    If there is any progress in the future, I'll post the solution here.
    Thanks for your understanding.
    Roger Lu
    TechNet Community Support

  • OWA Calendar not showing month view in non-IE browsers

    I've got a user who can't see the Month view on his OWA calendar. He's the only user complaining - Month view loads fine on my Exchange account across all browsers and operating systems.
    I can see the Month view on his account when I log in with IE, but not with any other browser, Windows and Mac.
    Any ideas? I'm at a total loss here, I've been in and deleted recurring appointments, but nothing else looks out of the ordinary. Everything else works, it just won't load the month view in non-IE browsers and he's the only one affected.
    Any clues appreciated, thank you!

    Hi, 
    The Microsoft OWA web interface has two versions: OWA Premium and OWA Light. OWA Premium which can achieve calendar month view is only accessible when using Microsoft’s Internet Explorer browser. 
    If you’re using any other browser, we can use OWA Light. In light version, the OWA feature is not rich like OWA Premium. As for Calendar view, there is only daily view in OWA light.
    About Calendar view in third-party browsers, please contact the third-party browser support for more help.
    About Microsoft Outlook Web Access Light 2007, please refer to:
    http://blogs.technet.com/b/exchange/archive/2006/09/13/3394870.aspx
    Thanks,
    Winnie

  • Slow Performance in Non IE Browsers

    I'm struggling with slow performance with non-IE browsers (i.e. Opera or Firefox), or connections through a proxy server, to an application I wrote. This is what I am using...
    JSF 1.2
    EJB 3.0
    Facelets
    RichFaces Taglib
    SJSAS 9.1
    Anyone have any suggestions where to direct my frustrations?

  • Many pages not displayed correctly in non-IE browsers

    Some pages, especially those part of the PDK, are not displayed in non-IE browsers. An example is:
    http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/plsql/doc/sdk22pkg.htm
    Viewing the source shows a very badly formatted IMG SRC tag (alt="Oracle9iAS Portal Developer Kit"). Removing this tag fixes the pages.
    Could you please adjust these pages ASAP so they are also viewable again according to the Rehabilitation Act?

    There is enhancement filed about this issue that you are experiencing. Also, there are a new set of PL/SQL API documentation that is automatically generated and we are checking to see if those have the same issue.
    Thanks,
    Sue Vickers

  • Non-safari browsers on osx access to XI

    We have a large number of researchers on Macs needing access to BO XI Rel 3 ( 12.1.0 ) with Tomcat as the server.
    We need them to be able to get in via SSO; however, any browser used (Firefox, Opera, Safari) gets a 401 (authorization error).  This did not happen when we were using IIS as the server.  We upgraded in order to take advantage of certain features but got bit by this.
    We've altered Firefox's parameters
      network.automatic-ntlm-auth.trusted-uris
      network.negotiate-auth.delegation-uris
      network.negotiate-auth.trusted-uris
    which didn't do anything.
    An official support ticket yielded "We don't support non-IE browsers".
    This is probably an OS X setup and postings in other areas suggest this can be done but there are no directions.
    Given SAP / Bus Obj push into healthcare / biotech it seems that this has to have happened and been dealt with.
    Anyone have any ideas?
    danke

    We do certainly support firefox and usually setting up SSO with the parameters you specified will work. The other browsers I'm not so sure. BO has absolutely no control here. Maybe understanding what SSO actually is will help....
    So when SSO is configured on BO(I'm assuming true SSO such as kerberos or NTLM). The website (virtual directory) will no longer allow anonymous access and will present a 401 (challenge to the browser). The trick you have to find out is if your browser supports spnego/NTLM and how to configure it. Typically on a windows server with IE the AD user logs in with their credentials. The browser hits the site and receives the 401 (like your error). The browser then checks its rules to see if it is allowed to send the user logged in credentials. If the rules permit (a common reason would be for intranet sites where IE SSO is enabled by default) then the browser will negotiate either NTLMSSP or spnego and the AD user will be authorized to access BO based on their mapped AD account permissions.
    Now I'm not sure your OS is supported; do you log in to it with AD? Have you found steps for setting up SPNEGO or NTLM SSP? As all of these components (AD, the browsers, the OS) are outside of our products there is very little our support engineers can do when it doesn't work other than googling possible solutions. We do have documented solutions for IE and Firefox on Windows (which I have heard will work for Firefox on Mac as well).
    Regards,
    Tim

  • DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)

    We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no
    teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
    I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
    1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC2 would contain an internal facing IP on DMZ2 (say 10.10.11.2). NIC2 would
    be routable to the internal subnets via the internal firewall.
    Crude diagram:    Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
    2.  Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
    Crude diagram:   Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
    What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
    Advice is appreciated.

    Hi,
    The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a computer certificate, domain membership (which means domain authentication) and so on.
    Here is a related thread:
    DirectAccess 2012 + Security concerns
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Office Integration and non-MS browsers

    I have an 'issue' with Office Integration and non-MS browsers with our SharePoint 2013 on-prem environment (using SSO via ADFS).
    Background: our internal client wants to move to SharePoint sites for collaboration with external partners.  One of the selling points they're wanting to make to justify the move from their current
    external collaboration site is Office integration - specifically the ability to open/edit/save documents by clicking on the document in SharePoint, having it open in Office (PC/client) for editing.  Note they are wanting full integration with the client
    version of Office - not OWA.  The other requirement is that this work with both Firefox and Chrome.
    Issue: Office integration works fine using Internet Explorer.  When a user clicks on a document, the document opens in Office and can be edited directly in the browser without any additional prompts.
    But when clicking on a document via Firefox or Chrome the SSO login form pops-up when Office starts.  Once the user enters their credentials they can work with the documents as desired.  But our client does not want this second prompt.
    Question:
    Is there a way to configure SharePoint so that Firefox or Chrome open up documents for editing without a second logon prompt?  I'm assuming not based on my research on how these browsers handle
    cookies differently than IE.   Can someone confirm? 
    Is there a dev solution to this?  Note that because the users will be partners (non-employees) we are trying to avoid using a solution that would involve installing custom software on their PCs (such as browser extensions).

    Unfortunately you are looking at a plugin or having the users modify their browsers:
    http://yalla.itgroove.net/2011/12/firefox-friday-3-sharepoint-login-prompts-on-firefox/
    http://www.rhyous.com/2009/12/31/why-does-firefox-prompt-for-domain-ad-authentication-or-how-to-get-firefox-to-automatically-login-to-web-sites-with-domain-credentials-sharepoint-for-example/
    Brandon Atkinson
    Blog: http://sharepointbrandon.com

  • SharePoint 2013 InfoPath form Date Picker causes screen to shift to the top in non-IE browsers

    I created a list in SharePoint 2013 that has a date field. I then created an InfoPath form that has that date field in it. When I go to insert a new item in the list, clicking on the date field brings up the calendar control. In IE the page doesn't move; in non-IE browsers it moves the page to the top. Is there a fix for this?

    Also want to know how to fix this behaviour!

  • N-force 2 (non-SoundStorm) or SBLive 5.1??

    which one is better with 5.1 analog speakers ?
    N-force 2 (non-SoundStorm) or SBLive 5.1??

    Quote
    Originally posted by Shayan_he
    where can I find some technical information about my mobo sound?
    Like I said it's K7N2 Delta-L.
    I already checked the nvidia site but it has only SoundStorm information.
    If you go to this link (Realtek Drivers) and read the notes you will see some spec info. In my opinion I think Live 5.1 has better sound, but as mentioned previously it's a matter of preference.

  • Add DirectAccess 2012 R2 to DirectAccess 2012 Cluster

    Does anyone know if it is supported or possible to add DirectAccess 2012 R2 to an existing DirectAccess 2012 cluster?
    Hoping to use this approach to upgrade to DirectAccess 2012 R2 without creating a new cluster and configuration.
    Thanks

    I've never tried it, but I don't know of any reason why it wouldn't work. Server 2012 and above handle NLB/clustering quite a bit differently than UAG did, where the nodes are really more individualized and there's not a "master/member" mentality
    anymore. So when you add the new 2012 R2, if you experience problems with it or notice that no user sessions are flowing to it, you can simply remove it from the array again, and then you'll know for sure. :)
    If I had an environment online right now where I could test this for you I would, but I would give it a try if you have the server ready to go. Just make sure that you install the Remote Access Role, and also the NLB feature, to your new server before you
    try adding it to the array. You'll also need to have IP addressing and certificates in place on this new node before you will be able to join it successfully to the array.
