Win8.1 Direct Access Client Stuck at "Connecting"

Similar Messages

• WIndows 8.1 Direct Access Client Needs to approve external wifi use before it connects - proxy not responding

  Ok So I have windows 8.1 with Direct Access Client and it works fine when I am able to check and uncheck proxy settings - which is a bit of a pain and seems unnecessary (I hope). If I take the laptop to a Starbucks I get the error that the proxy server is
  not responding so it never redirects for me to "accept" the rules.
  If I uncheck my proxy settings it then redirects and connects to their internet wifi and off I go - DA connects and all is well.
  I am using a GPO to configure the proxy settings as shown (all options are greyed out for the users)

  Hi,
  Your problem is a classic one when using that kind of proxy settings, unfortunately.
  To solve this without the need of user interaction, there are two solutions that will sort this out for you. In your case, if you want to use your corporate connection for internet traffic even over da, I'd opt for alternative 1 or 2 depending on what you are
  trying to achieve.
  1. WPAD (Web Proxy Auto Discovery protocol http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) - it actually uses the Automatic browser configuration checkbox on your client and looks for the file wpad.dat on a specific web server that you Pointout
  with either dns-record called wpad or DHCP option 252.
  2. Auto configuration script (pac script http://en.wikipedia.org/wiki/Proxy_auto-config) - uses the same kind of file as above. The difference is that you get the possiblity, like you want in your scenario to target what users that should get the script.
  See this below article for more details on the options you have.
  http://technet.microsoft.com/en-us/library/dd361918.aspx
  http://techlib.barracuda.com/display/WSFLEXv41/How+to+Configure+Proxy+Settings+Using+Group+Policy+Management
  Let us know if you need further assistance!
  /Johan
  MCT | MCSE: Private Cloud/Server, Desktop Infrastructure

• Windows Server 2012 - Direct Access clients and the Windows 8 firewall

  Hi,
  We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
  Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile). 
  With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
  Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
  Much of the information we have found relates to UAG rather than Windows 2012 DA.
  Any assistance is appreciated.

  Hi,
  There isn’t any specific configuration on the firewall.
  Just confirm that port 443 can be forwarded to DirectAccess server.
  Of course, make sure you are using IPsec first.
  Check the links:
  STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
  http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
  DirectAccess for Windows Server 2012 Installation & Configuration Guide
  http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Routing back to Direct Access Clients - is this possible?

  Hi,
  We have been using direct access for the past few months successfully, however the one problem we are still having is we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local lan), using SourceOffsite
  or even using Remote Desktop to remote onto a direct access client or ping the direct access client.
  Our local LAN uses Ipv4 and we can route fine to the Direct Access clients from the Direct Access Server where the tunnel terminates but not from any other machine on the network. Do I need to change the direct access configuration to allow this or do I need
  to somehow create a route on my LAN for the direct access clients?
  Thanks in advance
  David

  I found out how to do this in this useful article and tested it and it is working fine - thanks.
  http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients

• Cannot connect to direct access clients from management servers

  I have direct access setup on a Server 2012 machine and I have successfully added clients to it.  Clients can reach internal resources and everything seems to be working great inbound.  However, I am having some trouble with outbound management.
   From the Direct Access server I can ping, RDP, browse files, etc... From the management server I have defined in the DA setup I can only ping the machines and nothing else.
  I had worked with some MS tech support to get to this point, and they had me configure my DA server and the few management server with status IPv6 addresses.  I'm not sure if this is necessary or if outbound managment should work using ISATAP?
  My DA server is Server 2012, and the clients are Windows 8 and Windows 8.1.

  You should be able to make outbound management work using either ISATAP or native IPv6. If you have configured native IPv6 and it's not working, there may be some kind of routing issue with the way that IPv6 is setup in your environment, or even a piece
  of networking equipment that is not IPv6 capable.
  If you're interested in trying the ISATAP route to see if you can get it working that way, Chapter 3 in this is dedicated to the setting up of ISATAP: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book
  (sorry, not trying to be self-serving, but these kinds of questions are exactly the reason why I put the book together)

• Cannot apply Direct Access Client GPO on Windows 8.1 Enterprise client

  Hi, I have made a Direct Access environment on Windows Server 2012 R2 Essential.
  All setting seems to be ok, but i'm completely stuck when i have to export the DA client GPO to the client computer.
  The client computer is a Win8.1 Enterprise, already joined to the domain.
  When execute the command gpupdate /force, it complete successfully but when i do a gpresult /R i have nothing in the "Applied Group Policy Object" field (N/A) while i should have the Default domain GPO and the DA client GPO.
  What is wrong at this state ?
  Thanks

  My user1 is in the "DirectAccess" group.
  In all the tutorial i saw, i have never seen you have to add the computer object to this group but only the user.
  Anyway, i have just add it to the group.
  From my first post, here is what i did.
  ran a Group Policy Result, from the DC to the client. 
  It give me the error RPC unavailable. 
  So i open the local policies on the client > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall >
  Domain Profile > double click on "Windows Firewall: Allow inbound remote administration exception" > tick enable 
  I reran the Group Policy Results, and it work this time. 
  Now i have the result for the User1 on TECH2 client pc. 
  On details pane > Denied GPOs 
  The DA client setting is deny with the reason "access denied" ...
  Now on the client computer after a GPRESULT /R
  Computer settings
  Applied Group Policy Object
  Default Domain Policy
  Local Group Policy
  The following GPOs were not applied because they were filtered out
  DirectAccess Client Setting
  Filtering: Denied (Security)
  DirectAccess Server Settings
  Filtering: Denied (Security)  -> normal

• Direct Access client getting NameResolutionFailure error

  Hi,
  I'm trying to setup Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.
  I've followed the instructions to setup a simple setup for DA on a Windows 2012 R2 server with everything all on one server and I'm running behind a TMG 2010 server.  On the TMG server I've published the my DA server using a server publishing rule
  based on these instructions
  http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx
  The setup seems pretty straight forward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try and connect when I'm not on our internal network.
  The problem I'm pretty sure is DNS related because when my test Windows 8.1 client is on our internal network everything works fine. 
  When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try and ping anything address on our domain name I get an error that the address is unresolvable.  I can ping any other domain name address fine.
  On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:
  mydomain.com              fdf3:137e:5133:ce07:1000::127
  directaccess.mydomain.com
  DirectAccess-NLS.mydomain.com
  directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server that is bound the external IP address published on my TMG 2010 server.  This name is not resolvable when on any internal machines.
  If I execute the get-DNSClientNRPTPolicy command I get this:
  Namespace                        : DirectAccess-NLS.mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           :
  DirectAccessEnabled              :
  DirectAccessProxyType            : UseDefault
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  Namespace                        : directaccess.mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           :
  DirectAccessEnabled              :
  DirectAccessProxyType            : UseDefault
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  Namespace                        : .mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           : fdf3:137e:5133:ce07:1000::127
  DirectAccessEnabled              :
  DirectAccessProxyType            : NoProxy
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  So I'm thinking that the issue is related to the fact that the NRPT table says that directaccess.mydomain.com address there is no DNS specified.  In fact it seems like that entry shouldn't even be there.  When I was configuring DA for the first
  time, I got a warning that said:
  Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.
  I wasn't sure what this meant at the time but I'm guessing it's relevant to this problem.
  Can some one give some help with this?
  Thanks in advance
  Nick

  Hi,
  So here is what I did.  First the IP information from my DA server IPHTTPS address from ipconfig /all
  Tunnel adapter IPHTTPSInterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : IPHTTPSInterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::1(Preferred)
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::2(Preferred)
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000:2400:8f5a:a931:1ff8(Preferred)
     Link-local IPv6 Address . . . . . : fe80::2400:8f5a:a931:1ff8%17(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 436207616
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-4F-8E-38-00-15-5D-00-96-05
     NetBIOS over Tcpip. . . . . . . . : Disabled
  So the address of my IPHTTPS address appears to be -S using this address as the source and going to an internal machine with an IPV6 address and got this:
  tracert -S fdfd:1374:5130:1000:2400:8f5a:a931:1ff8 testserver
  Tracing route to testserver.mydomain.com [fdfd:1374:5130:ce07:1000::220]
  over a maximum of 30 hops:
    1    <1 ms    <1 ms    <1 ms  daserver.mydomain.com [fdfd:1374:5130:1000:2400:8f5a:a931:1ff8]
    2     *        *        *     Request timed out.
    3     *        *        *     Request timed out.
    4     *        *        *     Request timed out.
    5     *        *        *     Request timed out.
    6     *        *        *     Request timed out.
    7     *        *        *     Request timed out.
    8     *        *        *     Request timed out.
    9     *        *        *     Request timed out.
   10     *        *        *     Request timed out.
   11     *        *        *     Request timed out.
   12     *        *        *     Request timed out.
   13     *        *        *     Request timed out.
   14 
  So it looks like from the IPHTTPS address I can't get to any internal IPV6 addresses on my internal IPV6 network I think right?  I did a route print on the DA server and got this:
  ===========================================================================
  Interface List
   12...00 15 5d 00 96 05 ......Microsoft Hyper-V Network Adapter
    1...........................Software Loopback Interface 1
   14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
   16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
   17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
  ===========================================================================
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      172.16.0.21     172.16.0.127    261
          127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
          127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
    127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         172.16.0.0    255.255.240.0         On-link      172.16.0.127    261
       172.16.0.127  255.255.255.255         On-link      172.16.0.127    261
      172.16.15.255  255.255.255.255         On-link      172.16.0.127    261
          224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
          224.0.0.0        240.0.0.0         On-link      172.16.0.127    261
    255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    255.255.255.255  255.255.255.255         On-link      172.16.0.127    261
  ===========================================================================
  Persistent Routes:
    Network Address          Netmask  Gateway Address  Metric
            0.0.0.0          0.0.0.0      172.16.0.21  Default
  ===========================================================================
  IPv6 Route Table
  ===========================================================================
  Active Routes:
   If Metric Network Destination      Gateway
   12    261 ::/0                     fdfd:1374:5130:ce07:1000::21
    1    306 ::1/128                  On-link
   12   4205 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
   17    306 fdfd:1374:5130:1000::/64 On-link
   17    306 fdfd:1374:5130:1000::/128  On-link
   17    306 fdfd:1374:5130:1000::1/128      On-link
   17    306 fdfd:1374:5130:1000::2/128      On-link
   17    306 fdfd:1374:5130:1000:2400:8f5a:a931:1ff8/128        On-link
   12    261 fdfd:1374:5130:7777::/96 On-link
   12    261 fdfd:1374:5130:ce07::/64 On-link
   12    261 fdfd:1374:5130:ce07:1000::127/128                    On-link
   12    261 fdfd:1374:5130:ce07:6b8c:21b9:52b4:e7c5/128    On-link
   12    261 fe80::/64                On-link
   17    306 fe80::/64                On-link
   17    306 fe80::2400:8f5a:a931:1ff8/128              On-link
   12    261 fe80::e00f:6c15:fde4:6491/128           On-link
    1    306 ff00::/8                 On-link
   12    261 ff00::/8                 On-link
   17    306 ff00::/8                 On-link
  ===========================================================================
  Persistent Routes:
   If Metric Network Destination      Gateway
    0 4294967295 fdfd:1374:5130:1000::/64 On-link
    0   4200 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
    0    256 fdfd:1374:5130:ce07::/64 On-link
    0 4294967295 fdfd:1374:5130:7777::/96 On-link
    0 4294967295 ::/0                     fdfd:1374:5130:ce07:1000::21
  ===========================================================================
  Am I missing a route here?
  Thanks

• Direct Access client DNS Registration q.

  Hi All,
  We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
  All internal resources are accessible and have good name resolution, etc.
  However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
  There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
  I have enable "secure only" DNS registration by Group Policy.
  We use split tunneling for clients.
  The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
  Many thanks for any assistance in pointing me in the right direction.

  Hi,
  >>There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
  Did you deploy the IPv6 in your corpnet? If no, it's normal.
  If we use the IPv4 in the corpnet, the NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. DirectAccess
  server will on behalf of the client to register the AAAA record.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Direct Access Troubleshooting: Failed to connect to domain sysvol share

  Hi, I've been setting up DirectAccess on windows server 2012 r2, using the single interface setup and have successfully connected to the intranet passing all important troubleshooting tests. 
  Now when troubleshooting the internet connection I am facing the following error:
  Failed to connect to domain sysvol share
  Here is the stack trace:
  7/11/2014 12:46:18μμ[P:1340T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: Added ChildNode CertTestsNodeChild3.
  7/11/2014 12:46:18μμ[P:1340T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: RootNode CertTestsNode found at index 4.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: TheRootNode CertTestsNode has already 4 ChildNodes.
  7/11/2014 12:46:18μμ[P:1340 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.InfraTunnelChecker] Info: Enter CheckSysvolShare - check the availability of the domain sysvol share.
  7/11/2014 12:46:18μμ[P:1340 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.InfraTunnelChecker] Info: Trying to enumerate \\premiernic.com\sysvol\premiernic.com\Policies.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: AddedChildNode CertTestsNodeChild4.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: RootNode CertTestsNode found at index 4.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: The RootNode CertTestsNode has already 5 ChildNodes.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: AddedChildNode CertTestsNodeChild5.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: About to add a new RootNode to the TreeView object.
  7/11/2014 12:46:18μμ[P:1340 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.InfraTunnelChecker] ERROR: AnException occurred while connecting to the domain sysvol share. Message: The network path was not found.
  7/11/2014 12:46:18μμ[P:1340 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: Added new RootNode: InfraTunnelTestsNode. The list has now 6 nodes.
  7/11/2014 12:46:18μμ[P:1340 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.MainForm] Info: Finished running IPsec Infrastructure Tunnel tests.​
  To troubleshoot I run:
   "netsh dns show state"
  - machine location correctly shows as outside corporate network
   "netsh namespace show effectivepolicy"
  - neither entries show Certification Authority.
  - .premiernic.com lists ipv6 addresses for DNS servers, cy-da-01.premiernic.com does not
  - proxy settings are correct
  - in both cases IPSec is disabled
  "ipconfig /all"
  - Shows Teredo Tunneling used as ipv6 transition technology
  "nltest /dsget:
  - getting dc name failed, no such domain
  Anyone got any ideas what may be going wrong?

  Hi Steven, thanks for your answer. 
  When connected to the internet, i can ping the IPV6 DNS server addresses. When I try nslookup <aninternalFQDN> <IPV6DNS> i get a time-out. Same applies when testing the same commands from DirectAccess server. 
  Note that now, when looking at operation status, I see DNS as not operational and not responding to requests.
  Finally, I check my server security logs for IPSec and find the following error (code 4653).
  IPSec Main Negotiation failed
  Failure location: Local computer
  Failure reason: No Policy Configured
  Verifying the infrastructure tunnel
  Following the guide provided in the link, i first check whether the client can successfully create the tunnel. As expected I am able to see all the expected client policies in connection security rules(pt.3).
  However, when I look at Monitoring \ Connection Security (pt.4) i don't see DirectAccess Policy-ClientToDnsDc (but
  I do see directaccess policy-ClientToDNS64NAT64PrefixExemption).
  I then run netsh
  advfirewall monitor show currentprofile where I only see my public profile with my ISP settings, which to my understanding is correct.
  When I run netsh advfirewall monitor show mmsa main mode shows computer cert and user ntlm for auth. 
  When I run netsh advfirewall monitor show qmsa  quick mode shows remote address as expected.
  When I run nltest /dsgetdc: /force on client machine i get "getting dc name failed", however from my directaccess server to dc command completes successfully.
  Verifying the intranet tunnel
  When running net view \\IntranetFileServer I
  see an offline share (would be online if accessible). Web interface wont load for the same system.
  When running netsh advfirewall monitor show mmsa and qmsa everything is as expected.
  Conclusions
  Couldn't find anything in either server firewall rules or gateway that would be blocking dns.
  I think the culprit is the following:
  IPSec negotiation failed - no policy found (on server)
  Missing DirectAccess Policy - ClientToDnsDc
  I've done a couple of gpupdates on both client and server, and double checked gpresult. Nothing seems out of order, except no refernce to to clienttodnsdc. Still nothing.
  Anybody?

• Configuration of Direct Access 2012

  Good morning.
  I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I
  have set up a working DA server with no issues and all green ticks.
  Here's a run down.
  I have a DC (2012) with the CA already installed.
  I have a virtual DA (2012) set up with the advanced settings.
  I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
  The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
  The Certificates that I chose for the DA server were as follows;
  DirectAccess-NLS.mydomain.local
  remote.my-external-domain-name.co.uk
  both published from my internal CA so that the root of the certificates were valid.
  I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
  DA Config:
  Step 1: Remote Clients
  I set up the DA server as per the video, set the DirectAccessClient group, and in the
  Network Connectivity Assistant The resource was filled in with the
  http://diectaccess-WebProbeHost URL.
  Step 2: Remote Access Server
  The Network Topology was set to Behind an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS
  name remote.my-external-domain-name.co.uk.
  Network Adapters had the one ethernet and an IPv6 address. The
  Select Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
  Authentication is set to AD and I used the root certificate of the CA for
  use computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
  Step 3: Infrastructure Servers
  Network Location Sevrer had the NLS is deployed on this server with the
  DirectAccess-NLS cert.
  DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that
  to the internal DA IPv4 address also.
  DNS Suffix List was set automatically and I also added my external domain name just in case.
  Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
  Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
  Now the issue I have is that on the internal network I get the Last Error 0x80190190 unable to connect to server. Now I am sure that this should say active as it is inside the network. I get the same error out side. When I check the DA server for
  netsh int https sh int  it returns the value that client authentication = NONE. I set it up to use computer certificates and even is I uncheck that it does not change. 
  It there a straight forward thing I missed or is it to do with publishing in TMG. Internally the direct access client will not connect as it will find the NLS in the internal DNS as I have the host record for both the server FQDN and the DirectAccess-NLS
  potining to the IPv4 address. I also have the external remote.my-external-domain-name.co.uk entry in the internal DNS to point to the internal IPv4.
  I have opened the ports for 443, 62000 on the DA for the IIS inbound and outbound. 
  I have a windows 8 client but need to test it as Windows 8 is supposed to work just like that.
  What am I doing wrong here?? Any ideas would be much appreciated. 

  Thank you for this Jordan.
  I have now got it working. The next step is to make sure my applications are all using Names rather than IP addresses.
  I have basically setup the system as per my original thread that follows, NOT in BOLD.
  I have tried to set up Direct Access from what I see is pretty much a 30-40 minute job, but has turned out to be something of a pain. Having followed the video on youtube for Windows Server 2012 with Basic PKI configuration and Windows 7 clients. I have
  set up a working DA server with no issues and all green ticks.
  Here's a run down.
  I have a DC (2012) with the CA already installed.
  I have a virtual DA (2012) set up with the advanced settings.
  I have a a TMG 2010 server as the firewall with a Non-Web Publishing rule designed to forward HTTPS requests to the DA on the internal network.
  The set up went as planned and I followed the instruction to set up the PKI and all computers have picked up a computer Certificate for the CA so that the internal root is validated.
  The Certificates that I chose for the DA server were as follows;
  DirectAccess-NLS.mydomain.local
  remote.my-external-domain-name.co.uk
  both published from my internal CA so that the root of the certificates were valid.
  I have a Third party wildcard cert ( *.my-external-domain-name.co.uk ) for TMG to allow other connection such as VPN and web access.
  DA Config:
  Step
  1: Remote Clients
  I set up the DA server as per the video, set the DirectAccessClient group, and in the Network Connectivity Assistant The resource was
  filled in with the http://diectaccess-WebProbeHost URL.
  Step
  2: Remote Access Server
  The Network Topology was set to Behind
  an edge device (with single network adapter), and then is says to type in the 'PUBLIC NAME' used by clients to connect to the Remove Access Server. Here I typed in the external DNS name remote.my-external-domain-name.co.uk.
  Network Adapters had the one ethernet and an IPv6 address. The Select
  Certificate sued to authenticate IP-HTTPS connections has the CN=remote.my-external-domain-name.co.uk.
  Authentication is set to AD and I used the root certificate of the CA for use
  computer certificates. I also Enabled windows 7 client computers to connect via DirectAccess.
  Step
  3: Infrastructure Servers
  Network Location Sevrer had the NLS
  is deployed on this server with the DirectAccess-NLS cert.
  DNS had the internal domain and the DirectAccess-NLS. the Internal domain was pointing to the IPv4 address of the DA. I read that I need
  to put the external name suffix of remote.my-external-domain-name.co.uk entry in and pointed that to the internal DA IPv4 address also.
  DNS Suffix List was set automatically and I also added my external domain name just in case.
  Managerment was straight forward and I pointed to our System Centre 2012 R2 server.
  Upon clicking finish and applying the GPO policies everything went according to plan. All green ticks. I did a GPupdate on the client I was testing and the GPO policies came through.
  I have set up TMG as per the isa.org forum  
  http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html .
  @ Jordan - I ensured that I had a separate external IP address for the requests from the clients to TMG as I publish websites internally.
  I used a third party wildcard cert for the IP-HTTPS connect part in DA Config Step 2.
  All the rest of the DA set up was pretty much out of the box as stated above. 

• Direct Access is working but how do I configure it for remote services, client management software, etc..

  Good morning/afternoon/evening TechNet,
  I've finally gotten a DA client connected to the corporate network utilizing an external network. I'm having a couple issues, one, not being able to ping the server from a computer that's on the same domain(I'm able to ping the DA client from the DA server).
  I'm not sure if there is a firewall setting that needs to be open on the client for incoming echo requests? Second, we use a client management system called BMC and I would like the direct access server to be able to utilize the BMC server so that I can manage
  the DA client whenever its on the network. I noticed on the DA server that "Step 3" offers an area where it allows you to add servers that will be used for direct access client management. Would I just need to populate the server in here and then
  open appropriate firewall rules so that the DA server has access to them? Lastly, Trying to "mstsc" into the DA client what would I need to open up on both sides so that I'm able to do this?
  Sorry about the horrible grammar but I've been up 24+ hours getting this awesome but pain in the butt Direct Access feature working.
  Thank you as always!
  -Liqsh0t

  I'm afraid it's a bit more complicated than adding a server into the list in Step 3 :)
  When a DirectAccess client is connecting into a corporate network that is IPv4 (I assume yours is, most are), it can reach into your IPv4 servers because the DA server is doing NAT64/DNS64 translations, turning all of your DirectAccess IPv6 packets into
  IPv4 packets before they head inside the network. But even though this happens in the background without you really knowing about it, the key thing there is that all DirectAccess traffic is IPv6. This means the clients can only be contacted via IPv6. If you
  have IPv6 inside your network, then you can route outbound fairly easily to your DA client computers. If you are all IPv4 inside as most companies are, then you have to either roll IPv6 out inside your network, at least partially, or you have to utilize ISATAP
  inside your network in order to create a sort of "virtual IPv6 cloud" that runs on top of your IPv4 internal network. This enables your internal management systems (like the BMC servers and helpdesk computers for RDP access outbound) to have a connection
  into the IPv6 world, which then enables them some routing capability to get out to the IPv6-connected DA clients. In addition to this IPv6 or ISATAP setup, you also need to configure WFAS rules on the DA clients so that they will allow this traffic.
  There is some info on setting up ISATAP here: http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx
  Otherwise one of the chapters in this book is also dedicated to the setup of a selective ISATAP environment, to be used for the purposes of DirectAccess outward management: https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting

• Server 2012 Direct Access Single NIC cant get it to work

  Hi,
  I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client, it simply won’t work at all.
  First of all I should describe my setup:
  I have an internet connection with a static IPv4 address on the external network adapter of the router
  The internal network address (the address of the router which has the internet connection) is 192.168.1.1
  Server1 (windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80) this server is a domain controller, email server, and has the DNS, DHCP and
  certificate services
  Server 2 (Windows 2008 R2 standard) has static IPv4 address 192.168.1.3 it has no ports forwarded from the router as it has no services accessed externally, it is used as a file server and print server, backup
  domain controller and backup DNS.
  Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
  These servers have all got an IPv6 address which I assume the server has configured automatically, there has been no deliberate configurations made to disable IPv6
  I have no UAG or proxy server or anything else to route packets to internal servers. Just this router which has the option for port forwarding (I assume that’s NAT isn’t it?) sorry don’t know much about that
  area.
  I go through the setup wizard in remote access to configure direct access, in the external URL I have entered da.mydomain.com and created a host A record in my external domain name providers DNS which points
  the da record to my external IP address. The wizard creates all the GPO’s, scoped correctly, and applied to a Windows 8 client. The operational status shows its all working and I got green ticks. However, when I connect the client to the internal network it
  doesn’t seem to have correctly got the DA settings. I run the following in powershell
  Get-DnsClientNrptPolicy
  Nothing displays – at all
  Get-NCSIPolicyConfiguration
  Description                   
  : NCSI Configuration
  CorporateDNSProbeHostAddress  
  : fdd8:dd4a:ea42:7777::7f00:1
  CorporateDNSProbeHostName     
  : directaccess-corpConnectivityHost.mydomain.local
  CorporateSitePrefixList       
  : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128,
  fdd8:dd4a:ea42:1000::2/128}
  CorporateWebsiteProbeURL      
  : http://directaccess-WebProbeHost.mydomain.local
  DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
  Get-DAConnectionStatus
  Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
  At line:1 char:1
  + Get-DAConnectionStatus
  + ~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo         
  : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnect
     ionStatus], CimException
  + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
  I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
  source of problem perhaps but on a more network level question:
  If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
  I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
  Either way, this first issue is that the client doesn’t seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
  networks icon in the system tray should show that there is a corporate connection, but it doesn’t. also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
  Many thanks
  Steve

  ahh i see, so just to enlighten me even further...
  If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
  may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
  is this what they do?
  I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server and that in turn would do all the routing of packets
  to each server behind the NAT/router (probably based on some sort of domain name or sub domain namespace as it’s parameter for forwarding?)
  Secondly, what I have done is installed windows server 2012 and used that as a direct access client (I read on another forum that the windows 8 RP doesn’t have the enterprise bits to make this
  work). I have got much further with the 2012 server acting as a client (installed on laptop, installed desktop experience and wireless LAN), 
  but when I run the following command on my DA client I get the following status
  Get-DAConnectionStatus
  Status:                 
  connectedlocally
  Substatus:          
  none
  This appears to work fine, when im connected to the local network. But then I disconnect and run the command again and I get the following:
  Status:                 
  Error
  Substatus:          
  NameResolutionFailure
  On my router what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don’t understand why its giving the name resolution failure
  status. I have a host A record called “da” with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the Host A record has been up there for more than a week so it’s propagated through the net)
  So, a bit further but stuck again.

• ConfigMgr Clients connection over direct access.

  My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
  Test Machine: NYWIN8
  SCCM Server: SCCM01
  Domain: demo.local
  I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
  On my client machine is see following errors:
  FSPSTATEMESSAGE.LOG
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  POLICYAGENT.LOG
  Policy
  http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
  DATATRANSFERSERVICE.LOG
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
  Software Catalog Update Endpoint
  Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
  WEDMTRACE.LOG
  No CCM Identification blob
  CAS.LOG
  The number of discovered DPs(including Branch DP and Multicast) is 0
  SMSCLIUI.LOG
  Failed to set DNSSuffix value to the registry.
  Are there any issues due to connecting using direct access?

  When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
  The software change returned error code 0x87D00607(-2016410105).
  I can deploy same software fine to other machines connecting on LAN.
  Server Logs:
  Portlctl
  PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  PORTALWEBs http check returned hr=0, bFailed=0
  awbsctl
  AWEBSVCs http check returned hr=0, bFailed=0
  AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  Client Logs:
  CAS
  The number of discovered DPs(including Branch DP and Multicast) is 0
  CCMEVAL
  Client's current MP is http://SCCM01.DEMO.local and is accessible
  ClientLocation
  Current AD forest name is Demo.local, domain name is Demo.local
  Domain joined client is in Intranet
  Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
  Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
  ContentTransferManager
  No data since 11/13/2013
  CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
  DataTransfer
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
  Filebits
  BranchCache Is Not Enabled
  Failed to check PeerDistribution status. NOT able to do branch cache.
  FSPSTATEMESSAGE
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  Successfully sent location services HTTP failure message.
  InternetProxy
  Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
  InventoryAgent
  Inventory: 9 Collection Task(s) failed.
  SCCLIENT
  Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
  SMSCLIUI
  Failed to set DNSSuffix value to the registry.
  IPCONFIG /ALL from CLIENT:
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : NYWIN8
     Primary Dns Suffix  . . . . . . . : demo.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : demo.local
     System Quarantine State . . . . . : Not Restricted
  Ethernet adapter vEthernet (Internal):
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
     Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
     Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 872420701
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter vEthernet (External):
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
     Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
     Default Gateway . . . . . . . . . : 192.168.1.1
     DHCP Server . . . . . . . . . . . : 192.168.1.1
     DHCPv6 IAID . . . . . . . . . . . : 730113736
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : 192.168.1.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Wireless LAN adapter Local Area Connection* 3:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Bluetooth Network Connection:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Ethernet:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
     Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.home:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter iphttpsinterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : iphttpsinterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
     Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
     Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 369098752
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes

• Cannot view history of direct access users connecting to Forefront UAG

  Hi, I'm trying to get a list of the users that have been connecting through UAG Direct Access for the past month. I've tried using the methods shown in the technet articles about monitoring of UAG Direct Access either using Powershell or the TMG event loggin
  console, using this links:
  http://technet.microsoft.com/en-us/library/gg313776.aspx
  http://technet.microsoft.com/en-us/library/gg313783.aspx
  Using the TMG event logging I see a lot of data from a few days back, even if the filter is set to 30 days, and the log is supposed to be up to 8GB in size before overwriting. The info that it shows is only about sessions to the portal trunk and not direct
  access. I know this because on the UAGModuleID column there is no there are no "connected" or "managed" sessions, all are SessionMgr, UserMgr, Filter and RDG mainly.
  Through powershell I tried running the following commands after importing the module according to the article:
  Get-Directaccessusers -showhistory $true and no results are shown.
  Get-Directaccessusers -showhistory $true -starttime "1/6/2015 8:00AM" and no results shown
  Get-Directaccessusers -showhistory $true -starttime "1/6/2015" no results
  Get-Directaccessusers -showhistory $true -starttime "1/2/2015 8:00AM" -Endtime "1/11/2015 8:00PM" no results
  Get-Directaccessusers -showhistory $true -username user = no results.
  Get-Directaccessusers -username user = no results
  the only command that shows any data is just Get-Directaccessusers but that shows the current Direct Access users, no history.
  I checked the Registry HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\MonitorMgr\sql-builtin-log registry key and it is on 1.
  Any ideas on how can I get more history data on the direct access users connecting through UAG?
  Please let me know.
  Appreciated it.
  Thank you!
  Eduardo Rojas

  Russel,
  the problem has been solved now! The final thing missing was just a check in a  checkbox.
  Below a comprehensive explanation that may help others.
  We basically did what you proposed:
  We sent a ping from one of the DA-Clients to the TS-Farm members. Since we got replies, we knew that IPv6 communication generally is okay. The answer received was an IPv6. In this scenario we had not yet given any IPv6 to the farm-members! Thus we knew it must
  be comming from the DA DNS-Proxy. There are a number of DA-GPOs and one of them is dictating the net portion of the IPv6 to be used in DA-communication, appended by a hex-translation of the target computers IPv4. Therefore the DA DNS-Proxy is taking the GPO-set
  IPv6-value, adds the IPv4 in hex and sends it  back as an ICMP echo.
  With this in place and working correctly one can ping any domain host from any DA-Client. This is configured when initially setting up DA and is handled by the wizzard. Once DA is installed this should all be in place without extra user interaction.
  We then took those IPv6 answeres and turned them into fixed IPv6es of the farm-members (each member its own IPv6). So far so good, but this is where it still did not work. Evaluation of the Connection Broker log showed that the redirect reply still included
  only the IPv4 of the target farm-member. With that (after a short while) we realized that one has to set a
  check in the Connection Brokers Settings, so that the IPv6 LAN-Connection will be used for redirects as well and not only the IPv4 LAN-connection..... How stupid is that? :-)
  But as we all know - in dealing with server configuration - you should always "know before you go". But even though you may think you do, when finally arriving you know you didn't.... And that's what we call experinece.
  Thanks to Russel for your interest and help.
  Brgds Ralf

• Direct access network connectivity assistant, the update is not applicable

  Been testing DirectAccess for a couple of weeks now, and all seemes to be working fine. But now it want to install the DA connectivity assistant but it fails to install. When searching for updates on this computer it gives an error message as seen in the
  screenshot below .
  I've reinstalled Windows , updated windows, removed the virus scanner, checked if the update was already installed. Nothing worked
  OS = Windows 7 Enterprise N
  Windows update log appears 
  2013-11-15 09:54:11:265
  912 1290
  Report CWERReporter finishing event handling. (00000000)
  2013-11-15 09:54:42:534
  912 1290
  Report CWERReporter finishing event handling. (00000000)
  2013-11-15 09:54:56:188
  4736 984
  COMAPI -----------  COMAPI: IUpdateServiceManager::RemoveService  -----------
  2013-11-15 09:54:56:188
  4736 984
  COMAPI  - ServiceId = {f8fc7b4b-f693-4113-ab5f-137e03025faa}
  2013-11-15 09:54:56:609
  4736 984
  COMAPI ISusInternal::DisconnectCall failed, hr=8024000C
  2013-11-15 09:54:56:625
  4736 984
  COMAPI waiting for worker thread to complete
  2013-11-15 09:54:56:625
  4736 984
  COMAPI Removed OnCompleted callback from GIT (cookie=256)
  2013-11-15 09:54:56:625
  4736 984
  COMAPI IUpdateService removing volatile scan package service, serviceID = {F8FC7B4B-F693-4113-AB5F-137E03025FAA}
  2013-11-15 09:54:56:641
  912 1334
  Agent WARNING: WU client fails CClientCallRecorder::RemoveService with error 0x80248014
  2013-11-15 09:54:56:656
  4736 984
  COMAPI WARNING: ISusInternal::RemoveService failed, hr=80248014

  Hi,
  Firstly, I would like to confirm with you if it worked before on Windows 7 Enterprise N version.
  As I known, following are some additional features that Windows 7 Enterprise N edition has and other versions does not have:
  a. Direct Access
  b. Branch cache
  c. Federated search
  You need to meet the following requirements to install the DA connectivity assistant.
  Windows 7 Enterprise, Windows 7 Ultimate
  1. 10 MB of disk space.
  2. 10 MB of RAM.
  3. Microsoft Word or Microsoft Word Viewer (available as a free download) can be used to view Word documents.
  I would like to suggest you download and install it from official website.
  Microsoft DirectAccess Connectivity Assistant 2.0
  http://www.microsoft.com/en-us/download/details.aspx?id=29039
  Hope it helps.
  Regards,
  Blair Deng
  Blair Deng
  TechNet Community Support