DirectAccess not connecting

  • Question

  • Hello everyone.

    I have been deploying Direct Access at my home lab, and can't get it working :(

    The only thing I have changed is the port number from 443 -> 21500 on the public side.

    So when the request to the server gets sent, it hits port 21500 and the Cisco firewall sends it to 443 on the local Direct Access server.

    Here is some info about the environment:

    2 x 2012 R2 DCs

    1 x 2012 R2 Core Direct Access Server.

    1 x Windows 8.1 Enterprise

    The Direct Access server reports that everything is OK:

    Also, using telnet to port 21500 from any computer connected to the internet shows that something is listening on the port.

    In the GPO I have specified the port:

    I can also see that the client gets the DirectAccess policy.

    When I check the log, I can see some of these messages:

    [MicrosoftServices.WS2012DA.ClientTroubleshooter.MainForm] Info: The IPHTTPS interface is operational.

    [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: Updated the RootNode with the currently highest ChildNode status.
    17-10-2014 12:44:36[P:2140 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: Added ChildNode UserTunnelTestsNodeChild0.
    17-10-2014 12:44:36[P:2140 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: Got a ping response from fd0a:33d:d27:1000::2 with RTT 8 msec.
    17-10-2014 12:44:36[P:2140 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.UserTunnelChecker] Info: Successfully reached fd0a:33d:d27:1000::2, RTT is 8 msec.
    17-10-2014 12:44:36[P:2140 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.MainForm] Info: Added child node message Successfully reached fd0a:33d:d27:1000::2, RTT is 8 msec..

    So it's connecting, and is able to ping the internal servers.

    But then I also get this message:

     [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: An WebException occurred while running a HTTP request. Message: The remote name could not be resolved: 'directaccess-webprobehost.localdomain.dk'.
    17-10-2014 12:44:36[P:2140 T:6] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: Set status code HTTP 503.

    But when pinging directaccess-webprobehost.localdomain.dk from the servers, I get a response.

    Any help would be really appreciated!


    Datatechnician

    Saturday, November 8, 2014 4:25 PM

All replies

  • Hi,

    Why do you need to change the port used for IPHTTPS? From a support point of view, it's not supported, as your approach requires changing the DirectAccess GPO configuration: http://technet.microsoft.com/en-us/library/dn464274.aspx. I worked on such an approach and published this blog post:

    http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/06/publishing-iphttps-on-an-alternate-port.aspx

    Does it respond to your need?

    Keep in mind that we are in an unsupported scenario of DirectAccess.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, November 9, 2014 1:18 PM
  • Hello.

    Sorry for the late response!

    I've reviewed the guide, and I believe that I might have misinformed you :)

    I only have 1 public IP address, and I have a web server located on port 443, so I need the clients to hit port 21500 on the Cisco firewall, which then passes it to port 443 on the Direct Access server :)



    Datatechnician

    Thursday, November 13, 2014 12:15 PM
  • Hi,

    So my proposal can work. Yes, it's not supported (we are changing the port in the DirectAccess client-side GPO), but it works. It's much easier than changing it on the server side.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 13, 2014 2:12 PM
  • Hello.

    Then I'm not sure what you mean - please forgive me :)

    I am changing the port in the client GPO - I do not have a TMG present in my setup.


    Datatechnician

    Thursday, November 13, 2014 2:21 PM
    I wrote this article because I had a TMG in front of me. It's the same approach with any firewall. And yes, we need to change the GPO to set your new port: 21500.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 13, 2014 2:23 PM
  • Hello.

    As far as I can see, there is nothing different in my setup compared to yours, except for the TMG.

    I also publish it on port 21500, and then the firewall NATs it to port 443 on the Direct Access server?


    Datatechnician

    Thursday, November 13, 2014 2:26 PM
    Yes, but did you change the port to which the DirectAccess client must connect? In my article, it's the PowerShell section with the following command: NetIPHTTPSConfiguration

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, November 13, 2014 2:28 PM
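
The client-side checks behind this exchange (which URL and port the client actually uses for IP-HTTPS, whether the alternate port answers, and why the web probe name in the log fails to resolve), followed by the GPO change BenoitS refers to, as an added PowerShell example that is not from the thread or from the linked blog post. The public hostname, the GPO path and the NRPT property names are assumptions.

```powershell
# Added example (not from the thread or from BenoitS's blog post): client-side
# checks for DirectAccess IP-HTTPS published on an alternate port, plus the
# unsupported GPO change that points clients at that port.
# Assumed values (placeholders, not from the thread): the public FQDN
# da.example.com and the GPO path; the probe name is from the troubleshooter log.
$PublicHost   = 'da.example.com'
$PublicPort   = 21500     # the thread's public port, forwarded to 443 by the firewall
$ClientGpo    = 'localdomain.dk\DirectAccess Client Settings'   # assumed GPO path
$WebProbeHost = 'directaccess-webprobehost.localdomain.dk'

# 1. Which URL does the client currently use? The port is part of the URL, so
#    a server-side NAT to 443 changes nothing unless the GPO URL names 21500.
$cfg = Get-NetIPHttpsConfiguration -PolicyStore ActiveStore
"Active IP-HTTPS URL : $($cfg.ServerURL)"

# 2. Does the alternate port answer from where this client sits?
$tcp = Test-NetConnection -ComputerName $PublicHost -Port $PublicPort
"TCP $PublicPort reachable : $($tcp.TcpTestSucceeded)"

# 3. Tunnel state as seen by the IP-HTTPS driver.
Get-NetIPHttpsState | Select-Object InterfaceStatus, LastErrorCode

# 4. The 'remote name could not be resolved' line in the log is a DNS problem,
#    not a tunnel problem: the probe name must fall under an NRPT rule so it is
#    sent through the tunnel to the internal DNS servers (DirectAccessDnsServers
#    is assumed to be the property that holds them).
$rule = Get-DnsClientNrptPolicy | Where-Object { $WebProbeHost -like "*$($_.Namespace)" }
if (-not $rule) {
    "No NRPT rule covers $WebProbeHost - check the DirectAccess client GPO."
} else {
    "NRPT rule $($rule.Namespace) -> DNS $($rule.DirectAccessDnsServers -join ', ')"
}
Resolve-DnsName $WebProbeHost -ErrorAction SilentlyContinue | Select-Object Name, IPAddress

# 5. The fix (run as a domain admin against the client GPO, then 'gpupdate /force'
#    on the client): rewrite the IP-HTTPS URL with the alternate port. The server
#    keeps listening on 443 behind the NAT; only the client-side URL changes.
$newUrl = "https://${PublicHost}:${PublicPort}/IPHTTPS"
Get-NetIPHttpsConfiguration -PolicyStore $ClientGpo |
    Set-NetIPHttpsConfiguration -ServerURL $newUrl
"GPO IP-HTTPS URL set to $newUrl"
```

Step 5 is the unsupported part of the setup: the GPO URL, not the firewall NAT, decides which port the client connects to.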