DirectAccess Network Connectivity Assistant (NCA) Configuration Guidance

The DirectAccess Network Connectivity Assistant (NCA), first introduced in Windows 8, provides DirectAccess connectivity status information as well as diagnostic support on the client. The NCA validates that DirectAccess is working end-to-end by attempting to reach internal resources defined by the administrator during the configuration of DirectAccess. NCA configuration and operation are a source of much confusion. This article provides best practice configuration guidance for the NCA to ensure optimum and reliable operation.

NCA Operation

When a DirectAccess client is outside the corporate network, it will attempt to establish a DirectAccess connection any time it has an active Internet connection. After a DirectAccess connection is made, the NCA will attempt to validate DirectAccess connectivity by verifying availability of corporate resources as defined in the DirectAccess configuration (Remote Access Management console, Step 1, Edit, Network Connectivity Assistant).

If the NCA can reach the defined internal corporate resource(s), the DirectAccess connection is verified end-to-end and it will report the connection status as “Connected”. If it fails to connect to any internal corporate resource, it displays “Connecting”.


Figure 1. NCA successfully validated internal corporate resource connectivity.


Figure 2. NCA failed to connect to one or more corporate resources.

NCA Configuration

When first installing DirectAccess, the Remote Access Setup wizard will collect information to be used by the NCA, including corporate resources, helpdesk email address, and DirectAccess connection name. It will also provide the option to allow DirectAccess clients to use local name resolution.

Note: The NCA settings configured in the Remote Access Management console pertain only to Windows 8.x and Windows 10 clients. They are not used by Windows 7 clients at all.


Intuitively it would appear that information needs to be entered in the Resource and Type fields. However, it is recommended to leave these blank when first configuring DirectAccess, because the Remote Access Setup Wizard will automatically populate them later. Specifying a resource during initial configuration will result in two entries being included, as shown here.


As you can see, the Remote Access Setup wizard automatically added the resource directaccess-WebProbeHost.<internal domain>. A corresponding DNS record is created that resolves this hostname to the internal IPv4 address of the DirectAccess server. In this configuration, the DirectAccess server itself serves as the corporate resource used by the NCA.

Multiple Corporate Resources

Having more than one resource to validate connectivity to the internal network is problematic though. If there are multiple entries specified, they must ALL pass a validation check from the client to report the connection status as “Connected”. Some administrators configure multiple entries with the mistaken belief that it will provide redundancy for the NCA, but it actually has the opposite effect. Having more than one entry only increases the chance of a false positive.

NCA Configuration Best Practices

It is recommended that only a single corporate resource URL be defined for the NCA. The default directaccess-WebProbeHost running on the DirectAccess server can be used, or, alternatively, another internal web server can be specified if desired. Any web server will work, including Microsoft Internet Information Services (IIS), Apache, NGINX, and most Application Delivery Controllers (ADCs) or load balancers. HTTPS is not required for the web probe host, only HTTP. If using an internal web server, ensure that it is highly available.

Do NOT use the Network Location Server (NLS) as a corporate resource! The NLS is exempted from the Name Resolution Policy Table (NRPT) on the client and is not reachable over DirectAccess. This will result in the NCA failing and reporting a “Connecting” status perpetually. In addition, avoid the use of PING for validating internal corporate resources. Ping uses ICMP which is inherently unreliable and commonly blocked by host and intermediary firewalls, making it an unreliable indicator of corporate network connectivity over DirectAccess.
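A client-side audit of the points above, as an added PowerShell example that is not from the original article. It assumes the DirectAccessClientComponents, DnsClient and NetworkConnectivityStatus modules that ship with Windows 8.x and Windows 10 DirectAccess clients, and it assumes that NRPT rules carrying no DirectAccess DNS server are the exemptions (the NLS entry being one of them); the resource formats shown in comments are illustrative.

```powershell
# Added example, not from the original article: audit this client's NCA settings
# against the guidance above. Assumes the DirectAccessClientComponents, DnsClient
# and NetworkConnectivityStatus modules shipped with Windows 8.x/10 DA clients.
Import-Module DirectAccessClientComponents -ErrorAction Stop

$config    = Get-DAClientExperienceConfiguration
$resources = @($config.CorporateResources)   # entries look like "HTTP:http://host/" or "PING:host"

Write-Host "Corporate resources defined for the NCA: $($resources.Count)"
$resources | ForEach-Object { Write-Host "  $_" }

# Rule 1: a single resource. Every entry must pass before the NCA reports
# "Connected", so additional entries only add ways to end up in "Connecting".
if ($resources.Count -ne 1) {
    Write-Warning "Expected exactly one corporate resource, found $($resources.Count)."
}

# Rule 2: no PING probes. ICMP is commonly blocked and proves little about reachability.
foreach ($r in $resources) {
    if ($r -match '^PING:') { Write-Warning "PING-based resource configured: $r" }
}

# Rule 3: never the NLS. The NLS is exempt from the NRPT and unreachable over
# DirectAccess. Assumption: NRPT rules with no DirectAccess DNS servers are the
# exemptions, so the NLS name is among them.
$exemptNames = Get-DnsClientNrptPolicy |
    Where-Object { -not $_.DirectAccessDnsServers } |
    ForEach-Object { $_.Namespace.TrimStart('.') }

# Rule 4: the one HTTP resource must resolve and answer over plain HTTP.
foreach ($r in $resources) {
    if ($r -notmatch '^HTTP:(?<url>https?://.+)$') { continue }
    $url       = $Matches['url']
    $probeHost = ([System.Uri]$url).Host

    foreach ($name in $exemptNames) {
        if ($probeHost -like "*$name") {
            Write-Warning "$probeHost matches NRPT exemption '$name' (the NLS?); the NCA cannot reach it over DirectAccess."
        }
    }

    try {
        $records = Resolve-DnsName -Name $probeHost -ErrorAction Stop
        $reply   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        Write-Host "OK: $probeHost -> $($records.IPAddress -join ', ') answered HTTP $($reply.StatusCode)"
    }
    catch {
        Write-Warning "Probe failed for $url : $($_.Exception.Message)"
    }
}

# What the client itself concludes, for comparison with the checks above.
Get-DAConnectionStatus | Select-Object Status, Substatus
```

Run it from a client that is outside the corporate network and already shows a DirectAccess connection; a warning from any of the four rules explains a perpetual "Connecting" status far faster than reading the console settings by hand.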

Summary

The NCA is a crucial and often misunderstood component in the DirectAccess architecture. Follow the guidance outlined here to ensure that the NCA works reliably and effectively in your environment.

Additional Resources

  • DirectAccess Clients in Connecting State when using External Load Balancer
  • Planning and Implementing DirectAccess on Windows Server 2016 on Pluralsight
  • Implementing DirectAccess with Windows Server 2016 book

DirectAccess and Windows 10 Professional

Does Windows 10 Professional Support DirectAccess?

This is a question I’ve received on more than one occasion. For some reason there seems to be a persistent rumor on the Internet that Windows 10 Professional is now a supported client for DirectAccess. I’m not sure where this rumor got started, but I’ll put it to rest right now – Windows 10 Professional is NOT a supported DirectAccess client! DirectAccess still requires Enterprise edition (with two exceptions) to take advantage of DirectAccess for secure remote access.

Supported DirectAccess Clients

The following is a complete list (as of this writing) of client operating systems that support DirectAccess.

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 8.1 Enterprise
  • Windows 7 Enterprise
  • Windows 7 Ultimate


If you are running a version of Windows that is not Enterprise edition (with the exception of Windows 7 Ultimate and Windows 10 Education) DirectAccess will not work. Be careful, because you can still provision non-Enterprise SKUs such as Windows 10 Professional for DirectAccess. All of the DirectAccess settings will be applied without issue and everything will look perfectly normal, but DirectAccess won’t work. The telltale sign on Windows 8.x and Windows 10 clients is that you won’t be able to start the Network Connectivity Assistant (NCA) service (NcaSvc). When you attempt to do so you will receive the following error message:

Failed to start service 'Network Connectivity Assistant (NcaSvc)'


Identify OS Version

You can verify the operating system SKU by looking at the output of systeminfo.exe or by going to the control panel under System and Security and clicking System.


Upgrade from Windows 10 Professional to Enterprise

A new feature introduced in Windows 10 allows you to easily upgrade the product SKU without having to perform an in-place upgrade or reinstall the entire operating system from scratch. So, if you have Windows 10 Enterprise licenses and you want to upgrade a Windows 10 Professional device to Enterprise (for example, you want to enable your new Surface Pro 4 to use DirectAccess!), you can simply provide the Enterprise product license key in Windows 10 to upgrade. You can provide a new product key by navigating to Start | Settings | Update & Security | Activation | Change Product Key, or run changepk.exe from the Run dialog box or the command line.


Enter your Windows 10 Enterprise product key and then click Start Upgrade.


After the system reboots it will have been upgraded to Enterprise edition and now work as a DirectAccess client.
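The steps described in this post, identifying the edition, checking the NcaSvc telltale and then applying an Enterprise key, as an added PowerShell example that is not from the original post. It reads the edition from the EditionID value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and from Win32_OperatingSystem, mirrors the supported-edition list above, and uses the changepk.exe /ProductKey switch for the upgrade; the product key it mentions is a placeholder.

```powershell
# Added example, not from the original post: report whether this machine's edition
# is on the supported list above, try the NcaSvc telltale, and offer the in-place
# edition upgrade via changepk.exe. Run from an elevated PowerShell session.

function Test-DirectAccessEdition {
    # Supported editions per the list above: Windows 10 Enterprise/Education,
    # Windows 8.1 Enterprise, Windows 7 Enterprise/Ultimate. EditionID carries
    # values such as "Professional", "Enterprise", "EnterpriseS" or "Education".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption   = $os.Caption
        Build     = $os.BuildNumber
        EditionID = $cv.EditionID
        Supported = [bool]($cv.EditionID -match '^(Enterprise|Education|Ultimate)')
    }
}

function Test-NcaService {
    # On Windows 8.x/10 an unsupported SKU shows up as NcaSvc refusing to start.
    $svc = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NcaSvc not present (expected on Windows 7, which does not use it)' }
    if ($svc.Status -eq 'Running') { return 'NcaSvc running' }
    try {
        Start-Service -Name NcaSvc -ErrorAction Stop
        return 'NcaSvc started'
    }
    catch {
        return "NcaSvc failed to start: $($_.Exception.Message)"
    }
}

function Invoke-EnterpriseUpgrade {
    # In-place SKU change described above; Windows reboots to finish it.
    param([Parameter(Mandatory)][string]$ProductKey)
    & "$env:SystemRoot\System32\changepk.exe" /ProductKey $ProductKey
}

$edition = Test-DirectAccessEdition
$edition | Format-List
Write-Host (Test-NcaService)

if (-not $edition.Supported) {
    Write-Warning "$($edition.EditionID) is not a supported DirectAccess client edition."
    Write-Host "To upgrade, run: Invoke-EnterpriseUpgrade -ProductKey '<your Windows 10 Enterprise key>'"
}
```

The edition test is deliberately a prefix match so that variants such as Enterprise N or Enterprise LTSB are accepted, while anything starting with Professional is not; the upgrade function is only printed as a suggestion, never run automatically, so the script is safe to use as a read-only check across a fleet.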

Summary

With Windows 10, it’s easy to upgrade from Professional to Enterprise edition by simply providing the Enterprise edition product key. This works great if you have just a few machines to upgrade, but if you are planning to upgrade many machines I would recommend creating a deployment package using the Windows Imaging and Configuration Designer (ICD), which is included with the Windows 10 Assessment and Deployment Kit (ADK) and can be downloaded here. Once you’ve upgraded your Windows 10 Professional devices to Windows 10 Enterprise you can begin provisioning them for DirectAccess!
