How can I tell if DirectAccess thinks I am internal or external to the LAN ?

On By Philip FlintIn Uncategorized

DirectAcces allows you to connect to your LAN transparently from the internet. It does this through UAG when you do not have a full IPv6 deployment.

DirectAccess checks whether or not it has access to your server identified as your network locator service, typically through the URL https://nls.domain.com. This is excluded from the NRPT table for external clients and the name is not published or made available over the internet. So, if you can connect to to this site then you must be internal, right ? That’s pretty much correct, unless you are not using IIS for your NLS web site. DirectAccess relies not only on a 200 response from the web server (connectivity) but also upon the receipt of a properly formatted page. Just opening the page in Internet Explorer may not indicate any issue with the page itself as IE may mask the issues to present the page.

The way to know whether or not the NRPT table is in use (and hence whether DirectAccess believes itself to be internal or external to the LAN) is to run the command

netsh namespace show effectivepolicy

From an administrative command prompt. If the workstation or laptop believes itself to be on the LAN then no table will be created and the output of the command will be similar to the below.

However, running the same command when the machine is internal will produce output similar to the below.

 

This indicates that the NRPT table is being created and, above, you can see two entries (one for the NLS server and one for the UAG device) which should not be passed to the internal network.

If you deploy DirectAccess and internal clients which are subject to the DirectAccess GPO begin to have difficulty connecting to resources while on the LAN it may be that they cannot correctly connect with the Network Location Server and therefore build their NRPT table and attempt to pass all traffic through the public interface of the UAG device. If this cannot be contacted then communications from the client will fail. If it can be contacted and large numbers of end points are affected, performance may suffer as multiple internal clients route through the external interface.

If you want to set the policy that could be applied to a client once it leaves the LAN, simply enter the command

netsh namespace show policy

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.