DirectAccess Fails on Windows 11 24H2

Microsoft recently released Windows 11 24H2. Not long after the release there have been numerous reports of DirectAccess failing after performing an in-place upgrade from previous versions of Windows 11. New installations of Windows 11 24H2 experience the same problem.

Update 10/28/2024: This issue is resolved with KB5044384.

Testing

After downloading and configuring a Windows 11 24H2 test client I was able to quickly reproduce the issue. While previous versions of Windows 11 can connect to my test DirectAccess server without issue, the Windows 11 24H2 client fails.

Troubleshooting

Looking at the DirectAccess status indicator in the UI the DirectAccess connection remains ‘Connecting’ perpetually. Further investigation indicates an IP-HTTPS interface error. Running the command netsh.exe interface httpstunnel show interface reveals an error code 0x57 (invalid parameter) with the following error message.

Failed to connect to the IPHTTPS server. Waiting to reconnect.

Workaround

Currently there is no known root cause for this issue and there is no available workaround. Administrators should delay upgrading to Windows 11 24H2 if DirectAccess is deployed in the organization. I will continue to investigate and post additional information as I learn more. Stay tuned!

Additional Information

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

Microsoft DirectAccess Now Formally Deprecated

DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)

SSL and TLS Training for Always On VPN Administrators

Understanding Transport Layer Security (TLS) is essential for Always On VPN administrators. TLS (formerly Security Sockets Layer, or SSL) is used not only for Secure Socket Tunneling Protocol (SSTP), the protocol of choice for the Always On VPN user tunnel in most deployments, but many other technologies such as secure websites and email, Remote Desktop Protocol (RDP), secure LDAP (LDAPS), and many more. High-quality, affordable TLS training is challenging to find, however.

UPDATE! This course has been further discounted for a limited time. Details below!

Practical TLS

Thankfully, Ed Harmoush from Practical Networking has a fantastic training course called Practical TLS that meets these requirements. It is the most comprehensive TLS training course I’ve seen and is surprisingly affordable too!

Course Content

The Practical TLS training course includes the following modules.

  • Module 1 – SSL/TLS Overview (free preview!)
  • Module 2 – Cryptography
  • Module 3 – x509 Certificates and Keys
  • Module 4 – Security through Certificates
  • Module 5 – Cipher Suites
  • Module 6 – SSL/TLS Handshake
  • Module 7 – TLS Defenses

TLS 1.3

The Practical TLS training course does not yet include a module on the newest TLS protocol, TLS 1.3. However, it is due out imminently! Ed is working on the content as we speak, and a preview module is included in the course today. Look for the final TLS 1.3 module soon.

Bonus Content

In addition to excellent TLS training, the course includes free OpenSSL training! Administrators working with certificates in non-Microsoft environments are sure to find this helpful. Understanding OpenSSL will benefit administrators working with network and security appliances such as firewalls and load balancers.

Enroll Now

The cost of the Practical TLS training course is regularly $297.00. It is a perpetual license, so you can view the content whenever you like and as often as you wish. You will also have access to future updates, such as the upcoming TLS 1.3 module. In addition, you can save $100.00 on the course by using promotional code RICHARDHICKS when you sign up. Don’t hesitate. Register for Practical TLS training now!

Special Discount

For a limited time, you can use the code PracticalTLS13 to get this entire course for just $49.00! This won’t last long, so register soon!

Additional Information

Practical Networking Blog

Practical TLS Training Course – $100 Off!

OpenSSL Training Course

Microsoft Always On VPN and TLS 1.3

Microsoft Always On VPN SSTP Security Configuration

Microsoft Always On VPN SSTP Certificate Renewal

Microsoft Always On VPN SSTP with Let’s Encrypt Certificates