Some 3G Connections May Not Enable DirectAccess Always-On Connectivity
DirectAccess is about being “always-on”. When I start my laptop in the morning, I’m ready to get to work. Even though I don’t work on the Microsoft campus, I’m able to connect to anything I want (that I have permissions to connect to) on the Microsoft intranet without thinking about connecting to an SSL VPN portal, some web application gateway, or a traditional network layer VPN connection. I just start the laptop and BAM! I’m connected. And IT is always connected to me too, so my laptop is always up to date and managed by Microsoft IT.
DirectAccess connections consist of two IPsec tunnels that come up when the Windows Firewall with Advanced Security Private or Public profile is assigned to a machine configured as a DirectAccess client. When the Public or Private profile is active, the DirectAccess client will attempt to establish two IPsec tunnels with the DirectAccess server:
- the infrastructure tunnel
- the intranet tunnel
The infrastructure tunnel is established after computer certificate authentication and computer account NTLMv2 authentication. The infrastructure tunnel allows the DirectAccess client to connect to key resources on the intranet, such as domain controllers and management servers (WSUS, SCCM, SCOM, etc.). Infrastructure tunnel connectivity enables you to always manage the DirectAccess client, even if no user is logged on to the computer. In addition, the infrastructure tunnel provides the connectivity required for the user to log on and establish the intranet tunnel.
The intranet tunnel is established after both computer certificate and user account Kerberos authentication is successful. In order to complete the user account authentication (Kerberos), the user needs access to a domain controller. That’s why you need the infrastructure tunnel to come up before the second tunnel can be established. The intranet tunnel cannot be established by using cached credentials on the client.
How Does 3G Connectivity Influence DirectAccess Always-On Connectivity
So what does all this have to do with 3G connectivity? Mobile computers with 3G adapters are becoming increasingly popular. These 3G adapters are tremendously convenient, as you no longer need to depend on being able to connect to whatever local network happens to be available where you are physically located. All of us have gone through “the drill” of trying to connect to a customer’s network, a hotel network, or some public Wi-Fi network. Sometimes it’s easy, but more often than not there are some bumps that eat into your productivity. The 3G adapter allows you to get around those time-eating complications.
The problem is that not all 3G adapters and their supporting software are the same. The following describes an interesting issue that came up when a customer was using a particular 3G adapter:
“This morning I tested the “always-on” 3G connection scenario with my Rogers 3G adapter (https://www.rogers.com/web/content/wireless_network) and the built-in 3G GOBI (built-in mobile broadband technology - https://www.gobianywhere.com/) adapter in my HP Tablet and found that when using the Rogers USB 3G adapter an “always-on” connection is not possible, but when using an integrated 3G GOBI module it is possible (it really comes down to the software that is provided). The details of my test methodology and results are below…
Rogers Rocket™ Stick – The Rogers Communication Manager software runs in User Mode only (does not run as a Service), so the connection is invoked when a user is logged on and disconnected when the user logs off. There is an “Auto-Connect” checkbox, but it only makes the connection when a user logs on to the device. Therefore the current software provided by Rogers does not support an “always-on” scenario. I verified this by looking at the activity light on the USB stick itself – Red means the device is not ready, solid Blue means a network is detected, blinking Blue means the network is connected and active. For the duration of the test the activity light remained solid Blue, indicating that a connection to the 3G network was never established. It only began blinking after I logged in to the computer.
HP Built-In 3G GOBI Adapter – The HP software is installed as a Service that can be configured to automatically start at boot (in the Services console), and there is also an option to “Auto-Connect” to the 3G broadband. Since the HP Tablet does not have external lights to indicate network activity I had to find another method to determine if the 3G connection was active prior to logon, so I did the following:
- Disabled the wireless adapter, so that the HP Tablet could only connect using the 3G broadband
- Installed the Windows Live Mesh software on the HP Tablet, added the HP Tablet to my managed device list and configured it to allow remote connections
- I completely shut down the HP Tablet, then turned it on (cold boot) and left it alone (did not log on)
- At my other computer (Lenovo laptop), I logged on to https://mesh.live.com and was able to successfully Remote Desktop to my HP Tablet via the website
- To verify that only the 3G broadband connection was active, from the Remote Desktop session I checked the active network connections on the HP Tablet, then double-checked by logging on to the HP Tablet locally – and yes, throughout the entire time the only active connection was the 3G broadband.
Therefore the HP built-in 3G adapter (with a Rogers SIM), appropriately configured, will allow for an “always-on” 3G connection that could be used for device management prior to user logon. A similar test would have to be run for any other 3G adapter you will be using to verify if the 3G adapter’s software provides the same capability.”
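The pre-logon test above relies on a remote desktop session to look at the active connections. An added example (not from the original post or from HP, Rogers or Microsoft) does the same check from the client itself: a startup scheduled task running as SYSTEM that polls, before anyone logs on, whether the 3G adapter reports a connected state and whether the DirectAccess infrastructure tunnel (an IPsec main mode SA) exists, and writes the results to a log. The script path, log path, adapter name substring and the “Local IP Address” label counted in the netsh output are assumptions; adjust them for your device.

```powershell
# Added example: log 3G adapter and DirectAccess tunnel state at boot, before logon.
# Assumed paths/names (not from the original post): C:\Tools\Check-PreLogon3G.ps1,
# log at C:\Tools\prelogon-3g.log, adapter name containing "Mobile Broadband".
$LogPath     = 'C:\Tools\prelogon-3g.log'
$AdapterHint = 'Mobile Broadband'   # substring of the 3G adapter's device name
$PollSeconds = 15
$MaxMinutes  = 10

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

function Get-AdapterState {
    # NetConnectionStatus 2 = Connected (Win32_NetworkAdapter documented values);
    # the Rogers stick should never reach 2 until a user logs on, the HP GOBI should.
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID -and $_.Name -like "*$AdapterHint*" } |
        ForEach-Object { '{0}: NetConnectionStatus={1}' -f $_.Name, $_.NetConnectionStatus }
}

function Get-TunnelState {
    # Main mode SAs exist only once the infrastructure tunnel has been negotiated.
    # Counting the 'Local IP Address' label is an assumption about netsh's English output.
    $mmsa    = (netsh advfirewall monitor show mmsa | Out-String)
    $saCount = ([regex]::Matches($mmsa, 'Local IP Address')).Count
    $iphttps = (netsh interface httpstunnel show interfaces | Out-String)
    'mainmode_SAs={0}; iphttps={1}' -f $saCount, (($iphttps -replace '\s+', ' ').Trim())
}

# Win32_ComputerSystem.UserName is empty while no interactive user is logged on,
# so the log shows whether each sample was taken before or after logon.
$deadline = (Get-Date).AddMinutes($MaxMinutes)
while ((Get-Date) -lt $deadline) {
    $user = (Get-WmiObject Win32_ComputerSystem).UserName
    if (-not $user) { $user = '<no interactive user>' }
    Write-Log ('user={0}; {1}' -f $user, ((Get-AdapterState) -join '; '))
    Write-Log (Get-TunnelState)
    Start-Sleep -Seconds $PollSeconds
}

# Register once from an elevated prompt so the check runs at every boot as SYSTEM:
# schtasks /Create /TN "PreLogon3GCheck" /SC ONSTART /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Tools\Check-PreLogon3G.ps1"
```

Cold boot the machine, leave it at the logon screen for the polling window, then log on and read the log: samples with no interactive user that show NetConnectionStatus=2 and a non-zero main mode SA count mean the adapter and the infrastructure tunnel came up before logon.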
Later, another interesting finding was that with the HP GOBI 3G adapter, if the user logs off the computer, the 3G adapter shuts down and does not start again until the user logs on again or the machine is restarted.
Summary
When considering a 3G solution to work with your DirectAccess capable mobile computer, make sure to check on the adapter software’s connectivity behavior. The adapter should be able to initialize and connect to the 3G network before the user logs on to the DirectAccess client computer. You can use the methods described in this article to determine if the adapter is capable of this behavior.
(Hat tip to Pat Telford for informing me of this issue.)
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues: https://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads
Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki: https://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx
Comments
Anonymous
January 01, 2003
Richardf, DirectAccess will work but not until the Internet connection is established. So if the connection is not established until AFTER a user logs in, that means new users will not be able to log on to that laptop because it would not have connectivity to a DC to authenticate their credentials. This is just because it does not have an Internet connection, and therefore could not establish the infrastructure tunnel while at the log on / welcome screen. To summarize, some 3G vendors who promote their products to be "always on" can really mean one of two things:
- The computer is "always online" once a user has logged on to it (the Rogers Rocket Stick scenario)
- The computer is "always online" while the computer is running (the HP Built-In 3G GOBI Adapter scenario)
What you should take from this post is that you need to identify how your 3G vendor software works and how that will affect the functionality of DirectAccess.
Anonymous
January 01, 2003
Another issue that might come around is the Access Point Name (APN) configuration of your mobile network provider. Some IPv6 translation methods aren't supported by default. I'd an issue with 6to4 and Teredo where IP-HTTPS does work.
Anonymous
January 01, 2003
Hi Ronny, Yes, that is another important issue! Interesting that Teredo is a problem, given that it uses UDP as a transport on a port number that shouldn't catch anybody's attention. Of course, IP-HTTPS isn't going to catch any operator's attention. Thanks! Tom
Anonymous
January 18, 2011
The comment has been removed