Multiple short connections in DirectAccess 2012 R2

Hello,

I'm fairly new to DA and I was just trying to figure out if this is a normal occurrence.

I have DA 2012 R2 configured, load balanced, running without issues, clients connect through Win7 and Win 8.1 and access what they need. When I run the Reporting tool it's showing all my connections, as expected, but it's showing multiple sessions - and I'm talking over 1700 average sessions per day with a testing group of only 15 people. The majority of the sessions have no user name, just the host name of the user's machine. All these connections range from 1 to 4 minutes and in/out bytes of 20,000 to 80,000.

Is this normal? It's both Win7 and Win8.1 connections doing this.

Any info would be appreciated, thanks.

June 26th, 2015 8:46am

There could be several reasons:

Let's first look at how DirectAccess establishes tunnels:

  • When you connect your DirectAccess Client remotely without logging on, it establishes a so-called infrastructure tunnel, which gives access only to your Domain Controllers and the Infrastructure Servers defined in the DirectAccess Wizard (step 3). On the DirectAccess Server you will see the HOSTNAMES only.
  • When you log in on a DirectAccess Client while it is connected remotely, it will establish a so-called intranet tunnel, which will give you full access to everything accessible by NRPT. On the DirectAccess Server you will see the HOSTNAME and username.


In fact, it does not establish two tunnels; the tunnel type changes. So in theory you should only see one tunnel. But it is possible you will see more tunnels when a computer reboots or loses its connection temporarily. The old IPsec tunnel is still available (not expired yet), but the DirectAccess Client establishes a new connection instead. Most often you will see that they first connect with, let's say, the Teredo protocol, and after a reboot with the IP-HTTPS protocol. You will then see two tunnels. The old tunnels disappear after a few minutes (don't ask me the exact timeframe).

I know this is sometimes confusing, but in my opinion you can ignore this, unless you are seeing an excessive number of tunnels which are not cleared properly.

I hope this makes a bit more sense.

June 26th, 2015 8:56am
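
One way to check whether the machine-only sessions are excessive, following the tunnel explanation in the answer above (an added example, not part of the original thread): it treats rows with no user name as infrastructure-tunnel sessions and flags hosts with many short ones in the same hour. The CSV column names, the function name `Get-TunnelChurn` and the threshold are assumptions, and the sample rows are constructed.

```powershell
# Constructed sample rows. The column names (HostName, UserName, Start, Minutes)
# are assumptions for this example, not the Reporting tool's export format.
$csv = @'
HostName,UserName,Start,Minutes
LAPTOP-A,,2015-06-26 03:02,2
LAPTOP-A,,2015-06-26 03:05,3
LAPTOP-A,,2015-06-26 03:09,1
LAPTOP-A,,2015-06-26 03:12,4
LAPTOP-B,,2015-06-26 03:10,2
LAPTOP-B,CORP\jdoe,2015-06-26 09:00,185
'@

function Get-TunnelChurn {
    param(
        [Parameter(Mandatory)] [object[]] $Session,
        [int] $MaxShortSessionsPerHour = 3,   # assumed threshold, tune per site
        [int] $ShortMinutes = 4               # the thread reports 1-4 minute sessions
    )
    $Session |
        ForEach-Object {
            $start = [datetime]::ParseExact($_.Start, 'yyyy-MM-dd HH:mm',
                [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                HostName = $_.HostName
                # No user name means a machine-only (infrastructure) tunnel
                Tunnel   = if ([string]::IsNullOrWhiteSpace($_.UserName)) { 'Infrastructure' } else { 'Intranet' }
                Hour     = $start.Date.AddHours($start.Hour)   # truncate to the hour
                Short    = [int]$_.Minutes -le $ShortMinutes
            }
        } |
        Where-Object { $_.Short -and $_.Tunnel -eq 'Infrastructure' } |
        Group-Object HostName, Hour |
        Where-Object { $_.Count -gt $MaxShortSessionsPerHour } |
        ForEach-Object {
            [pscustomobject]@{
                HostName = $_.Group[0].HostName
                Hour     = $_.Group[0].Hour
                Sessions = $_.Count
            }
        }
}

# Lists each host/hour pair whose short machine-only sessions exceed the threshold
Get-TunnelChurn -Session ($csv | ConvertFrom-Csv)
```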

I was wondering if this was the infrastructure tunneling (since we have multiple agents on the machines). Thanks for the explanation.

To me, this is kind of excessive. For example, last night between 3-4AM only 2 machines connecting and combined there were over 100 sessions. It was like this all night with connections of 1-4 minutes.

No complaints when the user is actually connected though. Praises actually...which is rare...lol.

I'll investigate further if there are any network issues on these boxes. Thanks.


June 26th, 2015 9:04am

  • Edited by CompNerd84 Friday, June 26, 2015 1:03 PM
June 26th, 2015 1:03pm


Apart from the other expert's explanation, I just wanted to add that DirectAccess is more like JUST a LAN cable that you plug into your machine.

So the "REAL" data that is transmitted between the Client and the Servers depends on the applications that are running inside your Windows machines.

If you think the data transmission is unusual, maybe you could check if your SCCM Clients or AV clients are downloading updates.

July 14th, 2015 4:00am

Thanks for the info guys.
July 14th, 2015 9:41am

This topic is archived. No further replies will be accepted.
