You are currently reviewing an older revision of this page.
Go to current version

Forefront UAG supports an enhanced version of DirectAccess that adds several features and capabilities that aren't available with the Windows only version of DirectAccess. After installing UAG on your Windows Server 2008 R2 server, you can then enable DirectAccess using the UAG DirectAccess wizard.

Some administrators have received the message:

"The adapter configured as external-facing is connected to a domain"

After running the DirectAccess wizard. If you receive this message, the DirectAccess wizard will not complete and DirectAccess will not be configured on the UAG DirectAccess server. The reason for this failure is that if the external interface detects that it can reach a domain controller, it will set the Windows Firewall with Advanced Security Profile to "Domain Profile", which will disable the GPO settings required for the DirectAccess server to receive connections from DirectAccess clients (connection security rules, firewall rules, etc).

The problem is that many administrators have not been able to identify why the UAG DirectAccess wizard reports that it can detect a domain controller. From information we have right now (and this is admittedly incomplete informatin) there are at least two reasons for why this might happen:

  • The external interface on the UAG server can establish an IPv6 connection to a domain controller behind the UAG DirectAccess server. This might happen if there isn't physical segmentation between the network behind the UAG DirectAccess server and the domain controller behind it
  • Forwarding is enabled on the external interface of the UAG DirectAccess server

You can use the command:

netsh int ipv4 show int level=verbose

to check the forwarding state of the external interface.

Forwarding should be disabled by default on all NICs. However, when activating UAG DirectAccess, forwarding is enabled on the internal interface and on the transition technology interfaces, but never on the physical external interface. When forwarding is enabled on the external interface, Network Location Awareness (NLA) sevice tries to determine whether a domain controller is reachable by binding on each interface on the machine. When fowarding is enabled on the external interface, packets will be forwarded to the internal interface, and then to the destination domain controller. The end result being that a domain controller was detected and the Domain Profile is assigned to the external interface and the DirectAccess configuration fails.

What would cause forwarding to be enabled on the external interface? It is possible that another feature configured in UAG or TMG has enabled forwarding on the external interface. But if that is the case, we haven't yet identified what software might be doing that.

If you have more information about this issue, please feel free to update this wiki entry.

Revert to this revision