Issue with accessing the DirectAccess console after removing a Domain Controller

Most people don't know that each DirectAccess entry point is tied to one specific domain controller, which the Remote Access management tools use to read and write the DirectAccess GPOs and AD settings. If you decommission that domain controller, because of an upgrade or for any other reason, the DirectAccess console becomes inaccessible until the entry points are pointed at another DC.

Symptom:
Unable to open the DirectAccess configuration in the "Remote Access Management Console".
Error message: unable to load configuration from "Server.domain.tld".
Error message about missing access permissions on the GPO object.

Cause:
Each DirectAccess entry point records a specific domain controller (the EntryPointDC) that is used for reading and writing the GPO and AD settings. When that DC no longer exists, every read or write of the configuration fails.
You can see which DC each entry point uses with the Get-DAEntryPointDC cmdlet on a DirectAccess server.

Output of Get-DAEntryPointDC (all four entry points are bound to the same, now decommissioned, DC):

EntryPointName       : DirectAccess-AU.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-CN.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-DK.domain.com
DomainControllerName : Server.domain.tld

EntryPointName       : DirectAccess-US.domain.com
DomainControllerName : Server.domain.tld

Fix:
Run Set-DAEntryPointDC on a DirectAccess server. With -ExistingDC, the cmdlet re-points every entry point that currently references the old DC to the DC given in -NewDC, which must be an existing, reachable, writable domain controller (the old DC does not need to be reachable). -Force suppresses the confirmation prompt and -PassThru prints the resulting entry point list. "NewDC.domain.tld" below is a placeholder for the replacement DC:
Set-DAEntryPointDC -ExistingDC "Server.domain.tld" -NewDC "NewDC.domain.tld" -Force -PassThru
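The whole check-and-fix as one script, added here as an example and not part of the original post. It discovers a reachable writable DC instead of hard-coding one, re-points only the entry points that still reference the old DC, and verifies the result. The DC name is a placeholder; it must be run on a DirectAccess server with the RemoteAccess and ActiveDirectory modules available.

```powershell
# Added example (not from the original post). Re-point DirectAccess entry points
# away from a decommissioned DC. Run on a DirectAccess server.
Import-Module RemoteAccess
Import-Module ActiveDirectory

$oldDc = 'Server.domain.tld'    # placeholder: the DC that was (or will be) decommissioned

# Pick a writable DC that answers right now rather than hard-coding another name
# that may itself be retired later.
$newDc = [string](Get-ADDomainController -Discover -Writable -ForceDiscover).HostName
if (-not $newDc -or $newDc -ieq $oldDc) {
    throw "No alternative writable domain controller could be discovered"
}

# Which entry points still reference the old DC? (Run this BEFORE decommissioning
# a DC as well: if anything shows up here, the console will break once it is gone.)
$stale = Get-DAEntryPointDC | Where-Object { $_.DomainControllerName -ieq $oldDc }
if (-not $stale) {
    Write-Host "No entry point references $oldDc, nothing to do"
    return
}
Write-Host "Entry points bound to $oldDc :"
$stale | Format-Table EntryPointName, DomainControllerName -AutoSize

# -ExistingDC moves every entry point that uses the old DC in one call.
# -Force suppresses the confirmation prompt, -PassThru shows the new bindings.
Set-DAEntryPointDC -ExistingDC $oldDc -NewDC $newDc -Force -PassThru

# Verify nothing still points at the old DC before re-opening the console.
$left = Get-DAEntryPointDC | Where-Object { $_.DomainControllerName -ieq $oldDc }
if ($left) {
    throw "Still bound to $oldDc : $($left.EntryPointName -join ', ')"
}
Write-Host "All entry points now use $newDc"
```

If the chosen DC later needs to be retired too, the same script applies with that name in $oldDc; the point is to keep the entry point DC on a live, writable DC at all times rather than on whichever DC happened to be used when DirectAccess was first deployed.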
 

More information

Set-DAEntryPointDC: http://technet.microsoft.com/en-us/library/hh918412.aspx

Troubleshooting Setting the Entry Point Domain Controller: http://technet.microsoft.com/en-us/library/jj591656.aspx

 


Web Application Proxy - HTTP to HTTPS redirect

This article explains how to perform an HTTP to HTTPS redirect for deployments of Microsoft Web Application Proxy v1.

The guidance in this article is only for companies that do not use a layer 7 application firewall or load balancer that can perform the HTTP to HTTPS redirect itself (most often Citrix NetScaler, F5, Palo Alto Networks, Barracuda, Fortinet, etc.). If your existing firewall supports HTTP to HTTPS redirection, always do the redirect there rather than on the Web Application Proxy server.

Requirements:

  • Microsoft Internet Information Services (IIS)
  • URL Rewrite module for IIS

Configuring HTTP to HTTPS redirect

Install "Microsoft Internet Information Services (IIS)" on the "Web Application Proxy" server. It may already be installed, depending on the roles that have been added. Open "IIS Manager".

Select the web server node and click "Get New Web Platform Components".

Click "Free Download" on the right.

Find the "URL Rewrite" module, click "Add" and then click "Install".

Click "I Accept".

Click "Finish".

Close "IIS Manager" and re-open it so the new module is loaded. Click "URL Rewrite".

Click "Add Rule(s)..."

Click "Blank Rule".

Type "HTTP to HTTPS" in the "Name" textbox and in the "Pattern" textbox type "(.*)". Leave "Requested URL" at "Matches the Pattern" and "Using" at "Regular Expressions".

Navigate down to "Conditions" and click "Add".

In the "Condition input" textbox type "{HTTPS}" and under "Pattern" type "^OFF$". Click "OK". This makes the rule fire only for requests that arrived over plain HTTP, so HTTPS requests are not redirected in a loop.

Navigate down to "Action" and set "Action type" to "Redirect" (the default for a blank rule is "Rewrite", which would not send the client to the HTTPS site).

In "Redirect URL" type "https://{HTTP_HOST}/{R:1}", leave "Redirect type" at "Permanent (301)" and click "Apply". Note that {HTTP_HOST} echoes whatever Host header the client sent, so a request with a forged Host header is redirected to that host. If the server publishes a single name, put that name in the redirect URL instead of {HTTP_HOST}, or add a second condition on {HTTP_HOST} that matches only the published name(s).
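The same rule as IIS stores it in the site's web.config, added here as an example rather than taken from the original post. The wizard above writes the first rule; the commented alternative shows the variant that redirects to a fixed published name instead of the client-supplied Host header (the hostname is a placeholder).

```xml
<!-- Added example, not from the original post. Assumes the URL Rewrite module is installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Equivalent of the rule built in IIS Manager above -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Only requests that arrived over plain HTTP -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- Append query string is on by default, so ?a=b survives the redirect -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!--
        Hardened variant: do not echo the Host header; redirect to the one published
        name (portal.example.com is a placeholder) and ignore other hostnames.
        <rule name="HTTP to HTTPS (fixed host)" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{HTTP_HOST}" pattern="^portal\.example\.com$" />
          </conditions>
          <action type="Redirect" url="https://portal.example.com/{R:1}" redirectType="Permanent" />
        </rule>
        -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Keep only one of the two rules active; with both present the first matching rule wins because of stopProcessing="true".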

Testing the "HTTP to HTTPS" redirect functionality:

Try accessing your site over HTTP. The browser should be redirected automatically to the HTTPS site. See the network trace below for more details.
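A scripted version of that test, added here as an example and not part of the original post. It asks for the HTTP URL without following the redirect, so you can see the status code and Location header the WAP server actually returns, and it fails if the Location does not point at the HTTPS site for the same host. The hostname and path are placeholders.

```powershell
# Added example (not from the original post). Verify the HTTP -> HTTPS redirect
# without following it, so the 301 and its Location header are visible.
$hostName = 'portal.example.com'        # placeholder: your published name
$url      = "http://$hostName/some/path?x=1"   # path+query to check {R:1} and query survive

$req = [System.Net.HttpWebRequest]::Create($url)
$req.Method = 'GET'
$req.AllowAutoRedirect = $false          # we want the redirect response itself
$req.Timeout = 10000

try {
    $resp = $req.GetResponse()           # 3xx is returned normally when auto-redirect is off
} catch [System.Net.WebException] {
    # 4xx/5xx or no listener on port 80 ends up here
    throw "No usable response from $url : $($_.Exception.Message)"
}

$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()

if ($status -notin 301, 302, 307, 308) {
    throw "Expected a redirect from $url, got HTTP $status"
}
if (-not $location -or $location -notlike "https://$hostName/*") {
    throw "Redirect from $url points at '$location', not https://$hostName/..."
}
Write-Host "OK: HTTP $status -> $location"
```

A Location of https://$hostName/some/path?x=1 means the rule, the {R:1} back-reference and the query string all behave as intended. A Location carrying a different hostname than the one you requested is the Host header reflection mentioned above and should be fixed before the server is exposed.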

 

Microsoft Windows 2012 R2 - Web Application Proxy support for HTTP

WAP does not publish applications on port 80/HTTP; external connections are accepted on HTTPS only. If an internal application is not configured for HTTPS, WAP can still publish it: external clients connect over HTTPS, TLS is terminated on the WAP server, and WAP forwards the request to the backend over plain HTTP (HTTPS-to-HTTP bridging).

IIS Application Request Routing

If you need the Web Application Proxy server itself to accept plain HTTP (for example to redirect it, as described above, or to proxy an HTTP-only service), consider using IIS Application Request Routing (ARR):

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

 

You can download the IIS add-on here:

http://www.iis.net/downloads/microsoft/application-request-routing

For more information about the Web Application Proxy. See the TechNet overview page: http://technet.microsoft.com/en-us/library/dn280944.aspx

 

 


Microsoft Forefront Unified Access Gateway 2010 is discontinued... What now?

Microsoft Forefront Unified Access Gateway 2010 is discontinued!

The product will be removed from price lists on 1 July 2014, and mainstream support will continue through April 14, 2015.

More information:

http://blogs.technet.com/b/server-cloud/archive/2013/12/17/important-changes-to-the-forefront-product-line.aspx

What NOW?

Microsoft will continue to develop the Web Application Proxy (WAP) role within Microsoft Windows 2012 R2. Stay tuned for things to come.

 

 


The mystery about the failing DirectAccess wizard

A few weeks ago I visited a new customer to deploy a very simple DirectAccess installation. Everything seemed fine, the PKI was in place, and I thought it would only take a couple of hours to deploy and test... I was so wrong...

I completed the DirectAccess configuration using the Remote Access Management console for Windows 2012 (MMC) and kicked off the deployment. The deployment kept failing with the following errors:

"Security Group domain\SecurityGroup cannot be found"

"The operation failed. All of the specified security groups are invalid"

After a lot of troubleshooting I found that FRS had not replicated the newly created Group Policy, and when the wizard got to the section where it should add the security group with the computer objects, it couldn't add the security group to the GPO. For that reason it seems to perform a rollback. The customer is currently working on fixing the issue. I spent a lot of time on the troubleshooting, so I thought I would share it.

The GPO may appear in the Group Policy Management console for a short time before it disappears again due to the rollback.

 

If you have found the solution or anything that may help others, please comment on this thread.

Check the FRS:

http://support.microsoft.com/kb/272279

Another thing that might be causing this issue is a name lookup problem.

I have not had the time to perform a deeper analysis of the issue, but I'll share my findings at a later time.
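One way to tell the two failure modes apart (GPO created in AD but not yet replicated to every DC's SYSVOL, versus GPO gone from AD altogether, as in the deleted-GPO case below). This is an added example and not the author's troubleshooting script; the GPO display name is a placeholder, and it assumes the GroupPolicy and ActiveDirectory modules are available on the machine where it runs.

```powershell
# Added example (not from the original post). Compare a GPO's SYSVOL copy across all
# domain controllers. Get-GPO failing means the GPO is not in AD at all (rolled back or
# deleted); a DC with SysvolPresent = False means FRS/DFS-R has not replicated it yet.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'DirectAccess Server Settings'   # placeholder: the GPO the wizard creates

$domain = Get-ADDomain
$gpo    = Get-GPO -Name $gpoName -ErrorAction Stop   # throws "GPO ... not found" when it is gone from AD
$guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'

# Read the Version= line from GPT.ini on one DC's SYSVOL share; $null if the folder is missing.
function Get-SysvolGpoVersion {
    param([string]$DcHostName)
    $ini = "\\$DcHostName\SYSVOL\$($domain.DNSRoot)\Policies\$guid\GPT.ini"
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $m = Select-String -LiteralPath $ini -Pattern '^Version=(\d+)'
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return $null
}

# GPMC writes to the PDC emulator by default, so its copy is the reference.
$reference = Get-SysvolGpoVersion -DcHostName $domain.PDCEmulator
Write-Host "GPO '$gpoName' $guid, reference SYSVOL version on PDC: $reference"

Get-ADDomainController -Filter * | ForEach-Object {
    $v = Get-SysvolGpoVersion -DcHostName $_.HostName
    [pscustomobject]@{
        DomainController = $_.HostName
        SysvolPresent    = ($null -ne $v)
        SysvolVersion    = $v
        InSyncWithPDC    = ($v -eq $reference)
    }
} | Format-Table -AutoSize
```

If the GPO exists in AD but SysvolPresent is False on the DC the DirectAccess server talks to, the wizard is reading a GPO whose SYSVOL part has not arrived yet, which matches the behaviour described above; the KB article linked under "Check the FRS" covers getting SYSVOL replication healthy again.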

 

Recovering from a deleted GPO

You will find a similar error description when someone has deleted the GPO.

"Remote Access Management will display the following error message: GPO <GPO name> cannot be found. To remove the configuration settings, take the following steps"

Source: http://technet.microsoft.com/en-us/library/jj134148.aspx#bkmk_1_7_GPOs


 


Microsoft Planning TMG and UAG Updates for Exchange 2013

 

Microsoft is working on future update releases for its Forefront Threat Management Gateway (TMG) and Unified Access Gateway (UAG) products, mostly to support publishing Exchange 2013.

 

http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx

http://redmondmag.com/articles/2012/11/26/microsoft-planning-tmg-and-uag-updates.aspx

 
