Intranet Management Server Cannot Connect to a DirectAccess Client

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

Management servers specified in step 3 of the DirectAccess Setup Wizard can initiate connections with DirectAccess clients using a management tunnel, an Internet Protocol security (IPsec) tunnel similar to the infrastructure tunnel automatically established by the DirectAccess client computer to access domain controllers, Domain Name System (DNS) servers, and other types of infrastructure servers. The management server can connect to the DirectAccess client before the user has logged on. Alternatively, the management tunnel can be established by the DirectAccess client computer when it initiates communication with a management server.

Just like the infrastructure tunnel, success of the tunnel mode security associations (SAs) for the management tunnel depends on the connection security rules configured on DirectAccess clients and the DirectAccess server. These rules consist of a variety of settings for the following:

  • The source or destination Internet Protocol version 6 (IPv6) addresses of the management servers for which IPsec tunnel mode is required.

  • The tunnel endpoints (the IPv6 addresses of the DirectAccess server).

  • The computer certificate and UserNTLM (using the computer’s computer account credentials) authentication methods required to successfully authenticate the DirectAccess client and server.

  • The encryption and data integrity methods.

The DirectAccess Setup Wizard configures a compatible set of connection security rules for the DirectAccess server and DirectAccess clients that should result in a successful negotiation of IPsec SAs for the management tunnel.

If the DirectAccess server and the DirectAccess client cannot successfully negotiate the management tunnel, the management server on the intranet cannot communicate with the DirectAccess client to remotely manage it, install updates, or perform other management functions.

To verify whether the management server can successfully create the management tunnel

  1. On the DirectAccess client, start a command prompt as an administrator.

  2. On the DirectAccess client, click Start, type wf.msc, and then press ENTER.

  3. In the tree pane of the Windows Firewall with Advanced Security snap-in console, click Connection Security Rules.

    In the details pane, you should see connection security rules whose names begin with DirectAccess Policy. If not, this DirectAccess client has not received its connection security rules from computer configuration Group Policy. Verify that the DirectAccess client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2 and is a member of one of the security groups specified in step 1 of the DirectAccess Setup Wizard.

  4. In the tree pane of the Windows Firewall with Advanced Security snap-in console, open Monitoring\Connection Security Rules.

    In the details pane, you should see a list of connection security rules that begin with DirectAccess Policy, including a rule named DirectAccess Policy-ClientToMgmt.

  5. If you do not see these rules, from the Command Prompt window, run the netsh advfirewall monitor show currentprofile command.

    This command displays the attached networks and their determined firewall profiles. None of your networks should be in the domain profile. If any of your networks has been assigned the domain profile, determine if you have an active remote access virtual private network (VPN) connection or a domain controller that is available on the Internet.

  6. Double-click the DirectAccess Policy-ClientToMgmt rule and then click the Computers tab. Verify that the IPv6 address of the management server is listed in Endpoint 2. This list of IPv6 addresses was configured in step 3 of the DirectAccess Setup Wizard.

  7. From the intranet, use the management server to initiate communication with the DirectAccess client. For example, use the management server to establish a remote desktop connection to the DirectAccess client.

  8. On the DirectAccess client, from the Command Prompt window, run the netsh advfirewall monitor show mmsa command.

    There should be a main mode SA with the Remote IP Address set to the IPv6 address 2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the first public IPv4 address assigned to the Internet interface of the DirectAccess server. For example, if the first public IPv4 address is 131.107.0.2, the corresponding 6to4 IPv6 address is 2002:836b:2::836b:2 (836b:2 is the colon-hexadecimal notation for 131.107.0.2). The main mode SA should also have ComputerCert for Auth1 and UserNTLM for Auth2.

  9. From the Command Prompt window, run the netsh advfirewall monitor show qmsa command.

    There should be a quick mode SA with the Remote IP Address set to the IPv6 address 2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the first public IPv4 address assigned to the Internet interface of the DirectAccess server.
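The check in step 8, as an added PowerShell example that is not part of the original page: it derives the 6to4 address from the server's first public IPv4 address and looks for a main mode SA to that address with ComputerCert for Auth1 and UserNTLM for Auth2. The function names, the "Main Mode SA" header line and "Name: value" layout assumed for the netsh output, and the sample text are assumptions constructed for illustration.

```powershell
# Added example. The netsh output layout is assumed; $sample is constructed text.
function Get-6to4Address([string]$PublicIPv4) {
    $ip = [System.Net.IPAddress]::Parse($PublicIPv4)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $PublicIPv4" }
    $b = $ip.GetAddressBytes()
    # WWXX and YYZZ are the two 16-bit halves of the IPv4 address, in hexadecimal.
    $wwxx = '{0:x}' -f ($b[0] * 256 + $b[1])
    $yyzz = '{0:x}' -f ($b[2] * 256 + $b[3])
    [System.Net.IPAddress]::Parse("2002:${wwxx}:${yyzz}::${wwxx}:${yyzz}")
}

# Split the text into one hashtable of "Name: value" fields per main mode SA.
function Get-MainModeSa([string[]]$NetshOutput) {
    $sa = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Main Mode SA') {
            if ($null -ne $sa) { $sa }
            $sa = @{}
        } elseif ($null -ne $sa -and $line -match '^\s*([^:]+):\s+(\S.*?)\s*$') {
            $sa[$matches[1]] = $matches[2]
        }
    }
    if ($null -ne $sa) { $sa }
}

# True when an SA to the server's 6to4 address uses ComputerCert and UserNTLM.
function Test-ManagementTunnelSa([string]$PublicIPv4, [string[]]$NetshOutput) {
    $expected = Get-6to4Address $PublicIPv4
    foreach ($sa in @(Get-MainModeSa $NetshOutput)) {
        $remote = $null
        $ok = [System.Net.IPAddress]::TryParse($sa['Remote IP Address'], [ref]$remote)
        # Compare parsed addresses so differences in zero compression do not matter.
        if ($ok -and $remote.Equals($expected) -and
            $sa['Auth1'] -eq 'ComputerCert' -and $sa['Auth2'] -eq 'UserNTLM') {
            return $true
        }
    }
    return $false
}

$sample = @(
    'Main Mode SA at 11/18/2009 10:15:02',
    'Local IP Address:      2002:c000:201::c000:201',
    'Remote IP Address:     2002:836b:2::836b:2',
    'Auth1:                 ComputerCert',
    'Auth2:                 UserNTLM'
)
Get-6to4Address '131.107.0.2'
Test-ManagementTunnelSa '131.107.0.2' $sample
```

On a DirectAccess client, pass the output of netsh advfirewall monitor show mmsa as the second argument in place of the sample; field names on a localized Windows installation may differ from the ones assumed here.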

If the DirectAccess client computer cannot establish the main and quick mode SAs for the management tunnel using the default connection security rules created by the DirectAccess Setup Wizard, the most likely problem is a certificate authentication failure. For more information, see the “IKE certificate selection process” and “IKE certificate acceptance process” sections of Public Key Certificate.

You can view the certificates in the local computer store on the DirectAccess client and server with the Certificates snap-in.

To ensure that the DirectAccess server can access a domain controller to validate the credentials of the DirectAccess client, run the nltest /dsgetdc: /force command at an elevated command prompt. If there are no domain controllers listed, troubleshoot the lack of discoverability and connectivity between the DirectAccess server and Active Directory.

Similarly, use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it has access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-capable domain controllers that are being used by DirectAccess clients are using site-less locator records in DNS.

To perform detailed IPsec negotiation analysis, use IPsec audit events in the Windows Logs\Security event log and network tracing for DirectAccess. For more information, see Event Viewer and Network Diagnostics and Tracing.

If you have configured DirectAccess for the end-to-end access model, verify that the management server has been configured with compatible connection security rules to use transport mode IPsec when initiating communication with DirectAccess clients.