About Me

I am the founder and principal consultant at Richard M. Hicks Consulting, Inc. I am a widely recognized enterprise mobility expert with more than 25 years of experience implementing secure remote access and public key infrastructure (PKI) solutions for organizations worldwide. I understand that providing visibility, control, and assurance for field-based devices is vital to ensuring the highest level of security and productivity for today’s highly mobile workforce.

I am the author of Implementing Always On VPN (ISBN 978-1484277409) by Apress Media. This book is a comprehensive implementation guide for deploying Microsoft Windows Always On VPN in the enterprise.

I am also the author of Implementing DirectAccess with Windows Server 2016 (ISBN 978-1484220580), also by Apress Media. This book is the definitive guide for planning, implementing, and supporting a DirectAccess solution based on Windows Server 2012 R2 or Windows Server 2016.

I live and work in beautiful, sunny Southern California.

In addition to this blog, you can also find me here:

LinkedIn – https://www.linkedin.com/in/richardhicks
Twitter – https://twitter.com/richardhicks/
Facebook – https://www.facebook.com/richardhicksmvp/
YouTube – https://www.youtube.com/richardmhicks/
GitHub – https://github.com/richardhicks/
Website – https://www.richardhicks.com/
Always On VPN Book – https://amzn.to/3CORD0T
DirectAccess Book – https://amzn.to/2djzDlZ
Pluralsight Training Courses – https://richardhicks.com/pluralsight
Enterprise Mobility Newsletter – https://richardhicks.com/newsletter

If you have any questions, please fill out the form below and I’ll get in touch with you.


65 Comments

  1. AndrejK

     March 30, 2014

    Hi,
    I’m installing DA in a multi-forest environment. I have three separate forests with two-way trusts. I can add computer accounts from two of them; on one, I get this error when I run Add-DAClient:

    I’m confused: why can’t DA find the security group? If I add the security group through the GUI, I can browse the security group from AD, but when I click Finish the result is the same.

    Any ideas what I can check?

    VERBOSE: Retrieving server GPO details…
    VERBOSE: Opening the server GPO…
    VERBOSE: Validating security group (XXX\u_dacomps) in the domain…
    Add-DAClient : Security group XXX\u_dacomps cannot be found.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList XXX\u_dacomps -v
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceExists: (XXX\u_dacomps:root/Microsoft/…ess/
    nt], CimException
    + FullyQualifiedErrorId : HRESULT 800700ea,Add-DAClient

    Add-DAClient : The operation failed. All of the specified security groups are invalid.
    At line:1 char:1
    + Add-DAClient -SecurityGroupNameList XXX\u_dacomps -v
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (SecurityGroupNameList:root/Microsoft/…ess/PS
    ], CimException
    + FullyQualifiedErrorId : HRESULT 80070057,Add-DAClient

    kind regards,

    Andrej

    Reply
    • As long as there are two-way trusts established between each of the forests, you should be able to add those users. I’m not sure why Add-DAClient is failing here though. :/

      Reply
  2. Hello Richard,

    Thanks for the blog, it is a very useful resource for understanding more about how DirectAccess works and knowing common pitfalls and problems before encountering them in our deployments.

    I have my deployment working quite nicely, with a single exception. Kaspersky.

    I have Kaspersky Security Center 10 and use it to publish security policies to my clients and servers. But whenever KAV gets anywhere near DirectAccess there is nothing but trouble. I have tried setting KAV to not filter traffic on port 443, as I am using IP-HTTPS tunnels.

    Not only can external clients not connect to the server, but once back inside the network, KAV seems to stop them from correctly communicating with the internal NLS servers, so they think they are still outside and then attempt to establish an IP-HTTPS link to the server. The network interface also reports back as not being connected to the domain.

    The strange part is that from the clients, I can enter the https address of the internal FQDN for the NLS site in Internet and it creates a secure connection using my internal Root CA certificates to authenticate it. The client can also resolve and ping internal servers, but can’t connect to them (presumably because of the attempted connection to the DirectAccess server).

    So this brings me to my question, of what security software you recommend for DirectAccess and how to ensure that the software you use does not interfere with it?

    Reply
    • I’ve heard numerous horror stories about DirectAccess deployments not working with Kaspersky Anti-Virus. To a lesser extent, I’ve also heard that some DirectAccess users are reporting issues when Symantec Endpoint Protection is installed. At this point, I don’t have a recommendation regarding desktop AV. Obviously the native Microsoft security features work, but that doesn’t help you from an enterprise perspective. 🙂

      Reply
  3. Andy Thomson

     June 25, 2015

    Hi Rich,

    Do you know of any way to change the order of Entry Points in a Multisite configuration, without removing and re-adding the Entry Points from the configuration?

    So for example, I want to change:
    Multisite
    Site1
    Site1-EntryPoint
    Site2
    Site2-EntryPoint
    Site3
    Site3-EntryPoint

    to this:
    Multisite
    Site3
    Site3-EntryPoint
    Site2
    Site2-EntryPoint
    Site1
    Site1-EntryPoint

    I was hoping there would be some PowerShell cmdlets but can’t find anything that will do what I’m looking for (which I agree is probably a rare scenario!).

    Many thanks for any help you can provide,
    Andy

    Reply
    • Hi Andy. It’s not possible to change the order of entry points, nor is it really necessary. Windows 7 clients are homed to a specific entry point. Windows 8.x clients are either assigned to a single entry point, or they can be configured to automatically select one. For automatic selection, the entry point order is irrelevant. The Windows 8 client will probe all entry points and connect to whichever entry point responds first. If you have a specific reason to have all clients connect to one entry point first (for example a disaster recovery scenario) and then fail over to another site later, then I would suggest using a Global Server Load Balancer (GSLB). Using GSLB you have much more granular control over traffic distribution.

      Reply
  4. BenZ

     June 27, 2015

    I’m having the same issue. I pulled the script and basically Add-DAClient doesn’t work. If I run the wizard over and over, each time I get different errors. Sometimes it says the name cannot be the same as the certificate, or certificate not found, and I *always* get DA-Client could not find security group. From the server, if I do net group ‘VPNComputerGroup’ /domain it comes back instantly with the computer(s) in that group.

    This DA definitely has a LONG way to go; even after 5 years the walkthroughs don’t work, and manually running the script yields the same results with the 800700ea ‘not found’ error on the security group. Anyone figure this out? I have a single domain, 20 servers, 500 workstations, 2 DCs, flat network.

    Thanks!

    Reply
    • It is entirely possible that this might be a bug. It wouldn’t be the first one. 😉 I’d suggest opening a support case with Microsoft to have them troubleshoot. If they can’t resolve the issue, perhaps they can identify a workaround. If indeed it is a defect, they can produce a hotfix too.

      Reply
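
Both Add-DAClient reports above end in the same HRESULT 800700ea “security group cannot be found” error. The cmdlet has to translate the DOMAIN\group name into a SID on the DirectAccess server itself, through that server’s trust and name-resolution path, so a quick way to separate a trust or lookup problem from a DirectAccess defect is to perform that translation yourself before calling the cmdlet. The following is an added example and not code from the original page or the author; the group names in it are placeholders (the second one is the name from the first comment) and it assumes it is run elevated on the DirectAccess server with the RemoteAccess module available.

```powershell
# Added example, not code from the original page. Run elevated on the DirectAccess server.
# Group names below are placeholders; substitute the groups you intend to pass to Add-DAClient.
$Groups = @('CORP\DirectAccessClients', 'XXX\u_dacomps')   # assumed names

function Test-DASecurityGroup {
    # Resolve DOMAIN\group to a SID the same way the server will have to: through the
    # local LSA and the trust path, not through a remote LDAP query from an admin workstation.
    param([Parameter(Mandatory)][string]$GroupName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Group = $GroupName; Resolves = $true;  Sid = $sid.Value; Error = $null }
    }
    catch {
        [pscustomobject]@{ Group = $GroupName; Resolves = $false; Sid = $null; Error = $_.Exception.Message }
    }
}

$results = $Groups | ForEach-Object { Test-DASecurityGroup -GroupName $_ }
$results | Format-Table -AutoSize

# Only hand the cmdlet groups that actually resolve from this host; report the rest
# separately so a trust or name-resolution failure is not mistaken for a DirectAccess bug.
$good = @($results | Where-Object { $_.Resolves } | ForEach-Object { $_.Group })
$bad  = @($results | Where-Object { -not $_.Resolves })
foreach ($b in $bad) { Write-Warning ("{0} does not resolve on this server: {1}" -f $b.Group, $b.Error) }

if ($good.Count -gt 0) {
    Add-DAClient -SecurityGroupNameList $good -PassThru -Verbose
}
```

If a group fails the Translate step here, Add-DAClient will fail on it too, and the place to look is the trust, the DNS path to the remote forest’s domain controllers, or the group name itself rather than the Remote Access configuration.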
  5. Andy Thomson

     June 29, 2015

    Thanks Rich, the reason being that Site 3 has a much faster connection but the clients do not seem to be selecting it as I would have expected. Think I will need to do a bit more digging…

    Reply
    • In practice, the native site selection process doesn’t seem to work all that well for some reason. I’d suggest implementing a Global Server Load Balancing (GSLB) solution to address this. A GSLB will allow much more granular control over traffic management. Using GSLB you should be able to configure all of your clients to use site 3 first and fall back to other sites if it isn’t available.

      Reply
  6. Brett Thomas

     September 22, 2015

    Rich,
    We initially set up our DA with NAP. Now we would like to remove the NAP. My concern is this: removing the NAP will alter the DA GPOs. Offline devices will still have the older policies. Will this cause the offline devices any problems attempting to connect after the GPO is altered?

    Thank you

    Reply
    • Hi Brett,

      You bring up an interesting scenario. Honestly, I’m not certain how the client will behave. However, it might not be disruptive because NAP validation is enforced by the DirectAccess server. If you remove the NAP validation requirement from the server, it’s possible that the clients will be unaffected. I can’t say this with certainty though because I’ve never configured NAP for any of my customers to this point.

      Let me know how it goes! 🙂

      Reply
  7. Jose L Castro

     October 1, 2015

    I am using an F5 Load Balancer for Direct Access (Single NIC in the DA server). There are no F5 interfaces in the VLAN where the DA servers connect to. I was able to add the VIP with the external F5 IP address but the previous address of the DA server is also added as a VIP when I configure Load Balancing. How can I remove this VIP?

    Reply
    • There’s no need to use the DirectAccess VIP (originally the dedicated IP address of the first DirectAccess server) on the F5. The VIP on the F5 can be anything, really. The pool members would then be the dedicated IP address of each DirectAccess server. The only thing you’ll need to do is pay attention to the web probe host URL. If you’re using the default, you’ll either have to create a virtual service for that or use another resource.

      Reply
  8. I have a question about the Windows Firewall in DirectAccess for Windows Server 2012 R2. How does it interact with Symantec’s firewall? Can Symantec Firewall be used instead of the Windows firewall? If it cannot, can both be enabled at the same time?

    Thanks,
    Jose L Castro

    Reply
    • You can use any third-party firewall as long as the Windows Firewall is still enabled. Also, the third-party firewall must not block IPv6. You cannot replace the Windows Firewall with a third-party firewall, however.

      Reply
      • CASTRO, JOSE L

         November 11, 2015

        Thank you. I guess we either use both or standardize on Windows Firewall.
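
The two conditions in the answer above (Windows Firewall enabled on every profile, IPv6 not blocked) are easy to check on a client before involving a third-party firewall vendor. The script below is an added example, not code from the original page or the author; it assumes Windows 8/Server 2012 or later for the NetSecurity cmdlets, and the Security Center query at the end only returns data on workstation editions.

```powershell
# Added example, not code from the original page. Run on a DirectAccess client (or server).
function Test-DAFirewallPrereq {
    # 1. Windows Firewall must remain enabled on every profile, even when a third-party
    #    firewall is installed; DirectAccess relies on its connection security (IPsec) rules.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
    $disabledProfiles = @($profiles | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Name })

    # 2. IPv6 must not be disabled. DisabledComponents bit 0x01 disables all tunnel
    #    interfaces (IP-HTTPS, Teredo, 6to4); bit 0x10 disables IPv6 on physical interfaces.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $tunnelsDisabled = [bool]($dc -band 0x01)
    $nativeDisabled  = [bool]($dc -band 0x10)

    # 3. Which third-party firewall, if any, is registered with Security Center (client OS only).
    $thirdParty = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct `
                    -ErrorAction SilentlyContinue | ForEach-Object { $_.displayName })

    [pscustomobject]@{
        FirewallProfilesDisabled = $disabledProfiles
        IPv6TunnelsDisabled      = $tunnelsDisabled
        IPv6NativeDisabled       = $nativeDisabled
        ThirdPartyFirewalls      = $thirdParty
        Ready                    = ($disabledProfiles.Count -eq 0) -and -not $tunnelsDisabled -and -not $nativeDisabled
    }
}

Test-DAFirewallPrereq | Format-List
```

A result with Ready = False names the profile or IPv6 setting to fix first; a third-party product listed under ThirdPartyFirewalls with all profiles still enabled is the supported combination the answer describes.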

  9. Chris Duncan

     January 21, 2016

    Hi Richard,

    We have two 2012 DirectAccess servers running on a Windows NLB cluster.
    At the end of December we encountered an issue with the cluster. As a temporary workaround we disabled one of the servers while we investigated. This allowed the remaining server to service clients.
    Earlier this week the live server’s IP-HTTPS certificate expired. We are using a PKI certificate supplied by an internal CA server. We went ahead and created a new IP-HTTPS certificate from the template on the CA and applied it to DirectAccess.
    All errors within DirectAccess disappeared; however, clients could not connect and reported that they could not connect to the IP-HTTPS server, so no IPv4-IPv6 translation was available. We used the troubleshooting tool on the client to view the errors.

    We noticed the other DirectAccess server still had a valid certificate that had not expired. We switched to using this server instead and everything worked again, at least for two days, when it broke again. Clients are now again reporting that they cannot connect to the IP-HTTPS server. We have made no changes other than what is listed here (importing a new certificate to one of the DirectAccess servers).

    We have also run the DA Client Troubleshooting Tool and I would be happy to supply the logs.

    Any help or ideas on where to start troubleshooting would be greatly appreciated.

    Regards
    Chris

    Reply
  10. Peter

     March 24, 2016

    Hi Richard,

    I was wondering what your consulting services via remote access would cost.

    We have a main office with several branch offices connected via SonicWALL VPN.

    We created a DA server behind our edge firewall. The Remote Access Dashboard is green.
    No GPOs for Windows 7 DCA are configured yet.

    There is NO device assigned to the security group for DA client settings.
    We have issues where, when a system is connected on the inside, browsing is very, very slow and we cannot connect to Office 365 mail or SharePoint anymore.
    If the system is outside the network everything works fine.
    Any idea?

    Reply
  11. Rob

     April 27, 2016

    Hi Richard

    I have heard rumours of DirectAccess potentially being deprecated in the not-so-distant future, but I can’t find any info on this.
    Are you aware of the DirectAccess roadmap and futures?

    Reply
    • I’ve not heard anything from Microsoft regarding the deprecation of DirectAccess. They’ve certainly been focusing more on client-based VPN lately, but that doesn’t necessarily mean DirectAccess will go away. Judging by the number of customers rapidly deploying it since the release of Windows 10, I can’t see them giving up on it at this point.

      Reply
  12. dameronln

     May 13, 2016

    Hi Richard,

    I have a multi-site DirectAccess setup with two entry points running in a lab. The first entry point has 2 DirectAccess servers with NLB running (both with 2 NICs: 1 internal, 1 external). The second entry point has 1 DirectAccess server (1 internal NIC, 1 external NIC).

    I have a windows 10 client able to connect to the first entry point with no problem.

    If I switch that same client to the second entry point, its status remains as connecting. On the DA server, under Remote Client Status, I briefly see the client making a connection, but then nothing gets listed in the Access Details. Running get-daconnectionstatus returns “NameResolutionFailure”. Also, running the DirectAccess Troubleshooting Tool results in failures in the Network Location Tests, IP Connectivity Tests, Infrastructure Tunnel Tests and User Tunnel Tests. On this DA server, in the Configuration, Step 3, the DNS server IP address entered is the same address as the DA server (not the Domain Controller/DNS). When I click on Validate, it fails. (Both DA servers in the first entry site validate without any problems.)

    Any suggestions as to what can be wrong?

    Reply
    • If the client is able to connect to one entry point, it should be capable of connecting to any entry point. If it cannot, I suspect there might be a configuration issue with that individual entry point. It might also be a name resolution issue too, though.

      Reply
  13. mark Swinnich

     May 20, 2016

    Is this normal? When installing DirectAccess using the Getting Started Wizard and committing the changes that create the DirectAccess Client Settings GPO, the GPO drops in at the domain level and assigns all domain users to the policy. It causes all domain users to get the DA policy, screwing up their machines! When you have 30k+ workstations and a policy refresh every 15 minutes it affects a lot of employees. I have a domain group and GPO container that links the DirectAccess GPO and assigns it to a DAClient domain group. You have to be kidding, or I am doing this incorrectly.
    1. The DA wizard saves a new DirectAccess Client Settings GPO.
    2. The GPO is deposited at the domain root.
    3. The GPO assigns the All Domain Users AD group.
    4. Your boss comes over to yell at you.
    5. You have to manually remove the Domain Users group from the scope in the GPO and then reassign the correct AD group.

    Reply
    • That’s why you shouldn’t use the Getting Started Wizard. 😉 The GSW should be avoided at all costs, really. As you discovered, the GSW assumes you want to deploy DirectAccess settings to every mobile computer in the entire domain. Obviously that’s not a good idea. Using the Remote Access Setup Wizard (subtle but important difference!) you can apply DirectAccess with much more control.

      It might be a good idea to watch my Pluralsight training course on DirectAccess. There’s a subscription required, but they also have a free trial. It should provide you with enough free time to get through the initial part of the course.

      Reply
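
The problem described in this exchange is really a GPO security-filtering problem: the DirectAccess Client Settings GPO linked at the domain root applies to whichever principals hold the Apply permission on it. The script below audits that scope against the groups DirectAccess itself is configured to target and, optionally, narrows it. It is an added example, not code from the original page or the author; it assumes the GroupPolicy and RemoteAccess modules on the DirectAccess server and that the GPO still carries its default name. One caveat a practitioner will want: since MS16-072, computer accounts must be able to read a GPO for it to process at all, so the repair downgrades broad principals to Read rather than removing them outright.

```powershell
# Added example, not code from the original page. Run on the DirectAccess server.
Import-Module GroupPolicy
Import-Module RemoteAccess

$GpoName         = 'DirectAccess Client Settings'   # default wizard name; change if renamed
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Get-DAClientGpoScope {
    param([string]$Name = $GpoName)

    $gpo    = Get-GPO -Name $Name
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)

    # Security filtering is whoever holds GpoApply on the GPO's ACL.
    $apply     = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
    $appliesTo = @($apply | ForEach-Object { $_.Trustee.Name })

    # Groups the DirectAccess configuration itself targets (DOMAIN\group form).
    $daGroups = @((Get-DAClient).SecurityGroupNameList)

    [pscustomobject]@{
        Gpo            = $Name
        LinkedTo       = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        AppliesTo      = $appliesTo
        DAClientGroups = $daGroups
        BroadScope     = @($appliesTo | Where-Object { $_ -in $BroadPrincipals })
    }
}

function Repair-DAClientGpoScope {
    # Narrow filtering to the DirectAccess client groups. Broad principals are kept at
    # GpoRead (MS16-072: the computer account must still be able to read the GPO).
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = $GpoName)

    $scope = Get-DAClientGpoScope -Name $Name
    foreach ($p in $scope.BroadScope) {
        if ($PSCmdlet.ShouldProcess($Name, "Downgrade '$p' from GpoApply to GpoRead")) {
            Set-GPPermission -Name $Name -TargetName $p -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
        }
    }
    foreach ($g in $scope.DAClientGroups) {
        $short = ($g -split '\\')[-1]          # Get-GPPermission reports the trustee without the domain prefix
        if ($short -in $scope.AppliesTo) { continue }
        if ($PSCmdlet.ShouldProcess($Name, "Grant GpoApply to '$g'")) {
            Set-GPPermission -Name $Name -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
        }
    }
    Get-DAClientGpoScope -Name $Name
}

Get-DAClientGpoScope | Format-List
Repair-DAClientGpoScope -WhatIf     # preview; rerun without -WhatIf to apply
```

Run the audit first: a BroadScope that lists Authenticated Users or Domain Users while LinkedTo shows the domain root is the situation the comment describes, and the -WhatIf preview shows exactly which permissions would change before anything is written.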
  14. Nick

     June 1, 2016

    Hi Richard,

    Great blog 🙂

    I have a weird issue with DirectAccess. All works perfectly except over a 4G SIM connection.

    The tunnels are not established. Wi-Fi works fine, as does cable. The SIM has been tested and works fine, as does the adapter on the laptop.

    After enabling auditing etc. I find an error in the security log relating to main mode negotiation failed: IKE authentication credentials are unacceptable.

    I also find the same error in a network trace. Do you have any advice at all?

    The server is 2012 R2, the client is Windows 10. One network adapter behind a NAT.

    All works fine except when using 4G.

    Reply
  15. Vladyslav

     June 22, 2016

    Hello, Richard!
    I’m using your tips for DA.

    But I’m struggling on such issue:
    The GPO for a specific user could not be applied.
    The GPO for the computer has been applied. I found that with gpresult /r.

    But I can connect to the server over Explorer and also see the GPO directory: \\computer\sysvol\domain\policies…
    On the AD server the DA GPOs are applied at the root.
    This computer is in the DA security group.
    I’m using offline domain join. All is working except the user’s GPO.

    Richard, please suggest me where to look.
    Thank you!

    Reply
  16. Paul Yates

     July 8, 2016

    Richard,

    Fantastic blog, it helps out with some of the more quirky issues! I’m very grateful for your documentation.

    I’m wondering if you might be able to point me in the right direction. We have a functioning DA deployment using ISATAP, but recently our DCs stopped replicating. We think we have traced it to an IPv6 DNS issue.

    We noticed that the DNS servers will not respond internally via the ISATAP adapter’s IPv6 address; however, the same nslookup works via a DA client. We can see that DNS64 is failing internally on site, and for some reason the DCs seem to want to use IPv6 to replicate.
    DNS servers & DCs are 2008 R2; the DA server is Server 2012 with the ISATAP router on the same box.

    Again – many thanks for your blog!

    Paul.

    Reply
    • That is certainly unusual. I’m not aware of any IPv6 DNS issues that would prevent replication from working correctly. However, your DNS server should not need an ISATAP interface (or any other IPv6 tunneling adapter) so I’d recommend disabling those on the DC/DNS servers.

      Reply
  17. GarethC

     July 10, 2016

    Hi Richard, I’ve been wrestling with setting up DA for a few weeks. Finally got it mostly working today. Question about DNS. We have our DA servers in a child domain (e.g. abc.xyz.com), and we have quite a few DNS zones in our root domain (xyz.com) that are totally different namespaces, e.g. company.com. The issue is the DA clients can’t resolve names like intranet.company.com, I’m guessing because it doesn’t match any of the entries under “Name Suffix” on the DNS page for “Infrastructure Server Setup”. Do we really need to add all these extra internal zones to this Name Suffix list with the DA server’s IPv6 address? I tested and it worked for 1 zone, but it seems like double handling. For a client on the LAN, DNS requests are passed from the child DNS to the parent DNS so it can resolve names in those zones. Any tips?
    Thanks
    Gareth

    Reply
    • Yes, you’ll have to add each of them to the DirectAccess DNS configuration. It’s not because of delegation, however. It’s for the client to understand which DNS server to send the requests to. If you can produce a text file with all of your internal domains, you can automate this process using the Add-DAClientDnsConfiguration PowerShell command.

      Reply
      • omgitsjocke

         November 8, 2017

        Hi! Are you aware of any problem with adding several hundred rows with Add-DAClientDnsConfiguration? Half of them generated: “WARNING: GPO updates cannot be applied on DC.domain.com. Changes will not take effect until the next policy refresh.”
        With a sleep between the rows they finally went through, and then DA crashed. After we finally got it back up we had rolled back the changes.
        On the next try we used the GUI instead. First we got through about 20 rows, then it got slower, and now we’re barely squeaking by 1 row an hour.
        At the moment we have gotten through a third of all the rows needed.

        Have you encountered this issue?

      • I am aware of this issue and have encountered it before. The times I have I’ve used PowerShell to make the changes without issue. Sounds like that’s not the case for you. I’m not aware of any workaround or fix, unfortunately. :/
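
The author’s suggestion above (feed a text file of internal suffixes to Add-DAClientDnsConfiguration) and the follow-up about several hundred rows stalling with GPO-update warnings call for the same script: one that skips suffixes already in the NRPT, paces the writes, and retries the ones that fail instead of aborting the batch. The following is an added example, not code from the original page or the author. The file path and the IPv6 address are placeholders (the address reuses the internal-adapter address quoted in a later comment purely as a sample value); use the DirectAccess server’s own internal IPv6 address, the same one the existing suffix entries point to. The cmdlet emits the GPO-update message as a warning, not an error, so the delay between writes is the mitigation for it; the retry loop covers outright failures.

```powershell
# Added example, not code from the original page. Run on the DirectAccess server.
$SuffixFile = 'C:\da\internal-suffixes.txt'                # assumed path, one suffix per line
$DnsAddress = 'fd15:90e4:ffbd:16db:c170:eff6:4c85:effe'    # placeholder; use your DA server's internal IPv6

function Add-DASuffixBatch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DnsIPAddress,
        [int]$DelaySeconds = 5,     # pause between writes so each GPO update can land
        [int]$MaxRetries   = 3
    )

    # Normalise NRPT suffixes (stored with a leading dot) so duplicates are detected either way.
    $existing = @(Get-DAClientDnsConfiguration | ForEach-Object { $_.DnsSuffix.TrimStart('.').ToLower() })
    $wanted   = Get-Content -Path $Path |
                ForEach-Object { $_.Trim().TrimStart('.').ToLower() } |
                Where-Object { $_ } | Sort-Object -Unique

    foreach ($suffix in $wanted) {
        if ($existing -contains $suffix) {
            [pscustomobject]@{ Suffix = $suffix; Status = 'AlreadyPresent'; Attempts = 0 }
            continue
        }
        $attempt = 0; $ok = $false; $err = $null
        while (-not $ok -and $attempt -lt $MaxRetries) {
            $attempt++
            try {
                Add-DAClientDnsConfiguration -DnsSuffix ".$suffix" -DnsIPAddress $DnsIPAddress -ErrorAction Stop | Out-Null
                $ok = $true
            }
            catch {
                $err = $_.Exception.Message
                Start-Sleep -Seconds ($DelaySeconds * $attempt)   # back off before retrying
            }
        }
        Start-Sleep -Seconds $DelaySeconds
        [pscustomobject]@{
            Suffix   = $suffix
            Status   = if ($ok) { 'Added' } else { "Failed: $err" }
            Attempts = $attempt
        }
    }
}

$log = Add-DASuffixBatch -Path $SuffixFile -DnsIPAddress $DnsAddress
$log | Format-Table -AutoSize
$log | Where-Object { $_.Status -like 'Failed*' } | Export-Csv -Path 'C:\da\suffix-failures.csv' -NoTypeInformation   # assumed path
```

Because the script is idempotent (already-present suffixes are skipped), it can simply be rerun against the same file after a failure or a rollback, and the failures CSV gives you the short list to investigate instead of the whole file.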

  18. Megatc101

     October 31, 2016

    Hi Richard, I have a question about a comment that you have in your book.
    You state that “the DirectAccess server must be able to reach the public Internet”.
    Are you saying the DA server needs to be able to initiate an outbound connection in order to work?
    I have the DA server configured with a single interface. It is on the internal network and is accessed via a NAT on the firewall. To further complicate matters, the external IP is a VIP on a load balancer, which is acting as a reverse proxy. This configuration is currently working, and we are able to perform manage-out.
    I’m just trying to understand your comment in case I’ve missed something.

    Regards

    Reply
    • For deployments where the DirectAccess server is behind a NAT, then the server must only be “reachable” from the public Internet. It would not necessarily have to have Internet access itself. If the DirectAccess server were in an edge-facing scenario and needed to support Teredo, then it would require Internet access.

      Reply
  19. Stefan

     December 12, 2016

    Good day Mr. Hicks,

    I wanted to thank you very much for your work and the offering of deep and helpful knowledge about DirectAccess for the public.

    Your DA blog helped me a lot during the final work of my apprenticeship. With your help and other sources for Windows 2012 R2, I successfully decommissioned an old Windows 2008 CA and implemented a new 2-level 2012 R2 CA (Root and Issuing) for my DirectAccess environment. Our RDS complicated everything a bit and I had to use a little “hack” to get it on track, but everything works fine now and the users were super happy!

    Thank you again so much for sharing your knowledge and helping me to finish my apprenticeship as the second best of my whole state 🙂

    Best regards from cold and cloudy Switzerland, and excuse my bad English writing. I hope you get the essence of it.

    Reply
  20. Chandrashekar HS

     December 13, 2016

    Hi Richard,

    Recently we have been doing a POC at our office premises on DirectAccess on Windows Server 2012 R2 for supporting the following clients:

    1) Windows 7
    2) Windows 8
    3) Windows 10
    4) Mac OS

    We are able to do testing with the Windows laptops, but for Mac OS we are unable to proceed because we don’t know whether DirectAccess supports Mac OS or not. But I saw your article on the Celestix Networks website saying that DirectAccess supports Mac OS, and for this we need to install the Secure Access client from Celestix. So I applied for a 30-day trial version of the software to check how it works. Could you please let me know of any document or article which speaks about how DirectAccess will support Mac OS?

    I didn’t get the trial software yet, and once I get the software I need to do testing on Mac OS. So it would be great if you have a document about Mac OS on DirectAccess.

    Thanks & Regards
    Chandrashekar HS

    Reply
    • The Mac OS is not a supported DirectAccess client. The only operating systems that work for DirectAccess are Windows 10 Enterprise, Windows 10 Education, Windows 8.x Enterprise, Windows 7 Enterprise, and Windows 7 Ultimate. The Celestix solution is a custom VPN solution and is not DirectAccess.

      Reply
  21. Scott Jameson

     January 23, 2017

    Hello, I am not clear on how to fix “Routes required to send packets to the corporate network have not been published on adapter Internal. These routes are required for remote clients to reach the corporate network.”
    I have an “External” NIC with 2 consecutive static public IPv4 IPs and the default gateway of the ISP, and an “Internal” NIC with a static internal IPv4 and IPv6 address, pointed at the internal DNS/Domain Controller, with no default gateway set. Edge scenario; the Cisco has static internal IPv4 and IPv6 addresses set. The DA server is Windows Server 2012. Wizard Step 3 “Infrastructure Servers”: external adapter 2605:6001:e166:300:6e:840a:e2:f000 and internal adapter fd15:90e4:ffbd:16db:c170:eff6:4c85:effe. Self-signed certificate auto-created by DirectAccess. Internal network IPv6 prefixes: fd15:90e4:ffbd::/48. IPv6 prefix assigned to DirectAccess client computers: fd15:90e4:ffbd:1000::/64. IPv6 prefix assigned to VPN client computers: blank. What command exactly should I type to add the missing static route? I understand from the obvious that the route needs to be added to the Internal NIC, but for which IPv6 range and pointing to what as the target? Would adding an IPv4 and/or IPv6 route on the Internal adapter pointing the local subnet to the Cisco help, like a replacement for not having a default gateway assigned? Sorry, I am a DirectAccess noob!

    Reply
    • Run the following PowerShell command on the DirectAccess server:

      New-NetRoute -DestinationPrefix fd15:90e4:ffbd::/48 -InterfaceAlias Internal -AddressFamily IPv6 -Publish Yes

      Let me know if that resolves your issue. 🙂

      Reply
  22. Hi Richard,

    Great Blog !
    I have set up DirectAccess using force tunnelling and all is working well except for proxy exceptions; I cannot figure out how to force certain domains to bypass the configured proxy. At present, web URLs that use the FQDN are being passed to the web proxy. Can you tell me if there is a simple way to add exceptions?

    Reply
  23. Hello, Richard.
    Thank you for DA blog. Helped me so much.
    I can’t find a proper answer on the web: how do I change the IP-HTTPS port from 443 to another port? DA was working well on port 443, but another app needs to run there. Can you suggest how to set up another port in DA? I know that I can change the GPO on existing machines to look for a different port, but that doesn’t suit me, because I need to offline-join new clients to AD.
    I will be waiting for your help.
    Thank you.

    Reply
    • Hi Matt – Although it is possible to change the default IP-HTTPS port to use a non-standard port, it is prohibitively difficult and not really recommended. Guidance for making this change can be found here: https://technet.microsoft.com/en-us/library/jj134148(v=ws.11).aspx#bkmk_iph. Have fun! 😉

      Reply
      • Richard, thank you for the link!
        Good guide, but something is missing in it.
        After performing all the steps, IP-HTTPS doesn’t start. A red cross is showing. It says that IP-HTTPS is waiting for data on port 443, but “netsh show interface” shows the new, correct port, 8443, and no errors.
        And after a server reboot, “netsh show interface” shows 443 instead of the new 8443, and it also auto-sets the SSL certificate to port 443.
        Maybe you know what is missed?😊
        Thank you.

      • No idea…it’s not something I have ever tried, even in a lab. 😉

  24. Dominic

     March 12, 2018

    Hi there, we have just deployed a multisite configuration behind a firewall device. The first server worked fine; then multisite was configured; the settings for the 2nd server were deployed and show green in RAS management, but clients cannot connect to the server.

    IP-HTTPS interface active

    get-daconnectionstatus message: name resolution failure

    Reply
    • When you enable multisite, clients that are outside will immediately lose connectivity. They must update group policy to connect after multisite is enabled. You’ll have to bring them back on the network or connect with VPN to update group policy and restore connectivity.

      Reply
      • Dominic Applegate

         March 12, 2018

        Hi there, we did that but are getting a name resolution error; the IP-HTTPS interface is active and both servers are configured exactly the same.

        Thanks for your assistance

      • Interesting. Could be any number of things then, really. Send me an email and I’ll try to provide more assistance there.

  25. Dominic

     March 13, 2018

    Best to use the form to email you?

    Reply
  26. markklerkx

     December 15, 2019

    Dear Richard,

    Hello,
    Last week I installed Always On VPN at a customer. All server OSes were 2019 (separate NPS and RRAS servers).
    The client OS is Windows 10 Enterprise 1709.
    Because all the other servers in their environment were W2008 R2, I decided to upgrade 1 DC to W2019 and build a new CA based on W2019. So all necessary certificates were issued by a W2019 CA with the highest compatibility level.
    I also checked that the default domain certificates were issued by the W2019 CA.
    On both the client and the server, IKEv2 is configured.
    The client is not able to connect. In the client’s event log, there is error 20227 ending with failure 809.
    On the RRAS server there were 2 errors:
    20271
    —————————————————————-
    CoId={B5286053-DC15-80E6-3C87-A905E7AAEDD3}: The user username connected from 1.1.1.1 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
    ——————————————————————
    20225
    ——————————————————————
    CoId={B5286053-DC15-80E6-3C87-A905E7AAEDD3}: The following error occurred in the Point to Point Protocol module on port: VPN2-1, UserName: . Negotiation timed out
    ——————————————————————
    Does anyone have any idea what went wrong?
    I already installed another Always On VPN chain in the same network and it has the same behavior.
    Could it be the fact that the user is in a W2008 R2 AD functional level or something like that?

    Reply
  27. markklerkx

     December 16, 2019

    I just did an upgrade of W10 from 1709 to 1909. Same result. Still no connection. I also checked all certificates. All AOVPN-specific certificates are issued by the new CA. All old certificates from the old CA were removed.

    On the RRAS server there was this error 20255, but it is strange that it is talking about PPTP:
    ———————————————————
    CoId={5B77563D-5DE4-66EF-CF47-54680F7CD764}: The following error occurred in the Point to Point Protocol module on port: VPN2-1, UserName: . Negotiation timed out
    ——————————————————–

    On the W10 client, I see that a connection is established but broken for some reason.

    Reply
