Cannot Reach the DirectAccess Server with IP-HTTPS

Updated: April 15, 2010

Applies To: Windows Server 2008 R2

A DirectAccess client on the Internet that has a private Internet Protocol version 4 (IPv4) address attempts to use Teredo to obtain Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server. However, private networks can block Teredo traffic because they only allow very specific types of Internet traffic, such as Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), and Secure Hypertext Transfer Protocol (HTTPS). In this case, the Teredo client on the DirectAccess client cannot communicate with its Teredo server to obtain a Teredo-based IPv6 address.

To provide IPv6 connectivity in this case and other situations where Teredo traffic is not forwarded, DirectAccess attempts to use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), in which IPv6 packets are sent over an IPv4-based HTTPS session. Since most private firewalls and web proxies forward HTTPS traffic, IP-HTTPS provides IPv6 connectivity in these restrictive networking environments.

The DirectAccess client obtains a 64-bit IPv6 address prefix by performing a router discovery exchange with the DirectAccess server acting as the IP-HTTPS server. The IPv6 address prefix is either automatically created by the DirectAccess Setup Wizard or specified in the Prefix Configuration page of step 2.

On the IPv4 Internet, there must be a routing path between the DirectAccess client and server that allows Transmission Control Protocol (TCP) destination port 443 traffic for HTTPS-encapsulated traffic to the DirectAccess server and TCP source port 443 traffic for HTTPS-encapsulated traffic from the DirectAccess server.

To verify IP-HTTPS functionality and configuration on a DirectAccess client

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first bit from the right in the binary number is 1, DisabledComponents has disabled IP-HTTPS. You must change the first bit from the right to 0 to enable IP-HTTPS.

  3. From the Command Prompt window, run the netsh interface httpstunnel show interfaces command.

    This command should display client in Role and the IP-HTTPS URL in URL.

  4. If the netsh interface httpstunnel show interfaces command displays More data is available, your IP-HTTPS URL is longer than 256 characters. Run the reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\iphttps\iphttpsinterface /f command, install an IP-HTTPS certificate on the DirectAccess server that has a Subject field value less than 235 characters, configure the DirectAccess server with the DirectAccess Setup Wizard to use the new certificate, apply the DirectAccess server settings, and update the computer configuration Group Policy on your DirectAccess clients. For more information, see Install an IP-HTTPS Certificate.

If the DirectAccess client is on an intranet behind a proxy server, it must be able to locate and use the intranet proxy server for IP-HTTPS-based connections. To check this quickly, use your Internet browser and attempt to reach an Internet website (such as www.microsoft.com). If you succeed, the DirectAccess client has determined the proper intranet proxy server. If you cannot access any Internet locations, perform the following procedure.

To configure the DirectAccess client to use an intranet proxy server

  1. Configure your Internet browser to use the intranet proxy server.

    For Internet Explorer:

    • Click Tools, and then click Internet Options.

    • Click the Connections tab, and then click LAN settings.

  2. On the DirectAccess client, start a command prompt as an administrator.

    From the Command Prompt window, run the netsh winhttp import proxy source=ie command.

If you must reconfigure the proxy server settings after leaving the intranet, repeat the previous procedure with the original proxy settings.
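The following PowerShell script is an added example and not part of this topic. It reads the proxy that Internet Explorer is configured to use and the proxy that WinHTTP currently uses, reports whether they agree, and prints the import command from step 2 when they do not. It assumes a static proxy server setting in Internet Explorer; the registry key and the netsh winhttp show proxy output format it parses are the standard ones on Windows 7 and Windows Server 2008 R2. Run it from an elevated PowerShell prompt on the DirectAccess client.

```powershell
# Added example, not from the original topic: compares the Internet Explorer
# proxy with the WinHTTP proxy used for IP-HTTPS connections.
# Assumes a static proxy server setting in Internet Explorer.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { '<direct>' }

# "netsh winhttp show proxy" prints either "Direct access (no proxy server)."
# or a "Proxy Server(s) : host:port" line.
$winhttpProxy = '<direct>'
foreach ($line in (& netsh winhttp show proxy)) {
    if ($line -match '^\s*Proxy Server\(s\)\s*:\s*(\S+)') { $winhttpProxy = $matches[1] }
}

New-Object PSObject -Property @{
    IEProxy         = $ieProxy
    IEAutoConfigUrl = $ie.AutoConfigURL
    WinHttpProxy    = $winhttpProxy
    Matches         = ($ieProxy -eq $winhttpProxy)
}

if ($ieProxy -ne $winhttpProxy) {
    Write-Host 'WinHTTP does not use the browser proxy. From an elevated command prompt, run:'
    Write-Host '    netsh winhttp import proxy source=ie'
}
if ($ie.AutoConfigURL) {
    # The import takes the static proxy server setting; confirm the result
    # afterwards with "netsh winhttp show proxy".
    Write-Warning 'Internet Explorer uses an automatic configuration script; verify the imported WinHTTP proxy.'
}
```

Run the script again after the import (or after restoring the original settings when you leave the intranet) to confirm that the two proxy settings agree.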

To verify IP-HTTPS functionality and configuration on the DirectAccess server

  1. On the DirectAccess server, start a command prompt as an administrator.

  2. From the Command Prompt window, run the reg query HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v DisabledComponents command.

    If the DisabledComponents registry value is present, the command displays its value. If the DisabledComponents registry value is not present, the command displays ERROR: The system was unable to find the specified registry key or value.

    If DisabledComponents is present and it is not 0, convert it to a binary number. If the first bit from the right in the binary number is 1, DisabledComponents has disabled IP-HTTPS. You must change the first bit from the right to 0 to enable IP-HTTPS.

  3. From the Command Prompt window, run the netsh interface httpstunnel show interfaces command.

    This command should display server in Role, the IP-HTTPS URL in URL, and IPHTTPS interface active in Interface Status.

  4. If the netsh interface httpstunnel show interfaces command displays More data is available, your IP-HTTPS URL is longer than 256 characters. Run the reg delete HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\IPHTTPS\IPHTTPSInterface /f command, install an IP-HTTPS certificate on the DirectAccess server that has a Subject field value less than 235 characters, configure the DirectAccess server with the DirectAccess Setup Wizard to use the new certificate, apply the DirectAccess server settings, and update the computer configuration Group Policy on your DirectAccess server. For more information, see Install an IP-HTTPS Certificate.
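The following PowerShell script is an added example and not part of this topic. It performs steps 2 to 4 of both verification procedures (the client procedure earlier in this topic and the server procedure above): it reads the DisabledComponents registry value and tests its first bit from the right, parses the output of netsh interface httpstunnel show interfaces, and reports the Role, URL, Interface Status and Last Error Code values together with anything that differs from what the procedures say the command should display. The -Role parameter and the field names it parses are assumptions about the netsh output layout. Run it from an elevated PowerShell prompt with -Role client on a DirectAccess client or -Role server on the DirectAccess server.

```powershell
# Added example, not from the original topic: performs steps 2 to 4 of the
# client and server IP-HTTPS verification procedures.
param(
    [ValidateSet('client', 'server')]
    [string]$Role = 'client'
)
$result = @{}

# Step 2: DisabledComponents. A missing value is the same as 0 (nothing disabled).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -eq $null) { $dc = 0 }
$result.DisabledComponents = '0x{0:X8}' -f $dc
# The first bit from the right (bit 0) set to 1 means IP-HTTPS is disabled.
$result.IpHttpsDisabledByRegistry = (($dc -band 1) -eq 1)

# Step 3: parse "netsh interface httpstunnel show interfaces".
$lines = @(& netsh interface httpstunnel show interfaces 2>&1 | ForEach-Object { "$_" })
$result.MoreDataIsAvailable = (($lines -join "`n") -match 'More data is available')
foreach ($line in $lines) {
    if ($line -match '^\s*Role\s*:\s*(.+)$')             { $result.Role            = $matches[1].Trim() }
    if ($line -match '^\s*URL\s*:\s*(.+)$')              { $result.Url             = $matches[1].Trim() }
    if ($line -match '^\s*Interface Status\s*:\s*(.+)$') { $result.InterfaceStatus = $matches[1].Trim() }
    if ($line -match '^\s*Last Error Code\s*:\s*(.+)$')  { $result.LastErrorCode   = $matches[1].Trim() }
}

# Compare with what the procedures say the command should display.
$problems = @()
if ($result.IpHttpsDisabledByRegistry) {
    $problems += "DisabledComponents bit 0 is set ($($result.DisabledComponents)); clear it and restart to enable IP-HTTPS."
}
if ($result.Role -ne $Role) {
    $problems += "Expected Role '$Role' but netsh reports '$($result.Role)'."
}
if (-not $result.Url) {
    $problems += 'No IP-HTTPS URL is configured.'
} elseif ($result.MoreDataIsAvailable -or $result.Url.Length -gt 256) {
    # Step 4: the URL exceeds 256 characters; the certificate Subject must be shortened.
    $problems += 'The IP-HTTPS URL is longer than 256 characters; see step 4 of the procedure.'
}
if ($Role -eq 'server' -and $result.InterfaceStatus -notlike 'IPHTTPS interface active*') {
    $problems += "Interface Status is '$($result.InterfaceStatus)'; expected 'IPHTTPS interface active'."
}
$result.Problems = $problems
New-Object PSObject -Property $result
```

An empty Problems list means the registry value and the netsh output match the expected state for the chosen role; the LastErrorCode value is the one the certificate troubleshooting procedure later in this topic refers to.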

To troubleshoot connectivity from an IP-HTTPS-based DirectAccess client on the IPv4 Internet to the DirectAccess server

  1. On the DirectAccess client, open an Internet browser and ensure that you can access Internet locations.

    A DirectAccess client behind a captive portal that requires you to log in or provide billing information can initially prevent an IP-HTTPS-based DirectAccess connection. After you have access to the Internet, try to access an intranet resource.

  2. Start a command prompt as an administrator.

  3. From the Command Prompt window, run the ipconfig command.

    Check the configuration of the Tunnel adapter iphttpsinterface. If IP-HTTPS is being used, there should be an IPv6 address assigned. If there is no IPv6 address assigned, look at the other interfaces for a global IPv6 address (one beginning with 2 or 3). If there is an interface with a public IPv4 address, IP-HTTPS will not be used.

  4. From the Command Prompt window, run the netsh interface httpstunnel show interfaces command.

    This command displays the IP-HTTPS URL in URL.

  5. From the Command Prompt window, ping the fully qualified domain name (FQDN) from the URL in step 4.

    This ensures that the DirectAccess client can resolve the name of the IP-HTTPS server in the URL and reach the resolved IPv4 address of the DirectAccess server.

  6. Paste the URL from step 4 into your Internet browser and attempt to access it.

    Ensure that the IP-HTTPS website is accessible and has no certificate errors. If there are certificate errors, see the To troubleshoot certificate problems for an IP-HTTPS-based connection to the DirectAccess server procedure in this topic.

  7. From the Command Prompt window, run the netsh -c advfirewall command.

  8. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command.

  9. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToDnsDc" command.

  10. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToCorp" command.

  11. From the netsh advfirewall prompt, run the exit command.

  12. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 9. This is the IPv6 address of the DirectAccess server for the infrastructure tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.

  13. From the Command Prompt window, ping the IPv6 address in RemoteTunnelEndpoint from the display in step 10. This is the IPv6 address of the DirectAccess server for the intranet tunnel.

    If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the tracert -d IPv6Address command to trace the route to the destination.
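The following PowerShell script is an added example and not part of this topic. It runs steps 3 to 13 of the procedure above from an elevated PowerShell prompt on the DirectAccess client: it reads the IPv6 addresses of the iphttpsinterface tunnel adapter from ipconfig, takes the IP-HTTPS URL from netsh, resolves and pings the FQDN, checks that TCP port 443 on the server accepts a connection, fetches the URL while recording any certificate validation error, and then reads the RemoteTunnelEndpoint values of the two connection security rules from the DirectAccess GPO store and pings them, tracing the route when an endpoint that is not a 6to4 address does not answer. The -DomainName parameter replaces the DomainName placeholder in the store name of step 8; the policy GUID default is the one shown in step 8, and the parsing of ipconfig, netsh and the firewall rule output assumes their standard English layout.

```powershell
# Added example, not from the original topic: automates steps 3 to 13 of the
# client-to-server IP-HTTPS connectivity procedure.
param(
    [Parameter(Mandatory=$true)][string]$DomainName,   # replaces "DomainName" in the GPO store name
    [string]$PolicyGuid = '3491980e-ef3c-4ed3-b176-a4420a810f12'
)

function Test-Ping($Target) {
    # ping.exe exits 0 when at least one reply was received.
    & ping -n 2 $Target | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-IpHttpsAddresses {
    # Step 3: IPv6 addresses listed under "Tunnel adapter iphttpsinterface" in ipconfig.
    $inSection = $false; $addrs = @()
    foreach ($line in (& ipconfig)) {
        if ($line -match '^\S') { $inSection = ($line -match 'iphttpsinterface'); continue }
        if ($inSection -and $line -match 'IPv6 Address[^:]*:\s*(\S+)') {
            $addrs += ($matches[1] -replace '\(.*\)$', '')   # drop a trailing "(Preferred)"
        }
    }
    return $addrs
}

function Get-IpHttpsUrl {
    # Step 4: the URL line of "netsh interface httpstunnel show interfaces".
    foreach ($line in (& netsh interface httpstunnel show interfaces)) {
        if ($line -match '^\s*URL\s*:\s*(\S+)') { return $matches[1] }
    }
}

function Get-RemoteTunnelEndpoint($Store, $RuleName) {
    # Steps 7 to 11: run the advfirewall commands from a netsh script file so that
    # "set store" and "consec show rule" execute in the same netsh process.
    $scriptFile = [System.IO.Path]::GetTempFileName()
    @("advfirewall set store gpo=`"$Store`"", "advfirewall consec show rule name=`"$RuleName`"") | Set-Content $scriptFile
    $out = & netsh -f $scriptFile
    Remove-Item $scriptFile
    foreach ($line in $out) {
        if ($line -match '^\s*RemoteTunnelEndpoint\s*:\s*(\S+)') { return $matches[1] }
    }
}

$report = @{}
$report.IpHttpsAddresses = Get-IpHttpsAddresses
$url  = Get-IpHttpsUrl
$fqdn = ([System.Uri]$url).Host
$report.Url  = $url
$report.Fqdn = $fqdn

# Step 5: name resolution and IPv4 reachability of the IP-HTTPS server.
$ipv4 = [System.Net.Dns]::GetHostAddresses($fqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
$report.ResolvedIPv4 = if ($ipv4) { $ipv4.IPAddressToString } else { $null }
$report.PingOk       = if ($ipv4) { Test-Ping $ipv4.IPAddressToString } else { $false }

# TCP destination port 443 must be reachable for the HTTPS-encapsulated traffic.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($fqdn, 443); $report.Tcp443Ok = $tcp.Connected } catch { $report.Tcp443Ok = $false }
$tcp.Close()

# Step 6: fetch the URL and record any certificate validation error.
$script:sslErrors = 'None'
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($s, $cert, $chain, $errors)
    $script:sslErrors = $errors.ToString()   # record the error, then let the request complete
    return $true
}
try {
    $resp = [System.Net.WebRequest]::Create($url).GetResponse()
    $report.HttpStatus = [int]$resp.StatusCode; $resp.Close()
} catch [System.Net.WebException] {
    $report.HttpStatus = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
$report.CertificateErrors = $script:sslErrors

# Steps 12 and 13: reach the infrastructure and intranet tunnel endpoints.
$store = "$DomainName\DirectAccess Policy-{$PolicyGuid}"
$report.Tunnels = foreach ($rule in 'DirectAccess Policy-ClientToDnsDc', 'DirectAccess Policy-ClientToCorp') {
    $ep = Get-RemoteTunnelEndpoint $store $rule
    $ok = if ($ep) { Test-Ping $ep } else { $false }
    # As in steps 12 and 13, trace the route only for an unreachable endpoint that is not a 6to4 (2002::/16) address.
    $trace = if ($ep -and -not $ok -and $ep -notlike '2002:*') { (& tracert -d $ep) -join "`n" } else { '' }
    New-Object PSObject -Property @{ Rule = $rule; RemoteTunnelEndpoint = $ep; Reachable = $ok; Trace = $trace }
}
New-Object PSObject -Property $report
```

A CertificateErrors value other than None points to the certificate troubleshooting procedure that follows; an HttpStatus that is an error message rather than a number means the client never completed a TCP or TLS connection to the IP-HTTPS URL.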

To troubleshoot certificate problems for an IP-HTTPS-based connection to the DirectAccess server

  1. From the display of the netsh interface httpstunnel show interfaces command on the DirectAccess client, note the value in the Last Error Code.

    For an explanation of the IP-HTTPS error code, find the Last Error Code number in the list of COM Error Codes (Security and Setup) (https://go.microsoft.com/fwlink/?LinkId=180807).

  2. Ensure that the FQDN in the IP-HTTPS URL on the DirectAccess client matches the Subject field of the IP-HTTPS certificate on the DirectAccess server.

    If not, you need to either select the correct certificate on the DirectAccess server or install a certificate that can be used for IP-HTTPS connections. For information about IP-HTTPS certificate requirements, see Design Your PKI for DirectAccess.

  3. Using the Certificates snap-in to view the properties of the IP-HTTPS certificate on the DirectAccess server, determine the Internet certificate revocation list (CRL) distribution point locations for the IP-HTTPS certificate (the URL without the file name).

  4. From a Command Prompt window on the DirectAccess client, ping the FQDN from the CRL distribution point location in step 3.

    This step ensures that the DirectAccess client can resolve the name of the CRL distribution point server location and reach the resolved address.

  5. Type the Internet CRL distribution point from step 3 into your Internet browser. You should see a series of files with the .crl extension. Ensure that you can open the .crl files.

    If you cannot reach the CRL distribution point and open the .crl files from the DirectAccess client, you cannot use IP-HTTPS.

  6. Perform certificate troubleshooting on the DirectAccess client and server to ensure that the DirectAccess client can successfully validate the IP-HTTPS certificate of the DirectAccess server and the DirectAccess server can successfully validate the IP-HTTPS certificate of the DirectAccess client.
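The following PowerShell script is an added example and not part of this topic. It automates steps 2 to 5 of the procedure above from an elevated PowerShell prompt on the DirectAccess client. Rather than opening the Certificates snap-in on the server (step 3), it captures the IP-HTTPS server certificate and the chain validation status during a TLS handshake to the IP-HTTPS URL, compares the FQDN in the URL with the certificate Subject (step 2), reads the CRL distribution points from the certificate (step 3) and, for each one, pings its host and downloads the .crl file (steps 4 and 5). The -Url parameter is optional; when omitted the script takes the URL from netsh interface httpstunnel show interfaces. The parsing of the formatted CRL distribution point extension assumes its standard "URL=" layout.

```powershell
# Added example, not from the original topic: automates steps 2 to 5 of the
# IP-HTTPS certificate troubleshooting procedure from the DirectAccess client.
param([string]$Url)

if (-not $Url) {
    foreach ($line in (& netsh interface httpstunnel show interfaces)) {
        if ($line -match '^\s*URL\s*:\s*(\S+)') { $Url = $matches[1] }
    }
}
$fqdn = ([System.Uri]$Url).Host

# Capture the server certificate and the chain status from the TLS handshake.
$script:serverCert  = $null
$script:chainStatus = @()
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($s, $cert, $chain, $errors)
    $script:serverCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    $script:chainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    return $true   # record the result; the request itself is allowed to complete
}
try { $r = [System.Net.WebRequest]::Create($Url).GetResponse(); $r.Close() } catch { }
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
if ($script:serverCert -eq $null) { throw "No TLS handshake with $Url; troubleshoot connectivity first." }
$cert = $script:serverCert

# Step 2: the FQDN in the URL must match the Subject (common name) of the certificate.
$subjectCn      = $cert.GetNameInfo('SimpleName', $false)
$subjectMatches = ($subjectCn -eq $fqdn)

# Step 3: CRL distribution points (extension OID 2.5.29.31). The formatted
# extension text contains lines such as "URL=http://crl.example.com/ca.crl".
$cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$cdpUrls = @()
if ($cdpExt) {
    $cdpUrls = @([regex]::Matches($cdpExt.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value })
}

# Steps 4 and 5: each distribution point host must resolve and answer ping,
# and the .crl file must download.
$cdpReport = foreach ($u in $cdpUrls) {
    $cdpHost = ([System.Uri]$u).Host
    & ping -n 2 $cdpHost | Out-Null
    $pingOk = ($LASTEXITCODE -eq 0)
    $crlOk = $false; $detail = ''
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($u)
        # A DER-encoded CRL starts with a SEQUENCE tag (0x30); a PEM-encoded one with "-----".
        $crlOk  = ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30 -or
                  [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(5, $bytes.Length)) -eq '-----')
        $detail = "$($bytes.Length) bytes"
    } catch { $detail = $_.Exception.Message }
    New-Object PSObject -Property @{ CdpUrl = $u; Host = $cdpHost; PingOk = $pingOk; CrlDownloaded = $crlOk; Detail = $detail }
}

New-Object PSObject -Property @{
    Url = $Url; Fqdn = $fqdn; CertificateSubject = $cert.Subject; SubjectCommonName = $subjectCn
    SubjectMatchesFqdn = $subjectMatches; ChainStatus = $script:chainStatus; CrlDistributionPoints = $cdpReport
}
```

A distribution point whose CrlDownloaded value is false is the case the procedure describes: the client cannot retrieve the CRL, so it cannot validate the server certificate and IP-HTTPS cannot be used until the distribution point is reachable from the Internet.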

IP-HTTPS and authenticating proxies

IP-HTTPS does not support proxy servers that require authentication with each connection, which might cause problems with IP-HTTPS connections. To determine if you are behind this type of proxy, open your Internet browser and browse a public website. You might be prompted for authentication. Open a second Internet browser window or tab and browse a different public website. If you can get to the second website without having to specify authentication credentials, IP-HTTPS should work across the proxy. If you need to enter credentials each time you access a different website, IP-HTTPS might be blocked.