Archive for July, 2012

How can I tell if DirectAccess thinks I am internal or external to the LAN ?

Sunday, July 8th, 2012

DirectAccess allows you to connect to your LAN transparently from the internet. When you do not have a full IPv6 deployment it does this through UAG.

DirectAccess checks whether or not it can reach the server designated as your Network Location Server (NLS), typically through a URL such as https://nls.domain.com. This name is excluded from the NRPT table for external clients, and it is not published or made available over the internet. So, if you can connect to this site then you must be internal, right? That’s pretty much correct, unless you are not using IIS for your NLS web site. DirectAccess relies not only on a 200 response from the web server (connectivity) but also on the receipt of a properly formatted page. Simply opening the page in Internet Explorer may not reveal any issue with the page itself, as IE may mask problems in order to render the page.

The way to know whether or not the NRPT table is in use (and hence whether DirectAccess believes itself to be internal or external to the LAN) is to run the command

netsh namespace show effectivepolicy

from an administrative command prompt. If the workstation or laptop believes itself to be on the LAN then no table will be created, and the output of the command will be similar to the below.

However, running the same command when the machine is external will produce output similar to the below.

This indicates that the NRPT table is being created and, above, you can see two entries (one for the NLS server and one for the UAG device): these are the names whose traffic must not be passed through the tunnel to the internal network.

If you deploy DirectAccess and internal clients subject to the DirectAccess GPO begin to have difficulty connecting to resources while on the LAN, it may be that they cannot correctly connect to the Network Location Server. They therefore build their NRPT table and attempt to pass all traffic through the public interface of the UAG device. If that interface cannot be contacted from inside, communications from the client will fail. If it can be contacted and large numbers of end points are affected, performance may suffer as many internal clients route through the external interface.

If you want to see the policy that would be applied to a client once it leaves the LAN, simply enter the command

netsh namespace show policy
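The two checks described in this post (can the client reach the NLS and get a real page back, and has it built an effective NRPT) can be run together so that the inconsistent case, NLS reachable but NRPT still in effect, is flagged directly. The script below is an added example, not part of the original post; the NLS URL is an assumption you must replace with your own, and it assumes the NLS host name appears literally in the output of netsh namespace show effectivepolicy, as the entries shown above do.

```powershell
# Added example: compare the NLS probe with the effective NRPT on a DirectAccess client.
param(
    [string]$NlsUrl = 'https://nls.domain.com/'   # assumption: replace with your NLS URL
)

function Test-NlsReachable {
    param([string]$Url)
    # Mirror the DirectAccess check: an HTTP 200 *and* a body that looks like a real
    # page, not merely a successful TCP/TLS connection.
    $result = @{ Reachable = $false; Status = $null; Detail = '' }
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = 'GET'
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $result.Status = [int]$resp.StatusCode
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        # Heuristic (assumption): a well-formed page contains an <html> element.
        if ($result.Status -eq 200 -and $body -match '(?i)<html') {
            $result.Reachable = $true
            $result.Detail = 'HTTP 200 with an HTML body'
        } else {
            $result.Detail = "HTTP $($result.Status) but the body does not look like HTML"
        }
    } catch [System.Net.WebException] {
        # Name resolution failures, certificate trust failures and non-2xx responses
        # all land here; for DirectAccess each of them means 'NLS not reachable'.
        $result.Detail = "WebException: $($_.Exception.Message)"
    } catch {
        $result.Detail = "Error: $($_.Exception.Message)"
    }
    return New-Object PSObject -Property $result
}

function Test-EffectiveNrptActive {
    param([string]$NlsHostName)
    # The effective table is empty while the client believes it is on the LAN; once it
    # decides it is external the table contains an entry naming the NLS host.
    $text = (& netsh namespace show effectivepolicy 2>&1) -join "`n"
    return ($text -match [regex]::Escape($NlsHostName))
}

$nlsHost    = ([System.Uri]$NlsUrl).Host
$nls        = Test-NlsReachable -Url $NlsUrl
$nrptActive = Test-EffectiveNrptActive -NlsHostName $nlsHost

"NLS probe      : $($nls.Detail)"
if ($nrptActive) { 'Effective NRPT : active  (client believes it is EXTERNAL)' }
else             { 'Effective NRPT : empty   (client believes it is INTERNAL)' }

if ($nls.Reachable -and $nrptActive) {
    'WARNING: NLS answers correctly but the client is still using the NRPT.'
    'This is the symptom described above: check the NLS page, its certificate and the DirectAccess GPO.'
} elseif (-not $nls.Reachable -and -not $nrptActive) {
    'Note: NLS probe failed and no NRPT is in effect; the client may not be DirectAccess-enabled.'
}
```

Run it from an elevated prompt on the affected client while it is on the LAN. A certificate that the client does not trust is reported as a failed probe, which matches what DirectAccess itself concludes, so do not disable certificate validation in the probe to make it "pass".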

How does my computer know that it is connected to the internet ?

Saturday, July 7th, 2012

The answer is surprisingly simple for Windows computers. It attempts to connect to

http://www.msftncsi.com/ncsi.txt

If it receives an HTTP 200 and the file contains the text “Microsoft NCSI”, then you are on the internet; if it does not receive this text then you get the warning symbol on the network item in the system notification area.

So, if you don’t have internet connectivity but need your computer to think you have (because a piece of software requires it for a lab, or for some other reason) then you can simply create your own version of the above site and file using your internal servers and DNS, and fool your computers into thinking that they are indeed internet connected.
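As an added example (not from the original post), the script below does two things for the lab scenario just described: Test-NcsiProbe reproduces the Windows active probe so you can see exactly what the OS sees, and Start-NcsiLabServer answers that probe from an internal machine. It assumes your internal DNS already resolves www.msftncsi.com to the machine running the server, and that the prompt is elevated so that HttpListener can bind to port 80. Beyond the HTTP check described in the post, the probe also resolves dns.msftncsi.com and expects 131.107.255.255, which Windows checks as well, so a lab DNS zone needs that record too.

```powershell
# Added example: reproduce the NCSI probe and serve a lab copy of ncsi.txt.

function Test-NcsiProbe {
    param(
        [string]$ProbeHost    = 'www.msftncsi.com',
        [string]$ProbePath    = '/ncsi.txt',
        [string]$ExpectedText = 'Microsoft NCSI',
        [string]$DnsProbeHost = 'dns.msftncsi.com',
        [string]$DnsExpected  = '131.107.255.255'
    )
    $result = @{ HttpOk = $false; DnsOk = $false; HttpDetail = ''; DnsDetail = '' }

    # HTTP part: the body must be exactly the expected text, not just any 200.
    try {
        $req = [System.Net.HttpWebRequest]::Create("http://$ProbeHost$ProbePath")
        $req.Timeout = 5000
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        $result.HttpOk     = ($status -eq 200 -and $body -eq $ExpectedText)
        $result.HttpDetail = "HTTP $status, body='$body'"
    } catch {
        $result.HttpDetail = $_.Exception.Message
    }

    # DNS part: the probe name must resolve to the fixed expected address.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($DnsProbeHost) |
                 ForEach-Object { $_.IPAddressToString }
        $result.DnsOk     = ($addrs -contains $DnsExpected)
        $result.DnsDetail = "$DnsProbeHost -> $($addrs -join ', ')"
    } catch {
        $result.DnsDetail = $_.Exception.Message
    }
    return New-Object PSObject -Property $result
}

function Start-NcsiLabServer {
    # Minimal HTTP responder for the lab: only /ncsi.txt is served, everything else is 404.
    param(
        [string]$Prefix      = 'http://+:80/',   # needs an elevated prompt or a URL ACL
        [int]   $MaxRequests = 0                 # 0 = run until Ctrl+C
    )
    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add($Prefix)
    $listener.Start()
    Write-Host "Serving /ncsi.txt on $Prefix"
    $served = 0
    try {
        while ($MaxRequests -eq 0 -or $served -lt $MaxRequests) {
            $ctx  = $listener.GetContext()        # blocks until a probe arrives
            $resp = $ctx.Response
            if ($ctx.Request.Url.AbsolutePath -eq '/ncsi.txt') {
                $bytes = [System.Text.Encoding]::ASCII.GetBytes('Microsoft NCSI')
                $resp.StatusCode  = 200
                $resp.ContentType = 'text/plain'
            } else {
                $bytes = [byte[]]@()
                $resp.StatusCode = 404
            }
            $resp.ContentLength64 = $bytes.Length
            $resp.OutputStream.Write($bytes, 0, $bytes.Length)
            $resp.OutputStream.Close()
            $served++
            Write-Host "$($ctx.Request.RemoteEndPoint) $($ctx.Request.Url.AbsolutePath) -> $($resp.StatusCode)"
        }
    } finally {
        $listener.Stop()
    }
}

# Usage: on the lab web server run Start-NcsiLabServer; on any client run Test-NcsiProbe
# and confirm both HttpOk and DnsOk are True before expecting the tray icon to clear.
Test-NcsiProbe | Format-List
```

Keep the lab DNS zone for msftncsi.com confined to the lab: clients that carry it back onto a real network would report internet connectivity based on your server rather than the real one.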