Checking Forefront UAG DirectAccess connectivity
Updated: April 8, 2010
Applies To: Unified Access Gateway
To ensure that connectivity on your Forefront Unified Access Gateway (UAG) DirectAccess server is functioning correctly, do the following checks at least on a daily basis:
Checking the relevant transition technology interfaces are enabled .
Monitoring security associations on the Forefront UAG DirectAccess server.
Verifying that the infrastructure and intranet tunnels are functioning between the DirectAccess client and the Forefront UAG DirectAccess server.
Checking connectivity from the Forefront UAG DirectAccess server to a domain controller.
Checking the relevant transition technology interfaces are enabled
The IP Helper service (Iphlpsvc) provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. On a daily basis, confirm that the service is started.
You can use the following commands to assess the status of the interface for each transition technology.
Note
You should input commands from an elevated command prompt.
Command | Description | On client (C) or server (S) |
---|---|---|
ipconfig /all |
Displays all IP configuration data, and should include global IP address. |
C,S |
Netsh interface teredo show state |
Displays the current state of Teredo. |
C,S |
Netsh interface 6to4 show state |
Displays the current state of 6to4. |
C,S |
Netsh interface isatap show state |
Displays the current state of ISATAP. |
S |
Netsh interface httpstunnel show interface |
Displays the current state of IP-HTTPS interface. This should not have a status of deactivated. |
C,S |
Monitoring security associations on the Forefront UAG DirectAccess server
Before secured data can be exchanged, a security agreement between the two computers must be established. In this security agreement, called a security association (SA), both computers agree on how to exchange and protect information.
Main mode negotiation establishes a secure channel between two computers by determining a set of cryptographic protection suites, exchanging keying material to establish a shared secret key, and authenticating computer and user identities. An SA is the information maintained about that secure channel on the local computer, so that it can use the information for future network traffic to the remote computer. You can monitor main mode SAs for information such as which peers are currently connected to this computer, and which protection suite was used to form the SA.
Quick mode negotiation establishes a secure channel between two computers to protect user data exchanged between them. During quick mode negotiation, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects the IP data traffic is also selected. The exchange of information required to negotiate a quick mode SA is performed within the context of the main mode SA. After the quick mode SA is established, the two computers can exchange network packets within the context of the quick mode SA. There is only one main mode SA between a pair of computers for a given user, (traffic initiated by different users between the same pair of computers creates a different main mode SA). You can have many quick mode SAs. Monitoring quick mode SAs can provide information about which peers are currently connected to this computer, and which protection suite is protecting the data exchanged between them.
To monitor main mode and quick mode security associations
In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Main Mode.
All main mode security associations are displayed.
In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Quick Mode.
All quick mode security associations are displayed.
Verifying that the infrastructure and intranet tunnels are functioning between the DirectAccess client and the Forefront UAG DirectAccess server
By using Internet Protocol security (IPsec) and IPv6 technologies, Forefront UAG DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network.
Forefront UAG DirectAccess:
Uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.
Leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).
DirectAccess clients establish an IPsec tunnel for the IPv6 traffic to the Forefront UAG DirectAccess server, which acts as a gateway to the intranet.
The DirectAccess client establishes two IPsec tunnels:
The Infrastructure IPsec Encapsulating Security Payload (ESP) tunnel using a computer certificate—This tunnel provides access to Domain Name System (DNS) servers, domain controllers, and other management servers, enabling the computer to download Group Policy objects, and to request authentication on the user’s behalf.
The intranet IPsec ESP tunnel using both a computer certificate and user credentials—This tunnel authenticates the user and provides access to intranet resources and application servers. For example, this tunnel would need to be established to access servers that are not included in the management.
To verify whether a DirectAccess client can successfully create the infrastructure tunnel
On the DirectAccess client, click Start, click All Programs, click Accessories, right-click Command prompt, and then click Run as administrator.
Note
If the User Account Control dialog box appears, confirm that it displays your required action, and then click Continue.
From the Command Prompt window, run the netsh advfirewall monitor show mmsa command.
A main mode SA with the Remote IP Address should be set to the IPv6 address 2002:WWXX:YYZZ::WWXX:YYZZ, in which WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, the second public IPv4 address assigned to the Internet interface of the Forefront UAG DirectAccess server. For example, if the second public IPv4 address is 131.107.0.3, the corresponding 6to4 IPv6 address is 2002:836b:3::836b:3 (836b:3 is the colon-hexadecimal representation for 131.107.0.3). The main mode SA should also have ComputerCert for Auth1 and UserNTLM for Auth2.
From the Command Prompt window, run the netsh advfirewall monitor show qmsa command.
A quick mode SA with the Remote IP Address should be set to the IPv6 address 2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the second public IPv4 address assigned to the Internet interface of the Forefront UAG DirectAccess server.
To verify whether a DirectAccess client can successfully create the intranet tunnel
On the DirectAccess client, click Start, click All Programs, click Accessories, right-click Command prompt, and then click Run as administrator.
Note
If the User Account Control dialog box appears, confirm that it displays your required action, and then click Continue.
From the Command Prompt window, run the net view \\IntranetFileServer command. Alternately, use your Internet Web browser to access an intranet uniform resource locator (URL) or another application to access an intranet resource.
From the Command Prompt window, run the netsh advfirewall monitor show mmsa command.
A main mode SA with the Remote IP Address should be set to the 6to4 IPv6 address corresponding to the first public IPv4 address assigned to the Internet interface of the Forefront UAG DirectAccess server. For example, if the first public IPv4 address is 131.107.0.2, the corresponding 6to4 IPv6 address is 2002:836b:2::836b:2 (836b:2 is the colon-hexadecimal notation for 131.107.0.2). The main mode SA should also have ComputerCert for Auth1 and UserKerb for Auth2.
From the Command Prompt window, run the netsh advfirewall monitor show qmsa command.
A quick mode SA with the Remote IP Address should be set to the 6to4 IPv6 address corresponding to the second public IPv4 address assigned to the Internet interface of the Forefront UAG DirectAccess server.
Checking connectivity from the Forefront UAG DirectAccess server to a domain controller
The Forefront UAG DirectAccess server must have access to a domain controller in order to successfully validate the credentials of the DirectAccess client.
To verify connectivity to a domain controller
To ensure that the DirectAccess server can access a domain controller to validate the credentials of the DirectAccess client, run the nltest /dsgetdc: /force command at an elevated command prompt. If there are no domain controllers listed, troubleshoot the lack of discoverability and connectivity between the DirectAccess server and Active Directory.
On the Forefront UAG server, click Start, click All Programs, click Accessories, right-click Command prompt, and then click Run as administrator.
Run the nltest /dsgetdc: /force command.
The domain controller to which the Forefront UAG server is connected is displayed.
Note
The nltest /dsgetdc: /force command can also be used on a DirectAccess client to ensure that it has access to a domain controller.