DirectAccess IP-HTTPS Discovery Script for Nmap

DirectAccess IP-HTTPS Discovery Script for NmapWhen troubleshooting DirectAccess connectivity issues, the popular Nmap network mapping and discovery tool is an invaluable resource for verifying the communication path to the DirectAccess server from outside the network. However, just verifying that ports are open and listening often isn’t sufficient. In the case of IP-HTTPS, for example, the tried and true method of using telnet to verify that the port is open might be misleading. For instance, telnet might indicate that TCP port 443 is open and responding, but DirectAccess connectivity can still fail. This often happens as a result of a network configuration error that allows another network device other than the DirectAccess server to respond to HTTPS requests, which results in a false positive.

In an effort to conclusively determine that the DirectAccess server is responding, I’ve often relied on the SSL Labs Server Test site. Here I will enter the DirectAccess server’s public hostname and run the test, and from the results I can easily determine if indeed the DirectAccess server is responding by verifying that the HTTP server signature is Microsoft-HTTPAPI/2.0.

DirectAccess IP-HTTPS Discovery Script for NMAP

This usually works well, but it takes a few minutes to run the test, and there are a few scenarios in which it doesn’t work. For example, I might be working with a customer to perform some initial testing by using a local HOSTS file entry for the public name before the DNS record has been created. Also, if the SSL certificate on the DirectAccess server uses an IP address instead of a hostname (not recommended, but it is supported!) the SSL Labs server test won’t work.

Fortunately, the latest release Nmap (v7.00) now includes a script that enables the detection of Microsoft DirectAccess responding on TCP port 443. With the IP-HTTPS discovery script, it is now possible to determine not only if the port is open, but if the DirectAccess server is actually the service responding. The syntax for conducting a port scan using the IP-HTTPS discovery script for NMAP is as follows:

nmap.exe –n –Pn –p443 [directaccess_public_fqdn] –script [path_to_nmap_iphttps_discovery_script]

Here’s an example:

nmap.exe –n –Pn –p443 –script c:\tools\nmap\scripts\ip-https-discover.nse

DirectAccess IP-HTTPS Discovery Script for NMAP

Now it is possible, using just Nmap, to not only determine if the IP-HTTPS communication path is functioning, but to definitively determine that the DirectAccess server is the device responding.

Happy troubleshooting!

DirectAccess and VPN on RunAs Radio

DirectAccess and Windows Server 2012 R2 on RunAs RadioRecently I had the opportunity to once again join Richard Campbell on his popular RunAs Radio podcast to chat about all things remote access in Windows Server 2012 R2. The conversation starts out with DirectAccess, but we also touch upon important topics like client-based VPN and BYOD access. We also talk a little bit about DirectAccess in Windows Server 2016 and what the future might look like for DirectAccess in Windows.RunAs Radio

You can listen to the podcast here.


DirectAccess and Windows 10 Technical Preview Build 9926

Looking for more information on Windows 10 and DirectAccess? Click here!

Microsoft recently announced the availability of build 9926 of Windows 10 Technical Preview. This new update includes changes to the user interface that make it easier to view DirectAccess connection status and properties. In this latest build, using the Window Key + I keystroke combination now brings up the Settings menu.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 1 – Settings Window

To view the DirectAccess connection status, click Network & Internet and then click Show available connections.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 2 – Network & Internet (Show Available Connections)

Here you’ll find status information for all network connections including DirectAccess. Right-clicking the Workplace Connection will allow the user to disconnect their session, if that option is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 3 – DirectAccess Connectivity Status Indicator

Selecting the DirectAccess submenu reveals detailed information about DirectAccess connectivity, including current entry point connection and optional entry point selection, if manual entry point selection is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 4 – Network & Internet (DirectAccess Advanced Connection Properties)

Windows Server 2012 Unified Remote Access Book Coming Soon

My good friends Ben Ben-Ari and Bala Natarajan are putting the finishing touches on their latest book entitled Windows Server 2012 Unified Remote Access Planning and Deployment. This book will cover in detail how to plan and deploy remote access solutions using Windows Server 2012 including VPN (remote access and site-to-site) as well as DirectAccess. The authors are both highly qualified to write about this subject, as Ben has been supporting Forefront UAG 2010 and DirectAccess for many years, and Bala is the Program Manager for the Windows Core Networking team. The book is due to be released in January 2013 and it is sure to be an essential reference for all things remote access in Windows Server 2012. Pre-order your copy of Windows Server 2012 Remote Access today!

Windows Server 2012 Unified Remote Access Planning and Deployment

Win a Copy of Understanding IPv6 Third Edition

Recently I announced that Joe Davies’ third edition of Understanding IPv6 was available for purchase. The latest release is fully updated to cover IPv6 technologies up to and including Windows Server 2012 and Windows 8. This new edition also includes coverage of DirectAccess in Windows Server 2008 R2 and Windows Server 2012. This book will be a valuable resource for network and systems administrators implementing IPv6 on their corporate network or deploying DirectAccess to provide secure remote access. The good news is that I will be giving away several copies of this essential reference over the coming weeks and months! Stay tuned to this blog and follow me on Twitter and Facebook for details on how to win. I’ll be giving away my first copy of the book before the end of the month!

Networking and DirectAccess Sessions at TechEd 2012

This year I had the privilege of attending both TechEd North America and TechEd Europe, and presenting a session on Forefront TMG and UAG at both events. With the release of Windows 8 and Windows Server 2012 due later this year, there were many sessions about the technologies included in the new client and server operating systems. When I wasn’t delivering my session or spending time with the Microsoft team in the learning center, I attended a number of sessions on security and networking. If you were unable to attend, or perhaps missed any of these sessions, they are now all available online on MSDN Channel 9. [ North America | Europe ] Here is a list of my favorite sessions:

  • IPv6 Bootcamp: Get Up to Speed Quickly
  • Windows Server 2012 DirectAccess: How to Quickly and Easily Deploy Your Next Generation Remote Access Solution
  • Overview of Hyper-V Networking in Windows Server 2012
  • Windows Server 2012 NIC Teaming and Multichannel Solutions
  • Networking for Hybrid Cloud: BranchCache and Cross Premise Connectivity
  • Hyper-V Network Virtualization for Scalable Multi-Tenancy in Windows
  • Extending Enterprise Networks to Windows Azure using Windows Azure Virtual Networks
  • Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG
  • Ok, I have to admit that I’m somewhat biased about that last session on the list. 😉 However, Windows Server 2012 does have a lot of new networking features and capabilities that make it a compelling solution for remote access and hybrid cloud connectivity. Have a look at some of these sessions and start evaluating Windows 8 and Windows Server 2012 today!

    World IPv6 Launch Day

    It’s coming…and this time it’s for real. That’s right; World IPv6 Launch Day is set for June 6, 2012. Building on the successful World IPv6 Day, major Internet Service Providers (ISPs), home networking equipment manufacturers, and web companies from around the world are coming together to permanently enable IPv6 for their products and services. Sadly, my ISP, Cox Communications, does not appear to be participating. That means I’ll continue using Hurricane Electric’s IPv6 tunnel broker to provide me with native IPv6 access to the Internet. The world is moving to IPv6, so it’s time to get on board!

    World IPv6 Launch Day - June 6, 2012

    %d bloggers like this: