If you would like to read the other parts in this article series please go to:
- Microsoft Forefront UAG – Configuring Forefront UAG as a DirectAccess Server (Part 1)
- Microsoft Forefront UAG – Configuring Forefront UAG as a DirectAccess Server (Part 2)
Let’s begin
In part I of this article series we finished installing all prerequisites for a successful Forefront UAG DirectAccess implementation. In part II we configured Forefront UAG as a DirectAccess server. This article will show you how to monitor DirectAccess clients connected to the Forefront UAG Server and how to troubleshoot DirectAccess connection problems.
Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”
After the DirectAccess group policy settings have been applied to the DirectAccess client, the client should now be able to access the corporate network with DirectAccess. It is possible to monitor the DirectAccess connection with the help of the Forefront UAG Web Monitor. Start the Forefront UAG Web Monitor and navigate to the DirectAccess Monitor and click Active Sessions. You will see all connected clients, the computer name of the DirectAccess client, the username, the type of the IPsec tunnel and the DirectAccess connection technology (Teredo, 6to4, IP-HTTPS) used.
The Forefront UAG Web Monitor allows you to monitor the connected DirectAccess clients as shown in the following screenshot:
Figure 1: DirectAccess Monitor – Active sessions
It is possible to create a filter to search for example for specific client computer accounts and user accounts
Monitoring the DirectAccess status at the Forefront UAG Server
The Forefront UAG Web Monitor provides some high level information about the overall state of the health of the Forefront UAG DirectAccess implementation. Start the Forefront UAG Web Monitor and navigate to the DirectAccess Monitor and you will see the state of the Forefront UAG services in the current status view.
Figure 2: DirectAccess Monitor – Current Status
With the Forefront UAG Web Monitor you are also able to filter the event logs created by Forefront UAG regarding DirectAccess. The following screenshot shows the event logs related to DirectAccess connections from clients.
Figure 3: Forefront UAG – event viewer
Troubleshooting DirectAccess on Forefront UAG Server
Before we go deeper into troubleshooting steps on the Forefront UAG Server, make sure that the DirectAccess group policy for the Forefront UAG Server has been applied to the system.
Next, check if all Forefront UAG services are running. Keep special attention for the Microsoft Forefront UAG DNS64 Service which is responsible for DNS IPv4 to IPv6 translation.
Forefront UAG comes with a Powershell Snap-in for UAG DirectAccess monitoring, which monitors the current Forefront UAG DirectAccess users and the status of Forefront UAG services, as shown in the following screenshot.
Figure 4: Forefront UAG PowerShell Snap In
For more DirectAccess related troubleshooting steps, I recommend you to read the following article.
Common DirectAccess troubleshooting
For common DirectAccess troubleshooting guidelines Microsoft provides a great flowchart for troubleshooting:
Figure 5: DirectAccess troubleshooting reference (Source: click here)
Troubleshooting the DirectAccess client computer
Before we go deeper into troubleshooting, make sure that the following requirements are fulfilled:
- Windows 7 Ultimate or Enterprise
- DirestAccess client must be joined to the Active Directory Domain
- Computer certificate stored in the local computer certificate store
- DirectAccess group policy has been applied
- DirectAccess client must have a global IPv6 address
- Check NRPT (Name Resolution Policy Table) on the DirectAccess client computer
- Ensure that the Windows Firewall on the DirectAccess client is activated and the public Firewall profile is used
Windows Firewall
As a next step, check if the Windows Firewall on the DirectAccess client computer has been enabled, the public Windows Firewall profile is used and the DirectAccess group policy settings has been applied to the client as shown in the following screenshot.
Figure 6: Windows Firewall with Advanced Security on the DirectAccess client
DCA (DirectAccess Connectivity Assistant)
As an optional step it is possible to automatically deploy the DCA software on the DirectAccess computer. The DCA will tell the end user if he has successfully established a connection to the corporate network and if there are some connection problems the DCA displays a warning message that DirectAccess connectivity cannot be established. The end user is now able to generate a set of log files regarding DirectAccess which may be helpful for Forefront UAG Administrators to analyse the reason for the connectivity problem.
Figure 7: DCA and Advanced Log File creation
Helpful NETSH commands for troubleshooting
Troubleshooting DirectAccess at client and Server side is based on a number of command line tools like Netsh. Here are some helpful Netsh commands at DirectAccess client side:
netsh dns show state
Displays the DirectAccess status and general configuration state.
netsh namespace show policy
This command displays the content of the NRPT (Name Resolution Policy Table) at client side, created by the group policy wizard in Forefront UAG.
netsh namespace show effectivepolicy
This command shows the active NRPT content on the client and not only the group policy settings.
The following two commands show the state of the Teredo and IP-HTTPS interface:
netsh interface teredo show state
netsh interface httpstunnel show interfaces
The following three commands are very helpful to see the state of the Windows Firewall on the DirectAccess client, the current Firewall profile used and the created IPSec Main mode Security Association (SA)
netsh advfirewall monitor show firewall
netsh advfirewall show currentprofile
netsh advfirewall monitor show mmsa
Conclusion
In this third article I showed you how to monitor DirectAccess client connections and how to troubleshoot DirectAccess connectivity problems. In my opinion troubleshooting DirectAccess connectivity problems can be painful but with the right tools and techniques you should be able to successfully resolve the cause of DirectAccess connection problems.
Related links
- DirectAccess Troubleshooting Guide
- Test Lab Guide: Troubleshoot DirectAccess
- General Methodology for Troubleshooting DirectAccess Connections
- New UAG DirectAccess Troubleshooting Content on the TechNet Wiki
- Microsoft Forefront UAG – Overview of Microsoft Forefront UAG
- Forefront UAG technical overview
If you would like to read the other parts in this article series please go to:
