Server 2012 DC behind NAT

Similar Messages

• Server 2012 R2 RRAS NAT VPN connectivity issues

  Hello all,
  I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not
  working properly.
  Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
  1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
  2. The entire environment is on Server 2012 R2 Hyper-V. I’ve configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I’ve configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching
  to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
  3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it’s not an IP changing anywhere.
  I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
  4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I’m thinking this is
  where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
  5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
  6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
  The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had
  no issues connecting to my VPN server remotely.
  Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
  1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
  2. How can I test if NAT-T is working outside of VPN testing?
  3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond
  that server? What are the security implications for running VPN from the router?
  Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon
  captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience,
  recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
  Respectfully yours,
  Ron Arestia

  Hi Ron,
  Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
  For detailed information, please refer to the link below:
  http://support.microsoft.com/kb/926179
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Runninb Weblogic Server 6.1 behind NAT/firewall

  My network has a router running NAT on it, with all the nodes on the LAN using
  192.168.x.x addresses. One of them has Weblogic Server 6.1 running, which I would
  like to make accessible from outside the LAN. I added a single rule to forward
  port 7001 to the IP address of the machine running Weblogic. I can connect to
  the server from other nodes on the LAN, but the forwarding doesn't seem to be
  working. I can't even connect from a node on the LAN using the public IP. Any
  suggestions would be appreciated. Thanks.

  Check the following URL regarding firewalls :
  http://e-docs.bea.com/wls/docs61//cluster/planning.html
  Check your weblogic.log for error messages.

• DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

  I hit this problem at a customer site and can re-produce it in a simple lab.  Lab environment: servers:
  1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
  1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100
  Servers are running "Update" (KB2919355) and following DA hotfixes:
  KB2929930
  KB2966087
  I configured DA (via advanced wizard) as follows:
  DA and remote access
  AD group
  directaccess-webprobehost DNA (A) record pointing to 10.0.0.100
  behind an edge device (with a single network adapter)
  SSL certificate from enterprise root CA issued to directaccess.contoso.com
  NLS on remote server using https://nls.corp.contoso.com
  DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
  DNS suffix search list = corp.contoso.com
  The DNS server validates successfully in the configuration UI.
  With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC
  The operations status is all green apart from DNS which displays the following error:
  "DNS: Not Working Properly"
  Error:
  None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
  Causes:
  Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.
  I can, however ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1)
  I would like to know what checks are failing as there are no failures in Event Viewer.
  I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server, however Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's
  IP.

  Thanks for the post Matt,
  ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yields:
  ===========================================================================
  Interface List
   12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
    1...........................Software Loopback Interface 1
   14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
  ===========================================================================
  IPv6 Route Table
  ===========================================================================
  Active Routes:
   If Metric Network Destination                           Gateway
    1    306 ::1/128                                               On-link
   12    261 fd79:7a37:cbd9::/48                         On-link
   14    306 fd79:7a37:cbd9:1000::/64                On-link
   14    306 fd79:7a37:cbd9:1000::/128              On-link
   14    306 fd79:7a37:cbd9:1000::1/128            On-link
   14    306 fd79:7a37:cbd9:1000::2/128            On-link
   14    306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128     On-link
   12    261 fd79:7a37:cbd9:3333::1/128            On-link
   12    261 fd79:7a37:cbd9:7777::/96                On-link
   12    261 fe80::/64                                           On-link
   14    306 fe80::/64                                           On-link
   12    261 fe80::20c0:e848:d304:9f01/128       On-link
   14    306 fe80::814c:28be:46b5:52c1/128      On-link
    1    306 ff00::/8                                               On-link
   12    261 ff00::/8                                              On-link
   14    306 ff00::/8                                             On-link
  ===========================================================================
  Persistent Routes:
   If Metric Network Destination                            Gateway
    0 4294967295 fd79:7a37:cbd9:1000::/64       On-link
    0 4294967295 fd79:7a37:cbd9::/48                On-link
    0 4294967295 fd79:7a37:cbd9:7777::/96       On-link
  ===========================================================================

• How to configure the server 2012 with NAT settings & 3 public IP addresses

  Hi everybody,
  I received this from my ISP:
  Here's your IP informationMain IP: 70.164.1.165Subnet
  Mask: 255.255.255.0
  Gateway: 70.164.1.1
  DNS1: 68.4.16.30
  DNS2: 68.6.16.30
  2 additional usable IP's Natted to 70.164.1.165
  Usable IP's 70.182.178.97 & 98
  Subnet Mask if needed: 255.255.255.252
  If you are using one server use 70.164.1.165 as the main IP then add/bind 70.182.178.97 & 98 to the NIC.
  For Linux Servers
  Network 70.182.178.96
  Broadcast 70.182.178.99
  If you are using a firewall or router, please make sure you are using 70.164.1.165 on the WAN interface, you can use / NAT 70.182.178.97 & 98 to your server(s).
  Main IP can also be natted to your server. 
  Please make sure shared IP hosting is utilized to conserve IP addresses per ARIN requirements.
  I have a Dell server, setup with Server 2012 DataCenter.
  I plan to run two VM's running ASP.NET web applications connected using the two additional IP addresses.
  I assume I should setup the VM Host to the base address .165 - simple enough no problem and I know how to setup the VM's on their own separate network and I can access the internet - no issues with that.
  How do I setup the additional public addresses since they have to pass through the Main address to the correct VM?
  I have googled for a few days and my ISP tech people look at me like I want to extract their teeth.  Their answer is to sell me a router and set it up.  This really does not seem that hard a task.

  Try maybe below configuration.
  VMHOST
  NIC1 - 70.164.1.165
  NIC2 - 192.168.0.1
  255.255.255.0
  NIC3 - 192.168.1.1
  255.255.255.0
  VM1:
  Bind VM NIC1 to VMHOST NIC2
  NIC1 - IP1:192.168.0.2 255.255.255.0
    IP2:70.182.178.97
  VM2: 
  Bind VM NIC1 to VMHOST NIC3
  NIC1 - IP1:192.168.1.2 255.255.255.0
    IP2:70.182.178.98
  On VMHOST set static traces (use Command Line):
  ROUTE ADD 70.182.178.97 MASK 255.255.255.255 192.168.0.2 
  ROUTE ADD 70.182.178.98 MASK 255.255.255.255 192.168.1.2

• CUP server behind NAT

  Would there be any problems in having a CUP server (IM & Presence) behind a NAT? A quick google indicates that XMPP isn't like SIP and is NAT friendly, but I wasn't sure if there are any gotchas. (The CUP server and it's CUCM partner are on the same subnet, so there's no issue with the presence SIP trunk between CUP & CUCM)
  Thanks,
  GTG

  It may work, but the client is going to be only functioning half way.  Take a look at the port mappings below.   you will see that XMP will get you connected to the server, but then directory calls go right to LDAP, etc.   You cant NAT LDAP requests.
  The correct way to do this is to run Collaboration Edge (VCS Expressway) in your DMX to hand off the secure communications between the Jabber client and the rest of the UC servers. (CUCM, CUC, LDAP, etc).
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_010.html

• DirectAccess Client not connecting without error code on Windows Server 2012 R2 and Windows 8.1

  Hello,
  we are currently migrating from Windows Server 2012 to 2012 R2 and are not able to get the new Direct Access Service up and running. Our goal is to establish DirectAccess connection for a handful of clients using the IPHTTPS-adapter on the default port 443.
  Errors:
  There is actually no error showing up. It seems the infrastructure tunnel cannot be created but none of the IPv6-transition adapters is connecting (teredo and 6-to-4 are down) and the IPHTTPs adapter gives no informations about a problem:
  >Get-DAConnectionStatus
  Status    : Error
  Substatus : CouldNotContactDirectAccessServer
  >Get-NetIPHttpsState
  LastErrorCode   : 0x0
  InterfaceStatus : Failed to connect to the IPHTTPS server; waiting to reconnect
  Setup:
  Our setup is a virtualized Windows Server 2012 R2 Standard running on Hyper-V. It is located behind a NAT having the Port 443 mapped to the server. The only role installed after the basic install is RRAS including DirectAccess and VPN. The assistants completed
  successfully (running the configuration for DirectAccess and VPN). Operation Status says everything is green und working (for multiple days in the meanwhile). A previous direct access installation (on a different machine running Windows Server 2012) has
  been removed before installing the new server. The new installation is using a different router, so this might also be the cause of a problem.
  The client is a Windows 8.1 notebook located outside the company network accessing the internet through another NAT-device. The client has been able to connect to the previous DirectAccess setup but has never been able to establish a connection after the
  setup of the new Direct Access server. The device has no outbound constraints concerning the NAT-device and is only running the integrated Windows Firewall.
  Diagnosis:
  So far I've done some basic DNS and connectivity checks. The DNS-name can be resolved correctly and the router even responds to pings. The port forward is working and HTTPs connections are generally possible (temporarily routed the port to
  access the NLS-Website located on the server, which worked fine).
  Network monitor shows that both computers are communicating, traffic on the expected Port 443 is incoming on the server and responses from the server reach the client.
  Opening the IPHTTPs-url and in an endless page load. Sometime the browser page closes but I've never seen any result. Using telnet on the port shows that the server is accepting connections. I've even build a small test application that does a GET-Request
  on the URL returning HTTP-200 and no content.
  I'm currently running out of ideas what to do and since no error occurs this is kind of a bit frustrating. Any help appreciated.
  Regards
  Matthias

  Hi,
  In addition, have you disabled the DA client components on the DA client? If no, please also check
  the settings on the Name Resolution Policy Table.
  More information:
  DirectAccess
  Client Location Awareness – NRPT Name Resolution
  In addition, error 0x4C9 means the remote computer refused the network connection. It may be due to the invalid
  registry or corrupt drivers. For more detailed information, please refer to the link below:
  Error 1225 - Error Code 0x4C9
  Note:
  Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best regards,
  Susie

• Server 2012 Direct Access Single NIC cant get it to work

  Hi,
  I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
  First of all I should describe my setup:
  I have an internet connection with a static IPv4 address on the external network adapter of the router
  The internal network address (the address of the router which has the internet connection) is 192.168.1.1
  Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
  certificate services
  Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
  domain controller and backup DNS.
  Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
  These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
  I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
  area.
  I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
  the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
  doesn’t seem to have correctly got the DA settings. I run the following in powershell
  Get-DnsClientNrptPolicy
  Nothing displays – at all
  Get-NCSIPolicyConfiguration
  Description                   
  : NCSI Configuration
  CorporateDNSProbeHostAddress  
  : fdd8:dd4a:ea42:7777::7f00:1
  CorporateDNSProbeHostName     
  : directaccess-corpConnectivityHost.mydomain.local
  CorporateSitePrefixList       
  : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
  fdd8:dd4a:ea42:1000::2/128}
  CorporateWebsiteProbeURL      
  : http://directaccess-WebProbeHost.mydomain.local
  DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
  Get-DAConnectionStatus
  Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
  At line:1 char:1
  + Get-DAConnectionStatus
  + ~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo         
  : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
     ionStatus], CimException
  + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
  I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
  source of problem perhaps but on a more network level question:
  If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
  I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
  Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
  networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
  Many thanks
  Steve

  ahh i see, so just to enlighten me even further...
  If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
  may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
  is this what they do?
  I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
  to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
  Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
  work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN), 
  but when I run the following command on my DA client I get the following status
  Get-DAConnectionStatus
  Status:                 
  connectedlocally
  Substatus:          
  none
  This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
  Status:                 
  Error
  Substatus:          
  NameResolutionFailure
  On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
  status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
  So, a bit further but stuck again.

• Configuring "Manage Out" Server 2012 DirectAccess IP-HTTPS

  Hoping someone with hands on experience configuring Manage Out functionality can answer a few questions for me?
  We have built a Server 2012 VM and deployed DirectAccess successfully.  Have tested with both Win7 and Win8 clients successfully.  After some initial issues with DNS were addressed with a Microsoft hotfix, it seems to be running stable.
  I want to configure Manage Out capabilities, so that I can remotely help the DA clients with software installs and similar.  I've read up on as many blog entries as I can find, but still finding it a bit mystifying. 
  We are using IP-HTTPS connectivity.  As best I can tell, we are not using Teredo or ISATAP.  The DA server is dual-NIC and is configured behind an Edge device (NIC #1 is DMZ and receives NAT'd traffic from external IPv4 address on firewall, NIC
  #2 is internal LAN).  Our internal networks are IPv4 only (no IPv6 at all); therefore DNSv4 and DHCPv4 internally).
  Am hoping that somewhere there might be a step-by-step configuration guide to match our scenario.  Alternatively, if someone can recommend a Local (i.e. Melbourne, Australia) consultant who knows this stuff backwards, I'd consider paying for that.

  OKay, so finally I am in a position to share some information ... it has taken me about 6 months of off-and-on (mostly "off") activity to get things working.
  We engaged a third-party company to do the initial installation of Direct Access.  This got us 90% of the way to where we needed to go.
  The configuration of Manage Out was eventually achieved, but we did take some further expert advice, because I didn't want to change anything without first understanding What was being changed and Why it needed to be changed.  So I had to be educated
  quite a bit about IPv6, IP-HTTPS and ISATAP.
  We ended up disabling all IPv6 on the clients EXCEPT for the IP-HTTPS protocol.  This was done via a GPO.
  I ran into some problems with IPv6 and ISATAP initially when configuring our IT PCs to be able to "manage out" to the DA clients.  We went with a non-standard name for the ISATAP Router (we called ours ISATAP-DirectAccess) and pointed this in DNS to
  the internal IPv4 address of the DA server.  This was enforced via a GPO.  However our PCs did not get IPv6 addresses on their ISATAP adapters.  This was eventually resolved by changing some settings on the ISATAP adapter for the Internal NIC
  on the DA server.  The settings were:  Forwarding=Enabled and also Advertising=Enabled
  After that the IT PCs were getting ISATAP addresses fine, but some of the DA Clients were not registering themselves with an IPv6 address in our Internal DNS.  This was eventually resolved when we discovered that some of the DA Clients' DNS records
  had 'bad' security permissions on them.  Once we fixed those permissions we found the DA Clients would register an IPv6 address when operating in Direct Access mode (and would remove their old IPv4 address) and would register an IPv6 address when connected
  internally (and would remove their unwanted IPv6 address).
  There was also a hitch with getting Windows Remote Assistance working with the DA clients.  This required a Hotfix from Microsoft to get it working properly.
  Setting the Firewall rules for the DA clients with Edge Traversal enabled was the easiest part of the process frankly.  The most difficult part was troubleshooting the problems with DNS registration and the problems with getting selected internal PCs
  to get a valid ISATAP adapter address from the DA server.

• L2TP VPN for servers behind NAT

  I have two 2012 R2 servers, both behind NAT, which I'm trying to connect via VPN. I have no problem connecting them via PPTP, but when connecting them via L2TP (with shared key for testing), the dialing server never connects to other server.
  I assume that the problem is that they're both behind NAT.  In Windows Server 2008, you were able to set a registry value to get the L2TP connections to work under NAT, see
  http://support.microsoft.com/kb/926179 by setting the environment variable AssumeUDPEncapsulationContextOnSendRule.
  I tried using this with the two servers, but it didn't seem to help.  Is there some other way to get the L2TP connection for the two 2012 R2 servers working behind NAT?

  Hi,
  Thanks for your pointer and sorry for replying so late.
  I am sorry to say that I haven’t found any documents to ensure whether NAT-T is supported in Windows server 2012 R2 or not. In addition,
  VPN servers that are located behind NAT is not recommended. When a server is behind a network address translator, and the server uses NAT-T, unintended behavior might occur because
  of the way NAT translate network traffic.
  Best regards,
  Susie

• Windows Server 2012 - Direct Access clients and the Windows 8 firewall

  Hi,
  We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
  Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile). 
  With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
  Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
  Much of the information we have found relates to UAG rather than Windows 2012 DA.
  Any assistance is appreciated.

  Hi,
  There isn’t any specific configuration on the firewall.
  Just confirm that port 443 can be forwarded to DirectAccess server.
  Of course, make sure you are using IPsec first.
  Check the links:
  STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
  http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
  DirectAccess for Windows Server 2012 Installation & Configuration Guide
  http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• ASA and RADUIS on Windows server 2012

  hi i have ASA5505 i want to get the Authentication from Raduis Server using NPS on windows Server 2012 i test the Raduis Server over "Kerio Control VMware Virtual Appliance" its work Perfect for testing my Setting on Raduis  but with the ASA5505 i get this message "Error authentication rejected aaa failure" 
  Running Config
  : Saved
  ASA Version 9.1(3)
  hostname NazcoFW
  domain-name default.domain.invalid
  enable password XgEKS9WizHnI9IUJ encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd XgEKS9WizHnI9IUJ encrypted
  names
  interface Ethernet0/0
  switchport access vlan 22
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 12
  interface Ethernet0/3
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  switchport access vlan 32
  shutdown
  interface Vlan1
  nameif NAZCO
  security-level 100
  ddns update hostname OSI
  dhcp client update dns server both
  ip address 172.16.200.1 255.255.255.0
  interface Vlan12
  nameif outside4
  security-level 0
  ip address 172.16.4.254 255.255.255.0
  interface Vlan22
  nameif Outside20
  security-level 0
  ip address 172.16.20.254 255.255.255.0
  boot system disk0:/asa913-k8.bin
  ftp mode passive
  dns domain-lookup NAZCO
  dns server-group DefaultDNS
  name-server 10.1.1.1
  name-server 10.1.2.1
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network HP5220
  host 10.10.10.105
  object network ak20
  host 10.10.10.110
  object network hp5520
  host 192.168.2.105
  object network HP7000
  host 192.168.2.106
  object network HP5520
  host 192.168.2.105
  object network ak04
  host 10.10.10.110
  object network HP400
  host 192.168.2.107
  object network out04
  range 192.168.2.200 192.168.2.220
  object network AK04
  host 10.10.10.110
  object network oooo
  subnet 10.10.10.0 255.255.255.0
  object network 444
  host 10.10.10.110
  object network OSITOINT
  subnet 10.10.10.0 255.255.255.0
  object-group network OSItoOUT04
  network-object object out04
  access-list outside20_access_in extended permit icmp any4 any4
  pager lines 24
  logging enable
  logging asdm-buffer-size 512
  logging trap informational
  logging asdm informational
  logging host NAZCO 10.10.10.10 17/6161
  logging debug-trace
  logging permit-hostdown
  mtu NAZCO 1500
  mtu Outside20 1500
  mtu outside4 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-721.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (NAZCO,outside4) source dynamic any interface dns
  nat (NAZCO,Outside20) source dynamic any interface dns
  route Outside20 0.0.0.0 0.0.0.0 172.16.20.1 1
  route outside4 0.0.0.0 0.0.0.0 172.16.4.1 11
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Keefa-Raduis protocol radius
  aaa-server Keefa-Raduis (NAZCO) host 172.16.200.10
  key *****
  radius-common-pw *****
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 NAZCO
  snmp-server host NAZCO 10.10.10.196 community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity fru-insert
  snmp-server enable traps remote-access session-threshold-exceeded
  snmp-server enable traps connection-limit-reached
  snmp-server enable traps cpu threshold rising
  snmp-server enable traps ikev2 start stop
  snmp-server enable traps nat packet-discard
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca trustpool policy
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
  0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
  30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
  0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
  65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
  68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
  3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
  63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
  0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
  db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
  ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
  45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
  1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
  6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
  551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
  1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
  2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit
  telnet timeout 5
  ssh scopy enable
  ssh 172.16.200.0 255.255.255.0 NAZCO
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access NAZCO
  dhcp-client update dns server both
  dhcpd dns
  dhcpd update dns both
  dhcpd address 172.16.200.20-172.16.200.89 NAZCO
  dhcpd dns 172.16.20.1 172.16.4.1 interface NAZCO
  dhcpd lease 1048575 interface NAZCO
  dhcpd update dns both interface NAZCO
  dhcpd enable NAZCO
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  username admin password bZmVDHuxUzzxS3yz encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  class class-default
  user-statistics accounting
  service-policy global_policy global
  prompt hostname context
  service call-home
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
  hpm topN enable
  Cryptochecksum:357b7c6f861e8aa9bb3a3674a789b39b
  : end
  asdm image disk0:/asdm-721.bin
  no asdm history enable

  Hi
    Looks like the AAA configuration is set for local
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  Change it to Radius
  aaa-server Keefa-Raduis protocol radius
  aaa-server Keefa-Raduis (NAZCO) host 172.16.200.10
  key *****
  radius-common-pw *****
  for example :
  aaa authentication telnet console Keefa-Raduis LOCAL
  Now when you will do telnet to using Radius credentials, Its Should work, If radius goes down you can use LOCAL username and password as fallback method.
  Cheers!
  Minakshi(Do rate the helpful post)

• Server 2012 R2 RRAS Multitenant Gateway GUI

  "The new RRAS Multitenant Gateway Deployment Guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable
  datacenter and cloud network traffic routing between virtual and physical networks, including the Internet." I have server 2012 R2 installed on a vm with Remote Access server role  and Routing and Remote Access Service (RRAS) role  installed
  how do I configure this for NAT? (I did find a powershell script but I want to do this through the ui) without SCVMM.
  Peplink Balance 210 dual wan router (Bell and Cogeco)
  2 ProLiant physical servers
  2 Nics per server
  5 static ips
  2 Virtual Switches
  Server 2012 R2 host
  Server 2012 R2 Essentials (Domain 1)
  Server 2012 R2 Essentials (Domain 2)
  Server 2012 R2 (Domain 3)
  http://technet.microsoft.com/en-us/library/dn641923.aspx
  New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
  http://blogs.technet.com/b/wsnetdoc/archive/2014/03/26/new-windows-server-2012-r2-rras-multitenant-gateway-deployment-guide.aspx
  Multitenant security and isolation with Hyper 2012
  http://blog.marcosnogueira.org/multitenant-security-and-isolation-with-hyper-2012/
  Here is the situation I have a client that operates 3 small companies out of one location he has a generator plus great physical security and relatively new network cabling I plan to create a couple of vlans on the peplink. I decided to go with server 2012
  essentials (he wants to use RWA) all of the vm’s will be under a very light load on the first server with 1 server to test backups and 2 IO safe drives.
  Diagram
  http://i61.tinypic.com/rct0ti.png
  Thanks in Advance.

  Hi,
  Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
  Don't hesitate to try your hand at it.
  Here are some articles about PowerShell,
  Using Windows PowerShell
  http://technet.microsoft.com/en-us/library/dn425048.aspx
  PowerShell
  http://technet.microsoft.com/en-us/library/ff950685.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?

  Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years.  However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery
  level, or as a (sophisticated) user.  I have never tried to deploy either from scratch before.  My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge
  software as Windows XP back when it was new.  And even NetWare once.
  When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it
  could not be too difficult given that its a small business, with only a few users, and nothing sophisticated in the way of requirements.  For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud
  storage.  There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers
  and phones, a secure file store, and not much else.  If Exchange didn't need it, I would not need to install Active Directory, for example.  We have no direct need for its services.
  So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else.  And it appears
  I ought to be able to do it without virtualizing any of it.  However, I have spent the last three or four days fighting one mysterious issue after another.  I had Remote Access VPN working and fairly stable very quickly (although it takes a very
  long time to become available after the server boots), and it has mostly remained reliable throughout although at times while installing Exchange it seems to have dropped out on me.  But I've always been able to get it back after scrounging through the
  logs to find out what is bothering it.  I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time).  At one point I even received a number of e-mails
  on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
  But then Exchange Server just stopped.  There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on
  the server or remotely).
  So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on
  a single Windows Server 2012 server?  And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)?  If it can be done, can anyone provide any pointers on what
  the pitfalls are that may be causing my problems?  I am happy to provide whatever additional information anyone might like to help figure it out.
  Thanks!

  An old thread but I ran into this issue and thought I share my solution since I ran into the same issue. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and editing the bindings, add HTTPS and things
  should be back to normal.

• Remote Desktop Connection Client 9.3.9600 unable to connect to Server 2012 RDS via Gateway

  Hi,
  I have a Windows Sever 2012 R2 RDS environment with two Gateways servers configured in high availability mode (RD Web Access, RD Gateway, RD Connection Broker roles installed) and four Windows Server 2012 R2 RDS Session Hosts. The servers are all running
  the most recent public server updates. With this configuration I when connecting externally using a Windows 7 computer with the older Remote Desktop Connection client (6.1.7601) I am able to connect without any problems however when I try connecting with a
  newer client from a computer running Windows 8.1 and the 9.3.9600 client I am unable to connect. 
  At the moment a NAT rule is configured to pass 80/443 traffic to only one of the RDS gateway servers, I've removed our load balancer from the configuration for the moment to reduce the complexity. 
  No error is generated by the client when it tries to connect it just stops trying to connect after a while.
  On the Gateways servers event logs for 
  Things I have looked into so far.
  - I've double and triple checked the RDS configuration and checked it against one of my other clients configurations that is working and they are identical. 
  - Connecting from an older client version works fine.
  I'm not sure what else can be checked does anyone have any ideas?

  Hi,
  1. What entries are you seeing in the RD Gateway's log?  Event Viewer\ Applications and Services Logs\ Microsoft\ Windows\ TerminalServices-Gateway
  2. How come you are not forwarding UDP port 3391 in addition to TCP port 443?  It should work without UDP, but you will not have UDP support which is one of the benefits of RDP 8.0/8.1.
  3. Are there any non-default group policy settings being applied to the servers and/or client PCs?  To be clear, I'm asking if any changes have been made to the default local and domain security policies, group policy objects, new GPOs that may have
  been added, etc., that are applicable to the servers and or client PCs.
  -TP