DirectAccess client enables IPHTTPS interface when inside corporate network at remote sites

We have 4 offices connected via an MPLS network. I've installed the DA server in the main office. We're using a PKI for NLS and IPsec certs and a self-signed cert for IPHTTPS. For the most part everything works great. When a DA client is in the main office, all DA settings are disabled and the client acts as it should. When on the internet, the IPHTTPS tunnel is established and remote access works.
My problem is when the same DA client connects at one of the remote offices. When at a remote office the IPHTTPS interface is active. The NRPT is not. No tunnel is actually established, but I find Event 4012, NCSI event logs showing that the Inside/Outside probe failed. This in and of itself would not be a big deal as the tunnel is never established; however, it does seem to cause Outlook to prompt for a password. I know this has something to do with our OWA site being resolvable inside the network, but I'm at a loss as to why this only happens when the IPHTTPS interface is active with no tunnel established.
The NLS site appears to be working from the remote offices. I can ping NLS via DNS name and can open the https NLS website in a browser.
Anyone have any ideas as to why this would be happening?

Event Logs:
Log Name:      Microsoft-Windows-NCSI/Operational
Source:        Microsoft-Windows-NCSI
Date:          4/22/2013 8:26:58 AM
Event ID:      4012
Task Category: Check Corporate Inside/outside Location
Level:         Warning
Keywords:      (17179869184)
User:          NETWORK SERVICE
Computer:      N30504-EDUENSIN.miac.local
Description:
Inside/Outside probe failed for interface 0x8300000F000000.
Error: A connection with the server could not be established (12029)
Host: directaccess-nls.miac.local//insideoutside
Next retry: 128 second(s).

Log Name:      Microsoft-Windows-NCSI/Operational
Source:        Microsoft-Windows-NCSI
Date:          4/22/2013 8:26:58 AM
Event ID:      4010
Task Category: Check Corporate Inside/outside Location
Level:         Information
Keywords:      Response Time,(35184372088832)
User:          NETWORK SERVICE
Computer:      N30504-EDUENSIN.miac.local
Description:
Inside/Outside detection finished for interface 0x8300000F000000 (OUTSIDE).

netsh dns show state
Name Resolution Policy Table Options
Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network
Query Resolution Behavior             : Resolve only IPv6 addresses for names
Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used
Machine Location                      : Inside corporate network
Direct Access Settings                : Configured and Disabled
DNSSEC Settings                       : Not Configured

netsh namespace show effectivepolicy
DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings would be turned off when computer is inside corporate network

netsh interface httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy)  Parameters
Role                       : client
URL                        : https://***********:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
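
Added example (not part of the original post): a small triage script that correlates the three outputs quoted above and flags the combination the poster describes, where the NRPT reports the machine as inside while the IPHTTPS interface is active and NCSI classifies an interface as OUTSIDE. The sample strings are trimmed copies of the output in the post; the function names and finding texts are this example's own.

```python
import re

# Constructed sample input: trimmed copies of the output quoted in the post.
DNS_STATE = """\
Machine Location                      : Inside corporate network
Direct Access Settings                : Configured and Disabled
"""

IPHTTPS_STATE = """\
Interface IPHTTPSInterface (Group Policy)  Parameters
Role                       : client
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
"""

NCSI_EVENTS = """\
Event ID:      4012
Inside/Outside probe failed for interface 0x8300000F000000.
Error: A connection with the server could not be established (12029)
Host: directaccess-nls.miac.local//insideoutside
Event ID:      4010
Inside/Outside detection finished for interface 0x8300000F000000 (OUTSIDE).
"""

# "Name      : value" lines as printed by netsh (whitespace before the colon).
KV = re.compile(r"^\s*(.*?\S)\s+:\s*(.*)$")
# NCSI event 4012 body: interface id, numeric error code, probe host.
PROBE_FAILED = re.compile(
    r"Inside/Outside probe failed for interface (0x[0-9A-Fa-f]+)\.\s*"
    r"Error: .*?\((\d+)\)\s*"
    r"Host: (\S+)"
)
# NCSI event 4010 body: interface id and the final INSIDE/OUTSIDE verdict.
VERDICT = re.compile(
    r"Inside/Outside detection finished for interface (0x[0-9A-Fa-f]+) \((\w+)\)"
)


def parse_netsh(text):
    """Turn the 'Name : value' lines of netsh output into a dict."""
    fields = {}
    for line in text.splitlines():
        match = KV.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def parse_ncsi(text):
    """Collect per-interface probe failures and verdicts from NCSI event text."""
    interfaces = {}
    for iface, code, host in PROBE_FAILED.findall(text):
        entry = interfaces.setdefault(iface, {"failures": [], "verdict": None})
        entry["failures"].append({"error": int(code), "host": host})
    for iface, verdict in VERDICT.findall(text):
        entry = interfaces.setdefault(iface, {"failures": [], "verdict": None})
        entry["verdict"] = verdict
    return interfaces


def triage(dns_state, iphttps_state, ncsi_events):
    """Return a list of findings; an empty list means the three views agree."""
    dns = parse_netsh(dns_state)
    tunnel = parse_netsh(iphttps_state)
    inside = dns.get("Machine Location", "").lower().startswith("inside")
    active = tunnel.get("Interface Status", "").lower() == "iphttps interface active"

    findings = []
    if inside and active:
        findings.append("location is inside but the IPHTTPS interface is active")
    for iface, info in sorted(parse_ncsi(ncsi_events).items()):
        for failure in info["failures"]:
            findings.append(
                f"probe from {iface} to {failure['host']} "
                f"failed with error {failure['error']}"
            )
        if inside and info["verdict"] == "OUTSIDE":
            findings.append(
                f"interface {iface} was classified OUTSIDE while the machine is inside"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(DNS_STATE, IPHTTPS_STATE, NCSI_EVENTS):
        print("-", finding)
```

Feeding it the full, untrimmed command output and event text also works, because the patterns only look for the lines shown here.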

Similar Messages

  • Lync 2010 client asks for credentials when outside of corporate network.

    Hello, 
    We are running Lync 2010 Enterprise. Every time our Lync users are outside of our network and they log in to their Lync client, they get a pop-up window asking for credentials. When they log into Lync inside our network the Lync client connects automatically without asking for credentials. Is this normal behavior? I assumed that the Lync client would behave exactly no matter where they were connecting from. They are using Lync 2010 client on domain joined laptops, I would assume the Lync client would just use the same credentials they used to log in to their computers and not ask for anything. Please let me know if there is a way to stop the pop-up from showing up when people try to connect to Lync from outside our network.
    Thanks for any help!

    Outside of the network the credential popup is for Exchange web services on the back end to check calendar info, contact lookup, etc.  If Lync is already logged in when they see the popup, this is normal behavior. 
    SWC Unified Communications

  • IPHTTPS interface not installed

    Trying to restore direct access to a laptop that had it working until some malware disabled it.
    When I run: netsh interface httpstunnel show interface
    I get the following:
    Interface IPHTTPSInterface (Group Policy)  Parameters
    Role                       : client
    URL                        : https://2012da.server.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface not installed.
    Other corporate connectivity available.
    How do I install IPHTTPS?

    Hi,
    Please check this guide:
    Cannot Reach the DirectAccess Server with IP-HTTPS
    http://technet.microsoft.com/en-us/library/ee844126(v=ws.10).aspx
    After confirming everything, and you receive this message "IPHTTPS interface deactive", please disable teredo by running this command and see what's going on:
    netsh interface teredo set state disable
    Hope this could be helpful.
    Kate Li
    TechNet Community Support

  • I can Ping FW inside interface but can not connect to remote resources

    Dear all,
    I configured my ASA 5520 through ASDM to enable VPN connection. I followed the Cisco steps and it works fine, and AnyConnect version 3.1 in Windows 8 - one day of troubleshooting for this point only - can connect and get an IP address from the range, but I have something wrong in NAT, maybe because all guides talk about the old ASDM (NAT Exempt), but I am confused about how to apply it on the new ASDM.
    I can ping the inside interface from my laptop, which is using AnyConnect, but I cannot access anything else inside my network.
    If anyone has a solution, please describe it using ASDM. Thanks for the help.
    This is my configuration:
    interface GigabitEthernet0/1
    description
    nameif SRV_ZONE
    security-level 50
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/2
    description
    nameif TRUST_ZONE
    security-level 100
    ip address 172.17.200.1 255.255.255.0
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif MGMT
    security-level 0
    ip address 10.10.10.1 255.255.255.0
    dns server-group DefaultDNS
    domain-name xxx.xxx.xxx
    object network obj-192.168.1.11
    host 192.168.1.11
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service obj-tcp-source-eq-25
    service tcp source eq smtp
    object network obj-192.168.1.12
    host 192.168.1.12
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object service obj-tcp-eq-25
    service tcp destination eq smtp
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network obj_any-01
    subnet 0.0.0.0 0.0.0.0
    object network obj-172.17.8.8
    host 172.17.8.8
    object network obj-172.17.0.0
    subnet 172.17.0.0 255.255.0.0
    object network obj_any-02
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-03
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-04
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-05
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-06
    subnet 0.0.0.0 0.0.0.0
    object network obj.172.17.8.115
    host 172.17.8.115
    object network obj.xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service http
    service tcp source eq www destination eq www
    object network obj.xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service https
    service tcp source eq https destination eq https
    object service newservice
    service tcp source eq pop3 destination eq pop3
    object network mail
    host 172.17.8.8
    description mail     
    object network 192.168.1.11
    host 192.168.1.11
    description smtp     
    object service smtpnew
    service tcp source eq 587 destination eq 587
    object network VPN_RANGE
    description VPN ACCESS RANGE  
    object network VPN_PoOL
    subnet 172.17.16.0 255.255.255.0
    description vpn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.1.11
    network-object host 192.168.1.12
    object-group network Eighth_Floor
    network-object 172.17.8.0 255.255.255.0
    object-group service WEB_SERVICES
    service-object tcp destination eq www
    object-group network ENT_SERVERS
    network-object host 192.168.1.11
    network-object host 192.168.1.1
    object-group network DM_INLINE_NETWORK_2
    network-object 172.17.200.0 255.255.255.0
    network-object 172.17.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service web tcp
    port-object eq www
    port-object eq xxx
    port-object eq ftp
    port-object eq xxx
    port-object eq xxx
    object-group service xxx_Web_and_Email
    service-object object http
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
    access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
    access-list xxx-VPN_splitTunnelAcl remark vpn
    access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
    access-list xxx-VPN_splitTunnelAcl standard permit any
    access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
    access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
    access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
    access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
    access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
    access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
    access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
    access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
    access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
    access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
    access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
    access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
    access-list vpn remark vpn
    access-list vpn standard permit 172.17.16.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap informational
    logging asdm informational
    logging host TRUST_ZONE 172.17.8.100
    mtu INT_ZONE 1500
    mtu SRV_ZONE 1500
    mtu TRUST_ZONE 1500
    mtu MGMT 1500
    ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
    ip verify reverse-path interface INT_ZONE
    ip verify reverse-path interface SRV_ZONE
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any SRV_ZONE
    icmp permit any TRUST_ZONE
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
    nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
    nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
    nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
    nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
    object network obj_any
    nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
    object network obj_any-01
    nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
    object network obj-172.17.8.8
    nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
    object network obj-172.17.0.0
    nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
    object network obj_any-02
    nat (TRUST_ZONE,INT_ZONE) dynamic interface
    object network obj_any-03
    nat (TRUST_ZONE,SRV_ZONE) dynamic interface
    object network obj_any-04
    nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
    object network obj_any-05
    nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
    object network obj_any-06
    nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
    object network obj.172.17.8.115
    nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
    object network mail
    nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
    nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
    access-group outside_access_in in interface INT_ZONE
    access-group DMZ_access_in in interface SRV_ZONE
    access-group TRUST_ZONE_access_in in interface TRUST_ZONE
    route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 172.17.8.0 255.255.255.0 TRUST_ZONE
    http 172.17.8.155 255.255.255.255 TRUST_ZONE
    http 172.17.8.45 255.255.255.255 TRUST_ZONE
    http 10.10.10.2 255.255.255.255 MGMT
    http 192.168.1.12 255.255.255.255 SRV_ZONE
    http 0.0.0.0 0.0.0.0 INT_ZONE
    http 172.17.200.0 255.255.255.0 TRUST_ZONE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
    crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
    crypto map TRUST_ZONE_map0 interface TRUST_ZONE
    crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map INT_ZONE_map0 interface INT_ZONE
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn SEC-xxx-FW1
    subject-name CN=SEC-xxx-FW1
    no client-types
    proxy-ldc-issuer
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment self
    subject-name CN=SEC-xxx-FW1
    keypair sslvpnkeypair
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 31
        57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
        efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate e6054352
        c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
        85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
      quit
    crypto isakmp enable INT_ZONE
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 INT_ZONE
    ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
    ssh 10.10.10.2 255.255.255.255 MGMT
    ssh timeout 5
    console timeout 0
    management-access TRUST_ZONE
    vpn load-balancing
    interface lbpublic INT_ZONE
    interface lbprivate INT_ZONE
    priority-queue INT_ZONE
      tx-ring-limit 256
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint1 INT_ZONE
    webvpn
    enable INT_ZONE
    svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy xxx-VPN internal
    group-policy xxx-VPN attributes
    dns-server value xx.xx.xx.xx xx.xx.xx.xx
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xxx-VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol webvpn
    group-policy GPNEW internal
    group-policy GPNEW attributes
    dns-server value 172.17.8.41
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    default-domain value xxx.xxx.xxx
    address-pools value VPN_POOL
    username VPNAM password xxx encrypted
    username VPNAM attributes
    service-type remote-access
    vpn-group-policy xxx-VPN
    tunnel-group xxx-VPN type remote-access
    tunnel-group xxx-VPN general-attributes
    dhcp-server 172.17.8.41
    tunnel-group xxx-VPN ipsec-attributes
    pre-shared-key *****
    tunnel-group pol type ipsec-l2l
    tunnel-group pol ipsec-attributes
    pre-shared-key *****
    trust-point ASDM_TrustPoint0
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    address-pool VPN_POOL
    default-group-policy GPNEW
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias SSLVPNClient enable
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect ip-options
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
    : end

    Thank God, I solved the problem.
    The problem is in NAT.
    I created an object with the IP address host from the VPN pool and named it vpn,
    then I did the NAT from inside to that host as in the following picture...
    trust zone is the inside zone
    vpn is the outside vpn host...
    Thanks, and I hope it helps anyone else...

  • DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

    I hit this problem at a customer site and can re-produce it in a simple lab.  Lab environment: servers:
    1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
    1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100
    Servers are running "Update" (KB2919355) and following DA hotfixes:
    KB2929930
    KB2966087
    I configured DA (via advanced wizard) as follows:
    DA and remote access
    AD group
    directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
    behind an edge device (with a single network adapter)
    SSL certificate from enterprise root CA issued to directaccess.contoso.com
    NLS on remote server using https://nls.corp.contoso.com
    DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
    DNS suffix search list = corp.contoso.com
    The DNS server validates successfully in the configuration UI.
    With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC
    The operations status is all green apart from DNS which displays the following error:
    "DNS: Not Working Properly"
    Error:
    None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
    Causes:
    Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.
    I can, however ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1)
    I would like to know what checks are failing as there are no failures in Event Viewer.
    I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server, however Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.

    Thanks for the post Matt,
    ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yields:
    ===========================================================================
    Interface List
     12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination                           Gateway
      1    306 ::1/128                                               On-link
     12    261 fd79:7a37:cbd9::/48                         On-link
     14    306 fd79:7a37:cbd9:1000::/64                On-link
     14    306 fd79:7a37:cbd9:1000::/128              On-link
     14    306 fd79:7a37:cbd9:1000::1/128            On-link
     14    306 fd79:7a37:cbd9:1000::2/128            On-link
     14    306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128     On-link
     12    261 fd79:7a37:cbd9:3333::1/128            On-link
     12    261 fd79:7a37:cbd9:7777::/96                On-link
     12    261 fe80::/64                                           On-link
     14    306 fe80::/64                                           On-link
     12    261 fe80::20c0:e848:d304:9f01/128       On-link
     14    306 fe80::814c:28be:46b5:52c1/128      On-link
      1    306 ff00::/8                                               On-link
     12    261 ff00::/8                                              On-link
     14    306 ff00::/8                                             On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination                            Gateway
      0 4294967295 fd79:7a37:cbd9:1000::/64       On-link
      0 4294967295 fd79:7a37:cbd9::/48                On-link
      0 4294967295 fd79:7a37:cbd9:7777::/96       On-link
    ===========================================================================

  • Iphttps interface The system cannot find the file specified

    DA client is not working when checked status for netsh int iphttpstunnel show int
    it gives error system could not find file specified.
    Any idea on this error ?

    netsh interface httpstunnel show interfaces
    The system cannot file the file specified.
    Also under Device Manager I don't see the IPHTTPS interface.
    Thanks for help.

  • Hosts on corporate network unable to connect to VPN client

    I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.
    This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.
    Can anyone explain what's wrong or where I should look?

    Thanks for the feedback.
    The client is a Mac running OS-X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.
    The "no-nat" rules on the 5505 look like this:
    access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.

  • DirectAccess Client not connecting without error code on Windows Server 2012 R2 and Windows 8.1

    Hello,
    we are currently migrating from Windows Server 2012 to 2012 R2 and are not able to get the new Direct Access Service up and running. Our goal is to establish DirectAccess connection for a handful of clients using the IPHTTPS-adapter on the default port 443.
    Errors:
    There is actually no error showing up. It seems the infrastructure tunnel cannot be created but none of the IPv6-transition adapters is connecting (teredo and 6-to-4 are down) and the IPHTTPs adapter gives no information about a problem:
    >Get-DAConnectionStatus
    Status    : Error
    Substatus : CouldNotContactDirectAccessServer
    >Get-NetIPHttpsState
    LastErrorCode   : 0x0
    InterfaceStatus : Failed to connect to the IPHTTPS server; waiting to reconnect
    Setup:
    Our setup is a virtualized Windows Server 2012 R2 Standard running on Hyper-V. It is located behind a NAT having the Port 443 mapped to the server. The only role installed after the basic install is RRAS including DirectAccess and VPN. The assistants completed successfully (running the configuration for DirectAccess and VPN). Operation Status says everything is green and working (for multiple days in the meanwhile). A previous direct access installation (on a different machine running Windows Server 2012) has been removed before installing the new server. The new installation is using a different router, so this might also be the cause of a problem.
    The client is a Windows 8.1 notebook located outside the company network accessing the internet through another NAT-device. The client has been able to connect to the previous DirectAccess setup but has never been able to establish a connection after the setup of the new Direct Access server. The device has no outbound constraints concerning the NAT-device and is only running the integrated Windows Firewall.
    Diagnosis:
    So far I've done some basic DNS and connectivity checks. The DNS-name can be resolved correctly and the router even responds to pings. The port forward is working and HTTPs connections are generally possible (temporarily routed the port to access the NLS-Website located on the server, which worked fine).
    Network monitor shows that both computers are communicating, traffic on the expected Port 443 is incoming on the server and responses from the server reach the client.
    Opening the IPHTTPs-url ends in an endless page load. Sometimes the browser page closes but I've never seen any result. Using telnet on the port shows that the server is accepting connections. I've even built a small test application that does a GET-Request on the URL returning HTTP-200 and no content.
    I'm currently running out of ideas what to do and since no error occurs this is kind of a bit frustrating. Any help appreciated.
    Regards
    Matthias

    Hi,
    In addition, have you disabled the DA client components on the DA client? If no, please also check the settings on the Name Resolution Policy Table.
    More information:
    DirectAccess Client Location Awareness – NRPT Name Resolution
    In addition, error 0x4C9 means the remote computer refused the network connection. It may be due to the invalid registry or corrupt drivers. For more detailed information, please refer to the link below:
    Error 1225 - Error Code 0x4C9
    Note:
    Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best regards,
    Susie

  • "Unable to connect to the database" when connected to corporate network

    Hi
    Installed Primavera P6 V7 and Oracle 10g in Stand alone on XP 32bit machines with SP3. When our machines are NOT connected to the corporate network it works fine.
    However when connected to the network we can not access the locally stored database. We get message "primavera unable to connect to the database. would you like to configure the database connection now"
    Database on servers that we set up are fine regardless.
    If we connect machines to just the internet, again no issues.
    So something is stopping Primavera opening the local database when connected to our corporate network.
    Any ideas please?
    Thanks

    This may be a long shot but look into how your TNSNAMES.ora file is being distributed on the domain (or are you possibly utilizing LDAP.ora on the domain side?).
    Some time ago I remember a company scripting an ENV variable on domain logon that altered where the Oracle client would pull the TNSNAMES from.

  • Working of serializable interface, when it doesn't have any methods

    Hi,
    I am curious about how the serializable interface is used in JVM.
    This is an empty interface. ie. it does not have any method signatures or any variables inside.
    How does Java use this interface for serializing purposes?
    Also, why should it be an interface, when it's all empty?

    Such marker interfaces are just used to tell something about a class, in this case that the developer wants that instances of a class can be serialized. The code that handles the serialization just checks "instanceof Serializable". Of course Serializable could look like this
    // Alternative form with an explicit method instead of an empty marker
    public interface Serializable {
        public boolean isSerializable();
    }
    But why make things more complicated than necessary?

  • Just trying out my new mac but email won't load, error says "The mail server denied access to the account because an administrator or other mail client was using it when Mail tried to log in. Try again later." A little lock is beside the email inbox

    Just trying out my new mac but email won't load, error says "The mail server denied access to the account because an administrator or other mail client was using it when Mail tried to log in. Try again later." A little lock is beside the email inbox account, no password prompted and account is online and enabled... Thoughts?

    Have you tried clicking on the lock to see if it will then ask for a password?  Otherwise, try rebooting.

  • Allow VPN client to connect from the inside to another remote network

    Hi, if I have a Cisco VPN client software on the inside of network and client is to connect to a remote network, over the internet. What ports need to be opened and on the outside interface/inside/both?
    Thanks.

    Basically, all you need is UDP port 500, NAT-T will do the rest.
    Connections are initiated from the inside and while everything is allowed in that direction, this should work by default.
    If you have an access-list that limits traffic from inside to outside, you might need to allow this traffic.
    Regards,
    Leo

  • System Center Endpoint Protection updates not applying to DirectAccess clients

    Hi
    I have W2008R2 SP2 with SCCM2012R2 CU3 server.
    We started testing DirectAccess. All other updates (Windows, Skype, Adobe) are applying except SCEP.
    Initiating policies from laptop did not help.
    DirectAccess subnet is in boundary list.
    Computer account is in correct collection. SCEP only updates when laptop is on LAN.
    Where to look to resolve this problem?

    Yes, the boundaries that you put in SCCM which specify your DirectAccess client computers must be the IP addresses they are using, which are the IPv6 addresses given to them via their DA transition technologies (6to4, Teredo, IP-HTTPS). Depending on how
    you setup DirectAccess, you may only have some of these available for the clients to utilize. If your DA server is sitting behind a NAT, or if you used the "Getting Started Wizard" to setup DA, then only IP-HTTPS is available to your DA clients and
    that is how they are all connecting. In that case you should only need to add the IP-HTTPS IPv6 prefix.
    You can use this info to calculate the prefixes, or you can check in the SCCM agent on the client machine, I believe in the section where it shows you the heartbeat it will also show you the current prefix that your client is utilizing:
    First Public IPv4=WW.XX.YY.ZZ (address on the DA server)
    2001:0:WWXX:YYZZ::/64 (Teredo)
    2002:WWXX:YYZZ:8100::/56 (IP-HTTPS)
    2002:WWXX:YYZZ:8000::/49 (organizational prefix)
    2002:WWXX:YYZZ:8000::/64 (ISATAP)
    2002:WWXX:YYZZ:8001::/96 (NAT64/DNS64)
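
The prefix layout listed in the reply above, worked through in code. This is an added example, not part of the original post: the function names `da_prefixes` and `classify` are hypothetical, and 203.0.113.10 is a constructed documentation address standing in for the DA server's first public IPv4.

```python
import ipaddress

# Fourth 16-bit group and prefix length for each 2002:WWXX:YYZZ:<group>::/<len>
# entry, taken from the list in the reply.
LAYOUT_6TO4 = {
    "IP-HTTPS": (0x8100, 56),
    "organizational": (0x8000, 49),
    "ISATAP": (0x8000, 64),
    "NAT64/DNS64": (0x8001, 96),
}


def da_prefixes(first_public_ipv4):
    """Return {label: IPv6Network} derived from the DA server's first public IPv4."""
    v4 = int(ipaddress.IPv4Address(first_public_ipv4))  # raises ValueError on bad input
    prefixes = {
        # 2001:0:WWXX:YYZZ::/64 -> the IPv4 fills the third and fourth groups
        "Teredo": ipaddress.IPv6Network(((0x2001 << 112) | (v4 << 64), 64)),
    }
    base = (0x2002 << 112) | (v4 << 80)  # 2002:WWXX:YYZZ::
    for label, (group, length) in LAYOUT_6TO4.items():
        prefixes[label] = ipaddress.IPv6Network((base | (group << 64), length))
    return prefixes


def classify(client_ipv6, prefixes):
    """Label of the most specific listed prefix containing the address, or None."""
    addr = ipaddress.IPv6Address(client_ipv6)
    hits = [(net.prefixlen, label) for label, net in prefixes.items() if addr in net]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    table = da_prefixes("203.0.113.10")  # constructed sample address
    for label, net in table.items():
        print(f"{net}  ({label})")
    # Constructed client address: which boundary prefix would cover it?
    print(classify("2002:cb00:710a:8100:abcd::1", table))
```

`classify` helps when checking a client's reported address against the boundary list: an address that matches none of the prefixes returns `None`, which points at a missing boundary.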

  • Support DirectAccess Clients from local lan?

    We've implemented DirectAccess 2012 R2 and are trying to use remote desktop and SCCM remote assistance to support offsite systems connected by DirectAccess.
    I can use a DirectAccess remote client to remote desktop to a local windows system, but I cannot use that same local system to connect to the same remote resource.  I believe this may be a routing issue on our LAN.
    I can Remote Desktop from the direct access server to a DirectAccess remote client.
    Pings fail with "Ping request could not find host testhost01. Please check the name and try again."
    Tracert fails with "Unable to resolve target system name"
    NSlookup returns 3 IPv6 addresses for the host
    This is the last piece of the puzzle to have DA working 100%
    Any pointers?  Places to look?
    Thanks!!

    Hi,
    Do you use IPv6 in your internal network?
    If no, it should not be an issue.
    If the intranet is only using IPv4, NAT64 and DNS64 will be enabled on the DirectAccess server.
    Similar to NAT, the DirectAccess clients are hidden by the NAT64. We can't access a machine behind NAT.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Enabling SQL Interface !!

    Hi All,
    Am using EPM 11.1.1.2
    Am aware that we need to enable the SQL Interface using inst-sql.sh script under $ARBORPATH when i did it in 7x
    but am unable to see the same script as it mentioned in the document to install SQL Interface using this script
    I searched in the entire $HYPERION_HOME path also but no luck
    Is it automatically taken care during Essbase installation from System Installer? If so, i think i need to see the
    .odbc.ini file in the $ARBORPATH/bin which am not able to view.
    Can anybody reply to this as you might have enabled sql interface or aware of this...
    Thanks,

    Hi Nra,
    No problem for that...
    See here we will have two ini files on version 7x....
    one is odbc.ini which you are explaining and this is used for Essbase Integration Services
    one more is .odbc.ini (pronounced as "Dot ODBC Dot ini") but both will contain the same DB SID's
    Now my question is do we need to use the same odbc.ini file for EIS as well as SQL Interface? or we need to manually create
    the .odb.ini file especially for SQL interface like in 7x?
    To your answer, am not going to use the odbc features of 7x but we use the latest ODBC features supported by OEPM 11.1.1.2
    however, the DB related information would be same and cannot change
    Thanks,
