DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server


This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason neither the infrastructure tunnel nor the intranet tunnel was established. When walking through the Advanced Firewall configuration I noticed that no Internet Protocol security (IPsec) tunnel mode security associations (SAs) were initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. I verified the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that the DirectAccess settings were misconfigured. The NRPT is configured by the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden whenever the DirectAccess wizard is run!

Check the following registry key: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks and make sure it is set to 0 and not 2.

The possible values for the key are shown below:

Enable DA for All Networks

Key: Software\Policies\Microsoft\Windows NT\DNSClient

Value: “EnableDAForAllNetworks”

Type: REG_DWORD

Size: 32 bits.

Data: This field is a 32-bit value, which MUST contain one of the following values.

Value       Meaning
0x00000000  Let Network ID determine when Direct Access settings are to be used.
0x00000001  Always use Direct Access settings regardless of location.
0x00000002  Never use Direct Access settings regardless of location.
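To make the registry check above repeatable, here is an added PowerShell audit script (my own example, not part of the original post or any Microsoft tooling). It reads the EnableDAForAllNetworks policy value, translates it using the value table above, warns when it is set to 2, and then dumps the same NRPT state the post used to spot the problem. The helper name Get-DAForAllNetworksSetting and the use of netsh namespace show effectivepolicy to list the effective NRPT rules are my additions.

```powershell
# Added example: audit the NRPT policy value "EnableDAForAllNetworks" on a
# DirectAccess client. Run from an elevated PowerShell prompt.
# Meanings are taken from the value table in the post; everything else is assumed.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'EnableDAForAllNetworks'

# Value meanings as documented in the post's table
$Meaning = @{
    0 = 'Let Network ID determine when Direct Access settings are to be used (expected)'
    1 = 'Always use Direct Access settings regardless of location'
    2 = 'Never use Direct Access settings regardless of location (DirectAccess NRPT rules are never applied)'
}

function Get-DAForAllNetworksSetting {
    # Returns an object describing whether the value exists and what it means
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Present = $false
            Value   = $null
            Meaning = 'Value not present under the policy key (no policy applied)'
        }
    }
    $v = [int]$item.$ValueName
    $text = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { "Undocumented value $v" }
    [pscustomobject]@{ Present = $true; Value = $v; Meaning = $text }
}

$setting = Get-DAForAllNetworksSetting
$setting | Format-List

if ($setting.Present -and $setting.Value -eq 2) {
    Write-Warning "$ValueName is 2: the DirectAccess NRPT rules are never used, which matches the symptom in the post (no IPsec tunnel mode SAs, no infrastructure or intranet tunnel)."
    Write-Warning "Correct the value in the DirectAccess Group Policy (or re-run the DirectAccess Setup wizard); a manual registry edit under a policy key is rewritten on the next Group Policy refresh."
    # Local correction for troubleshooting only; the GPO must match or the change is reverted:
    # Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

# Live DNS client / NRPT state, as used in the post to spot the misconfiguration
netsh dnsclient show state

# Effective NRPT rules currently applied to this client (assumed helpful, not from the post)
netsh namespace show effectivepolicy
```

Because the value lives under Software\Policies, it is Group Policy territory: fixing it only in the registry is useful to confirm the diagnosis, but the lasting fix is the DirectAccess GPO (or the wizard that writes it), which is why the script leaves the Set-ItemProperty line commented out.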

After changing the value I rebooted my Windows 7 client and DirectAccess is working again like a charm.

Sources:

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/cd924318-12d3-4b27-ad3c-a50320819241

http://msdn.microsoft.com/en-us/library/ff957870(PROT.10).aspx

http://technet.microsoft.com/en-us/library/ee844114(WS.10).aspx

DirectAccess Client Location Awareness – NRPT Name Resolution

Configure the NRPT with Group Policy

One thought on “DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server”

  1. Pingback: DirectAccess – Troubleshooting case - Simple and secure by Design but Business compliant [Benoît SAUTIERE / Exakis / MVP]
