Tag Archives: UAG

Manage Out with Direct Access on UAG

Having implemented Direct Access with UAG (Microsoft Unified Access Gateway) at a customer location there were some questions when we were done. Their helpdesk is using SCCM (System Center Configuration Manager) and the remote management tools included, how would they go about managing the clients? Would that work even if the user wasn’t logged in? Well, after some research we found out that they could actually manage the client if someone was logged in. If nobody was, no remote management would occur.

The reason? Traffic initiated from inside the network has to go through the management (infrastructure) tunnel when nobody is logged on. For that to happen, the servers or workstations that wish to communicate have to be included in the management group on the UAG. Any management server or workstation you use for this work also has to be IPv6 capable, because DA / UAG only translates IPv4 to IPv6 (NAT64/DNS64) for traffic initiated by the client; it won’t translate traffic initiated from the inside.

UAG configuration:

The UAG needs to include ALL the computers you want to use for remote management of DA clients where nobody is logged on, i.e. management over the infrastructure tunnel. As soon as a user logs on, communication can occur over the user tunnel instead.

Client configuration:

If you’re using mobile connections (3G etc.) you’ll need to make sure that those connections register their address in DNS. If you don’t, your clients won’t register, and you won’t be able to find them by name from your internal network.

Clients need to have their firewall configuration updated with rules that allow the traffic you need, for example RDP. Please note that the profile you must use for this is the PUBLIC profile, since that’s the one applied when the DA client is connected from the internet. You must also allow “edge traversal” on these rules for them to work over all tunnels (6to4, Teredo and IP-HTTPS).
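As an added example (not from the original post), here is what the client-side rules described above look like when created with netsh, which is what the GPO ends up pushing. It assumes RDP is the management protocol, adds an ICMPv6 echo rule because ping is the first thing the helpdesk will try, and uses 2001:db8:1::/64 as a constructed placeholder for the IPv6 range of the management servers/workstations that are in the UAG management group; scoping the rules to that prefix is an assumption, not something the post requires.

```powershell
# Added example: client-side "manage out" firewall rules for a DirectAccess client.
# Run in an elevated PowerShell (or the same netsh lines in an elevated cmd).
# Assumptions: RDP (TCP 3389) is the management protocol; 2001:db8:1::/64 is a
# constructed placeholder for the management subnet. Replace it with your own prefix.
$mgmtPrefix = '2001:db8:1::/64'

# Inbound RDP, Public profile only (the profile a DA client is in when connected
# from the internet), edge traversal enabled so the rule matches traffic arriving
# over the 6to4/Teredo/IP-HTTPS tunnel, and limited to the management prefix so the
# open port is not reachable from arbitrary internet hosts.
# The name= token is single-quoted so PowerShell hands netsh the quotes intact.
netsh advfirewall firewall add rule `
    'name="DA Manage Out - RDP"' `
    dir=in action=allow enable=yes `
    profile=public `
    protocol=TCP localport=3389 `
    remoteip=$mgmtPrefix `
    edge=yes

# ICMPv6 echo request (type 128) so the client can be pinged while troubleshooting.
netsh advfirewall firewall add rule `
    'name="DA Manage Out - ICMPv6 echo"' `
    dir=in action=allow enable=yes `
    profile=public `
    protocol=icmpv6:128,any `
    remoteip=$mgmtPrefix `
    edge=yes

# Verify: the output must show "Edge traversal: Yes" and "Profiles: Public".
netsh advfirewall firewall show rule 'name="DA Manage Out - RDP"' verbose
```

If the rule is created in the Domain or Private profile, or without edge=yes, it looks correct in the GUI but the connection attempt from the management workstation still times out, which is the symptom the post describes.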

More resources for manage out with Direct Access:

Direct Access / UAG Troubleshooting Steps

I spent last week installing, configuring and troubleshooting UAG for Direct Access. Considering that nobody likes troubleshooting, I thought I’d share some tips and a list of the steps I took to get it up and running.

This guide/list focuses on troubleshooting Direct Access through Microsoft Forefront Unified Access Gateway (UAG), but also applies to Direct Access enabled through Windows Server 2008 R2.

Thanks to Hasain Alshakarti for answering all my questions and giving me a quick lesson on PKI!

Try to test your first client from the same network as the outside addresses of your DA/UAG. I spent almost a day troubleshooting a configuration where it turned out that the 3G operator blocks 6to4 (IP protocol 41). If it works on that network, then you can try it out over 3G.

If it doesn’t work there, you’ll need to create another GPO that disables 6to4, which makes your clients use either Teredo or IP-HTTPS instead. Check the netsh section further down for how to check and disable it manually. If you don’t, it might work with some operators and not with others, and troubleshooting that when your users are road warriors isn’t as fun as one might think…

Note on images: All ip’s / hostnames are masked for customer security.

Server side:

External interface

IPv4 + IPv6 enabled
Two consecutive public IPv4 addresses entered
No DNS – This forces the server to always look up names in the internal DNS / through forwarders
No Client for Microsoft Networks
No File and Printer Sharing

Internal interface

No gateway
Internal DNS

Client side:
Check the certificate – It needs to contain a subject name or SAN (Subject Alternative Name) which matches the DNS name of the client. (This also applies to the certificate used for the UAG server’s SSL connection.) If the certificate is not properly configured you’ll most likely get Event ID 4653 for IPsec.

Checking the tunnels:
Start Windows Firewall with Advanced Security
Open Monitoring, Security Associations and check under Main Mode and Quick Mode that your tunnels are established. This can also be done with netsh, see below.

Show main/quick mode connections (read here for more information on IPSec and connections)

netsh advfirewall monitor
show mmsa
show qmsa

Show 6to4 adapter state
netsh int 6to4
show state

Show Teredo adapter state
netsh int teredo
show state

Show IP-HTTPS adapter state
netsh interface httpstunnel
show interfaces

Show dns client settings
netsh dnsclient
show state

Show the effective DNS Name Resolution Policy Table (NRPT)
netsh namespace
show effectivepolicy
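To save typing the netsh contexts one by one on every client you troubleshoot, here is an added example (not from the original post) that runs the checks listed above in one go and, with the -Disable6to4 switch, performs the manual 6to4 disable the 3G section refers to so the client falls back to Teredo or IP-HTTPS. The script is mine, must run elevated on the DirectAccess client, and the check for “No SAs match the specified criteria” assumes that is the text netsh prints when no security associations exist.

```powershell
# Added example: collect the DirectAccess client state the post checks by hand,
# and optionally force the client off 6to4 (for operators that block IP protocol 41).
# Run in an elevated PowerShell on the client. Not part of the original post.
param([switch]$Disable6to4)

# Each entry is a netsh context plus verb, exactly as you would type them interactively.
$checks = @(
    @{ Label = 'IPsec main mode SAs';   Cmd = 'advfirewall monitor show mmsa' },
    @{ Label = 'IPsec quick mode SAs';  Cmd = 'advfirewall monitor show qmsa' },
    @{ Label = '6to4 state';            Cmd = 'interface 6to4 show state' },
    @{ Label = 'Teredo state';          Cmd = 'interface teredo show state' },
    @{ Label = 'IP-HTTPS interfaces';   Cmd = 'interface httpstunnel show interfaces' },
    @{ Label = 'DNS client state';      Cmd = 'dnsclient show state' },
    @{ Label = 'Effective NRPT';        Cmd = 'namespace show effectivepolicy' }
)

foreach ($c in $checks) {
    Write-Host "=== $($c.Label) ==="
    # Splitting the string gives netsh its arguments as separate tokens.
    & netsh ($c.Cmd -split ' ')
}

# A connected client has at least one quick mode SA towards the UAG. None means the
# IPsec tunnel is not up, and the transition-technology output above shows which
# leg (6to4 / Teredo / IP-HTTPS) failed before IPsec even got a chance.
$qm = netsh advfirewall monitor show qmsa
if ($qm -match 'No SAs match the specified criteria') {
    Write-Warning 'No quick mode SAs: the DirectAccess tunnel is not established.'
}

if ($Disable6to4) {
    # Manual equivalent of the GPO setting the post recommends; once 6to4 is off the
    # client tries Teredo and then IP-HTTPS (TCP 443), which most operators allow.
    netsh interface 6to4 set state state=disabled
    netsh interface 6to4 show state
}
```

Run it once before and once after changing anything (certificate, GPO, operator network) and diff the two outputs; the state that changed is usually the leg that was broken.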

Useful resources and reading:
A useful 6to4 calculator – http://waldner.netsons.org/f6-6to4.php

Designing a Direct Access solution – http://technet.microsoft.com/en-us/library/dd637836(WS.10).aspx
Direct Access Management – http://technet.microsoft.com/en-us/library/ee624048(WS.10).aspx
The Direct Access Test Lab Step-by-Step Guide – http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=8d47ed5f-d217-4d84-b698-f39360d82fac
General troubleshooting for Direct Access – http://technet.microsoft.com/es-es/library/ee624058(WS.10).aspx

Hope that you’ll get it up and running. I have another post drafted that will deal with the “manage out”-perspective that will allow you to remotely manage / access your clients, will post ASAP!

Celebrations and reading

Yey, today is Geek Pride Day, which is celebrated by all geeks/nerds around the world. According to Wikipedia:

“Geek Pride Day is an initiative which claims the right of every person to be a nerd or a geek. It has been celebrated on May 25 since 2006, celebrating the premiere of the first Star Wars movie in 1977.

It shares the same day as two other science-fiction fan ‘holidays’ – Towel Day, for fans of the Hitchhiker’s Guide to the Galaxy Trilogy by Douglas Adams, and the Glorious 25th of May, for fans of Terry Pratchett’s Discworld.”

And for the reading I’ve been reading on the Hyper-V security model at http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx and how to avoid the old “domain could not be contacted”-error which you usually get with snapshots or offline machines at http://www.petri.co.il/working-with-domain-member-virtual-machines-and-snapshots.htm

Currently busy working with my presentation for TechEd and my new job offers some challenges too… Learning all there is to know about Salesforce and administration, and trying to get my head around SCCM (don’t miss the beta 1 of v.Next over at http://blogs.technet.com/b/systemcenter/archive/2010/05/24/the-next-generation-of-client-management.aspx) and Direct Access in multi-site deployments with UAG which isn’t happening until SP 1 apparently.