DirectAccess (Empty GPO for DA server)

  • Question

  • Hi all,

    Trying to figure out why the UAG DirectAccess: server policy is empty. It does not have any settings.

    Any suggestions?

    Thanks
    Monday, January 4, 2010 6:36 PM

Answers

  • hi all,

    Finally I got UAG DA working. Thanks to Max and MS support team.

    Here is my understanding of the issue. UAG tries to write some temp files under the %userprofile%\temp folder when the UAG script that creates GPOs runs. For some reason, UAG is not able to write these temp files under %userprofile%\temp (I am still trying to find out why this is the case). This is why I am getting "Executing Export local policy to file ... failed. Cannot create a file when that file already exists" in the DirectAccess Policy Configuration window right after I hit the Apply Now button on the Forefront UAG DirectAccess Configuration wizard.

    The workaround for this issue is exporting the script, replacing the %userprofile%\temp path with another path such as C:\Temp, and then running the script.

    thanks again for all your efforts to resolve this issue.

    FB 
    • Marked as answer by FB1907 Monday, January 18, 2010 3:24 PM
    Monday, January 18, 2010 3:24 PM
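    The two checks FB's diagnosis rests on, as an added example that is not code from the thread or from UAG itself: can the wizard's account actually create a file under %userprofile%\temp, and does the server GPO carry any settings at all. It assumes the GroupPolicy module (GPMC/RSAT) is installed, that `$gpoName` is the exact display name of the UAG server GPO in your domain, and that `$exported` is the path of the script you saved from the wizard (both are placeholders).

```powershell
# Added example, not from the thread or from UAG. Assumes the GroupPolicy
# module (GPMC/RSAT) is present; $gpoName and $exported are placeholders.
Import-Module GroupPolicy
$gpoName    = 'UAG DirectAccess: Server'            # placeholder: copy the name from GPMC
$tempDir    = Join-Path $env:USERPROFILE 'temp'     # path the UAG script tries to write to
$altTempDir = 'C:\Temp'                             # alternative path used in the workaround

# 1. Can the account running the wizard create a file under %userprofile%\temp?
#    A unique probe name avoids the "file already exists" case the wizard hit.
function Test-TempWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Writable = $false; Error = 'directory missing' }
    }
    $probe = Join-Path $Path ('uag-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        [pscustomobject]@{ Path = $Path; Writable = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Path = $Path; Writable = $false; Error = $_.Exception.Message }
    }
}

# 2. Does the GPO carry any settings? In the XML report each client-side
#    extension with settings appears as an ExtensionData node under Computer/User;
#    "No settings defined" in GPMC corresponds to zero such nodes.
function Get-GpoSettingCount {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $q = '*[local-name()="ExtensionData"]'   # report XML uses a default namespace
    [pscustomobject]@{
        GPO              = $Name
        ComputerSettings = $report.GPO.Computer.SelectNodes($q).Count
        UserSettings     = $report.GPO.User.SelectNodes($q).Count
    }
}
Test-TempWritable -Path $tempDir
Test-TempWritable -Path $altTempDir
Get-GpoSettingCount -Name $gpoName

# 3. The thread's workaround, scripted: point the exported wizard script at C:\Temp.
#    $exported is a placeholder for the .ps1 you saved from the wizard.
$exported = 'C:\Temp\UAG-DirectAccess-Config.ps1'
if (Test-Path -LiteralPath $exported) {
    (Get-Content -LiteralPath $exported) -replace '%userprofile%\\temp', $altTempDir |
        Set-Content -LiteralPath ($exported -replace '\.ps1$', '.fixed.ps1')
}
```

    Run it as the same account that runs the UAG wizard; a Writable=False result for the first path alongside zero ComputerSettings is the combination FB describes.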

All replies

  • anyone?

    more info about my env:

    UAG RC is running on 2008 R2 Ent

    external interface has 2 public ip addresses a.b.c.163 and a.b.c.164

    design: full internet access


    I can ping internal resources but can't access any file share or any other intranet services.

    Odd things that I found are:

    1- Empty UAG GPO for the DirectAccess server

    2- Event in the Application log of the DirectAccess server: Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server SERVERNAME. The following providers may define filters that conflict with the Forefront TMG firewall policy: Teredo socket option filters plumbed by iphlpsvc, UAG-DA NLB, Microsoft Corporation, unnamed provider(s).

    3- I see LDAP request traffic in my firewall logs. It comes from the external interface of the DA server and is destined for the DC in the LAN.

    PS: If this forum is not the right forum for this question, please someone let me know.
    Tuesday, January 5, 2010 3:29 PM
  • Hi FB,

    When you say that you have an "empty GPO" are you saying that the DA server GPO wasn't created? Or that it wasn't applied?

    Thanks!
    Tom
    Friday, January 8, 2010 2:51 PM
    Moderator
  • Hi,

    It gets created but there are no settings in the GPO. So if I go to GP Management and click on UAG DirectAccess: policy, all I see is "No settings defined" under Computer Configuration and User Configuration.

    Thanks for the response. I have been searching about this and can't find anything on the internet.
    Friday, January 8, 2010 4:20 PM
  • Hi,

    Please verify that your UAG DA machine has full domain connectivity, file shares to DCs, etc. If this is not working, clients connecting from outside might hit the same.
    Make sure that all domain routes, IPv4 (and IPv6 if it exists), are defined on the internal NIC; the external NIC is recommended to have the default route (for internet traffic). Make sure internal DNS is correctly defined. Please validate this connectivity prior to any other configuration.

    Regarding the GPOs, if you had limited connectivity it might explain the issue (however, I would expect an error to show up). Were you applying the policy through the UI, or did you export it to a PS1 file?

    Either way, if you want to validate that the issue is not with the policy itself, you can export to file and run it on any other 2008 R2 machine (that has GPMC on).

    Max
    Sunday, January 10, 2010 6:46 AM
  • FB1907: just for interest: what happens if you open the GPO management console on the UAG machine and THEN let the settings show - do they appear now?

    Best regards
    Joerg

    Sunday, January 10, 2010 9:31 AM
  • Joerg,

    Same result. no settings in the gpo.

    Update for those who are interested in this thread:

    I removed UAG 2010 RC and the GPOs that were created automatically. Then I installed UAG 2010 RTM and went through the configuration again. I got the exact same result. No settings in the UAG DA Server policy.

    I just don't see how the UAG client GPO gets created with no issue but the UAG DA server policy experiences this problem.

    Monday, January 11, 2010 3:32 PM
  • hi,

    The UAG DA machine has access to all internal resources. I have only one subnet in my LAN and that is defined on the internal NIC. Only the external NIC has a default gateway. Internal DNS is set and works with no issue.

    I apply the policies through the UAG DA configuration wizard. I understand your point about having limited connectivity, but that is not the case. Also, keep in mind that the wizard creates the UAG client policy with no issue, which makes me think that the UAG server has no issues connecting to the DC, creating the GPO and linking it to the domain.

    I also tried exporting to file and running it on my DC, which produced the same result: no settings defined in the GPO.

    Another thing I want to mention about this is that I get "Executing Export local policy to file ... failed. Cannot create a file when that file already exists" in the DirectAccess Policy Configuration window right after I hit the Apply Now button on the Forefront UAG DirectAccess Configuration wizard. I got this error in both my UAG RC and RTM setups.

    FB

    • Marked as answer by Erez Benari (Owner) Friday, January 15, 2010 10:00 PM
    • Unmarked as answer by FB1907 Monday, January 18, 2010 3:17 PM
    Tuesday, January 12, 2010 8:08 PM
  • Hi FB,
    Is this DA server a member of a domain that might have permissions set on folders that are different from the default?

    Also, you might want to just start over with a new DA server. While that doesn't explain the problem, it might be a faster way to go in order to get a working solution.

    BTW - when you look in the GPMC on the DC, do you see the DA GPO object, and does it have the settings for the DA server, for example the WFAS settings?

    Thanks!
    Tom
    MS ISDUA
    • Marked as answer by FB1907 Monday, January 18, 2010 3:16 PM
    • Unmarked as answer by FB1907 Monday, January 18, 2010 3:16 PM
    Saturday, January 16, 2010 5:37 PM
    Moderator
  • Hi FB,

    Great! Good to hear you got it working and thanks for the follow up!

    Thanks!
    Tom
    MS ISDUA Anywhere Access Team
    Thursday, January 21, 2010 2:21 PM
    Moderator
  • I am having trouble with Microsoft Forefront Threat Management Gateway 2010

    I get the following WFP Filter Conflict Detected error message:

    "Description: Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server GATEWAY. The following providers may define filters that conflict with the Forefront TMG firewall policy: unnamed provider(s)."

    Please help me. I can not make head nor tail of this.
    Friday, January 13, 2012 12:28 PM
  • That is normally a cosmetic error and can safely be ignored, but it usually says 'Microsoft Corporation' as opposed to 'unnamed provider(s)'.

    Have you installed another host firewall or antivirus product on the TMG/UAG server?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 13, 2012 2:38 PM
    Moderator
  • Anyone figured out a workaround for 2012 direct access?

    We get the same deal but since Microsoft have "integrated everything" the script doesn't get run manually so it just fails under the covers

    Wednesday, October 16, 2013 11:20 AM