Direct Access / UAG Troubleshooting Steps

I spent last week installing, configurating and troubleshooting UAG for Direct Access. Considering that nobody likes troubleshooting, I thought I’d share some tips and a list of the steps I took to get it up and running.

This guide/list focuses on troubleshooting Direct Access through Microsoft Forefront Unified Access Gateway (UAG), but also applies on Direct Access enabled through Windows Server 2008 R2.

Thanks to Hasain Alshakarti for answering all my questions and giving me a quick lesson on PKI!

Try to test your first client from the same network as your outside addresses on your DA/UAG, I’ve spent almost a day troubleshooting a configuration where it turned out that the 3G operator blocks 6to4 (IP Protocol 41). If it works on that network, then you can try it out with 3G.

If it doesn’t work then, you’ll need to create another GPO that disables 6to4 which will make your clients use either Teredo or IPHTTPS instead. Check the netsh-section further down for how to disable it manually. If you don’t it might work with some operators and not work with others, troubleshooting this when your users are road warriors isn’t as fun as one might think…

Note on images: All ip’s / hostnames are masked for customer security.

Server side:

External interface

IPv4 + Ipv6 enabled
Two consecutive IP’s entered
No DNS – This forces the server to always lookup in the internal DNS / through forwarders
No client for Microsoft networks
No file / printer sharing

(click for Lightbox)

Internal interface

No gateway
Internal DNS

(click for Lightbox)

Client side:
Check certificate – Needs to contain a subject name or SAN (Subject Alternative Name) which matches the DNS name of the client. (This also applies to the certificate used for the UAG-server’s SSL-connection.) If the certificate is not properly configured you’ll most likely get eventid 4653 for IPSec.

(click for Lightbox)

Checking the tunnels:
Start Windows Firewall with Advanced Security
Open Monitoring, Security Associations and check under Main + Quick Mode that your tunnels are established. This could also be done with netsh, see below.

(click for Lightbox)


(click for Lightbox)

Show main/quick mode connections (read here for more information on IPSec and connections)

netsh advfirewall monitor
show mmsa
show qmsa

Show 6to4 adapter state
netsh int 6to4
show state

Show Teredo adapter state
netsh int teredo
show state

Show IPHTTPS adapter state
netsh in http
show int

Show dns client settings
netsh dnsclient
show state

Show DNS effective name resolution policy table(NRPT)
netsh namespace
show effective

Useful resources and reading:
A useful 6to4 calculator –

Designing a Direct Access solution –
Direct Access Management –
The Direct Access Test Lab Step-by-Step Guide –
General troubleshooting for Direct Access –

Hope that you’ll get it up and running. I have another post drafted that will deal with the “manage out”-perspective that will allow you to remotely manage / access your clients, will post ASAP!

Leave a Reply

Your email address will not be published. Required fields are marked *