MVP Profile
DirectAccess Training

TechMentor Redmond 2017
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
Buy This!

Learn PowerShell!
@richardhicks
- #DirectAccess load balancing in the #cloud. @KEMPtech rmhci.co/2pROPhN:: 20 minutes ago
- RT @SCTimesNews: Planes are dropping fire suppression on @MCIWPendletonCA wild land fire. #SanClemente https://t.co/2ZNcC0GpVe:: 8 hours ago
- Yep...just a bit smoky here in the South OC tonight. :/ #orangecounty twitter.com/MCIWPendletonC…:: 8 hours ago
- RT @yuridiogenes: #Petya #ransomware prevention & detection in #Azure #Security Center azure.microsoft.com/en-us/blog/pet…:: 8 hours ago
- Spied this guy in the backyard a few days ago. :) #coopershawk @ Mission Viejo, California instagram.com/p/BV5xllBDKMT/:: 12 hours ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
- 6to4
- ADC
- Amazon EC2
- Amazon Web Services
- application delivery controller
- AWS
- Azure
- cloud
- Consulting Services
- DirectAccess
- DirectAccess Book
- DNS
- EC2
- education
- Encryption
- Enterprise
- F5
- Forefront TMG 2010
- Forefront UAG 2010
- Geographic Redundnacy
- High Availability
- Hotfix
- iManage
- Important Links
- IP-HTTPS
- IPv6
- IPv6 Transition
- ISATAP
- Kemp
- learning
- Load Balancing
- LoadMaster
- Manage Out
- multisite
- MVP
- NAP
- NCA
- Netscaler
- network connectivity assistant
- nmap
- Offline Domain Join
- OTP
- Pluralsight
- PowerShell
- Professional Services
- public cloud
- Recommended Reading
- Remote Access
- Security
- SSL and TLS
- Surface Pro
- Surface Pro 4
- System Center 2012
- Teredo
- Training
- troubleshooting
- Uncategorized
- Update
- video
- VPN
- Web Application Proxy
- webinar
- Windows 10
- Windows 7
- Windows 8
- Windows 8.1
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- WorkSite
Tag Cloud
6to4 Active Directory ADC application delivery controller authentication Azure book certificate certificates conference configuration DirectAccess DirectAccess 2012 DNS education error F5 Forefront Forefront UAG Forefront UAG 2010 geographic redundancy GPO group policy high availability hotfix Important Links IP-HTTPS IPsec IPv6 IPv6 transition protocol IPv6 transition technology ISATAP Kemp Kemp Technologies load balancer load balancing LoadMaster management Manage Out Microsoft multisite Networking network load balancing network location server NLB NLS OTP performance PKI PowerShell redundancy Remote Access scalability security Server 2012 SSL Teredo TLS training troubleshooting UAG UAG 2010 update VPN Windows Windows 7 Windows 8 Windows 8.1 Windows 8.x Windows 10 Windows Server Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

Uninstalling and Removing DirectAccess

Uninstalling and Removing DirectAccess This web site is primarily dedicated to installing, configuring, managing, and troubleshooting DirectAccess on Windows Server 2012 R2 and Windows Server 2016. However, there’s little documentation on how to properly uninstall and remove DirectAccess. This post provides guidance for gracefully uninstalling and removing DirectAccess after it has been deployed.

DirectAccess Clients

It is recommended that all clients be deprovisioned prior to decommissioning a DirectAccess deployment. This is especially true if the Network Location Server (NLS) is hosted on the DirectAccess server itself. Remove all client computers from the DirectAccess client security group or unlink DirectAccess client settings GPOs (but don’t delete them!) from any OUs where they are applied. Allow sufficient time for all clients to process security group membership changes and update group policy before uninstalling DirectAccess.

Network Location Server

If the NLS is installed separate from the DirectAccess server, it is recommended that it remain online for a period of time after DirectAccess has been decommissioned. Clients will be unable to access local resources if they still have DirectAccess client settings applied and the NLS is offline. Keeping the NLS online prevents this from happening. If this does happen, you’ll need to delete the Name Resolution Policy Table (NRPT) on the client to restore connectivity. To do this, run the following command in an elevated PowerShell command window and restart the computer.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Uninstall DirectAccess

It is not recommended to decommission DirectAccess by simply turning off all DirectAccess servers and manually deleting all of the associated group policy objects (GPOs) in Active Directory. A better way is to gracefully remove DirectAccess using the GUI or PowerShell.

To uninstall DirectAccess using the GUI, open the Remote Access Management console, highlight DirectAccess and VPN, and then click Remove Configuration Settings in the Tasks pane.

Uninstalling and Removing DirectAccess

Alternatively, DirectAccess can be removed by running the following command in an elevated PowerShell command window.

Uninstall-RemoteAccess -Force

Additional Resources

DirectAccess Network Location Server (NLS) Guidance

DirectAccess Network Location Server (NLS) Deployment Considerations for Large Enterprises

Implementing DirectAccess with Windows Server 2016

6 Comments

by Richard M. Hicks on April 13, 2017 • Permalink

Posted in DirectAccess, Remote Access

Tagged configuration, decommission, DirectAccess, DNS, GUI, installation, name resolution policy table, NRPT, PowerShell, Remote Access, remove, troubleshooting, uninstall

Posted by Richard M. Hicks on April 13, 2017

https://directaccess.richardhicks.com/2017/04/13/uninstalling-and-removing-directaccess/

DirectAccess IPv6 Support for WorkSite and iManage Work

DirectAccess IPv6 Support for WorkSite and iManage Work iManage Work (formerly WorkSite) is a popular document management system commonly used in the legal, accounting, and financial services industries. Historically, there have been issues getting WorkSite to function over DirectAccess, because WorkSite used IPv4 addresses and DirectAccess clients use IPv6. When a DirectAccess client is outside of the office, it communicates with the DirectAccess server using IPv6 exclusively, so applications that make calls directly to IPv4 addresses won’t work.

One way DirectAccess administrators could make WorkSite function was to use portproxy to create v4tov6 address and port mappings on the client. However, this method is error prone, difficult to troubleshoot and support, and doesn’t scale effectively.

The good news is that beginning with release 9, the iManage Work client application has been upgraded to support IPv6. However, it is not enabled by default. To enable IPv6 support for iManage Work, add the following registry key on the client side (not the server!). No other changes are required.

HKLM\Software\Wow6432Node\Interwoven\WorkSite\Server Common\

Type: REG_SZ
String: IP Address Family
Value: IPv6

You can also use the following PowerShell command to add this registry entry.

New-Item -Path “HKLM:\Software\Wow6432Node\Interwoven\WorkSite\Server Common\” -Force
New-ItemProperty -Path “HKLM:\Software\Wow6432Node\Interwoven\WorkSite\Server Common\”-Name “IP Address Family” -PropertyType String -Value IPv6 -Force

After validation testing is complete, deploy the registry setting via Active Directory group policy preferences to all DirectAccess clients and iManage Work will function perfectly over DirectAccess!

Additional Resources

Active Directory Group Policy Preferences on Microsoft TechNet

iManage Web Site

Implementing DirectAccess with Windows Server 2016

1 Comment

by Richard M. Hicks on April 10, 2017 • Permalink

Posted in DirectAccess, iManage, IPv6, IPv6 Transition, PowerShell, Remote Access, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, WorkSite

Tagged Active Directory, DirectAccess, document management, GPO, group policy, group policy object, group policy preferences, iManage, iManage Work, IPv4, IPv6, IPv6 transition technology, IPv6 transition tunnel, netsh, portproxy, registry, Remote Access, v6v4tunnel, WorkSite

Posted by Richard M. Hicks on April 10, 2017

https://directaccess.richardhicks.com/2017/04/10/directaccess-ipv6-support-for-worksite-and-imanage-work/

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

A Windows 7 or Windows 8.x/10 client may fail to establish a DirectAccess connection using the IP-HTTPS IPv6transition technology. When troubleshooting this issue, running ipconfig.exe show that the media state for the tunnel adapter iphttpsinterface is Media disconnected.

Running the Get-NetIPHttpsState PowerShell command on Windows 8.x/10 clients or the netsh interface httpstunnel show interface command on Windows 7 clients returns an error code of 0x800b0109 with an interface status Failed to connect to the IPHTTPS server; waiting to reconnect.

Error code 0x800b0109 translates to CERT_E_UNTRUSTEDROOT, indicating the client was unable to establish an IP-HTTPS connection because the certificate presented during the SSL handshake was issued by a certification authority that was not trusted. This commonly occurs when the DirectAccess server is configured with an SSL certificate issued by the internal PKI and DirectAccess clients are provisioned using offline domain join without using the /rootcacerts switch.

Troubleshooting DirectAccess IP-HTTPS Error 0x800b0109

To resolve IP-HTTPS error code 0x800b0109, obtain the root certificate for the certificate authority that issued the SSL certificate used for IP-HTTPS and import it in to the DirectAccess client’s Trusted Root Certification Authorities local computer certificate store. Once complete, restart the IP helper service to reinitiate an IP-HTTPS connection.

Additional Information

Provisioning DirectAccess Clients using Windows Offline Domain Join

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

DirectAccess Expired IP-HTTPS Certificate and Error 0x800b0101

Implementing DirectAccess with Windows Server 2016

Leave a comment

by Richard M. Hicks on April 6, 2017 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, Offline Domain Join, PowerShell, Remote Access, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Tagged 0x800b0109, certificate, DirectAccess, error, error code, IP-HTTPS, IPv6, IPv6 transition technology, netsh, PKI, PowerShell, Remote Access, SSL, SSL/TLS, TLS, troubleshooting

Posted by Richard M. Hicks on April 6, 2017

https://directaccess.richardhicks.com/2017/04/06/troubleshooting-directaccess-ip-https-error-code-0x800b0109/

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

A Windows 7 or Windows 8.x/10 client may fail to establish a DirectAccess connection using the IP-HTTPS IPv6 transition technology. When troubleshooting this issue, running ipconfig.exe shows that the media state for the tunnel adapter iphttpsinterface is Media disconnected.

Running the Get-NetIPHttpsState PowerShell command on Windows 8.x/10 clients or the netsh interface httpstunnel show interface command on Windows 7 clients returns and error code of 0x80090326, with an interface status Failed to connect to the IPHTTPS server; waiting to reconnect.

Error code 0x80090326 translates to SEC_E_ILLEGAL_MESSAGE, indicating the client encountered a fatal error during the SSL handshake.

There are a number of things that can cause this to happen. The most common scenario occurs when an Application Delivery Controller (ADC) is improperly configured to perform client certificate authentication for IP-HTTPS connections. Common examples are an incorrect or missing root CA certificate, or null SSL/TLS cipher suites not enabled when supporting Windows 8.x/10 clients.

To troubleshoot DirectAccess IP-HTTPS error 0x80090326, perform a network trace on the DirectAccess client and observe the TLS handshake for clues as to which configuration error is the culprit. If the TLS handshake failure occurs immediately after the client sends a Client Hello, it is likely that the ADC does not have null cipher suites enabled.

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

If the TLS handshake failure occurs after the Server Hello, it is likely that the ADC is configured to perform client certificate authentication incorrectly, or the client does not have a valid certificate.

IP-HTTPS error 0x80090326 can also occur if an intermediary device is performing SSL/TLS inspection or otherwise tampering with the TLS request. It can also happen if the edge firewall and/or NAT device is forwarding IP-HTTPS connections to the wrong internal server, or if the firewall itself is responding to the HTTPS connection request. Remember, just because the server is responding on TCP port 443 doesn’t necessarily mean that it is the DirectAccess server responding!

Additional Information

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

DirectAccess Troubleshooting Consulting Services

Implementing DirectAccess with Windows Server 2016

Leave a comment

by Richard M. Hicks on April 3, 2017 • Permalink

Posted in ADC, application delivery controller, Encryption, F5, IP-HTTPS, IPv6 Transition, Netscaler, PowerShell, Remote Access, Security, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Tagged 0x80090326, DirectAccess, encryption, error, IP-HTTPS, IPv6 transition technology, PowerShell, Remote Access, security, SSL, SSL/TLS, support, TLS, troubleshooting

Posted by Richard M. Hicks on April 3, 2017

https://directaccess.richardhicks.com/2017/04/03/troubleshooting-directaccess-ip-https-error-0x80090326/

DirectAccess Troubleshooting and Configuration Training at TechMentor Redmond 2017

DirectAccess and Windows 10 in Education I’m really excited to announce that I have once again been invited to speak at the upcoming TechMentor event in Redmond, WA August 7-11, 2017! This year I’ll be presenting two important deep-dive training sessions on DirectAccess. The first is a three-hour course on implementing DirectAccess using Windows Server 2016. This session will cover infrastructure prerequisites as well as tips, tricks, and best practices for implementing DirectAccess using Windows Server 2016. In addition I will also be delivering a three-hour deep dive on DirectAccess troubleshooting. In this session, I’ll share valuable insight, tools, and techniques for quickly identifying and resolving many common DirectAccess connectivity and performance issues. In addition I will also be giving a short talk on getting started with Azure site-to-site networking. If you want to take advantage of the power and flexibility that the Azure public cloud has to offer, extending your on-premises datacenter using site-to-site VPN is essential.

M01: Implementing DirectAccess with Windows Server 2016
T03: DirectAccess Troubleshooting Deep Dive
T07: Getting Started with Azure Site-to-Site Networking

Leave a comment

by Richard M. Hicks on March 30, 2017 • Permalink

Posted in Azure, cloud, DirectAccess, education, Remote Access, Training, troubleshooting

Tagged Azure, configuration, deep dive, DirectAccess, education, hybrid cloud, implementation, learn, learning, Networking, Remote Access, site-to-site VPN, support, TechMentor, training, troubleshooting, VPN, Windows Server 2016

Posted by Richard M. Hicks on March 30, 2017

https://directaccess.richardhicks.com/2017/03/30/directaccess-troubleshooting-and-configuration-training-at-techmentor-redmond-2017/

DirectAccess and Azure Multifactor Authentication

Introduction

DirectAccess and Azure Multifactor Authentication DirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).

DirectAccess and Azure Multifactor Authentication

Azure Authentication-as-a-Service

Azure Multifactor Authentication (MFA) is a popular OTP provider used to enable strong user authentication for a variety of platforms, including web sites and client-based VPN. Unfortunately, it doesn’t work with DirectAccess. This is because Azure MFA uses a challenge/response method for which DirectAccess does not support. To use OTP with DirectAccess, the user must be able to enter their PIN and OTP immediately when prompted. There is no provision to begin the authentication process and wait for a response from the OTP provider.

PointSharp ID Multifactor Authentication

An excellent alternative to Azure MFA is PointSharp ID. PointSharp is a powerful OTP platform that integrates easily with DirectAccess. It is also very flexible, allowing for more complex authentication schemes for those workloads that support it, such as Exchange and Skype for Business.

Evaluate PointSharp

You can download a fully-functional trial version of PointSharp ID here (registration required). The PointSharp ID and DirectAccess integration guide with detailed step-by-step instructions for configuring DirectAccess and PointSharp ID can be downloaded here. Consulting services are also available to assist with integrating PointSharp ID with DirectAccess, VPN, Exchange, Skype for Business, Remote Desktop Services, or any other solution that requires strong user authentication. More information about consulting services can be found here.

Additional Information

PointSharp Multifactor Authentication
Configure DirectAccess with OTP Authentication
DirectAccess Consulting Services
Implementing DirectAccess with Windows Server 2016

Leave a comment

by Richard M. Hicks on March 27, 2017 • Permalink

Posted in Azure, cloud, Consulting Services, DirectAccess, OTP, Professional Services, public cloud, Remote Access, Security, VPN, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Tagged authentication, Azure, DirectAccess, MFA, multifactor authentication, one-time password, one-time passwords, OTP, PointSharp, PointSharp ID, RADIUS, Remote Access, security, strong authentication, strong user authentication

Posted by Richard M. Hicks on March 27, 2017

https://directaccess.richardhicks.com/2017/03/27/directaccess-and-azure-multifactor-authentication/

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Running the Get-NetIPHttpsState PowerShell command on Windows 8.x/10 clients or the netsh interface httpstunnel show interface command on Windows 7 clients returns an error code of 0x90320, with an interface status Failed to connect to the IPHTTPS server; waiting to reconnect.

Error code 0x90320 translates to SEC_I_INCOMPLETE_CREDENTIALS, indicating the client was unable to authenticate to the DirectAccess server during the TLS handshake when establishing the IP-HTTPS IPv6 transition tunnel. This occurs when the DirectAccess server or an Application Delivery Controller (ADC) is configured to perform client certificate authentication for IP-HTTPS connections. The client may fail to authenticate if it does not have a valid certificate issued by the organization’s internal certification authority (CA) or if the DirectAccess server or ADC is configured to perform IP-HTTPS client authentication incorrectly.

To resolve this issue, ensure that a valid certificate is installed on the DirectAccess client. In addition, ensure that the DirectAccess server or ADC is configured to use the correct CA when authenticating clients establishing IP-HTTPS connections.

Additional Information

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using Citrix NetScaler

DirectAccess SSL Offload and IP-HTTPS preauthentication using Citrix NetScaler

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP

2 Comments

by Richard M. Hicks on March 20, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, Netscaler, PowerShell, Remote Access, Security, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on March 20, 2017

https://directaccess.richardhicks.com/2017/03/20/troubleshooting-directaccess-ip-https-error-code-0x90320/

DirectAccess WinRM Conflicts and Errors

Introduction

When installing DirectAccess for the first time, an administrator may encounter the following error message while running the Remote Access Setup wizard.

Error. The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig”.

Troubleshooting

Running winrm quickconfig in an elevated PowerShell command window returns the following message.

WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

Clicking Check prerequisites again does not resolve the error message.

Post-Installation Errors

If DirectAccess is already installed and working properly, an administrator may encounter a scenario in which the operations status page displays nothing, yet remote DirectAccess clients are connected and able to access corporate resources without issue.

In addition, clicking Edit on Step 2 in the Remote Access Management console and choosing Network Adapters produces an error message stating “An error occurred when validating interfaces”. You can select a network adapter from the drop-down list, but the Next and Finish buttons are grayed out.

Conflicts with WinRM

These errors are commonly caused by a conflict with WinRM Service settings enforced via Active Directory group policy. To confirm this, open an elevated PowerShell command window run the winrm enumerate winrm/config/listener command. The listener configuration source will be listed as GPO.

The administrator will also find the presence of the following registry keys on the DirectAccess server.

HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\IPv4Filter
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\IPv6Filter

Resolution

To resolve this conflict, prevent the GPO with this setting from being applied to the DirectAccess server(s). You will find this GPO setting in the Group Policy Management console (GPMC) by navigating to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service and setting the state of Allow remote server management through WinRM to Not configured.

Additional Resources

DirectAccess and Windows 10 Better Together

DirectAccess and Windows 10 in Education

VIDEO – DirectAccess and Windows 10 in Action

BOOK – Implementing DirectAccess with Windows Server 2016

Leave a comment

by Richard M. Hicks on February 13, 2017 • Permalink

Posted in DirectAccess, PowerShell, Remote Access, troubleshooting, Windows Server 2012 R2, Windows Server 2016

Tagged DirectAccess, error, group policy, IIS, management, prerequisites, Remote Access, remote management, troubleshooting, WinRM, WinRM quickconfig

Posted by Richard M. Hicks on February 13, 2017

https://directaccess.richardhicks.com/2017/02/13/directaccess-winrm-conflicts-and-errors/

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

When troubleshooting DirectAccess client connectivity issues, you may encounter a scenario where clients are unable to connect using the IP-HTTPS IPv6 transition technology. Running ipconfig shows that the tunnel adapter IPHTTPSInterface media state is Media disconnected.

Running the Get-NetIpHttpsState PowerShell command shows that the LastErrorCode is 0x2af9 (WSAHOST_NOT_FOUND) and the InterfaceStatus is Failed to connect to the IPHTTPS server; waiting to reconnect.

The 0x2af9 error differs slightly from the more common 0x274c IP-HTTPS connection time out error (WSAETIMEDOUT). In this scenario the DirectAccess client can successfully resolve the DirectAccess public hostname to an IPv4 address, and if ICMP echo requests are allowed on the DirectAccess server’s public IPv4 address it will respond to ping.

The DirectAccess client is also able to establish a TCP connection to the DirectAccess server using the Test-NetConnection PowerShell command.

So, why is the IP-HTTPS interface unable to establish a transition tunnel connection when the DirectAccess server’s public hostname resolves correctly via DNS and the client can establish a TCP connection on port 443? Commonly this is caused by proxy server settings configured in the web browser on the DirectAccess client computer. Disabling the proxy server in the client’s web browser should restore DirectAccess client connectivity over IP-HTTPS.

DirectAccess IP-HTTPS Error 0x2af9

If clearing the proxy server settings in the client machine’s web browser still does not restore IP-HTTPS connectivity, it may be that a proxy server is also configured for winhttp. You can confirm this by opening an elevated PowerShell command window and running the netsh winhttp show proxy command.

To clear the winhttp proxy server settings run the netsh winhttp reset proxy command.

Additional Resources

DirectAccess Expired IP-HTTPS Certificate and Error 0x800b0101

DirectAccess IP-HTTPS Preauthentication

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

DirectAccess SSL Offload using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication with F5 BIG-IP

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Implementing DirectAccess with Windows Server 2016 Book

4 Comments

by Richard M. Hicks on February 6, 2017 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6 Transition, PowerShell, Remote Access, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1

Posted by Richard M. Hicks on February 6, 2017

https://directaccess.richardhicks.com/2017/02/06/directaccess-ip-https-error-0x2af9/

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Introduction

Communication between the DirectAccess client and server takes place exclusively over IPv6. When DirectAccess servers and/or clients are on the IPv4 Internet, an IPv6 transition technology must be employed to allow those clients to connect to the DirectAccess server. DirectAccess deployment best practices dictate that only the IP-HTTPS IPv6 transition technology be used. IP-HTTPS uses SSL/TLS for server authentication and optionally encryption. To improve security and performance for IP-HTTPS, an Application Delivery Controller (ADC) like the Citrix NetScaler can be configured to perform SSL offloading and client preauthentication for DirectAccess IP-HTTPS connections.

Please note that the following caveats apply when enabling SSL offload for DirectAccess clients:

Enabling SSL offload and IP-HTTPS preauthentication on an ADC for DirectAccess is formally unsupported by Microsoft.
SSL offload should not be enabled with DirectAccess is configured to use one-time password (OTP) authentication. Offloading SSL will break OTP functionality.

IP-HTTPS Challenges

The IP-HTTPS IPv6 transition technology is a simple and effective way to allow DirectAccess clients and servers to communicate by encapsulating IPv6 traffic in HTTP and routing it over the public IPv4 Internet. However, there are two critical issues with the default implementation of IP-HTTPS in DirectAccess. One is a security issue, the other affects performance.

Security

The DirectAccess server does not authenticate clients establishing IP-HTTPS connections. This could allow an unauthorized client to obtain an IPv6 address from the DirectAccess server using the IPv6 Neighbor Discovery (ND) process. With a valid IPv6 address, the unauthorized user could perform internal network reconnaissance or launch a variety of Denial of Service (DoS) attacks on the DirectAccess infrastructure and connected clients. More details here.

Performance

Windows 7 DirectAccess clients use encrypted cipher suites when establishing IP-HTTPS connections. However, the payload being transported is already encrypted using IPsec. This double encryption increases resource utilization on the DirectAccess server, reducing performance and limiting scalability. More details here.

Note: Beginning with Windows Server 2012 and Windows 8, Microsoft introduced support for null encryption for IP-HTTPS connections. This eliminates the needless double encryption, greatly improving scalability and performance for DirectAccess clients using IP-HTTPS.

SSL Offload for DirectAccess IP-HTTPS

The Citrix NetScaler can be configured to perform SSL offload to improve performance for Windows 7 DirectAccess clients using IP-HTTPS. Since DirectAccess does not natively support SSL offload, the NetScaler must be configured in a non-traditional way. While the NetScaler will be configured to terminate incoming IP-HTTPS SSL connections, it must also use SSL for the back-end connection to the DirectAccess server. However, the NetScaler will be configured only to use null cipher suites when connecting to the DirectAccess server. Even though Windows 7 clients will still perform double encryption to the NetScaler, this configuration effectively offloads from the server the heavy burden of double encrypting every IP-HTTPS connection for all connected DirectAccess clients. This results in reduced CPU utilization on the DirectAccess server, yielding better scalability and performance.

SSL Offload and Windows 8.x/10 Clients

Offloading SSL for Windows 8.x/10 clients will not improve performance because they already use null cipher suites for IP-HTTPS when connecting to a Windows Server 2012 or later DirectAccess server. However, terminating SSL on the NetScaler is still required to perform IP-HTTPS preauthentication.

Supported NetScaler Platforms for DirectAccess SSL Offloading

The following configuration for Citrix NetScaler can be performed on any release of the VPX virtual ADC platform. However, be advised that there is a known issue with older releases on the MDX and SDX hardware platforms that will prevent this from working. For MDX and SDX deployments, upgrading to release 11.1 build 50.10 or later will be required.

Configure Citrix NetScaler for IP-HTTPS SSL Offload

To enable SSL offloading for DirectAccess IP-HTTPS on the Citrix NetScaler, open the NetScaler management console, expand Traffic Management and Load Balancing, and then perform the following procedures in order.

Add Servers

Click Servers.
Click Add.
In the Name field enter a descriptive name for the first DirectAccess server.
Select IP Address.
In the IP Address field enter the IP address of the first DirectAccess server.
Click Create.
Repeat these steps for any additional servers in the load-balanced cluster.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Services

Click Services.
Click Add.
In the Service Name field enter a descriptive name for the service.
Select Existing Server from the Server drop-down list.
Choose the first DirectAccess server in the cluster.
Choose SSL from the Protocol drop-down list.
Click Ok.
Edit SSL Parameters.
1. In the Protocol section uncheck SSLv3.
2. Click Ok.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type NULL in the Search Ciphers box.
4. Check the box next to the first entry for SSL3-NULL-SHA.
5. Click the right arrow to add the cipher to the list.
6. Click Ok.
7. Click Done.
8. Repeat these steps for any additional servers in the load-balanced cluster.

A warning message may be displayed indicating that no usable ciphers are configured on the SSL vserver/service. This message can be safely ignored.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Virtual Server

Click Virtual Servers.
1. Click Add.
2. In the Name field enter a descriptive name for the virtual server.
3. Choose SSL from the Protocol drop-down list.
4. In the IP Address field enter the IP address for the virtual server.
5. Click Ok.
  
  Note: When enabling load balancing in DirectAccess, the IP address assigned to the first DirectAccess server is reallocated for use as the load balancing Virtual IP Address (VIP). Ideally this IP address will be assigned to the load balancing virtual server on the NetScaler. However, this is not a hard requirement. It is possible to configure the VIP on the NetScaler to reside on any subnet that the load balancer has an interface to. More details here.
In the Services and Groups section click No Load Balancing Virtual Server Service Binding.
1. Click on the Select Service field.
2. Check all DirectAccess server services and click Select.
3. Click Bind.
4. Click Continue.
In the Certificate section click No Server Certificate.
1. Click on the Select Server Certificate field.
2. Choose the certificate to be used for DirectAccess IP-HTTPS.
3. Click Select.
4. Click Bind.
5. Click Continue.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type ECDHE in to the Search Ciphers box.
4. Check the box next to TLS1-ECDHE-RSA-AES128-SHA.
5. Click the right arrow to add the cipher to the list.
6. Type NULL in to the Search Ciphers box.
7. Check the box next to SSL3-NULL-SHA.
8. Click the right arrow to add the cipher to the list.
9. Click Ok.
10. Click Done.
  
  Note: If Windows 8.x/10 clients are supported exclusively, SSL3-NULL-SHA is the only cipher suite required to be configured on the virtual server. If Windows 7 client support is required, the TLS1-ECDHE-RSA-AES128-SHA cipher suite should also be configured on the virtual server.
Edit SSL Parameters.
1. Uncheck SSLv3.
2. Click Ok.
  
  Note: If Windows 8.x/10 clients are supported exclusively, TLSv1 can also be unchecked on the virtual server. If Windows 7 client support is required, TLSv1 must be enabled.
In the Advanced Settings section click Persistence.
1. Choose SSLSESSION.
2. Enter 10 minutes for the Time-out (mins) value.
3. Click Ok.
4. Click Done.

Optional IP-HTTPS Preauthentication

To enable IP-HTTPS preauthentication to prevent unauthorized network access, perform the following procedures on the Citrix NetScaler appliance.

Expand Traffic Management, Load Balancing, and then click Virtual Servers.
Select the DirectAccess virtual server and click Edit.
1. In the Certificate section click No CA Certificate.
2. Click the Select CA Certificate field.
3. Choose the certificate for the CA that issues certificates to DirectAccess clients and servers.
  
  Note: The CA certificate used for DirectAccess can be found by opening the Remote Access Management console, clicking Edit on Step 2, and then clicking Authentication. Alternatively, the CA certificate can be found by running the following PowerShell command.
  
  (Get-RemoteAccess).IPsecRootCertificate | Format-Table Thumbprint
4. Click Select.
5. Choose CRL Optional from the CRL and OCSP Check drop-down list.
6. Click Bind.
Edit SSL Parameters.
1. Check the box next to Client Authentication.
2. Choose Mandatory from the Client Certificate drop-down list.
3. Click Ok.
4. Click Done.

Summary

Leveraging the advanced capabilities of the Citrix NetScaler ADC can improve performance when supporting Windows 7 clients and enhance security for all DirectAccess clients using IP-HTTPS. In terms of supportability, all of the changes described in this article are completely transparent and do not alter the native DirectAccess client or server configuration. If a Microsoft support engineer declines support due to this configuration, switching from SSL offload to SSL bridge is all that’s required to restore full supportability.

Additional Resources

NetScaler release 11.1 build 50.10 (requires login) – https://www.citrix.com/downloads/netscaler-adc/firmware/release-111-build-5010

Release notes for build 50.10 of NetScaler 11.1 release – https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_1_50_10.html

VIDEO: Enable Load Balancing for DirectAccess – https://www.youtube.com/watch?v=3tdqgY9Y-uo

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP – https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess SSL offload for IP-HTTPS using F5 BIG-IP – https://directaccess.richardhicks.com/2013/07/10/ssl-offload-for-ip-https-directaccess-traffic-from-windows-7-clients-using-f5-big-ip/

Implementing DirectAccess with Windows Server 2016 book – http://directaccessbook.com/

7 Comments

by Richard M. Hicks on January 17, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, High Availability, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Netscaler, Remote Access, Security, SSL and TLS, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 17, 2017

https://directaccess.richardhicks.com/2017/01/17/directaccess-ssl-offload-and-ip-https-preauthentication-with-citrix-netscaler/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
Consulting

DirectAccess Consulting Services

Now Available!
KEMP Technologies

LoadMaster Load Balancers

Download a free trial!
PointSharp ID

Multifactor Authentication

for DirectAccess!
Recent Posts
DirectAccess Resources

MVP Profile

Connect

Mailing List

Buy This!

RSS Feed

Archives

Categories

Tag Cloud

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

Consulting

KEMP Technologies

PointSharp ID

Recent Posts

DirectAccess Resources