All posts tagged IPv6

DirectAccess IP-HTTPS Null Cipher Suites Not Available

Microsoft first introduced support for null cipher suites for the IP-HTTPS IPv6 transition technology in Windows Server 2012, and it is supported for DirectAccess in Windows 8.x and Windows 10 clients. Using null cipher suites for IP-HTTPS eliminates the needless double encryption that occurs when using encrypted cipher suites. DirectAccess is a unique workload where SSL/TLS encryption isn’t really required because the payload being transported in HTTPS is already encrypted.

No Encryption by Design

When supporting Windows 8.x and Windows 10 clients, ensuring null cipher suites (TLS_RSA_WITH_NULL_SHA and TLS_RSA_WITH_NULL_SHA256) are enabled and operational is crucial to providing the highest levels of performance and scalability for the remote access solution. When following implementation best practices, this isn’t really an issue. However, in some cases null cipher suites may be disabled. This will result in reduced scalability and degraded performance for Windows 8.x and Windows 10 clients.

Validating SSL/TLS Configuration

The easiest way to verify that null cipher suites are being offered by the DirectAccess server is to use the Qualys SSL Labs server test site. Ideally you should see a result similar to this.

Figure 1. Qualys SSL Labs server test site results for properly configured DirectAccess server.

Don’t be alarmed by the overall rating “F”. That happens because the Qualys test site is designed to test web servers where using null cipher suites would be a serious security issue. As I stated previously, the DirectAccess workload is unique in that its HTTPS payload is already encrypted, so using null cipher suites is acceptable in this scenario.

Figure 2. Qualys SSL Labs server test site results for properly configured DirectAccess server showing support for null SSL/TLS cipher suites.

Null Cipher Suites Missing

When performing the Qualys SSL labs server test on a DirectAccess server, an overall rating of “A” is not desirable and indicates the DirectAccess server is misconfigured. This is caused by the lack of support for null cipher suites.

Figure 3. Qualys SSL Labs server test site results for misconfigured DirectAccess server.

Common Causes

Null cipher suites for SSL and TLS can be disabled for a variety of reasons. Below are some of the most common causes for the lack of support for null cipher suites for DirectAccess.

Self-Signed Certificates – Using the Getting Started Wizard (simplified deployment) will configure DirectAccess using a self-signed certificate for IP-HTTPS. Using a self-signed certificate is discouraged for numerous reasons, most importantly because it disables support for null cipher suites.

Security Hardening – Security administrators may proactively disable support for null cipher suites in a misguided effort to “improve security” for DirectAccess. While this is acceptable and recommended on a web server, it is not advisable to disable null cipher suites on a DirectAccess server.

SSL Certificate Signing Algorithm – Using an SSL certificate signed with an Elliptical Curve (EC) key as opposed to an RSA key will result in the loss of support for null cipher suites for IP-HTTPS. High security/assurance certificates signed with EC keys are not recommended for use on DirectAccess servers and should be avoided if possible.

DirectAccess Configuration Options – Enabling One-Time Password (OTP) authentication on the DirectAccess server will also result in a loss of support for null cipher suites. Also, adding additional roles to the DirectAccess server such as client-based VPN or the Web Application Proxy (WAP) can also result in null cipher suites being disabled.

Summary

Null cipher suites are implemented by design on DirectAccess servers to enhance performance for Windows 8.x and Windows 10 clients and improve overall scalability for the implementation. They eliminate the pointless double encryption of DirectAccess communication, which itself is already encrypted. For optimal performance and scalability, be sure to follow implementation best practices and use a PKI-managed (public or private) SSL certificate signed with an RSA key (SHA-256 recommended). Resist the urge to “harden” the DirectAccess server by disabling support for null cipher suites, and avoid the use of SSL certificates signed with EC keys. In addition, carefully consider DirectAccess deployment options such as OTP authentication and consider deploying roles such as VPN and WAP on a separate server.

Additional Information

DirectAccess IP-HTTPS SSL and TLS Insecure Cipher Suites

DirectAccess IP-HTTPS Null Encryption and SSTP VPN

DirectAccess and FIPS Compliant Algorithms for Encryption

SSL Certificate Considerations for DirectAccess IP-HTTPS

3 Comments

by Richard M. Hicks on December 18, 2017 • Permalink

Posted by Richard M. Hicks on December 18, 2017

https://directaccess.richardhicks.com/2017/12/18/directaccess-ip-https-null-cipher-suites-not-available/

DirectAccess Manage Out with ISATAP and NLB Clustering

DirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.

ISATAP Supportability

According to Microsoft’s support guidelines for DirectAccess, using ISATAP for manage out is only supported for single server deployments. ISATAP is not supported when deployed in a multisite or load-balanced environment.

“Not supported” is not the same as “doesn’t work” though. For example, ISATAP can easily be deployed in single site DirectAccess deployments where load balancing is provided using Network Load Balancing (NLB).

ISATAP Configuration

To do this, you must first create DNS A resource records for the internal IPv4 address for each DirectAccess server as well as the internal virtual IP address (VIP) assigned to the cluster.

Note: Do NOT use the name ISATAP. This name is included in the DNS query block list on most DNS servers and will not resolve unless it is removed. Removing it is not recommended either, as it will result in ALL IPv6-enabled hosts on the network configuring an ISATAP tunnel adapter.

Once the DNS records have been added, you can configure a single computer for manage out by opening an elevated PowerShell command window and running the following command:

Set-NetIsatapConfiguration -State Enabled -Router [ISATAP FQDN] -PassThru

Once complete, an ISATAP tunnel adapter network interface with a unicast IPv6 address will appear in the output of ipconfig.exe, as shown here.

Running the Get-NetRoute -AddressFamily IPv6 PowerShell command will show routes to the client IPv6 prefixes assigned to each DirectAccess server.

Finally, verify network connectivity from the manage out host to the remote DirectAccess client.

Note: There is a known issue with some versions of Windows 10 and Windows Server 2016 that may prevent manage out using ISATAP from working correctly. There’s a simple workaround, however. More details can be found here.

Group Policy Deployment

If you have more than a few systems on which to enable ISATAP manage out, using Active Directory Group Policy Objects (GPOs) to distribute these settings is a much better idea. You can find guidance for creating GPOs for ISATAP manage out here.

DirectAccess Client Firewall Configuration

Simply enabling ISATAP on a server or workstation isn’t all that’s required to perform remote management on DirectAccess clients. The Windows firewall running on the DirectAccess client computer must also be configured to securely allow remote administration traffic from the internal network. Guidance for configuring the Windows firewall on DirectAccess clients for ISATAP manage out can be found here.

ISATAP Manage Out for Multisite and ELB

The configuration guidance in this post will not work if DirectAccess multisite is enabled or external load balancers (ELB) are used. However, ISATAP can still be used. For more information about enabling ISATAP manage out with external load balancers and/or multisite deployments, fill out the form below and I’ll provide you with more details.

Summary

Once ISATAP is enabled for manage out, administrators on the internal network can remotely manage DirectAccess clients wherever they happen to be. Native Windows remote administration tools such as Remote Desktop, Windows Remote Assistance, and the Computer Management MMC can be used to manage remote DirectAccess clients. In addition, enterprise administration tools such as PowerShell remoting and System Center Configuration Manger (SCCM) Remote Control can also be used. Further, third-party remote administration tools such as VNC, TeamViewer, LogMeIn, GoToMyPC, Bomgar, and many others will also work with DirectAccess ISATAP manage out.

Additional Information

ISATAP Recommendations for DirectAccess Deployments

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

Contact Me

Interested in learning more about ISATAP manage out for multisite and external load balancer deployments? Fill out the form below and I’ll get in touch with you.

3 Important Advantages of Always On VPN over DirectAccess

Windows 10 Always On VPN hands-on training classes now forming. Details here.

Windows 10 Always On VPN provides seamless and transparent, always on remote network access similar to DirectAccess. The mechanics of how it is delivered and managed are fundamentally different, as I discussed here. Some of these changes will no doubt present challenges to our way of thinking, especially in the terms of client provisioning. However, Always On VPN brings along with it some important and significant advantages too.

No More NLS

A Network Location Server (NLS) is used for inside/outside detection by DirectAccess clients. By design, the NLS is reachable by DirectAccess machines only when they are on the internal network. NLS availability is crucial. If the NLS is offline or unreachable for any reason at all, DirectAccess clients on the internal network will mistakenly believe they are outside the network. In this scenario, the client will attempt to establish a DirectAccess connection even though it is inside. This often fails, leaving the DirectAccess client in a state where it cannot connect to any internal resources by name until the NLS is brought back online.

Always On VPN eliminates the frailty of NLS by using the DNS connection suffix for trusted network detection. When a network connection is established, an Always On VPN connection will not be established if the DNS connection suffix matches what the administrator has defined as the internal trusted network.

Full Support for IPv4

DirectAccess uses IPv6 exclusively for communication between remote DirectAccess clients and the DirectAccess server. IPv6 translation technologies allow for communication to internal IPv4 hosts. While this works for the vast majority of scenarios, there are still many challenges with applications that do not support IPv6.

Always On VPN supports both IPv4 and IPv6, so application incompatibility issues will be a thing of the past! With full support for IPv4, the need for IPv6 transition and translation technologies is eliminated. This reduces protocol overhead and improves network performance.

Infrastructure Independent

Windows servers are required to implement DirectAccess. Always On VPN can be implemented using Windows servers as well, but it isn’t a hard requirement. Always On VPN is implemented entirely on the Windows 10 client, which means any third-party VPN device can be used on the back end, including Cisco, Checkpoint, Juniper, Palo Alto, Fortinet, SonicWALL, F5, strongSwan, and others! This provides tremendous deployment flexibility, making it possible to mix and match backend infrastructure if required. For example, a Windows RRAS VPN server with Palo Alto and SonicWALL firewalls could all be implemented at the same time (using the Windows built-in VPN client). Importantly, making changes to VPN infrastructure is much less impactful and disruptive to clients in the field. VPN devices can be upgraded, replaced, and moved internally without requiring corresponding policy changes on the client.

Additional Information

Always On VPN and the Future of Microsoft DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

Contact Me

Have questions about Windows 10 Always On VPN? Interested in learning more about this new solution? Fill out the form below and I’ll get in touch with you.

13 Comments

by Richard M. Hicks on December 4, 2017 • Permalink

Posted in Always On VPN, DirectAccess, F5, IPv6, IPv6 Transition, Remote Access, Security, VPN, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on December 4, 2017

https://directaccess.richardhicks.com/2017/12/04/3-important-advantages-of-always-on-vpn-over-directaccess/

Outlook Offline over DirectAccess on Windows 10

You may encounter a scenario in which Outlook on Windows 10 reports that it is working offline while connected remotely via DirectAccess. The Network Connectivity Status Indicator (NCSI) shows DirectAccess is in a connected state and all other internal resources are accessible.

This is caused by the default settings of the IP-HTTPS tunnel interface on the DirectAccess server not advertising a default route for connected DirectAccess clients. To resolve this issue, enable default route advertising for IP-HTTPS on each DirectAccess server in the enterprise by running the following PowerShell command.

Get-NetIPInterface | Where-Object {$_.InterfaceAlias -eq “IPHTTPSInterface”} | Set-NetIPInterface -AdvertiseDefaultRoute Enabled -PassThru

In the past I’ve heard reports of this setting being overwritten after group policy refresh. Recent testing on Windows Server 2016 does not show this behavior, however. Please report any results you may have in the comments below. Thanks!

17 Comments

by Richard M. Hicks on November 27, 2017 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, PowerShell, Remote Access, troubleshooting, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on November 27, 2017

https://directaccess.richardhicks.com/2017/11/27/outlook-offline-over-directaccess-on-windows-10/

SSL Certificate Considerations for DirectAccess IP-HTTPS

DirectAccess uses IPv6 exclusively for communication between the client and server. IPv6 transition technologies are used to support DirectAccess communication over the IPv4 public Internet. One of those IPv6 transition technologies, IP-HTTPS, uses HTTP for encapsulation and SSL/TLS for authentication of the DirectAccess server.

SSL Certificates

When configuring DirectAccess, an SSL certificate must be provided for IP-HTTPS. There are three different types of SSL certificates that can be used.

Public SSL Certificate – Using an SSL certificate signed by a public certification authority (CA) is the recommended best practice for configuring DirectAccess IP-HTTPS. This provides the highest level of assurance for DirectAccess clients connecting via IP-HTTPS.

Private SSL Certificate – Using an SSL certificate issued by the organization’s internal CA is an acceptable alternative to using a public SSL certificate in most cases. This can reduce the cost associated with obtaining the certificate, especially for multisite deployments.

Self-Signed Certificate – Using a self-signed certificate is not recommended and should be avoided in most deployment scenarios. A self-signed certificate provides no real assurance for DirectAccess clients. Crucially, using a self-signed certificate will disable support for null SSL and TLS cipher suites. This reduces the overall scalability and performance of the remote access solution.

Figure 1. Null cipher suites not supported when using a self-signed SSL certificate for IP-HTTPS.

Certificate Requirements

The SSL certificate must include the Server Authentication (1.3.6.1.5.5.7.3.1) Enhanced Key Usage (EKU) Object Identifier (OID). It should use an RSA key of 2048 bits and be signed with SHA256. Using stronger keys provides no additional protection and should not be used. In addition, SSL certificates using ECDSA keys is not recommended, as they do not support null cipher suites.

Summary

In most cases, using a public SSL certificate is ideal. However, issuing a certificate from a private CA is also acceptable. Using self-signed certificates can be used for non-production testing and in very small production deployments, but should generally be avoided.

Additional Resources

DirectAccess IP-HTTPS SSL and TLS Insecure Cipher Suites

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

9 Comments

by Richard M. Hicks on October 30, 2017 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, multisite, Security, SSL and TLS, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged certificate, certificates, cipher, cipher suites, DirectAccess, ECDSA, encryption, HTTP, HTTPS, IPv6, IPv6 transition technology, null cipher suites, performance, PKI, Remote Access, RSA, scalability, SSL, TLS, VPN

Posted by Richard M. Hicks on October 30, 2017

https://directaccess.richardhicks.com/2017/10/30/ssl-certificate-considerations-for-directaccess-ip-https/

DirectAccess Force Tunneling and Proxy Server Configuration

By default, DirectAccess is configured to use split tunneling. In this scenario, a remote DirectAccess client is connected to the internal corporate network and the public Internet at the same time. Some security administrators perceive split tunneling as a security risk, and the use of split tunneling may be prohibited by corporate security policy. In addition, enforcing web browsing policies on remote DirectAccess clients might be desired to reduce the risk of exposure from browsing unapproved web sites. In either case, force tunneling can be configured to meet these requirements.

When force tunneling is enabled, DirectAccess administrators can also define an on-premises proxy server for DirectAccess clients to use. The following is guidance for enabling force tunneling and configuring DirectAccess clients to use a proxy server to access the Internet.

Enabling Force Tunneling

To enable force tunneling, open the Remote Access Management console and perform the following steps.

Expand Configuration and select DirectAccess and VPN.
Click Edit on Step 1 Remote Clients.
Click Select Groups in the navigation tree.
Select the option to Use force tunneling.

Figure 1. Enable DirectAccess force tunneling in the Remote Access Management console.

Alternatively, force tunneling can quickly be enabled by opening an elevated PowerShell command window and running the following command.

Set-DAClient -ForceTunnel Enabled -PassThru

Figure 2. Enable DirectAccess force tunneling using PowerShell.

Configure a Proxy Server

Once force tunneling has been enabled, run the following PowerShell script to configure an on-premises proxy server for DirectAccess clients to use. Be sure to substitute the fully-qualified domain name (FQDN) and port for your proxy server in the $proxy variable below.

$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split(‘\’)[1]

$proxy = “proxy.corp.example.net:8080”

$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq “.” | Select-Object -ExpandProperty “Name”)

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType “UseProxyName” -Name $rule -GpoName $gpo

If multisite is enabled and Windows 7 clients are supported, run the following PowerShell script on one DirectAccess server in each entry point.

$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split(‘\’)[1]

$proxy = “proxy.corp.example.net:8080”

$downlevelrule = (Get-DnsClientNrptRule -GpoName $downlevelgpo | Where-Object Namespace -eq “.” | Select-Object -ExpandProperty “Name”)

Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType “UseProxyName” -Name $downlevelrule -GpoName $downlevelgpo

Remove Proxy Server

Run the following PowerShell script to remove the proxy server, if necessary.

$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split(‘\’)[1]

Set-DnsClientNrptRule -DAEnable $true -DAProxyType “UseDefault” -Name $rule -GpoName $gpo

$downlevelgpo = (Get-RemoteAccess).DownlevelGpoName
$downlevelgpo = $downlevelgpo.Split(‘\’)[1]

Set-DnsClientNrptRule -DAEnable $true -DAProxyType “UseDefault” -Name $downlevelrule -GpoName $downlevelgpo

Disable Force Tunneling

To disable force tunneling completely, run the following PowerShell command.

Set-DAClient -ForceTunnel Disabled -PassThru

Force Tunneling Caveats

When force tunneling is enabled, the user experience is typically poor when accessing the Internet. Web browsing performance is significantly reduced because of the added protocol overhead imposed by DirectAccess IPv6 transition technologies and IPsec encryption. This problem is further compounded when users access resources that are already encrypted, such as secure web sites. Increased packet fragmentation, along with the additional network latency caused by suboptimal network paths and increased network load on the server and Internet connection all contribute to degraded network performance for DirectAccess clients.

Force Tunneling Alternatives

Instead of enabling force tunneling, consider alternative solutions to address the security concerns associated with split tunneling. For example, implement technologies that enforce web browsing policies on the client. Many secure web gateways and next-generation firewalls (NGFW) have remote filtering capabilities that allow administrators to enforce web browsing policies on remote client machines. In addition, there are some excellent cloud-based solutions such as Zscaler and OpenDNS that can protect DirectAccess clients without the drawbacks associated with force tunneling.

Additional Information

Planning and Implementing DirectAccess with Windows Server 2016 video training course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 video training course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book

30 Comments

by Richard M. Hicks on July 27, 2017 • Permalink

Posted in DirectAccess, IPv6, IPv6 Transition, multisite, PowerShell, Remote Access, Security, Windows 10, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged DirectAccess, firewall, force tunnel, force tunneling, IPv6, IPv6 transition technology, next generation firewall, NGFW, PowerShell, proxy, Remote Access, script, scripting, security, split tunnel, split tunneling, transition technology

Posted by Richard M. Hicks on July 27, 2017

https://directaccess.richardhicks.com/2017/07/27/directaccess-force-tunneling-and-proxy-server-configuration/

Always On VPN and the Future of Microsoft DirectAccess

Windows 10 Always On VPN hands-on training classes now forming. Details here.

Since the introduction of Windows Server 2012 in September of 2012, no new features or functionality have been added to DirectAccess. In Windows Server 2016, the only real change aside from bug fixes for DirectAccess is the removal of Network Access Protection (NAP) integration support.

Figure 1. Remote Access Setup wizard with NAP integration option in Windows Server 2012/R2.

Figure 2. Remote Access Setup wizard without NAP integration option in Windows Server 2016.

DirectAccess Roadmap

It’s clear to see that Microsoft is no longer investing in DirectAccess, and in fact their field sales teams have been communicating this to customers for quite some time now. Microsoft has been actively encouraging organizations who are considering a DirectAccess solution to instead implement client-based VPN with Windows 10.

Always On VPN

New features introduced in the Windows 10 Anniversary Update allow IT administrators to configure automatic VPN connection profiles. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec. It comes with some additional benefits as well.

Conditional access and device compliance with system health checks
Windows Hello for Business and Azure multifactor authentication
Windows Information Protection (WIP) integration
Traffic filters to restrict VPN network access
Application-trigger VPN connections

DirectAccess Deprecated?

There has been rampant speculation that Microsoft plans to deprecate and retire DirectAccess. While that may in fact be true, Microsoft has yet to make a formal end-of-life announcement. There’s no reason DirectAccess and VPN couldn’t co-exist, so it’s not a certainty Microsoft will do this. However, there’s also no need to have multiple remote access solutions, and it is abundantly clear that the future for Microsoft remote access is Always On VPN and not DirectAccess.

Source: https://social.technet.microsoft.com/wiki/contents/articles/38546.new-features-for-vpn-in-windows-10-and-windows-server-2016.aspx#Advanced_VPN_Connectivity

Always On VPN Advantages and Disadvantages

Windows 10 Always On VPN has some important advantages over DirectAccess. It has some crucial limitations as well.

Advantages

Always On VPN supports non-Enterprise Windows 10 client SKUs (Windows 10 Home and Professional)
Always On VPN includes support for granular network access control
Always On VPN can use both IPv4 and IPv6
Always On VPN is infrastructure independent. In addition to supporting Windows RRAS, any third-party network device can be used such as Cisco, Checkpoint, Juniper, Palo Alto, SonicWALL, Fortinet, and many more

Disadvantages

Always On VPN works only with Windows 10. It is not supported for Windows 7
Always On VPN cannot be managed natively using Active Directory and group policy. It must be configured and managed using Microsoft Intune. Alternatively, Microsoft System Center Configuration Manager (SCCM) or PowerShell can be used.

DirectAccess or Always On VPN?

Should you deploy DirectAccess today or implement Always On VPN with Windows 10 instead? That depends on a number of factors. It’s important to understand that DirectAccess will be fully supported through the lifecycle of Windows Server 2019. If DirectAccess meets your needs today, you can deploy it with confidence that it will still have a long support life. If you have reservations about the future viability of DirectAccess, and if you meet all of the requirements to support Always On VPN with Windows 10, then perhaps that’s a better choice. If you’d like to discuss your remote access options in more detail, fill out the form below and I’ll get in touch with you.

Additional Resources

5 Things DirectAccess Administrators Should Know About Always On VPN

3 Important Advantages of Always On VPN over DirectAccess

NetMotion Mobility as an Alternative to DirectAccess

Windows 10 Always On VPN Hands-On Training Classes

13 Comments

by Richard M. Hicks on July 24, 2017 • Permalink

Posted in Always On VPN, DirectAccess, Enterprise, IPv6, PowerShell, Remote Access, Security, VPN, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on July 24, 2017

https://directaccess.richardhicks.com/2017/07/24/always-on-vpn-and-the-future-of-microsoft-directaccess/

Top 5 DirectAccess Troubleshooting PowerShell Commands

Native PowerShell commands in Windows 10 make DirectAccess troubleshooting much easier than older operating systems like Windows 7. For example, with one PowerShell command an administrator can quickly determine if a DirectAccess client has received the DirectAccess client settings policy. In addition, PowerShell can be used to view the status of the connection and retrieve additional information or error codes that can be helpful for determining the cause of a failed connection. Further, PowerShell can also be used to review configuration details and perform other troubleshooting and connectivity validation tasks.

Here are my top 5 PowerShell commands for troubleshooting DirectAccess on Windows 10.

1. Get-DAClientExperienceConfiguration

Ensuring that the DirectAccess Client Settings group policy has been applied to the client is one of the first steps in troubleshooting failed DirectAccess connections. While it is possible to use gpresult to do this, using the Get-DAClientExperienceConfiguration PowerShell command is much simpler. If DirectAccess client settings have been applied, the output of the command will include information such as the IPsec tunnel endpoint IPv6 addresses and the Network Connectivity Assistant (NCA) corporate resource URL. If DirectAccess client settings have not been applied, this information will be missing.

Figure 1. DirectAccess Client Settings group policy successfully applied.

Figure 2. DirectAccess Client Settings group policy not applied.

2. Get-NetIPHttpsState

Performance improvements first introduced in Windows 8 have made IP-HTTPS the IPv6 transition technology of choice when it comes to supporting DirectAccess client connectivity. Also, if the DirectAccess server is located behind an edge device performing Network Address Translation (NAT), IP-HTTPS is the only supported transition technology. Using the Get-NetIPHttpsState PowerShell command, the DirectAccess administrator can quickly determine if the IP-HTTPS connection was successful. If it was not, the command will return an error code and interface status that will indicate why the IP-HTTPS connection was unsuccessful.

Figure 3. Get-NetIPHttpsState

3. Get-NetIPHttpsConfiguration

When troubleshooting IP-HTTPS connection failures, it is necessary to obtain additional information to continue the troubleshooting process. Using the Get-NetIPHttpsConfiguration PowerShell command, the DirectAccess administrator can obtain the public hostname for the DirectAccess server and ensure that the name resolves to the correct IP address in DNS and that it is reachable on TCP port 443.

Figure 4. Get-NetIPHttpsConfiguration

4. Resolve-DnsName

Using the Resolve-DnsName PowerShell command is crucial when performing any name resolution tasks on the DirectAccess client. This is because Resolve-DnsName is aware of the Name Resolution Policy Table (NRPT) and will direct name resolution requests accordingly. Tools like nslookup are DNS server testing tools and are unaware of the NRPT. Typically they do not yield expected results when testing name resolution on a DirectAccess client.

Figure 5. Name resolution results from Resolve-DnsName and nslookup.

5. Get-DnsClientNrptPolicy

Often the cause of DirectAccess client connectivity issues is a misconfigured NRPT. Using the Get-DnsClientNrptPolicy PowerShell command the DirectAccess administrator can validate that name resolution requests for host names in any internal namespaces are being sent to the DirectAccess DNS64 IPv6 address.

Figure 6. Get-DnsClientNrptPolicy

Additional Resources

Top 5 DirectAccess Troubleshooting Tips

Troubleshooting Name Resolution Issues on DirectAccess Clients

Learn PowerShell in a Month of Lunches Book by Don Jones and Jeff Hicks

Implementing DirectAccess with Windows Server 2016 Book

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course

10 Comments

by Richard M. Hicks on July 10, 2017 • Permalink

Posted in DirectAccess, DNS, IP-HTTPS, IPv6, IPv6 Transition, NCA, network connectivity assistant, PowerShell, Remote Access, troubleshooting, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Tagged DirectAccess, DNS64, group policy, IP-HTTPS, IPsec, IPv6, IPv6 transition technology, name resolution policy table, NCA, network connectivity assistant, NRPT, NSlookup, PowerShell, Remote Access, transition technology, troubleshooting, Windows 7, Windows 8.x, Windows 8.x/10

Posted by Richard M. Hicks on July 10, 2017

https://directaccess.richardhicks.com/2017/07/10/top-5-directaccess-troubleshooting-powershell-commands/

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

The seamless and transparent nature of DirectAccess makes it wonderfully easy to use. In most cases, it requires no user interaction at all to access internal corporate resources while away from the office. This enables users to be more productive. At the same time, it offers important connectivity benefits for IT administrators and systems management engineers as well.

Always Managed

DirectAccess clients are automatically connected to the corporate network any time they have a working Internet connection. Having consistent corporate network connectivity means they receive Active Directory group policy updates on a regular basis, just as on-premises systems do. Importantly, they check in with internal management systems such as System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) servers, enabling them to receive updates in a timely manner. Thus, DirectAccess clients are better managed, allowing administrators to more effectively maintain the configuration state and security posture for all their managed systems, including those that are predominantly field-based. This is especially crucial considering the prevalence WannaCry, Cryptolocker, and a variety of other types of ransomware.

DirectAccess Manage Out

When manage out is configured with DirectAccess, hosts on the internal network can initiate connections outbound to remote connected DirectAccess clients. SCCM Remote Control and Remote Desktop Connection (RDC) are commonly used to remotely connect to systems for troubleshooting and support. With DirectAccess manage out enabled, these and other popular administrative tools such as VNC, Windows Remote Assistance, and PowerShell remoting can also be used to manage remote DirectAccess clients in the field. In addition, enabling manage out allows for the proactive installation of agents and other software on remote clients, such as the SCCM and System Center Operation Manager (SCOM) agents, third-party management agents, antivirus and antimalware software, and more. A user does not have to be logged on to their machine for manage out to work.

IPv6

DirectAccess manage out requires that connections initiated by machines on the internal network to remote-connected DirectAccess clients must be made using IPv6. This is because DirectAccess clients use IPv6 exclusively to connect to the DirectAccess server. To enable connectivity over the public IPv4 Internet, clients use IPv6 transition technologies (6to4, Teredo, IP-HTTPS), and IPv6 translation components on the server (DNS64 and NAT64) enable clients to communicate with internal IPv4 resources. However, DNS64 and NAT64 only translate IPv6 to IPv4 inbound. They do not work in reverse.

Native or Transition?

It is recommended that IPv6 be deployed on the internal network to enable DirectAccess manage out. This is not a trivial task, and many organizations can’t justify the deployment for just this one specific use case. As an alternative, IPv6 can be configured with an IPv6 transition technology, specifically the Intrasite Automatic Tunnel Addressing Protocol (ISATAP). ISATAP functions as an IPv6 overlay network, allowing internal hosts to obtain IPv6 addresses and routing information from an ISATAP router to support manage out for DirectAccess clients.

ISATAP

When DirectAccess is installed, the server is automatically configured as an ISATAP router. Guidance for configuring ISATAP clients can be found here. Using ISATAP can be an effective approach to enabling DirectAccess manage out for SCCM when native IPv6 is not available, but it is not without its drawbacks.

• Using the DirectAccess server for ISATAP is only supported with single server DirectAccess deployments.
• Using the DirectAccess server for ISATAP does work when using Network Load Balancing (NLB) with some additional configuration, but it is not supported.
• Using the DirectAccess server for ISATAP does not work when an external load balancer is used, or if multisite is enabled.

ISATAP with Load Balancing and Multisite

It is technically possible to enable DirectAccess manage out for SCCM using ISATAP in load-balanced and multisite DirectAccess deployments, however. It involves deploying a separate ISATAP router and some custom configuration, but once in place it works perfectly. I offer this service to my customers as part of a consulting engagement. If you’re interested in restoring DirectAccess manage out functionality to support SCCM remote control, RDC, or VNC in load-balanced or multisite DirectAccess deployments, fill out the form below and I’ll provide you with more information.

Additional Resources

ISATAP Recommendations for DirectAccess Deployments
DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016
DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out
Video: Windows 10 DirectAccess in action (includes manage out demonstration)

2 Comments

by Richard M. Hicks on June 12, 2017 • Permalink

Posted by Richard M. Hicks on June 12, 2017

https://directaccess.richardhicks.com/2017/06/12/directaccess-manage-out-and-system-center-configuration-manager-sccm/

Top 5 DirectAccess Troubleshooting Tips

DirectAccess is a thing of beauty when everything is working as it should. When it isn’t, troubleshooting can be quite challenging. DirectAccess relies on many Windows platform technologies such as Active Directory for authentication, PKI for certificate management, group policy for settings deployment, IPsec for encryption, and IPv6 for transport. With so many dependencies, locating the source of the problem can be a difficult and daunting task.

I’m frequently called upon to help organizations of all sizes with DirectAccess troubleshooting. While this post is not intended to be a detailed, prescriptive guide for DirectAccess troubleshooting, I did want to share some common troubleshooting tips based on many years of troubleshooting DirectAccess.

Here are my top 5 DirectAccess troubleshooting tips:

Check Prerequisites – Before diving in and collecting network traces and scouring event logs for clues as to why DirectAccess isn’t working, it’s essential to start at the beginning. Often the source of trouble is missing or misconfigured prerequisites. For example, is the DirectAccess client running a supported operating system? Remember, clients must be running Windows 10 Enterprise or Education, Windows 8.x Enterprise, or Windows 7 Enterprise or Ultimate. Also, ensure that the Windows firewall is enabled on DirectAccess servers and clients, that certificates are installed and valid (trusted, correct EKU, etc.), and that the DirectAccess settings GPO has been applied to servers and clients.
Validate External Connectivity – If you are following implementation and security best practices for DirectAccess, the DirectAccess server will be in a perimeter/DMZ network behind an edge firewall. The firewall must be configured to allow inbound TCP port 443 only. If the firewall is also performing Network Address Translation (NAT), the NAT rule must be configured to forward traffic to the DirectAccess server’s dedicated or virtual IP address (VIP), or the VIP of the load balancer. Watch for routing issues when using load balancers too. It’s a good idea to confirm external connectivity using the Test-NetConnection PowerShell command. Even better, use the open source tool Nmap for more thorough testing.
Remove Third Party Software – I can’t tell you how many times I’ve resolved DirectAccess connectivity issues by removing (not just disabling!) third party software on the client and/or server. It’s not uncommon for third-party security software to interfere with IPsec and/or IPv6 communication, both of which are vital to DirectAccess. If your DirectAccess troubleshooting efforts reveal no underlying issues with prerequisites or external connectivity, I’d suggest removing (at least temporarily) any third-party software and testing again.
Isolate Environmental Issues – Occasionally other settings applied manually or via Active Directory group policy will interfere with DirectAccess. Examples include IPv6 being disabled in the registry, IPv6 transition technologies required to support DirectAccess are turned off, essential firewall rules for DirectAccess are disabled, or manipulating local security settings such as Access this computer from the network. To assist with troubleshooting it might be necessary to temporarily place DirectAccess clients and servers in their own dedicated Organizational Units (OUs) and block inheritance to isolate the configuration as much as possible. In addition, if DirectAccess clients are servers are provisioned using images or templates, testing with a clean build straight from the installation source (ISO or DVD) can be helpful.
Check for Unsupported Configurations – If DirectAccess isn’t working, it might be possible the configuration you are trying to use is not supported. Examples including strong user authentication with OTP when force tunneling is enabled, provisioning Windows 7 clients when using Kerberos Proxy authentication, or provisioning Windows 10 clients when Network Access Protection (NAP) integration is enabled. These configurations won’t work and are formally documented here.

This is by no means a comprehensive or exhaustive troubleshooting guide. For more information and additional DirectAccess troubleshooting guidance I would encourage you to purchase my book Implementing DirectAccess with Windows Server 2016, which has an entire chapter devoted just to troubleshooting. In addition, watch my DirectAccess video training courses on Pluralsight for details and information about DirectAccess installation, configuration, management, support, and troubleshooting. And if you’re still struggling to resolve a DirectAccess problem, use the form at the bottom of this page to contact me to inquire about additional troubleshooting help.

Additional Resources

Microsoft Windows DirectAccess Client Troubleshooting Tool
DirectAccess and Windows 10 Professional
DirectAccess Troubleshooting with Nmap
DirectAccess Unsupported Configurations
Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book

Need assistance with DirectAccess troubleshooting? Complete the form below and I’ll get in touch with you.

1 Comment

by Richard M. Hicks on May 15, 2017 • Permalink

Posted in DirectAccess, IPv6, IPv6 Transition, PowerShell, Remote Access, Security, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on May 15, 2017

https://directaccess.richardhicks.com/2017/05/15/top-5-directaccess-troubleshooting-tips/

Search for:
Always On VPN Book

Pre-order Now!
DirectAccess Book
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
Recent Posts
Always On VPN Resources
DirectAccess Resources

Richard M. Hicks Consulting, Inc.

Awards

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

All posts tagged IPv6

DirectAccess IP-HTTPS Null Cipher Suites Not Available

Like this:

3 Important Advantages of Always On VPN over DirectAccess

Like this:

SSL Certificate Considerations for DirectAccess IP-HTTPS

Like this:

DirectAccess Force Tunneling and Proxy Server Configuration

Like this:

Always On VPN and the Future of Microsoft DirectAccess

Like this:

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

Like this:

Always On VPN Book

DirectAccess Book

NetMotion Mobility

Recent Posts

Always On VPN Resources

DirectAccess Resources

Awards

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged IPv6

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Always On VPN Book

DirectAccess Book

NetMotion Mobility

Recent Posts

Always On VPN Resources

DirectAccess Resources