Route the Traffic Through Direct Access (Network Steve Forum)

Route the Traffic Through Direct Access

Hello,

All I need is i have a Direct Access Server and is working fine also Client Machine is Access-able to Connect through DA. I want that each client machine is having internet and is accessing through his internet but after connecting through DA the internet connectivity should be through Direct Access. Is anyone knows the Solution, help me.

thanks,

Roshan

July 23rd, 2015 1:10am

Hi,

That's the force-tunneling scenario of DirectAccess. From a technical point of view any name resolution will be performed throught the NRPT/DNS64 mechanism and all network trafic will be forcer to pass throught the DirectAccess IPSEc tunnels. Force tunneling is a checkbox located in the first step of the Advanced configuration wizard.

Free Windows Admin Tool Kit Click here and download it now

July 23rd, 2015 3:35am

ya, i am trying this but the issue is when i am applying the GPO using link.

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed this steps but while adding a IPV6 Address to any and checking DNS Settings for DA i am unable to do that as it says the name already exists.

Also Client Computer has been disconnected with Internet.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In the details pane, in To which part of the namespace does this rule apply?, click Any.
Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.
In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
Click Create, and then click Apply.

Edited by roshan kr 17 hours 27 minutes ago

August 1st, 2015 9:52am

ya, i am trying this but the issue is when i am applying the GPO using link.

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed this steps but while adding a IPV6 Address to any and checking DNS Settings for DA i am unable to do that as it says the name already exists.

Also Client Computer has been disconnected with Internet.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In the details pane, in To which part of the namespace does this rule apply?, click Any.
Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.
In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
Click Create, and then click Apply.

Edited by roshan kr Saturday, August 01, 2015 1:57 PM

Free Windows Admin Tool Kit Click here and download it now

August 1st, 2015 1:51pm

ya, i am trying this but the issue is when i am applying the GPO using link.

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed this steps but while adding a IPV6 Address to any and checking DNS Settings for DA i am unable to do that as it says the name already exists.

Also Client Computer has been disconnected with Internet.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In the details pane, in To which part of the namespace does this rule apply?, click Any.
Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.
In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
Click Create, and then click Apply.

Edited by roshan kr Saturday, August 01, 2015 1:57 PM

August 1st, 2015 1:51pm

ya, i am trying this but the issue is when i am applying the GPO using link.

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed this steps but while adding a IPV6 Address to any and checking DNS Settings for DA i am unable to do that as it says the name already exists.

Also Client Computer has been disconnected with Internet.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In the details pane, in To which part of the namespace does this rule apply?, click Any.
Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.
In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
Click Create, and then click Apply.

Edited by roshan kr Saturday, August 01, 2015 1:57 PM

Free Windows Admin Tool Kit Click here and download it now

August 1st, 2015 1:51pm

ya, i am trying this but the issue is when i am applying the GPO using link.

https://technet.microsoft.com/en-us/library/ee649127(v=ws.10).aspx

I have followed this steps but while adding a IPV6 Address to any and checking DNS Settings for DA i am unable to do that as it says the name already exists.

Also Client Computer has been disconnected with Internet.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In the details pane, in To which part of the namespace does this rule apply?, click Any.
Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.
In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
Click Create, and then click Apply.

Edited by roshan kr Saturday, August 01, 2015 1:57 PM

August 1st, 2015 1:51pm

Hi,

This procedure apply to Windows 2008 R2, no longer applicable to Forefront UAG and latest version of DirectAccess natively included into Windows Server editions. This might be a better procedure : https://technet.microsoft.com/en-us/library/jj134204.aspx?f=255&MSPPError=-2147217396#BKMK_forcetunnel.

Free Windows Admin Tool Kit Click here and download it now

August 3rd, 2015 8:28am

Hi,

DO you add a wildcard entry in NRPT that point to your internal proxy (using FQDN not IPv4)?

August 5th, 2015 3:43am

Hello,

I Followed the Above Link, I am Explaining My Environment What I have done is.

-> Made a Routing Server In which I have Done Nating to provide Internet to our internal Domain.

->Made a Server for Domain Controller in Which Configured ADDS, DNS & DHCP and Also Configured Root CA.

->Made a Server for Subordinate CA.

->Made another Server For Direct Access in Which Configured DA with EDGE. Also All the Server are having 2012 r2.

-> opened the following port TCP :-41,50,443

->UDP -: 41,50,500 3544 Outbound and Inbound both.

-> Client machine after offline Domain Join.

The Client Machine is getting Connected with Direct Access. But when i am enabling the Force Tunneling features the Internet on Client Gets blocked. For this i am doing:-

-> Enabling the Force tunneling Features on Direct Access Server.

->open the Gpmc.msc on Domain Controller edit the policy DirectAccess Client and then

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\Network Connections.
In the details pane, double-click Route all traffic through the internal network.
In the Route all traffic through the internal network dialog box, click Enabled, and then click OK.

then in NRPT rule on this

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

there is two rule by default one for Direct Access Server and another for any and not knowing what to do in this rule . Also made the Changes as mentioned below.

In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.
In the details pane, double-click 6to4 State.
In the 6to4 State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.
In the details pane, double-click Teredo State.
In the Teredo State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.
In the details pane, double-click IP-HTTPS State.
In the IP-HTTPS State dialog box, click Enabled State in Select Interface state from the following options, click Apply, and then click OK.

Now what to do please suggest me. the answer will be appreciated.

thanks

roshan

Free Windows Admin Tool Kit Click here and download it now

August 5th, 2015 11:47pm

hello,

I am not using Proxy Server

August 6th, 2015 9:19am

So if your're not using a proxy, witch DNS do you use to resolve public DNS names? Your Active Directory?

Free Windows Admin Tool Kit Click here and download it now

August 6th, 2015 10:47am

Look I have used local name like a domain.in as a domain. I am Sending u the List what i have made is

made server like this:-

1. DC:- Domain Controller - Installed ADDS, DNS & DHCP and also ADCS (Root CA) used local Domain example rk.com

2. SCA: Subordinate Server :- domain Joined the Machine and Installed ADCS (Subordinate CA)

3. DA: Direct Access Server :- Domain joined the Machine and Installed and Configured DA used two Adapter one for Internal Domain other for External in which i have used Public IP.

4. Router server in which i did Nating used two Adapter one having the Internet and other as internal network in which i have provided Internet through routing .

Thats it Now tell me what to do.???

Edited by roshan kr 1 hour 42 minutes ago

August 7th, 2015 1:23am

Hi,

So on a DirectAccess client connected on Internet, when you run the following command (NETSH NAMESPACE SHOW EF), you should see one entry for your NRPT and a second on for your internal domain. Am-i right?

If that's the case, we only need to enable the force tunneling in the remote Access Management Console. If I remember well, it's in the first step in the interface.

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 3:42am

Look I have used local name like a domain.in as a domain. I am Sending u the List what i have made is

made server like this:-

1. DC:- Domain Controller - Installed ADDS, DNS & DHCP and also ADCS (Root CA) used local Domain example rk.com

2. SCA: Subordinate Server :- domain Joined the Machine and Installed ADCS (Subordinate CA)

3. DA: Direct Access Server :- Domain joined the Machine and Installed and Configured DA used two Adapter one for Internal Domain other for External in which i have used Public IP.

4. Router server in which i did Nating used two Adapter one having the Internet and other as internal network in which i have provided Internet through routing .

Thats it Now tell me what to do.???

Edited by roshan kr Friday, August 07, 2015 5:43 AM

August 7th, 2015 5:21am

Look I have used local name like a domain.in as a domain. I am Sending u the List what i have made is

made server like this:-

1. DC:- Domain Controller - Installed ADDS, DNS & DHCP and also ADCS (Root CA) used local Domain example rk.com

2. SCA: Subordinate Server :- domain Joined the Machine and Installed ADCS (Subordinate CA)

3. DA: Direct Access Server :- Domain joined the Machine and Installed and Configured DA used two Adapter one for Internal Domain other for External in which i have used Public IP.

4. Router server in which i did Nating used two Adapter one having the Internet and other as internal network in which i have provided Internet through routing .

Thats it Now tell me what to do.???

Edited by roshan kr Friday, August 07, 2015 5:43 AM

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 5:21am

Look I have used local name like a domain.in as a domain. I am Sending u the List what i have made is

made server like this:-

1. DC:- Domain Controller - Installed ADDS, DNS & DHCP and also ADCS (Root CA) used local Domain example rk.com

2. SCA: Subordinate Server :- domain Joined the Machine and Installed ADCS (Subordinate CA)

3. DA: Direct Access Server :- Domain joined the Machine and Installed and Configured DA used two Adapter one for Internal Domain other for External in which i have used Public IP.

4. Router server in which i did Nating used two Adapter one having the Internet and other as internal network in which i have provided Internet through routing .

Thats it Now tell me what to do.???

Edited by roshan kr Friday, August 07, 2015 5:43 AM

August 7th, 2015 5:21am

hello,

after following the Command NETSH NAMESPACE SHOW EF

i am getting this:-

DNS Effective Name Resolution Policy Table Settings

Note: DirectAccess settings are inactive when this computer is inside a corporat
e network.

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 6:36am

OK my fault cause your on LAN. Try NETSH NAMESPACE SHOW POLICY

August 7th, 2015 6:37am

After running the above command i am getting this:-

DNS Name Resolution Policy Table Settings

Settings for .
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : da.rk.in:443
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)

Settings for .rk.in
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) : 2008:cb84:d968:3333::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)

Settings for DirectAccess-NLS.rk.in
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)

Also I noticed that I am not able to apply The GPO correctly I looked at the Above Mentioned Link but then also i am unable to do that. Provide me the steps so that i can do it and route the Internet traffic through DA server.

thanks

Edited by roshan kr 20 hours 2 minutes ago

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 6:45am

Hi,

According to the result of the command you already have Force tunneling enabled as jou have awildcard entry (resolve all names). Proxy to be used is da.rk.in:443

August 7th, 2015 7:58am

ya then also Internet is limitted on the Client machine. is ther eany solution to overcome from this.

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 9:06am

When you enable force tunneling all internet access pass throught your proxy ak da.rk.in. Force tunneling need some tuning because some Windows feature such as NCSI does not understand what happend.

August 7th, 2015 9:09am

When i am tracing the Path through Client Machine for Example

tracert google.com

my IPV6 of Da server is pinging one time and then its showing request timed out

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 9:17am

Ping is not a good friend as it does not use NRPT, prefer NSLOOKUP -Server 2008:cb84:d968:3333::1 <name to resolve>

If you have an answer it's not a name resolution problem but a connectivity problem.

August 7th, 2015 9:20am

After running the above command i am getting this:-

thanks

Edited by roshan kr Friday, August 07, 2015 11:23 AM

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 10:44am

After running the above command i am getting this:-

thanks

Edited by roshan kr Friday, August 07, 2015 11:23 AM

August 7th, 2015 10:44am

After running the above command i am getting this:-

thanks

Edited by roshan kr Friday, August 07, 2015 11:23 AM

Free Windows Admin Tool Kit Click here and download it now

August 7th, 2015 10:44am

now it's coming this.

C:\Windows\system32>NSLOOKUP -Server 2008:cb84:d968:3333::1
*** Invalid option: Server
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.2.0.4

DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

and one more thing i want to ask from you that I can do this force tunneling without Proxy or Not as i haven't made the proxy server till yet.

Edited by roshan kr 2 hours 20 minutes ago

August 8th, 2015 12:56am

now it's coming this.

and one more thing i want to ask from you that I can do this force tunneling without Proxy or Not as i haven't made the proxy server till yet.

Edited by roshan kr Saturday, August 08, 2015 5:05 AM

Free Windows Admin Tool Kit Click here and download it now

August 8th, 2015 4:55am

now it's coming this.

and one more thing i want to ask from you that I can do this force tunneling without Proxy or Not as i haven't made the proxy server till yet.

Edited by roshan kr Saturday, August 08, 2015 5:05 AM

August 8th, 2015 4:55am

now it's coming this.

and one more thing i want to ask from you that I can do this force tunneling without Proxy or Not as i haven't made the proxy server till yet.

Edited by roshan kr Saturday, August 08, 2015 5:05 AM

Free Windows Admin Tool Kit Click here and download it now

August 8th, 2015 4:55am

My fault, wrong syntax

NSLOOKUP

Server 2008:cb84:d968:3333::1

August 10th, 2015 4:01am

i did it, Actually for the Force tunneling we need to set two gateway one each for both the External and Internal network.

Edited by roshan kr 20 hours 54 minutes ago
Marked as answer by roshan kr 20 hours 53 minutes ago
Unmarked as answer by roshan kr 20 hours 53 minutes ago
Marked as answer by roshan kr 20 hours 53 minutes ago

Free Windows Admin Tool Kit Click here and download it now

August 31st, 2015 6:33am

i did it, Actually for the Force tunneling we need to set two gateway one each for both the External and Internal network.

Edited by roshan kr Monday, August 31, 2015 10:32 AM
Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM
Unmarked as answer by roshan kr Monday, August 31, 2015 10:32 AM
Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM

August 31st, 2015 10:32am

i did it, Actually for the Force tunneling we need to set two gateway one each for both the External and Internal network.

Edited by roshan kr Monday, August 31, 2015 10:32 AM
Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM
Unmarked as answer by roshan kr Monday, August 31, 2015 10:32 AM
Marked as answer by roshan kr Monday, August 31, 2015 10:32 AM

Free Windows Admin Tool Kit Click here and download it now

August 31st, 2015 10:32am

This topic is archived. No further replies will be accepted.