Deploying, Managing, and Using the Microsoft DirectAccess Connectivity Assistant

The Microsoft DirectAccess Connectivity Assistant (DCA) supports a DirectAccess client computer that is running Windows® 7 by clearly indicating the state of DirectAccess connectivity to corporate network resources. It provides easy access to troubleshooting information and makes it simple to create and send log files to support personnel.

Without the DCA, when a user's Internet connection (for example, http://www.bing.com) appears to be available, but corporate network resources are not accessible, there is no way that the user can verify if the problem is caused by DirectAccess not working correctly. This can result in user frustration and increased Help Desk support calls. The DCA clearly indicates the operational status of DirectAccess by using an icon in the notification area and informational messages. This helps the user identify the problem area and helps direct troubleshooting efforts.

If DirectAccess is not working correctly, the DCA clearly indicates the status by changing the icon in the notification area and by sending informational messages that provide more detail about the failure. The DCA provides the user with easy access to an extranet URL. For example, this URL might point to a Web site that hosts support information for the organization's user community. The user can easily send diagnostic log files to the DirectAccess support staff. The log files can contain the default information. The administrator can include a script in the DCA configuration that creates additional diagnostic information that is included in the log files sent to the support team.

This guide includes the following topics:

  • Configuring the DCA software   Learn to set up the DCA so that it operates the way your organization requires.
  • Deploying the DCA software   Learn how to deploy the installation program to the client computers that are running DirectAccess.
  • Using the DCA software   Help your users understand how to use the DCA to improve their DirectAccess experience, and to help troubleshoot DirectAccess connectivity issues that might occur.

Target audience

This document is intended for information technology (IT) administrators and support staff who deploy, manage, and support DirectAccess on their corporate networks. The Using the DCA software section is a User's Guide for the DirectAccess users to whom you deploy the DCA.

Configuring the DCA Software

The DirectAccess Connectivity Assistant (DCA) can be configured by using Group Policy settings. The DCA installation file contains two Group Policy template files (.admx and .adml). These files enable you to store DCA settings in a Group Policy object (GPO). We recommend that you apply the settings by using the DirectAccess Policy GPO that is created when you install DirectAccess on your network. Alternatively, you can create a new GPO and scope the GPO to apply to all of your client computers that participate in your DirectAccess deployment.

Installing the DCA Group Policy template files

The following procedure explains how to download and store the DCA template files. The downloaded file contains the following files that you can import into the Group Policy Editor:

  • DirectAccess Connectivity Assistant GP.admx
  • DirectAccess Connectivity Assistant GP.adml

To import the DCA template files into the Group Policy Editor

  1. Perform these steps on a computer that is running Windows Server 2008 R2 or Windows 7 and has the Remote Server Administration Tools (RSAT) installed. To download RSAT, see Remote Server Administration Tools in the Microsoft Download Center.
  2. Copy the DCA Group Policy .admx and .adml template files to the correct folders on your computer:
    1. Copy the DirectAccess Connectivity Assistant GP.admx file to the folder %systemroot%\PolicyDefinitions.
    2. Copy the DirectAccess Connectivity Assistant GP.adml file to the folder %systemroot%\PolicyDefinitions\language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.
  3. Start the Group Policy Management MMC snap-in.
  4. Expand Computer Configuration, expand Administrative Templates, and then select DirectAccess Connectivity Assistant.

The settings for DCA appear in the details pane.

Configuring the DCA client settings

This section describes the settings that are available to configure a DCA client.

Important: The two settings that you must configure so that you have complete DCA functionality are DTE and CorporateResources. The other settings are optional, but recommended.

DTE

Type: A collection of IPv6 addresses that each identify a DirectAccess server.

Default: None

Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the user tunnel. You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address, for example: PING:2001:3039::0001.

Important: If your DirectAccess configuration uses the Full Intranet Access or Selected Server Access models, where IPsec tunnel mode is used to connect to the DirectAccess infrastructure servers, and a separate IPsec transport mode tunnel is used to access shared resources that are required by the user, configuring one or more servers in the DTE setting is required.

CorporateResources

Type: A collection of keys that identify network resources to test.

Default: None

Description: Specifies resources that are normally accessible to DirectAccess clients. You must configure this setting to have complete DCA functionality. Each entry is a string that identifies the type of resource and the identification of the resource. Each string in its respective key can be one of the following types:

  • An IPv6 address or DNS name to ping. The syntax is the text PING: followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address, for example: PING:myserver.mydomain.com or PING:2001:3039::0001.

We recommend that you use FQDNs instead of addresses where possible.

Important: At least one of the resources must use the PING: syntax and name resolution.

  • A Uniform Resource Locator (URL) to query with an HTTP request. The syntax is the word HTTP: followed by a URL that resolves to an IPv6 address of a Web server, for example: HTTP:http://2001:3039::0001/ or HTTP:http://myserver.mydomain.com/.
  • A Universal Naming Convention (UNC) path to a file that the DCA checks. The DCA does not actually open or read the file; it only confirms that it exists. The syntax is the word FILE: followed by a UNC path that resolves to an IPv6 address file on a share, for example: FILE:\\2001:3039::0001\myshare\test.txt or FILE:\\myserver\myshare\test.txt.

Important: The administrator must ensure that the file continues to exist, and that the DCA has read permissions to the file.

The DCA periodically checks its ability to access the specified resources, and it uses the results of those tests to determine and report the operating status of DirectAccess. If a DCA client computer cannot access any of the specified resources, the icon in the notification area changes to red. The list of resources and their success or failure state is listed in the log files that are captured when the user selects Advanced diagnostics.

You should specify a diverse set of resources that ideally have DirectAccess as the only common factor. These resources should be accessible through the Intranet tunnel on the internal private network, and not part of the DirectAccess infrastructure. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component. For example, if all of the specified resources are behind a network address translating application layer gateway (NAT-ALG), the failure of DCA to access the test resources might indicate a failure of the NAT-ALG rather than a failure of DirectAccess. Instead, identify one resource behind the NAT-ALG, another behind an ISATAP gateway, and so on.
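The following checker, an added example that is not part of the DCA or of this guide, validates a planned set of DTE and CorporateResources entries against the syntax rules given above (PING: with an IPv6 address for DTE; PING:, HTTP: or FILE: with an IPv6 target or a DNS name for CorporateResources; at least one PING: entry that relies on name resolution) and warns when every entry tests the same host, which defeats the diversity recommendation. It checks syntax and policy only, so it runs offline; the sample entries are constructed from the examples on this page.

```python
"""Syntax checker for the DCA DTE and CorporateResources Group Policy entries
described on this page. Constructed example, not part of the DCA itself."""
import ipaddress
import re
from typing import List, Tuple

# A DNS name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$", re.I)


def classify_host(host: str) -> str:
    """Return 'ipv6', 'ipv4', 'name' or 'invalid' for the target of an entry."""
    try:
        return "ipv6" if ipaddress.ip_address(host.strip("[]")).version == 6 else "ipv4"
    except ValueError:
        return "name" if HOSTNAME_RE.match(host) else "invalid"


def target_of(entry: str) -> Tuple[str, str]:
    """Split an entry into (KIND, host) following the documented syntax:
    PING:host, HTTP:http://host/..., or FILE:\\\\host\\share\\file."""
    kind, _, rest = entry.partition(":")
    kind = kind.strip().upper()
    rest = rest.strip()
    if kind == "PING":
        return kind, rest
    if kind == "HTTP":
        m = re.match(r"^https?://([^/]+)", rest, re.I)
        return kind, m.group(1) if m else ""
    if kind == "FILE":
        m = re.match(r"^\\\\([^\\]+)\\.+", rest)
        return kind, m.group(1) if m else ""
    return kind, ""


def check_dte(entries: List[str]) -> List[str]:
    """DTE entries must each be PING: followed by the IPv6 address of a
    DirectAccess server (one entry per IPsec tunnel)."""
    problems = []
    if not entries:
        problems.append("DTE: no entries; the setting is required for full DCA functionality")
    for e in entries:
        kind, host = target_of(e)
        if kind != "PING" or classify_host(host) != "ipv6":
            problems.append(f"DTE: {e!r} must be PING:<IPv6 address>")
    return problems


def check_resources(entries: List[str]) -> List[str]:
    """CorporateResources entries must be PING:, HTTP: or FILE: with an IPv6
    target or a DNS name; at least one must be PING: with a name."""
    problems = []
    if not entries:
        return ["CorporateResources: no entries; the setting is required for full DCA functionality"]
    name_ping = False
    hosts = set()
    for e in entries:
        kind, host = target_of(e)
        if kind not in ("PING", "HTTP", "FILE"):
            problems.append(f"CorporateResources: {e!r} must start with PING:, HTTP: or FILE:")
            continue
        htype = classify_host(host) if host else "invalid"
        if htype == "invalid":
            problems.append(f"CorporateResources: {e!r} has no usable host or name")
            continue
        if htype == "ipv4":
            problems.append(f"CorporateResources: {e!r} targets an IPv4 address; the tests need IPv6")
            continue
        hosts.add(host.lower())
        if kind == "PING" and htype == "name":
            name_ping = True
    if not name_ping:
        problems.append("CorporateResources: at least one entry must be PING: followed by a DNS name")
    if len(entries) > 1 and len(hosts) == 1:
        problems.append("CorporateResources: warning: all entries test the same host; use a diverse set of resources")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration built from the examples on this page.
    for p in check_dte(["PING:2001:3039::0001"]) + check_resources(
            ["PING:myserver.mydomain.com", "HTTP:http://2001:3039::0001/",
             "FILE:\\\\myserver\\myshare\\test.txt"]):
        print(p)
```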

Corporate Portal Site

Type: String

Default: None

Description: Specifies the URL to an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues. The URL appears in DCA pop-up messages and in the Advanced Diagnostics window. We recommend that you maintain a list of current troubleshooting steps for common problems, and provide contact information for users when the Web site does not help the user solve the problem. For examples, see the screen shots in the section Using the DCA Software in this guide.

PortalName

Type: String

Default: "Help Portal"

Description: Specifies the friendly name of the corporate portal Web site. This name appears in the link on the DCA Advanced Diagnostics dialog box. You can customize this to include your organization's name.

SupportEmail

Type: String

Default: None

Description: Specifies the e-mail address to be used when the user starts Advanced Diagnostics and selects the option to transmit log files to the DirectAccess administrator. When the user clicks Email Logs as an Attachment, the default e-mail client opens a new message with the specified address in the To: field of the message, and attaches the generated log files as a .cab file. The user can review the e-mail and add additional information before clicking Send.

The log files that are sent from the client computer can include files and data from folders that are not normally accessible to standard, non-elevated users. Because the completed log files are made available to the user through a link in the Advanced Diagnostics dialog box and through an attachment in an e-mail, standard users without administrator permissions can read the files.

LocalNamesOn

Type: Enabled or disabled

Default: Disabled

Description: Specifies whether the user sees the menu option "Use Local Names", and can disable corporate resolution of flat host names and instead use local name resolution. If enabled, the user can right-click the DCA icon and then click Prefer Local Names. If this setting is disabled, the menu option does not appear on the DCA menu.

If the user selects Prefer Local Names, DirectAccess stops sending name resolution requests to the internal corporate DNS servers. Instead, the client uses whatever local name resolution is available to the client computer in its current network configuration. For more information about local names versus corporate names, see the topic Using the DCA Software in this guide.

The Prefer Local Names setting only has an effect when the user is connecting to the corporate network from the Internet. If the user is connected directly to the corporate network, the Prefer Local Names setting does nothing.

AdminScript

Type: String

Default: None

Description: Specifies the path and file name of a script that is provided by the administrator and is run as part of the Advanced Diagnostic log generation process. The output of the script is included in the .cab file that is created as part of the collection of the logs that is initiated when the user opens the Advanced Diagnostics dialog box. The script can be a .cmd file, .bat file, or any other command that can be run at a command prompt and that prints output to the console as text. The script must complete its actions within 45 seconds. Scripts that take longer have their logs truncated.

This script should be installed on the client computer in a location that cannot be modified by a standard user account. The DCA runs the script with elevated permissions.

Deploying the DCA Software

The installation program for the DirectAccess Connectivity Assistant (DCA) is an .msi file that can be run on any computer that is capable of participating in a DirectAccess-enabled network. To deploy the installation program to your DirectAccess client computers, you have several options:

    Copy the .msi file to a network share or Web site to which your users have read access permissions. Then send your DirectAccess users an e-mail message that contains a link to the file.

    Use a software distribution system such as Microsoft System Center Configuration Manager to automatically deploy and run the installation file on all computers that meet the specified criteria. For more information, see System Center Configuration Manager.

    Use Group Policy in Active Directory® to automatically deploy and run the installation file on all computers to which the Group Policy object (GPO) applies. When you install DirectAccess, the Setup Wizard creates a GPO named DirectAccess Policy, which applies only to members of a group or set of groups that you specify. You can include the DCA software installation setting as part of this GPO. This is the option described in this topic.

To modify the DirectAccess Policy GPO to deploy the DCA software, follow the steps in the following procedure.

To configure a GPO to deploy the DCA software

  1. Copy the DCA .msi installer program to a network shared resource to which your DirectAccess client computers have read access permissions.
  2. On a computer that is running Windows Server 2008 R2 or Windows 7 and has the Remote Server Administration Tools (RSAT) installed, start the Group Policy Management MMC snap-in. To download RSAT, see Remote Server Administration Tools in the Microsoft Download Center.
  3. In the navigation tree, right-click the GPO that you want to configure, and then click Edit. The Group Policy Management Editor appears.
  4. In the navigation tree, expand Computer Configuration, expand Policies, expand Software Settings, right-click Software installation, click New, and then click Package.
  5. In the Open dialog box, browse to the network shared resource where you copied the DCA installation file. Select the DCA installation .msi file, and then click Open. If the path you specify is not a network shared resource, a warning message appears telling you that network users might not be able to access the file to run it. The file itself is not distributed by using Group Policy; only the command to run it. The file itself must be on a network shared resource to which the DirectAccess client computers have read access permissions.
  6. In the Deploy Software dialog box, select Assigned, and then click OK. Because it is assigned to the computer instead of to a user, the software package is installed as soon as the Windows Installer engine determines that it is safe to do so. The new package appears in the details pane.

The next time Group Policy refreshes on the client computers to which the GPO applies, the settings contained in the GPO are enforced and the software is installed. To manually force a refresh of Group Policy on a client computer, run the following command at a command prompt with Administrator permissions:

gpupdate /force

Using the DCA Software

The information in this section is a User's Guide that you can provide to the users to whom you deploy the DirectAccess Connectivity Assistant (DCA). This information will help them understand how to use the DCA to improve their DirectAccess experience and help them troubleshoot DirectAccess connectivity issues that might occur.

The DirectAccess Connectivity Assistant notification area icon

After the DirectAccess Connectivity Assistant (DCA) program is installed on your computer, it appears as an icon in the notification area of your user interface. The icon provides information about the current status of your corporate connectivity. If you are unable to access corporate resources, check the icon to see if the DCA reports any issues with your DirectAccess connection to the corporate network. If you hover your mouse pointer over the DCA icon, a text message with the current state of the DirectAccess connection appears.

Left-clicking the DCA notification area icon

If you left-click the DCA icon, a pop-up window appears with additional information about the current state of your DirectAccess connection. The information in the window includes steps that you must take to attempt to restore connectivity.

The status represents one of three states, and you can receive details about each by left-clicking the icon:

If the DCA determines that DirectAccess is working as expected with no issues, the icon appears with no warning or error symbols. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity is working correctly.

If the DCA determines that the DCA software components are working correctly, but that some aspect of DirectAccess is not working as expected, the icon includes a warning symbol consisting of an exclamation mark in a yellow triangle. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity requires user action. This state indicates that DirectAccess is operational, but it requires some action from you to access all resources. This message can appear when there is no Internet connectivity, because you must take action to connect to the Internet.

If the DCA determines that there is Internet access, but no DirectAccess connectivity to your corporate intranet, an icon appears with an error symbol consisting of an X in a red circle. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity is not working correctly. This state indicates that no DirectAccess connectivity is available. This type of problem typically cannot be fixed by any action performed by a local user.

Another common pop-up message from DCA that can occur when you resume a DirectAccess-enabled laptop from sleep or hibernation is a request for you to supply your smart card (or other supported credentials) to reestablish connectivity to corporate resources. Until you do so, the DCA icon shows the yellow warning state. The pop-up message looks similar to the following diagram:

If your network uses Network Access Protection (NAP) to enforce security requirements on client computers, such as antivirus software, or the latest security updates for the software installed on your computer, then NAP can block your computer from connecting to corporate resources until the problem is resolved. The DCA pop-up dialog box contains information appropriate to the current connectivity state, and includes links to resources that can help you resolve the problem. The dialog box typically contains a link to a corporate Web page that contains information from your DirectAccess administrators. For example, if the DCA indicates NAP as the cause of connectivity loss, it can direct you to the NAP client software that you can use to remediate the lack of compliance with your organization's security requirements.

When the DCA status is red, indicating no DirectAccess connectivity at all, the pop-up dialog box can include possible reasons for the error.

The messages that DCA can display are listed below, each followed by its description:

Message: This Windows Edition does not support DirectAccess. Please contact your administrator.

Description: DirectAccess is supported on Windows 7 Ultimate and Enterprise editions, and Windows Server 2008 R2 only. The DCA runs on Windows 7 only.

Message: The corporate network reports that your computer is not compliant with health requirements.

Description: Corporate Network Access Protection (NAP) servers are reporting that the client computer is missing a health certificate. To receive the certificate, you must fix the health problem reported by NAP.

Message: Windows needs your smart card credentials. Please enter your credentials, or lock this computer and then unlock it by using your smart card.

Description: Your administrator can choose to enforce the use of smart cards to access corporate resources with DirectAccess. This message appears the first time your computer attempts to access a corporate resource when smart card credentials are not available. This typically happens after the computer wakes up from sleep or hibernation.

Message: Local names are currently preferred. Prefer corporate names to restore DirectAccess connectivity.

Description: DCA is set to prefer local names. To access corporate resources, you must disable the Prefer local names option. This can be done by selecting the option in the DCA menu, or by restarting the computer.

Message: Windows is not configured for DirectAccess. Please contact your administrator if this problem persists.

Description: The computer is not configured to use DirectAccess. This can be verified in the default logs generated by the Advanced Diagnostics window.

Message: Internet Connectivity is not available. Please connect your computer to the Internet, or start network diagnostics.

Description: Windows cannot connect to the Internet.

Message: Windows cannot contact the DirectAccess server. Please contact your administrator if this problem persists.

Description: The DCA cannot contact the DirectAccess server. The DCA tests its ability to access administrator-configured servers to determine this state. The status of connectivity to the test servers can be verified in the default logs generated by the Advanced Diagnostics window.

Message: Windows is unable to resolve corporate network names. Please contact your administrator if this problem persists.

Description: Windows cannot resolve names for resources on the corporate network.

Message: Windows is unable to contact some corporate content resources. Please contact your administrator if this problem persists.

Description: The DCA cannot access one or more of the test resources on the corporate network. The status of Corporate Resource connectivity can be verified in the default logs generated by the Advanced Diagnostics window.

Message: Windows has lost basic connectivity with corporate resources. Please contact your administrator if this problem persists.

Description: The DCA cannot access one or more of the test resources on the corporate network. The status of Corporate Resource connectivity can be verified in the default logs generated by the Advanced Diagnostics window.

Message: Microsoft DirectAccess Connectivity Assistant is not properly configured. Please contact your administrator if this problem persists.

Description: The DCA is missing necessary configuration information. Your administrator must configure certain settings for DCA to operate correctly. The current configuration can be viewed in the default logs generated by the Advanced Diagnostics window.

DCA settings are stored in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\DirectAccessConnectivityAssistant

Right-clicking the DCA notification area icon

When you right-click the DCA notification area icon, a menu appears that enables you to interact with the DCA. The menu consists of the following options:

  • Advanced Diagnostics
  • Prefer Local Names

Advanced diagnostics

Selecting this option from the DCA right-click menu displays the Advanced Diagnostics dialog box. The dialog box has detailed information about any current issues that are detected by the DCA. Advanced local users might be able to use the additional detail to solve or work around the issue. If test resources that have been specified by your administrator cannot be accessed, the name of that resource is included in the text of the error message.

As soon as the Advanced Diagnostics dialog box appears, the DCA immediately begins gathering log file information about the DCA and the DirectAccess client. After those logs are gathered and compressed into a .cab file, you can e-mail them to your DirectAccess administrators. You can examine the log files by clicking the link below Advanced log files after they are generated. The log files are plain text, although they are not intended for end users to read or understand. Instead, send them to your DirectAccess administrator by clicking E-mail logs to open a new e-mail message. The log files are in a .cab file that is already attached to the message, and the e-mail is addressed to your DirectAccess administration team. Add any additional information to describe the problem you are experiencing in the body of the e-mail, and then click Send to transmit the e-mail to your DirectAccess administrators. The administrators can use the information that is included in the log to determine the source of the connectivity problems.

Prefer Local Names

When you are on a remote network that is using DirectAccess, all of the name queries from your computer that resolve friendly names to IP addresses are sent through the DirectAccess tunnel to your corporate DNS name server. This enables short names such as http://hrweb or \\public to be accessible to you in your remote location. However, this has the effect of making resources on your local network no longer available by their short name.

For example, if you are at a customer site with a DirectAccess-enabled laptop, and you want to check a Web site on the customer's network named http://thissite, by default it will not work because the name resolution request is sent through DirectAccess to your corporate DNS servers. If your corporate network has a server with that name, then your request resolves to the server on your corporate network instead of the server on the customer's network. If your corporate network does not have a server by that name, an error message is returned. The local customer site is not accessible by name. Until you install DCA, your options to work around this problem are as follows:

  • Look up the IP address of the thissite computer, and use it instead of the friendly name. This may be difficult, and it is complicated by the fact that IP addresses for many computers can change dynamically.
  • Add an entry for thissite in the file %windir%\system32\drivers\etc\hosts. This file is checked before DNS. This change is permanent as long as the entry exists in the file, and any other computer on other networks with the same name is not accessible by name. This option might work well for a small number of computers, such as a Windows Home Server on your home network, but likely is not a practical solution for business computers.

With DCA installed, you have a better option that is less complicated for a user and easy to turn on and off. By selecting the Prefer local names option, you disable DirectAccess name resolution and use whatever local name resolution is available to your client computers. This enables you to access computers like your Windows Home Server by name, but it prevents you from accessing any corporate resources by name.

To return to the default DirectAccess behavior, right-click the DCA notification area icon. Click Prefer corporate names. The warning icon changes back to the icon that represents a normal DirectAccess operation.

  • This option is available only if it has been enabled by your DirectAccess administrator, and only when the computer is connected to a network that is outside of the internal corporate network.
  • This option only has an effect when you are connecting to the corporate network from the Internet. If you are connected directly to the corporate network, this option does nothing.
  • When you select this option, the DCA notification area icon changes to the version with the yellow warning icon to remind you to reenable the use of corporate names when you are done accessing the local resources.
  • If you disconnect and reconnect from the network and DirectAccess service (for example, if you restart your computer or resume it from suspend or hibernate), this option automatically reverts back to Prefer corporate names being enabled when the DirectAccess connection is resumed. To continue using local names, you must right-click the DCA notification area icon, and then click Prefer local names.