Windows 7 Direct Access Client Troubleshooting – Part 1 – Client Transition Technologies

During the past few months I was heavily engaged with different DirectAccess implementations and passed by several interesting issues/problems. The Direct Access Wizard is so simple and normally things get working from the first time however sometimes things can go wrong.

In this article series I will try to go through several troubleshooting items moving from the basic commands to more advanced issues.
First of all we need to ensure that the Direct Access components on the Windows 7 client are running and functioning normally. The basic steps are as follows:

1. From the Start Menu - Right Click Computer Object – Properties – Device Manager – View (Show Hidden Devices) – Expand Network Adapters – Ensure the “IPHTTPSinterface” and “Teredo Tunneling Pseudo-Interface” are enabled.
2. From the Services, Check the “IP Helper” service startup type is Automatic and the status is up and running.
3. IPconfig /all to check which interfaces are up and which interfaces have IPV6 address.
4. Ensure the Machine is located outside the Corporate Network by running the following command:

          Netsh dnsclient show state

Which Transition Technology is my DA client using?

1.       If the Direct Access client has a public IPV4 address (Assigned to its Ethernet or Wireless NIC) and the IP Protocol 41 is allowed on Company Corporate Firewall/UAG/TMG then the client will connect using the 6to4 Transition Technology

            The Three main Netsh Commands that should be used for Troubleshooting are:

·         Netsh interface 6to4 show state (The State should be Default or Enabled, Disabled means the DA client will never bring 6to4 Interface up)

·         Netsh interface 6to4 show relay (This should list the First Consecutive public IPV4 address configured on the DA server)

·         Netsh interface 6to4 show interface (Displays the Configuration Information)

·         For detailed 6to4 Troubleshooting  http://technet.microsoft.com/en-us/library/ee844172(v=ws.10).aspx

2.       If the 6to4 Interface didn’t come up (For DA clients with public IPV4 Addresses) then the DA client will automatically fall back to IPHTTPS Interface connection.

                  The main Netsh command for IPHTTPS is:

·         Netsh interface httpstunnel show interfaces (This will list the IPHTTPS URL and the status were active means the Interface is up and running, deactivated mostly means the DA client is connected using other transition technology)

·         For detailed Direct access HTTPS troubleshooting  http://technet.microsoft.com/en-us/library/ee844126(v=ws.10).aspx

3.       If the DA client is behind a NAT device then it should connect using Teredo provided that Port 3544 (UDP) is enabled and allowed all the way to the DA Server

                  The main Netsh command used with Teredo is:

·         Netsh Interface Teredo show state (If the state is qualified then Teredo is functioning normally, otherwise there will be a problem mostly with the UDP port blocked)

·         For Detailed Teredo Troubleshooting  http://technet.microsoft.com/en-us/library/ee844188(v=ws.10).aspx

4.       If the Teredo didn’t work (Clients behind NAT) then the DA client will fall Automatically to the IPHTTPS option (Step 2)