WIndows 8.1 Direct Access Client Needs to approve external wifi use before it connects - proxy not responding

Similar Messages

• Windows Server 2012 - Direct Access clients and the Windows 8 firewall

  Hi,
  We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
  Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile). 
  With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
  Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
  Much of the information we have found relates to UAG rather than Windows 2012 DA.
  Any assistance is appreciated.

  Hi,
  There isn’t any specific configuration on the firewall.
  Just confirm that port 443 can be forwarded to DirectAccess server.
  Of course, make sure you are using IPsec first.
  Check the links:
  STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
  http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
  DirectAccess for Windows Server 2012 Installation & Configuration Guide
  http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Routing back to Direct Access Clients - is this possible?

  Hi,
  We have been using direct access for the past few months successfully, however the one problem we are still having is we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local lan), using SourceOffsite
  or even using Remote Desktop to remote onto a direct access client or ping the direct access client.
  Our local LAN uses Ipv4 and we can route fine to the Direct Access clients from the Direct Access Server where the tunnel terminates but not from any other machine on the network. Do I need to change the direct access configuration to allow this or do I need
  to somehow create a route on my LAN for the direct access clients?
  Thanks in advance
  David

  I found out how to do this in this useful article and tested it and it is working fine - thanks.
  http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients

• Is there any solution to change window title of web access client?

  Hi All,
  Is there any solution to change browser window title of web access client and Oracle Collaboration Suite Calendar?
  Regards,
  Beomwoo.

  While looking at such a tab, click View > Show Path Bar from Finder's menu.  The information you are requesting will be displayed at the bottom of the window.

• Im having trouble using bbciplayer on my ipad it says i need to switch to wifi but im already connected can any one help?

  im having trouble using bbciplayer on my ipad it says i need to switch to wifi but im already connected can any one help? I ve uninstalled/ reinstalled  switched it on and off what next?

  Did you try downloading the movie from iTunes on your iPad?  I know it takes longer but I'd try that. 
  Also try to reset all settings. 
  Settings > General > Reset. Reset all settings. 

• Cannot apply Direct Access Client GPO on Windows 8.1 Enterprise client

  Hi, I have made a Direct Access environment on Windows Server 2012 R2 Essential.
  All setting seems to be ok, but i'm completely stuck when i have to export the DA client GPO to the client computer.
  The client computer is a Win8.1 Enterprise, already joined to the domain.
  When execute the command gpupdate /force, it complete successfully but when i do a gpresult /R i have nothing in the "Applied Group Policy Object" field (N/A) while i should have the Default domain GPO and the DA client GPO.
  What is wrong at this state ?
  Thanks

  My user1 is in the "DirectAccess" group.
  In all the tutorial i saw, i have never seen you have to add the computer object to this group but only the user.
  Anyway, i have just add it to the group.
  From my first post, here is what i did.
  ran a Group Policy Result, from the DC to the client. 
  It give me the error RPC unavailable. 
  So i open the local policies on the client > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall >
  Domain Profile > double click on "Windows Firewall: Allow inbound remote administration exception" > tick enable 
  I reran the Group Policy Results, and it work this time. 
  Now i have the result for the User1 on TECH2 client pc. 
  On details pane > Denied GPOs 
  The DA client setting is deny with the reason "access denied" ...
  Now on the client computer after a GPRESULT /R
  Computer settings
  Applied Group Policy Object
  Default Domain Policy
  Local Group Policy
  The following GPOs were not applied because they were filtered out
  DirectAccess Client Setting
  Filtering: Denied (Security)
  DirectAccess Server Settings
  Filtering: Denied (Security)  -> normal

• Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

  Hi
  We have installed Direct Access 2012 as one server installation:
  - Two network cards. First one in DMZ and second one in internal network
  - Two consecutive IP addresses configured in DMZ because of Teredo
  - PKI because of Win7 Clients IPSec
  - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
  - DA-servers are VMWare virtual machines 
  One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
  but problem is DNS. If we still try to use DA-server as DNS there comes error message below
  None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
  When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using DA-servers DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addressess. So how DNS should be configured when using multicast
  NLB? 
  Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
  Then tried to ping detected address => General failure
  NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
  Any clues how to fix this?
  ~ Jukka ~

  Hi,
  Your question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various
  paid support options that are available to better meet your needs.
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Cannot connect to direct access clients from management servers

  I have direct access setup on a Server 2012 machine and I have successfully added clients to it.  Clients can reach internal resources and everything seems to be working great inbound.  However, I am having some trouble with outbound management.
   From the Direct Access server I can ping, RDP, browse files, etc... From the management server I have defined in the DA setup I can only ping the machines and nothing else.
  I had worked with some MS tech support to get to this point, and they had me configure my DA server and the few management server with status IPv6 addresses.  I'm not sure if this is necessary or if outbound managment should work using ISATAP?
  My DA server is Server 2012, and the clients are Windows 8 and Windows 8.1.

  You should be able to make outbound management work using either ISATAP or native IPv6. If you have configured native IPv6 and it's not working, there may be some kind of routing issue with the way that IPv6 is setup in your environment, or even a piece
  of networking equipment that is not IPv6 capable.
  If you're interested in trying the ISATAP route to see if you can get it working that way, Chapter 3 in this is dedicated to the setting up of ISATAP: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book
  (sorry, not trying to be self-serving, but these kinds of questions are exactly the reason why I put the book together)

• Direct Access client getting NameResolutionFailure error

  Hi,
  I'm trying to setup Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.
  I've followed the instructions to setup a simple setup for DA on a Windows 2012 R2 server with everything all on one server and I'm running behind a TMG 2010 server.  On the TMG server I've published the my DA server using a server publishing rule
  based on these instructions
  http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx
  The setup seems pretty straight forward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try and connect when I'm not on our internal network.
  The problem I'm pretty sure is DNS related because when my test Windows 8.1 client is on our internal network everything works fine. 
  When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try and ping anything address on our domain name I get an error that the address is unresolvable.  I can ping any other domain name address fine.
  On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:
  mydomain.com              fdf3:137e:5133:ce07:1000::127
  directaccess.mydomain.com
  DirectAccess-NLS.mydomain.com
  directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server that is bound the external IP address published on my TMG 2010 server.  This name is not resolvable when on any internal machines.
  If I execute the get-DNSClientNRPTPolicy command I get this:
  Namespace                        : DirectAccess-NLS.mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           :
  DirectAccessEnabled              :
  DirectAccessProxyType            : UseDefault
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  Namespace                        : directaccess.mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           :
  DirectAccessEnabled              :
  DirectAccessProxyType            : UseDefault
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  Namespace                        : .mydomain.com
  QueryPolicy                      :
  SecureNameQueryFallback          :
  DirectAccessIPsecCARestriction   :
  DirectAccessProxyName            :
  DirectAccessDnsServers           : fdf3:137e:5133:ce07:1000::127
  DirectAccessEnabled              :
  DirectAccessProxyType            : NoProxy
  DirectAccessQueryIPsecEncryption :
  DirectAccessQueryIPsecRequired   : False
  NameServers                      :
  DnsSecIPsecCARestriction         :
  DnsSecQueryIPsecEncryption       :
  DnsSecQueryIPsecRequired         : False
  DnsSecValidationRequired         : False
  NameEncoding                     : Utf8WithoutMapping
  So I'm thinking that the issue is related to the fact that the NRPT table says that directaccess.mydomain.com address there is no DNS specified.  In fact it seems like that entry shouldn't even be there.  When I was configuring DA for the first
  time, I got a warning that said:
  Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.
  I wasn't sure what this meant at the time but I'm guessing it's relevant to this problem.
  Can some one give some help with this?
  Thanks in advance
  Nick

  Hi,
  So here is what I did.  First the IP information from my DA server IPHTTPS address from ipconfig /all
  Tunnel adapter IPHTTPSInterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : IPHTTPSInterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::1(Preferred)
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::2(Preferred)
     IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000:2400:8f5a:a931:1ff8(Preferred)
     Link-local IPv6 Address . . . . . : fe80::2400:8f5a:a931:1ff8%17(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 436207616
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-4F-8E-38-00-15-5D-00-96-05
     NetBIOS over Tcpip. . . . . . . . : Disabled
  So the address of my IPHTTPS address appears to be -S using this address as the source and going to an internal machine with an IPV6 address and got this:
  tracert -S fdfd:1374:5130:1000:2400:8f5a:a931:1ff8 testserver
  Tracing route to testserver.mydomain.com [fdfd:1374:5130:ce07:1000::220]
  over a maximum of 30 hops:
    1    <1 ms    <1 ms    <1 ms  daserver.mydomain.com [fdfd:1374:5130:1000:2400:8f5a:a931:1ff8]
    2     *        *        *     Request timed out.
    3     *        *        *     Request timed out.
    4     *        *        *     Request timed out.
    5     *        *        *     Request timed out.
    6     *        *        *     Request timed out.
    7     *        *        *     Request timed out.
    8     *        *        *     Request timed out.
    9     *        *        *     Request timed out.
   10     *        *        *     Request timed out.
   11     *        *        *     Request timed out.
   12     *        *        *     Request timed out.
   13     *        *        *     Request timed out.
   14 
  So it looks like from the IPHTTPS address I can't get to any internal IPV6 addresses on my internal IPV6 network I think right?  I did a route print on the DA server and got this:
  ===========================================================================
  Interface List
   12...00 15 5d 00 96 05 ......Microsoft Hyper-V Network Adapter
    1...........................Software Loopback Interface 1
   14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
   16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
   17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
  ===========================================================================
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      172.16.0.21     172.16.0.127    261
          127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
          127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
    127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         172.16.0.0    255.255.240.0         On-link      172.16.0.127    261
       172.16.0.127  255.255.255.255         On-link      172.16.0.127    261
      172.16.15.255  255.255.255.255         On-link      172.16.0.127    261
          224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
          224.0.0.0        240.0.0.0         On-link      172.16.0.127    261
    255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    255.255.255.255  255.255.255.255         On-link      172.16.0.127    261
  ===========================================================================
  Persistent Routes:
    Network Address          Netmask  Gateway Address  Metric
            0.0.0.0          0.0.0.0      172.16.0.21  Default
  ===========================================================================
  IPv6 Route Table
  ===========================================================================
  Active Routes:
   If Metric Network Destination      Gateway
   12    261 ::/0                     fdfd:1374:5130:ce07:1000::21
    1    306 ::1/128                  On-link
   12   4205 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
   17    306 fdfd:1374:5130:1000::/64 On-link
   17    306 fdfd:1374:5130:1000::/128  On-link
   17    306 fdfd:1374:5130:1000::1/128      On-link
   17    306 fdfd:1374:5130:1000::2/128      On-link
   17    306 fdfd:1374:5130:1000:2400:8f5a:a931:1ff8/128        On-link
   12    261 fdfd:1374:5130:7777::/96 On-link
   12    261 fdfd:1374:5130:ce07::/64 On-link
   12    261 fdfd:1374:5130:ce07:1000::127/128                    On-link
   12    261 fdfd:1374:5130:ce07:6b8c:21b9:52b4:e7c5/128    On-link
   12    261 fe80::/64                On-link
   17    306 fe80::/64                On-link
   17    306 fe80::2400:8f5a:a931:1ff8/128              On-link
   12    261 fe80::e00f:6c15:fde4:6491/128           On-link
    1    306 ff00::/8                 On-link
   12    261 ff00::/8                 On-link
   17    306 ff00::/8                 On-link
  ===========================================================================
  Persistent Routes:
   If Metric Network Destination      Gateway
    0 4294967295 fdfd:1374:5130:1000::/64 On-link
    0   4200 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
    0    256 fdfd:1374:5130:ce07::/64 On-link
    0 4294967295 fdfd:1374:5130:7777::/96 On-link
    0 4294967295 ::/0                     fdfd:1374:5130:ce07:1000::21
  ===========================================================================
  Am I missing a route here?
  Thanks

• Direct Access client DNS Registration q.

  Hi All,
  We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
  All internal resources are accessible and have good name resolution, etc.
  However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
  There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
  I have enable "secure only" DNS registration by Group Policy.
  We use split tunneling for clients.
  The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
  Many thanks for any assistance in pointing me in the right direction.

  Hi,
  >>There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
  Did you deploy the IPv6 in your corpnet? If no, it's normal.
  If we use the IPv4 in the corpnet, the NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. DirectAccess
  server will on behalf of the client to register the AAAA record.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Win8.1 Direct Access Client Stuck at "Connecting"

  I'm experimenting with Direct Access in a lab setting with 1 client and 3 2012 R2 servers. The client is running Windows 8.1 Enterprise.
  The client is always able to connect to the Direct Access server but is unable to ping or connect to the 2 servers that don't have RAS installed. Moreover, this behavior migrates to whichever server is running Remote Access Server: So, if I remove the role
  and install on another server, the client is able to communicate with the new server, but not the old.
  The connection from the client to the server is via IP-HTTPS (only option available to me in this environment). The client is able to reliably determine when it's on the Internet versus the intranet. However, when on the Internet, it stays in a "Connecting"
  state and never connects, but I'm still able to access the DA server.
  Does anyone have any ideas on how to resolve this?

   I managed to resolve the issue. I'm posting here in the hope that this may help another newbie to DA.
  Here's what caused my issue: As I mentioned, this was a lab environment where the limited number of machines were fulfilling multiple roles. In particular, the DA Server was also a backup domain controller running DNS. In my research, I came across a comment
  on http://directaccessguide.com that mentioned that the DA Server runs DNS64 to support clients; that made me suspicious that the regular DNS server was in some way conflicting. And, in fact, before this server was
  made a backup DC, DA was functioning just fine. Removing the backup DC role resolved the issue.
  So the takeaway is this: Don't run the regular DNS service on the DA Server; if you do, you will get DA client connectivity only to the DA Server.

• Direct Access 2012 - Can it be set to use an alternate port to 443

  Hi all,
  Just wondering if it's possible to forward from a public IP on a port other that 443 to a Direct Access 2012 server and if so how best to go about configuring it?
  Thanks.

  Hi,
  As far as I know, we can't change the default port used by DirectAccess.
  If we change the default port in server side by port forwarding, DirectAccess will can't connect to the server. Because there is no option to specify the destination port used by client.
  Therefore, we can't change the default port used by DirectAccess.
  Best Regards.
  Steven Lee
  TechNet Community Support

• How to directly access a SELECTED row in a table using MasterColumn

  I'm using a table with MasterColumn (TreeByNestingTableColumn) contains checkbox element.
  In order to get the selected row I have to navigate the whole tree which is a very expensive when the tree is big.
  I also tried without check box by just using MULTI ROW SELECTION property of the table but that didn't work.
  Is there a way to directly access selected row like we do in the standrard table control?
  Any help would be appretiated.
  regards
  Qamar

  hi, Qamar
  Just Check out the Following Link's
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating a tree structure in a table - 27.htm
  and also if u had not seen it before...............
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating tables in web dynpro - 11_0_.htm
  regard's
  Dheerendra

• When I try to access Firefox I get this message: "Firefox is already running, but is not responding. To open a new windwo, you must first close the existing Firefox process, or restart your computer."

  When I click on Firefox I get a window that says: "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your computer." I can't see where anything is running on firefox. I restarted the comuter and I shut down the computer. I also ran a full scan of the computer.

  Sorry I am a PC user but have you seen
  * [[Firefox is already running but is not responding]]
  Firefox will be hanging for some reason. The quick solutions to kill the process and try again. The next step is to try to see if it will start and exit normally a couple of times, if so the problem is solved. If not the reason needs further investigation.
  See [[firefox hangs]]
  An immediate likely culprit after repeated problems are the duplicate session restore files, as discussed in the above KB article.

• Does a client need Acrobat 9 Pro, to use a form created with the program?

  Do you need to have Adobe Acrobat 9 Pro, in order to use and/or view forms and portfolios created with Adobe Acrobat 9 Pro?
  If so, is there a free version that I can direct clients to download, so that they will be able to use and or view documents I am creating with Acrobat 9 Pro?

  Will the user be able to save the form with the data he/she entered?
  That depends upon if the file is specially Reader enabled. For some forms Acrobat Standard or higher is needed to file and save form data.