I just set up a new server for DirectAccess. This domain previously had DirectAccess but it has been removed, if it makes any difference.

Anyway, everything is green checked in server manager. Public certificate is installed and I have checked externally that ports 443 and 62000 (same server is hosting NLS) are open. On the client I am able to browse to the site https://da.externaldomain.com without issues.

Outputs on client:

PS C:\Users\test.testsson> netsh interface httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://da.externaldomain.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active

PS C:\Users\test.testsson> Get-DAConnectionStatus

Status    : Error
Substatus : CouldNotContactDirectAccessServer

Debug log in DirectAccess Client Troubleshooting just says this:

[2016-10-24 10:10:34]: User canceled the tests.
[2016-10-24 10:10:34]: In worker thread, going to start the tests.
[2016-10-24 10:10:34]: Running Network Interfaces tests.
[2016-10-24 10:10:34]: Ethernet0 (Intel(R) 82574L Gigabit Network Connection): SNIPPED
[2016-10-24 10:10:34]: Default gateway found for Ethernet0.
[2016-10-24 10:10:34]: iphttpsinterface (iphttpsinterface): SNIPPED
[2016-10-24 10:10:34]: No default gateway found for iphttpsinterface.
[2016-10-24 10:10:34]: Ethernet0 has configured the default gateway 192.168.100.1.
[2016-10-24 10:10:34]: Default gateway 192.168.100.1 for Ethernet0 replies on ICMP Echo requests, RTT is 2 msec.
[2016-10-24 10:10:34]: Received a response from the public DNS server (8.8.8.8), RTT is 3 msec.
[2016-10-24 10:10:34]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[2016-10-24 10:10:34]: Running Inside/Outside location tests.
[2016-10-24 10:10:34]: NLS is https://da.local.domain:62000/.
[2016-10-24 10:10:34]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[2016-10-24 10:10:34]: NRPT contains 2 rules.
[2016-10-24 10:10:34]:   Found (unique) DNS server: SNIPPED
[2016-10-24 10:10:34]:   Send an ICMP message to check if the server is reachable.
[2016-10-24 10:10:34]: DNS server SNIPPED is online, RTT is 11 msec.
[2016-10-24 10:10:34]: Running IP connectivity tests.
[2016-10-24 10:10:35]: The 6to4 interface service state is default.
[2016-10-24 10:10:35]: Teredo inferface status is offline.
[2016-10-24 10:10:35]:  The configured DirectAccess Teredo server is win10.ipv6.microsoft.com..
[2016-10-24 10:10:35]: The IPHTTPS interface is operational.
[2016-10-24 10:10:35]:  The IPHTTPS interface status is IPHTTPS interface active.
[2016-10-24 10:10:35]: IPHTTPS is used as IPv6 transition technology.
[2016-10-24 10:10:35]:  The configured IPHTTPS URL is https://da.externaldomain.com:443.
[2016-10-24 10:10:35]: IPHTTPS has a single site configuration.
[2016-10-24 10:10:35]: IPHTTPS URL endpoint is: https://da.externaldomain.com:443.
[2016-10-24 10:10:35]:  Failed to connect to endpoint https://da.externaldomain.com:443.
[2016-10-24 10:10:35]: No response received from skarpa.local.
[2016-10-24 10:10:35]: Running Windows Firewall tests.
[2016-10-24 10:10:35]: The current profile of the Windows Firewall is Public.
[2016-10-24 10:10:35]: The Windows Firewall is enabled in the current profile Public.
[2016-10-24 10:10:35]: The outbound Windows Firewall rule Kärnnätverket - Teredo (UDP-ut) is enabled.
[2016-10-24 10:10:35]: The outbound Windows Firewall rule Kärnnätverket - IPHTTPS (TCP-ut) is enabled.
[2016-10-24 10:10:35]: Running certificate tests.
[2016-10-24 10:10:35]: No usable machine certificate found.
[2016-10-24 10:10:35]: Found 0 machine certificates on this client computer.
[2016-10-24 10:10:35]: Running IPsec infrastructure tunnel tests.
[2016-10-24 10:10:35]: Failed to connect to domain sysvol share \\local.domain\sysvol\locla.domain\Policies.
[2016-10-24 10:10:35]: Running IPsec intranet tunnel tests.
[2016-10-24 10:10:38]: Failed to connect to :1000::1 with status TimedOut.
[2016-10-24 10:10:47]: Failed to connect to :1000::1 with status TimedOut.
[2016-10-24 10:10:50]: Failed to connect to :1000::2 with status TimedOut.
[2016-10-24 10:10:59]: Failed to connect to :1000::2 with status TimedOut.
[2016-10-24 10:10:59]: Running selected post-checks script.
[2016-10-24 10:10:59]: No post-checks script specified or the file does not exist.
[2016-10-24 10:10:59]: Finished running post-checks script.
[2016-10-24 10:10:59]: Finished running all tests.

Outputs on server:

C:\Users\admin>netsh interface httpstunnel show interfaces

Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://da.externaldomain.com:443/IPHTTPS
Client authentication mode : none
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active

I am at a loss here. I have never had an issue like this; usually it's an issue with NLS or DAC configuration after it has actually connected. I have tried to reinstall the client but still the same issue.

Also tried to remove the configuration from the server and reconfigure it. Everything still checks green in the Remote Access console.

Mattias A

1 Answer

This is a bit old but I'll throw this out anyway in case anyone else comes across this issue. I see this all the time when people first set up their DA with an auto-generated cert and then later choose to use their own public cert. In your example you state "Public certificate is installed", and yet "Client authentication mode : none". Your DA might think it's using a cert, but on the back end it's not. Therefore, no auth is taking place and clients can't connect. The only fix I've ever seen for this is to blow out EVERYTHING to do with the DA, from GP entries to AD entries. You also have to blow out the server you originally set it up on and start from scratch. If you were trying to share a server and you still need the other services on that server, then you'll have to move it somewhere else.

Justin Emlay
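A server-side check for the mismatch the answer describes, added here as an example and not part of the original answer: it compares the certificate the DA configuration references with what HTTP.sys actually has bound on the IP-HTTPS port, and reads the listener's client authentication mode so the two can be compared before tearing anything down. It assumes the RemoteAccess module's Get-RemoteAccess exposes the configured certificate as SslCertificate, that the script runs elevated on the DA server, and that da.externaldomain.com is the public name from the question.

```powershell
# Added diagnostic, not from the original post. Run elevated on the DirectAccess server.
# Assumption: (Get-RemoteAccess).SslCertificate is the X509Certificate2 DA uses for IP-HTTPS.
Import-Module RemoteAccess

function Get-DaIpHttpsCertState {
    param(
        [string]$PublicHostName = 'da.externaldomain.com',   # public IP-HTTPS name from the question
        [int]$Port = 443
    )

    # 1. Certificate the DA configuration believes it is using for IP-HTTPS.
    $configured = (Get-RemoteAccess).SslCertificate
    $configuredThumb = if ($configured) { $configured.Thumbprint.ToUpper() } else { $null }

    # 2. Certificate(s) HTTP.sys actually serves on the IP-HTTPS port.
    $bound = @()
    $binding = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') { $binding = $Matches[2] }
        elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)' -and $binding -like "*:$Port") {
            $bound += [pscustomobject]@{ Binding = $binding; Thumbprint = $Matches[1].ToUpper() }
        }
    }

    # 3. Client authentication mode as reported by the IP-HTTPS listener itself.
    $authMode = 'unknown'
    foreach ($line in (netsh interface httpstunnel show interfaces)) {
        if ($line -match '^\s*Client authentication mode\s*:\s*(.+?)\s*$') { $authMode = $Matches[1] }
    }

    # 4. Certificates in the machine store that carry the public name, for comparison.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "*CN=$PublicHostName*" -or ($_.DnsNameList.Unicode -contains $PublicHostName)
    } | Select-Object Thumbprint, Subject, NotAfter

    [pscustomobject]@{
        ConfiguredThumbprint = $configuredThumb
        BoundOnPort          = $bound
        ClientAuthMode       = $authMode
        StoreCandidates      = $candidates
        # True when DA's idea of the cert and what HTTP.sys serves disagree, or nothing is bound.
        Mismatch             = ($null -eq $configuredThumb) -or ($bound.Thumbprint -notcontains $configuredThumb)
    }
}

Get-DaIpHttpsCertState | Format-List
```

If Mismatch is True, or BoundOnPort shows a thumbprint that belongs to the old auto-generated certificate rather than the public one, the server is in the state the answer describes even though the wizard reports green.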