Windows 7 VPN and DirectAccess co-existence
I'm trying to implement L2TP VPN to the same network with DirectAccess. The reason for this is that not all services work with DirectAccess, due to their total incompatibility with IPv6. With Windows XP everything works fine. With Windows 7 the VPN connection is established perfectly, and it works, but not to the corporate LAN! If I remove DirectAccess policies from the workstation, then everything works.

As far as I'm concerned, this is due to DirectAccess policies. The workstation tries to use IPv6 name resolution for internal names, just as the DirectAccess policies tell it to. Of course, IPv6 does not work over L2TP, and name resolution fails. If you try to access services with a plain IPv4 address, that works fine. The problem seems to be that the workstation tries to use DNS64 for internal names, and naturally without DirectAccess that does not work.

With third-party VPN clients (Cisco) it works perfectly: DirectAccess realizes there's another VPN connection that works, and suppresses itself. What is the problem with Microsoft VPN, and what do I have to do to get it working the same way?

About the environment: there's a UAG 2010 SP1 for DirectAccess, and a separate TMG 2010 SP1 for VPN connections. There are no problems in establishing the VPN connection; just the name resolution fails, because DirectAccess does not realize there's a VPN connection to the internal network. This has also been checked and implemented, with no help: Choosing a Forefront UAG DirectAccess and VPN coexistence design
May 3rd, 2011 8:55am

Does DirectAccess Mean No More VPN? http://social.technet.microsoft.com/wiki/contents/articles/does-directaccess-mean-no-more-vpn.aspx?wa=wsignin1.0
May 3rd, 2011 5:42pm

Hi, how is it going? Does the link provided by _p_k_ help? Please feel free to give us any updates. Regards, Juke, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 4th, 2011 1:14am

Hi, the link does not help. It only states what we are facing: not all applications work with DirectAccess. It also states that you can use traditional VPN, and in that case the DirectAccess components will shut down. Now the problem is that they don't. The only technical information in that article is a link to the same TechNet article I showed in the first post, and that does not help. Still need help to get VPN working when DirectAccess has been implemented.
May 4th, 2011 2:20am

Hi, as you say, I also suspect the DirectAccess client has not detected itself to be located on the intranet when the traditional VPN is established.

A network location server installed on the internal network is used to determine whether a DirectAccess client is connected to the internal network. When a DirectAccess client connects to a network, it attempts to access the specified HTTPS-based URL on a network location server. If the connection to the HTTPS-based URL is successful, the DirectAccess client determines that it is on the internal network, and DirectAccess functionality is not used. If the network location server is unavailable and the DirectAccess client is connected to the internal network, DirectAccess functionality is enabled for the client. This impairs the client's ability to reach internal network resources. Therefore, the VPN server needs to communicate with the network location server, and then the network location server can determine whether the DirectAccess functionality on the VPN client should be disabled.

Have you checked the following things?

- The remote access VPN server is not blocking access to the network location server on the intranet, even when the network access of VPN clients is restricted. When the remote access VPN connection is active, the DirectAccess client should successfully detect that it is located on the intranet, regardless of its VPN-based network access status (restricted or full access).
- Firewall or connection security rules of the DirectAccess client should not block access to locations needed to remediate the system health of the computer when it has its access restricted as a remote access VPN client.
- The fully qualified domain name (FQDN) of the VPN server on the Internet either does not match the intranet namespace, or there is a corresponding exemption rule for the FQDN in the Name Resolution Policy Table (NRPT).

Can you access the Network Location Server via VPN when you disable the DirectAccess policies? Check the permission setting in the Routing and Remote Access role. The following links are for your reference. Network Location Server http://technet.microsoft.com/en-us/library/gg315317.aspx Using DNS with Forefront UAG DirectAccess http://technet.microsoft.com/en-us/library/gg315312.aspx Regards, Juke, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
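The checks in the reply above can be scripted from the Windows 7 client while the VPN tunnel is up. The following PowerShell is an added example for this thread, not code from the original posts or from Microsoft; it assumes the NLS URL and VPN server FQDN shown as placeholders, and it assumes the "Settings for <namespace>" / "DirectAccess (DNS Servers)" layout that `netsh namespace show effectivepolicy` prints on Windows 7 (adjust the regexes if your output differs).

```powershell
# Added example (not from the thread): script the NLS / NRPT checks listed above
# from a DirectAccess client that has a traditional VPN connection active.
param(
    [string]$NlsUrl        = "https://nls.corp.example.internal/",  # assumed placeholder
    [string]$VpnServerFqdn = "vpn.example.com"                      # assumed placeholder
)

# 1. Can the client reach the NLS HTTPS URL? DA only turns itself off when the request
#    succeeds AND the server certificate chains to a trusted CA, so a trust failure is
#    reported separately from an ordinary connection failure.
function Test-NlsReachable {
    param([string]$Url)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = "HEAD"
        $req.Timeout = 5000
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return @{ Reachable = $true; Status = $status; Detail = "" }
    } catch [System.Net.WebException] {
        $we  = $_.Exception
        $tls = ($we.Status -eq [System.Net.WebExceptionStatus]::TrustFailure)
        $why = if ($tls) { "NLS certificate is not trusted by this client" } else { $we.Message }
        return @{ Reachable = $false; Status = $null; Detail = $why }
    }
}

# 2. Read the effective NRPT: which namespaces are steered to the DA (DNS64) servers, and
#    which are exemptions (a rule with an empty DNS server list). Output layout is assumed.
function Get-NrptRules {
    $rules   = @{}
    $current = $null
    foreach ($line in (netsh namespace show effectivepolicy)) {
        if ($line -match '^\s*Settings for\s+(\S+)') {
            $current = $Matches[1]
            $rules[$current] = ""          # empty until a DNS server line is seen
        } elseif ($current -and $line -match 'DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $rules[$current] = $Matches[1].Trim()
        }
    }
    return $rules
}

# 3. The VPN server's public FQDN must not be covered by a DA namespace that has DNS
#    servers; otherwise its name is sent to DNS64 over a tunnel that is not up yet.
#    Returns the offending rule name, or $null if the FQDN is exempt or unmatched.
function Test-VpnFqdnSteeredToDa {
    param([string]$Fqdn, [hashtable]$Rules)
    foreach ($ns in $Rules.Keys) {
        $matches = if ($ns.StartsWith(".")) { $Fqdn.ToLower().EndsWith($ns.ToLower()) }
                   else                     { $Fqdn -ieq $ns }
        if ($matches -and $Rules[$ns] -ne "") { return $ns }   # steered to DA DNS
        if ($matches)                         { return $null } # explicit exemption
    }
    return $null
}

$nls = Test-NlsReachable -Url $NlsUrl
if ($nls.Reachable) { "NLS $NlsUrl reachable over the VPN, HTTP $($nls.Status)" }
else                { "NLS $NlsUrl NOT reachable: $($nls.Detail)" }

$rules = Get-NrptRules
"NRPT rules in effect: $($rules.Keys -join ', ')"

$hit = Test-VpnFqdnSteeredToDa -Fqdn $VpnServerFqdn -Rules $rules
if ($hit) { "WARNING: $VpnServerFqdn falls under NRPT rule '$hit'; add an NRPT exemption for it" }
else      { "$VpnServerFqdn is exempt from or outside the DA namespaces" }

# 4. What the DNS client itself concluded. 'Machine Location' should read
#    'Inside corporate network' once NLS detection has succeeded.
netsh dnsclient show state | Where-Object { $_ -match 'Machine Location|Network Location Behavior' }
```

Run it in an elevated PowerShell session with the VPN connected. If step 1 succeeds with a trusted certificate but step 4 still reports an outside location, the NLS probe itself is reaching the server while something else in the path (as the thread's later posts found, a routing or relay issue on TMG) is interfering with the client's own detection traffic.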
May 5th, 2011 5:04am

Hello, the specified NLS website is accessible via the VPN tunnel, with and without DirectAccess policies. I agree it sounds very, very strange, since this is the detection method for DirectAccess. There has to be something strange with this detection method; it looks like it only works partially. As far as I'm concerned, there's no other alternative. Thanks a lot for all this, I will perform double-checks for everything today and report what I find. Meanwhile, all suggestions for troubleshooting are more than welcome!
May 5th, 2011 6:44am

Nope. NLS is the only single place on the intranet I can access, nothing else. Despite NLS access, the DA components do not shut down. Due to HW failure (my own laptop) I'm able to test this only this weekend. I'll provide more information as soon as I have it.
May 6th, 2011 6:28am

Hi, if you can access the Network Location Server, it indicates that you are already on the intranet. It looks like it works fine. I am looking forward to you providing the more specific symptom. Regards, Juke, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 6th, 2011 7:38am

Hi, if you can access the NLS, DirectAccess should access the NLS and then disable itself. But it cannot now, so I suspect that the detection package of DirectAccess is blocked somewhere. Please disable all the firewalls for a test. Also, because the Forefront servers participate in this process and I am not familiar with this product, I also suggest posting at http://social.technet.microsoft.com/Forums/en/category/forefront for assistance. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 10th, 2011 12:24am

Hi, thanks for this. After surviving the HW failures, I was able to continue troubleshooting. The detection package is definitely blocked for some reason. Since there are Forefront TMG 2010 as well as HW firewalls involved, one of these must stop the package; checked with Telnet as well. The troubleshooting continues, thank you for the help! Jack
May 10th, 2011 4:38am

Hi, thanks for your update. I will mark my reply as "Answered". If you have any further concerns, please feel free to let me know. Regards, Juke, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 11th, 2011 9:54am

Thanks for your troubleshooting help. We found out there was a routing issue with TMG, the local default gateway and the VPN address pool. Because TMG relayed ping and HTTP traffic (not HTTPS), it made solving this quite difficult. It works now.
May 11th, 2011 10:00am
