DirectAccess

[Jason]

For those already using DirectAccess feature of WS2012E, there appears to be a bug that causes DA client to suddenly lose connectivity to the DA server.  Am working w/ Robert Pearman (MS MVP) to identify possible cause and resolution.

 

http://titlerequired.com/2012/10/15/enable-directaccess-on-windows-server-2012-essentials/

 

Those not impacted, keep an eye out.  Initially we believed this connectivity issue to be the result of a Windows Update until Robert successfully patched both his WS2012E server and Win 8 Ent DA client in a lab environment.

 

Considering how awesome and underutilized DirectAccess is, am now debating whether to do a clean WS2012E OS install (dreading it) or waiting until WS2012E R2 RTM is released and doing then.

 

More to follow.

[Jason]

New update. MS still analyzing my WS2012E server DA setup. Seems they've identified an issue where E12 firewall receives but drops DA packets from Win8 Ent clients. It's an odd behavior I suspect exists in R2 also. They're still determined to fix and believe it won't require an OS reinstall.

[ikon]

Keep on 'em Jason. It sure sounds like something they need to fix, soon.

[Jason]

Thanks. Am especially eager to resolve this before installing R2. MS's senior engineers on the DirectAccess technology are determined to fix it. They've uninstalled and reinstalled the DA role many times, gathered and analyzed countless server and client network captures, etc. pretty fascinating to see the experts remoted into your home machine running powershell commands. Oddly enough the server is accepting packets via port 443 for Remote Web Access but somehow the firewall is dropping IPSec packets also sent via port 443.

[DanielN]

I was having this issue with DirectAccess as well in 2012 Essentials, but I re-installed using 2012 Essentials R2 and haven't seen an issue since.  But not all my clients are Enterprise (Windows 8 Core), so I have to use SSTP as a backup.

 

I've used a method to simplify installing my certificates.  I use CACert.org because it's free, but their CRL (Certificate Revocation List) is over 6 megs, so I have to disable the CRL check (otherwwise the SSTP VPN connection fails because the file is too big and it times out)...

 

Powershell version (VPN_CACert_Setup.ps1):

(new-object System.Net.WebClient).DownloadFile('http://www.cacert.org/certs/root.crt', $env:temp + '\CACert_root.cer')
(new-object System.Net.WebClient).DownloadFile('http://www.cacert.org/certs/class3.crt', $env:temp + '\CACert_class3.cer')
Import-Certificate -FilePath ($env:temp + '\CACert_root.cer') -CertStoreLocation cert:\LocalMachine\Root
Import-Certificate -FilePath ($env:temp + '\CACert_class3.cer') -CertStoreLocation cert:\LocalMachine\CA
Remove-Item ($env:temp + '\CACert_root.cer')
Remove-Item ($env:temp + '\CACert_class3.cer')
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters -Name NoCertRevocationCheck -Value 1
Add-VpnConnection -Name YourDomain.com -ServerAddress remote.YourDomain.com -TunnelType Sstp -EncryptionLevel NoEncryption -AuthenticationMethod Chap,MSChapv2 -SplitTunneling -AllUserConnection

Batch version (VPN_CACert_Setup.cmd) [does not create VPN Connection, no DownloadFile or Add-VpnConnection Equivelant]:

@echo off
echo Beginning import of CACert Certifiates...
 
rem CACert.org CACert_root.cer
echo -----BEGIN CERTIFICATE----- >>%temp%\CACert_root.cer 
echo MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 >>%temp%\CACert_root.cer
echo IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB >>%temp%\CACert_root.cer
echo IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA >>%temp%\CACert_root.cer
echo Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO >>%temp%\CACert_root.cer
echo BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi >>%temp%\CACert_root.cer
echo MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ >>%temp%\CACert_root.cer
echo ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC >>%temp%\CACert_root.cer
echo CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ >>%temp%\CACert_root.cer
echo 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 >>%temp%\CACert_root.cer
echo zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y >>%temp%\CACert_root.cer
echo fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 >>%temp%\CACert_root.cer
echo w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc >>%temp%\CACert_root.cer
echo G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k >>%temp%\CACert_root.cer
echo epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q >>%temp%\CACert_root.cer
echo laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ >>%temp%\CACert_root.cer
echo QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU >>%temp%\CACert_root.cer
echo fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 >>%temp%\CACert_root.cer
echo YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w >>%temp%\CACert_root.cer
echo ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY >>%temp%\CACert_root.cer
echo gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe >>%temp%\CACert_root.cer
echo MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 >>%temp%\CACert_root.cer
echo IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy >>%temp%\CACert_root.cer
echo dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw >>%temp%\CACert_root.cer
echo czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 >>%temp%\CACert_root.cer
echo dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl >>%temp%\CACert_root.cer
echo aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC >>%temp%\CACert_root.cer
echo AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg >>%temp%\CACert_root.cer
echo b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB >>%temp%\CACert_root.cer
echo ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc >>%temp%\CACert_root.cer
echo nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg >>%temp%\CACert_root.cer
echo 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c >>%temp%\CACert_root.cer
echo gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl >>%temp%\CACert_root.cer
echo Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY >>%temp%\CACert_root.cer
echo sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T >>%temp%\CACert_root.cer
echo SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF >>%temp%\CACert_root.cer
echo CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum >>%temp%\CACert_root.cer
echo GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk >>%temp%\CACert_root.cer
echo zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW >>%temp%\CACert_root.cer
echo omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD >>%temp%\CACert_root.cer
echo -----END CERTIFICATE----- >>%temp%\CACert_root.cer
 
rem CACert.org CACert_class3.cer
echo -----BEGIN CERTIFICATE----- >>%temp%\CACert_class3.cer
echo MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv >>%temp%\CACert_class3.cer
echo b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ >>%temp%\CACert_class3.cer
echo Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y >>%temp%\CACert_class3.cer
echo dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU >>%temp%\CACert_class3.cer
echo MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 >>%temp%\CACert_class3.cer
echo Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN >>%temp%\CACert_class3.cer
echo AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a >>%temp%\CACert_class3.cer
echo iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 >>%temp%\CACert_class3.cer
echo aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C >>%temp%\CACert_class3.cer
echo jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia >>%temp%\CACert_class3.cer
echo pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 >>%temp%\CACert_class3.cer
echo FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt >>%temp%\CACert_class3.cer
echo XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL >>%temp%\CACert_class3.cer
echo oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 >>%temp%\CACert_class3.cer
echo R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp >>%temp%\CACert_class3.cer
echo rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ >>%temp%\CACert_class3.cer
echo LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA >>%temp%\CACert_class3.cer
echo BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow >>%temp%\CACert_class3.cer
echo gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV >>%temp%\CACert_class3.cer
echo BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG >>%temp%\CACert_class3.cer
echo A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS >>%temp%\CACert_class3.cer
echo c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH >>%temp%\CACert_class3.cer
echo AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr >>%temp%\CACert_class3.cer
echo BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB >>%temp%\CACert_class3.cer
echo MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y >>%temp%\CACert_class3.cer
echo Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj >>%temp%\CACert_class3.cer
echo ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 >>%temp%\CACert_class3.cer
echo b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D >>%temp%\CACert_class3.cer
echo QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc >>%temp%\CACert_class3.cer
echo 7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH >>%temp%\CACert_class3.cer
echo Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 >>%temp%\CACert_class3.cer
echo D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 >>%temp%\CACert_class3.cer
echo VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a >>%temp%\CACert_class3.cer
echo lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW >>%temp%\CACert_class3.cer
echo Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt >>%temp%\CACert_class3.cer
echo hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz >>%temp%\CACert_class3.cer
echo 0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn >>%temp%\CACert_class3.cer
echo ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT >>%temp%\CACert_class3.cer
echo d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 >>%temp%\CACert_class3.cer
echo 4GGSt/M3mMS+lqO3ig== >>%temp%\CACert_class3.cer
echo -----END CERTIFICATE----- >>%temp%\CACert_class3.cer
 
rem begin import
certutil -addstore Root %temp%\CACert_root.cer
certutil -addstore ca %temp%\CACert_class3.cer
del /q %temp%\CACert_root.cer
del /q %temp%\CACert_class3.cer
 
rem Disable SSTP CRL Revocation Check
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\ /v NoCertRevocationCheck /d 1 /t REG_DWORD /f

 

Sure its not as nice or easy as DirectAccess but works when you need to connect back into your network.  You can obviously change the certificate paths to where ever you host your certs.

 

P.S.  Sorry if it's not clear.  I wrote this drinking 5 beers at Happy Hour.

[marky9074]

I was just about to start a new thread, but seen as CACert is discussed here thought it was as good as any place to post.... 

 

I've not had any problems with CACert, though are you saying it is the install of the certs or direct access itself? I have just had a message that my certificate was about to expire, so I renewed it, but have no idea how I re-import it on the server? I can only find my root certificate. Previously I went through the Anywhere Access wizard which prompts at each point for the certificate request/creation. If I do this method again I need to request a certificate again (when I already have one)...

 

Hope that makes sense...

[DanielN]

I believe you can use certutil or the certificate mmc to update the certificate.  It should be under Personal -> Certificates for certs Local Computer.

 

If you use anything with a CRL (Certificate Revocation List) such as SSTP VPN, it will fail because CACert's server are slow and the file is bloated at 6MB.

[ikon]

One of these days someone will make it so Certs aren't such a 'black art'

[jmwills]

I found this tool the other day and thought it might help someone with certs or at least to verify them.

 

http://www.sslshopper.com/csr-decoder.html

[ikon]

One of my complaints is that there is no standard way to install a cert on a computer. That, in itself, wouldn't be such a problem if there were good wizards available to take care of installing them, which there really aren't. It's confusing & frustrating to most people.