Windows 8.1 Direct Access Client Needs to approve external wifi use before it connects - proxy not responding
OK, so I have Windows 8.1 with Direct Access Client and it works fine when I am able to check and uncheck proxy settings - which is a bit of a pain and seems unnecessary (I hope). If I take the laptop to a Starbucks I get the error that the proxy server is not responding, so it never redirects for me to "accept" the rules.
If I uncheck my proxy settings it then redirects and connects to their internet wifi and off I go - DA connects and all is well.
I am using a GPO to configure the proxy settings as shown (all options are greyed out for the users).
Hi,
Your problem is a classic one when using that kind of proxy settings, unfortunately.
To solve this without the need for user interaction, there are two solutions that will sort this out for you. In your case, if you want to use your corporate connection for internet traffic even over DA, I'd opt for alternative 1 or 2 depending on what you are trying to achieve.
1. WPAD (Web Proxy Auto Discovery protocol, http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) - it actually uses the Automatic browser configuration checkbox on your client and looks for the file wpad.dat on a specific web server that you point out with either a DNS record called wpad or DHCP option 252.
2. Auto configuration script (PAC script, http://en.wikipedia.org/wiki/Proxy_auto-config) - uses the same kind of file as above. The difference is that you get the possibility, like you want in your scenario, to target which users should get the script.
See the articles below for more details on the options you have.
http://technet.microsoft.com/en-us/library/dd361918.aspx
http://techlib.barracuda.com/display/WSFLEXv41/How+to+Configure+Proxy+Settings+Using+Group+Policy+Management
Let us know if you need further assistance!
/Johan
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
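A PAC file of the kind option 2 describes, as an added example that is not part of the original answer: it uses the corporate proxy only when the proxy's internal name resolves, so the captive-portal page on a guest network can load directly. The proxy host, port and DNS suffix are placeholders, and the Node-only harness at the bottom simulates the browser's PAC helpers with constructed data.

```javascript
// Added example, not from the thread. All names below are placeholders.
var PROXY_HOST = "proxy.corp.example";        // assumption: internal-only DNS name
var PROXY = "PROXY " + PROXY_HOST + ":8080";  // assumption: proxy port
var INTERNAL = ".corp.example";               // assumption: internal DNS suffix

function FindProxyForURL(url, host) {
  // Intranet names are never proxied; over DirectAccess they use the tunnel.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL)) {
    return "DIRECT";
  }
  // Behind a captive portal the DirectAccess tunnel is not up yet, so the
  // proxy's internal name does not resolve. Going direct lets the portal's
  // redirect page load instead of failing with "proxy not responding".
  if (!isResolvable(PROXY_HOST)) {
    return "DIRECT";
  }
  // On the LAN, or once the tunnel is up: browse through the proxy.
  // No "; DIRECT" fallback here, so a resolvable but dead proxy fails closed.
  return PROXY;
}

// ---- Node-only harness (do not ship this part in the .pac file) ----
// Browsers supply the three helpers used above. Here they are simulated
// against a constructed set of resolvable names so the logic runs offline.
var resolvableNames = new Set();
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (h) {
    return h.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (h, d) {
    return h.length >= d.length && h.slice(-d.length) === d;
  };
  globalThis.isResolvable = function (h) {
    return resolvableNames.has(h);
  };
}

// Evaluate the PAC decision for one URL given the names that resolve
// on the simulated network.
function simulate(names, url) {
  resolvableNames = new Set(names);
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed scenarios: guest wifi before the tunnel is up, then tunnel up.
console.log("captive portal:", simulate([], "http://www.example.org/"));
console.log("tunnel up     :", simulate([PROXY_HOST], "http://www.example.org/"));
console.log("intranet site :", simulate([PROXY_HOST], "http://intranet.corp.example/"));
```

Only the part above the harness marker belongs in the deployed file. Pointing clients at it with a GPO-configured HTTPS URL, rather than relying on WPAD discovery, avoids trusting whatever answers for "wpad" on a guest network.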
Similar Messages
-
Windows Server 2012 - Direct Access clients and the Windows 8 firewall
Hi,
We're running a simple proof-of-concept for Server 2012 Direct Access, we have a single DA server behind a firewall using NAT. We have a number of client devices setup for DA and running Windows 8.
Our issue is that we can only get the Windows 8 direct access clients to connect (when outside the corporate network) and work with the windows firewall disabled (public network profile).
With the windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
Is there some specific guidance on manually configuring the windows 8 firewall for Direct Access ? We've tried the obvious TCP:443 with edge traversal enabled but without success.
Much of the information we have found relates to UAG rather than Windows 2012 DA.
Any assistance is appreciated.
Hi,
There isn’t any specific configuration on the firewall.
Just confirm that port 443 can be forwarded to DirectAccess server.
Of course, make sure you are using IPsec first.
Check the links:
STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
DirectAccess for Windows Server 2012 Installation & Configuration Guide
http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
-
Routing back to Direct Access Clients - is this possible?
Hi,
We have been using direct access for the past few months successfully, however the one problem we are still having is we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local lan), using SourceOffsite
or even using Remote Desktop to remote onto a direct access client or ping the direct access client.
Our local LAN uses Ipv4 and we can route fine to the Direct Access clients from the Direct Access Server where the tunnel terminates but not from any other machine on the network. Do I need to change the direct access configuration to allow this or do I need
to somehow create a route on my LAN for the direct access clients?
Thanks in advance
David
I found out how to do this in this useful article and tested it and it is working fine - thanks.
http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients -
Is there any solution to change window title of web access client?
Hi All,
Is there any solution to change browser window title of web access client and Oracle Collaboration Suite Calendar?
Regards,
Beomwoo.
While looking at such a tab, click View > Show Path Bar from Finder's menu. The information you are requesting will be displayed at the bottom of the window.
-
I'm having trouble using BBC iPlayer on my iPad. It says I need to switch to wifi but I'm already connected. Can anyone help? I've uninstalled/reinstalled, switched it on and off. What next?
Did you try downloading the movie from iTunes on your iPad? I know it takes longer but I'd try that.
Also try to reset all settings.
Settings > General > Reset. Reset all settings. -
Cannot apply Direct Access Client GPO on Windows 8.1 Enterprise client
Hi, I have made a Direct Access environment on Windows Server 2012 R2 Essential.
All settings seem to be OK, but I'm completely stuck when I have to export the DA client GPO to the client computer.
The client computer is a Win8.1 Enterprise, already joined to the domain.
When I execute the command gpupdate /force, it completes successfully, but when I do a gpresult /R I have nothing in the "Applied Group Policy Object" field (N/A) while I should have the Default domain GPO and the DA client GPO.
What is wrong at this state?
Thanks
My user1 is in the "DirectAccess" group.
In all the tutorials I saw, I have never seen that you have to add the computer object to this group, only the user.
Anyway, I have just added it to the group.
From my first post, here is what I did.
Ran a Group Policy Result, from the DC to the client.
It gave me the error RPC unavailable.
So I opened the local policies on the client > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > double-clicked on "Windows Firewall: Allow inbound remote administration exception" > ticked Enable
I reran the Group Policy Results, and it worked this time.
Now I have the result for the User1 on TECH2 client PC.
On details pane > Denied GPOs
The DA client setting is denied with the reason "access denied" ...
Now on the client computer after a GPRESULT /R
Computer settings
Applied Group Policy Object
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
DirectAccess Client Setting
Filtering: Denied (Security)
DirectAccess Server Settings
Filtering: Denied (Security) -> normal -
Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012
Hi
We have installed Direct Access 2012 as one server installation:
- Two network cards. First one in DMZ and second one in internal network
- Two consecutive IP addresses configured in DMZ because of Teredo
- PKI because of Win7 Clients IPSec
- Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
- DA-servers are VMWare virtual machines
One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too, but the problem is DNS. If we still try to use the DA-server as DNS, the error message below appears:
None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using the DA-server's DIP or cluster VIP. Only domain local DNS looks to be OK but those have no IPv6 addresses. So how should DNS be configured when using multicast NLB?
Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
Then tried to ping detected address => General failure
NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be.
Any clues how to fix this?
~ Jukka ~
Hi,
Your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various
paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Regards,
Mike
-
Cannot connect to direct access clients from management servers
I have direct access setup on a Server 2012 machine and I have successfully added clients to it. Clients can reach internal resources and everything seems to be working great inbound. However, I am having some trouble with outbound management.
From the Direct Access server I can ping, RDP, browse files, etc... From the management server I have defined in the DA setup I can only ping the machines and nothing else.
I had worked with some MS tech support to get to this point, and they had me configure my DA server and the few management servers with status IPv6 addresses. I'm not sure if this is necessary or if outbound management should work using ISATAP?
My DA server is Server 2012, and the clients are Windows 8 and Windows 8.1.
You should be able to make outbound management work using either ISATAP or native IPv6. If you have configured native IPv6 and it's not working, there may be some kind of routing issue with the way that IPv6 is set up in your environment, or even a piece of networking equipment that is not IPv6 capable.
If you're interested in trying the ISATAP route to see if you can get it working that way, Chapter 3 in this is dedicated to the setting up of ISATAP: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book
(sorry, not trying to be self-serving, but these kinds of questions are exactly the reason why I put the book together) -
Direct Access client getting NameResolutionFailure error
Hi,
I'm trying to setup Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.
I've followed the instructions to set up a simple setup for DA on a Windows 2012 R2 server with everything all on one server and I'm running behind a TMG 2010 server. On the TMG server I've published my DA server using a server publishing rule based on these instructions
http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx
The setup seems pretty straight forward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try and connect when I'm not on our internal network.
The problem I'm pretty sure is DNS related because when my test Windows 8.1 client is on our internal network everything works fine.
When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try and ping any address on our domain name I get an error that the address is unresolvable. I can ping any other domain name address fine.
On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:
mydomain.com fdf3:137e:5133:ce07:1000::127
directaccess.mydomain.com
DirectAccess-NLS.mydomain.com
directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server that is bound to the external IP address published on my TMG 2010 server. This name is not resolvable when on any internal machines.
If I execute the get-DNSClientNRPTPolicy command I get this:
Namespace : DirectAccess-NLS.mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : directaccess.mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : .mydomain.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers : fdf3:137e:5133:ce07:1000::127
DirectAccessEnabled :
DirectAccessProxyType : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
So I'm thinking that the issue is related to the fact that the NRPT table says that for the directaccess.mydomain.com address there is no DNS specified. In fact it seems like that entry shouldn't even be there. When I was configuring DA for the first time, I got a warning that said:
Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.
I wasn't sure what this meant at the time but I'm guessing it's relevant to this problem.
Can someone give some help with this?
Thanks in advance
Nick
Hi,
So here is what I did. First the IP information from my DA server IPHTTPS address from ipconfig /all
Tunnel adapter IPHTTPSInterface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : IPHTTPSInterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::1(Preferred)
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::2(Preferred)
IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000:2400:8f5a:a931:1ff8(Preferred)
Link-local IPv6 Address . . . . . : fe80::2400:8f5a:a931:1ff8%17(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 436207616
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-4F-8E-38-00-15-5D-00-96-05
NetBIOS over Tcpip. . . . . . . . : Disabled
So the address of my IPHTTPS address appears to be -S using this address as the source and going to an internal machine with an IPV6 address and got this:
tracert -S fdfd:1374:5130:1000:2400:8f5a:a931:1ff8 testserver
Tracing route to testserver.mydomain.com [fdfd:1374:5130:ce07:1000::220]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms daserver.mydomain.com [fdfd:1374:5130:1000:2400:8f5a:a931:1ff8]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14
So it looks like from the IPHTTPS address I can't get to any internal IPV6 addresses on my internal IPV6 network I think right? I did a route print on the DA server and got this:
===========================================================================
Interface List
12...00 15 5d 00 96 05 ......Microsoft Hyper-V Network Adapter
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.21 172.16.0.127 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.240.0 On-link 172.16.0.127 261
172.16.0.127 255.255.255.255 On-link 172.16.0.127 261
172.16.15.255 255.255.255.255 On-link 172.16.0.127 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.0.127 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.0.127 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.0.21 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 261 ::/0 fdfd:1374:5130:ce07:1000::21
1 306 ::1/128 On-link
12 4205 fdfd:1374:5130::/48 fdfd:1374:5130:ce07:1000::21
17 306 fdfd:1374:5130:1000::/64 On-link
17 306 fdfd:1374:5130:1000::/128 On-link
17 306 fdfd:1374:5130:1000::1/128 On-link
17 306 fdfd:1374:5130:1000::2/128 On-link
17 306 fdfd:1374:5130:1000:2400:8f5a:a931:1ff8/128 On-link
12 261 fdfd:1374:5130:7777::/96 On-link
12 261 fdfd:1374:5130:ce07::/64 On-link
12 261 fdfd:1374:5130:ce07:1000::127/128 On-link
12 261 fdfd:1374:5130:ce07:6b8c:21b9:52b4:e7c5/128 On-link
12 261 fe80::/64 On-link
17 306 fe80::/64 On-link
17 306 fe80::2400:8f5a:a931:1ff8/128 On-link
12 261 fe80::e00f:6c15:fde4:6491/128 On-link
1 306 ff00::/8 On-link
12 261 ff00::/8 On-link
17 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 fdfd:1374:5130:1000::/64 On-link
0 4200 fdfd:1374:5130::/48 fdfd:1374:5130:ce07:1000::21
0 256 fdfd:1374:5130:ce07::/64 On-link
0 4294967295 fdfd:1374:5130:7777::/96 On-link
0 4294967295 ::/0 fdfd:1374:5130:ce07:1000::21
===========================================================================
Am I missing a route here?
Thanks -
Direct Access client DNS Registration q.
Hi All,
We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
All internal resources are accessible and have good name resolution, etc.
However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
I have enable "secure only" DNS registration by Group Policy.
We use split tunneling for clients.
The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
Many thanks for any assistance in pointing me in the right direction.
Hi,
>>There is a major sticking point in that the clients are attempted to register DNS names on the local DHCP server (home/office) router and registration never reaches corporate DNS servers.
Did you deploy the IPv6 in your corpnet? If no, it's normal.
If we use IPv4 in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess server will register the AAAA record on behalf of the client.
Best Regards.
Steven Lee -
Win8.1 Direct Access Client Stuck at "Connecting"
I'm experimenting with Direct Access in a lab setting with 1 client and 3 2012 R2 servers. The client is running Windows 8.1 Enterprise.
The client is always able to connect to the Direct Access server but is unable to ping or connect to the 2 servers that don't have RAS installed. Moreover, this behavior migrates to whichever server is running Remote Access Server: So, if I remove the role
and install on another server, the client is able to communicate with the new server, but not the old.
The connection from the client to the server is via IP-HTTPS (only option available to me in this environment). The client is able to reliably determine when it's on the Internet versus the intranet. However, when on the Internet, it stays in a "Connecting"
state and never connects, but I'm still able to access the DA server.
Does anyone have any ideas on how to resolve this?
I managed to resolve the issue. I'm posting here in the hope that this may help another newbie to DA.
Here's what caused my issue: As I mentioned, this was a lab environment where the limited number of machines were fulfilling multiple roles. In particular, the DA Server was also a backup domain controller running DNS. In my research, I came across a comment
on http://directaccessguide.com that mentioned that the DA Server runs DNS64 to support clients; that made me suspicious that the regular DNS server was in some way conflicting. And, in fact, before this server was
made a backup DC, DA was functioning just fine. Removing the backup DC role resolved the issue.
So the takeaway is this: Don't run the regular DNS service on the DA Server; if you do, you will get DA client connectivity only to the DA Server. -
Direct Access 2012 - Can it be set to use an alternate port to 443
Hi all,
Just wondering if it's possible to forward from a public IP on a port other than 443 to a Direct Access 2012 server and if so how best to go about configuring it?
Thanks.
Hi,
As far as I know, we can't change the default port used by DirectAccess.
If we change the default port on the server side by port forwarding, DirectAccess will not be able to connect to the server, because there is no option to specify the destination port used by the client.
Therefore, we can't change the default port used by DirectAccess.
Best Regards.
Steven Lee
TechNet Community Support -
How to directly access a SELECTED row in a table using MasterColumn
I'm using a table with MasterColumn (TreeByNestingTableColumn) that contains a checkbox element.
In order to get the selected row I have to navigate the whole tree, which is very expensive when the tree is big.
I also tried without the check box by just using the MULTI ROW SELECTION property of the table but that didn't work.
Is there a way to directly access the selected row like we do in the standard table control?
Any help would be appreciated.
regards
Qamar
Hi, Qamar
Just check out the following links
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating a tree structure in a table - 27.htm
and also, if you had not seen it before:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/tutorial on creating tables in web dynpro - 11_0_.htm
regards
Dheerendra -
When I click on Firefox I get a window that says: "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your computer." I can't see where anything is running on Firefox. I restarted the computer and I shut down the computer. I also ran a full scan of the computer.
Sorry I am a PC user but have you seen
* [[Firefox is already running but is not responding]]
Firefox will be hanging for some reason. The quick solution is to kill the process and try again. The next step is to try to see if it will start and exit normally a couple of times; if so, the problem is solved. If not, the reason needs further investigation.
See [[firefox hangs]]
An immediate likely culprit after repeated problems are the duplicate session restore files, as discussed in the above KB article. -
Does a client need Acrobat 9 Pro, to use a form created with the program?
Do you need to have Adobe Acrobat 9 Pro, in order to use and/or view forms and portfolios created with Adobe Acrobat 9 Pro?
If so, is there a free version that I can direct clients to download, so that they will be able to use and or view documents I am creating with Acrobat 9 Pro?
Will the user be able to save the form with the data he/she entered?
That depends upon if the file is specially Reader enabled. For some forms Acrobat Standard or higher is needed to file and save form data.