The Microsoft DirectAccess Connectivity Assistant (DCA) supports a DirectAccess client computer that is running Windows® 7 by clearly indicating the state of DirectAccess connectivity to corporate network resources. It provides easy access to troubleshooting information and makes it simple to create and send log files to support personnel.
Without the DCA, when a user's Internet connection (for example, http://www.bing.com) appears to be available, but corporate network resources are not accessible, there is no way that the user can verify if the problem is caused by DirectAccess not working correctly. This can result in user frustration and increased Help Desk support calls. The DCA clearly indicates the operational status of DirectAccess by using an icon in the notification area and informational messages. This helps the user identify the problem area and helps direct troubleshooting efforts.
If DirectAccess is not working correctly, the DCA clearly indicates the status by changing the icon in the notification area and by sending informational messages that provide more detail about the failure. The DCA provides the user with easy access to an extranet URL. For example, this URL might point to a Web site that hosts support information for the organization's user community. The user can easily send diagnostic log files to the DirectAccess support staff. The log files contain the default information, and the administrator can include a script in the DCA configuration that creates additional diagnostic information to be included in the log files sent to the support team.
This guide includes the following topics:
This document is intended for information technology (IT) administrators and support staff who deploy, manage, and support DirectAccess on their corporate networks. The Using the DCA software section is a User's Guide for the DirectAccess users to whom you deploy the DCA.
The DirectAccess Connectivity Assistant (DCA) can be configured by using Group Policy settings. The DCA installation file contains two Group Policy template files (.admx and .adml). These files enable you to store DCA settings in a Group Policy object (GPO). We recommend that you apply the settings by using the DirectAccess Policy GPO that is created when you install DirectAccess on your network. Alternatively, you can create a new GPO and scope the GPO to apply to all of your client computers that participate in your DirectAccess deployment.
The following procedure explains how to download and store the DCA template files. The downloaded file contains the following files that you can import into the Group Policy Editor:
To import the DCA template files into the Group Policy Editor
The settings for DCA appear in the details pane.
This section describes the settings that are available to configure a DCA client.
Important: The two settings that you must configure to have complete DCA functionality are DTE and CorporateResources. The other settings are optional, but recommended.
Type: A collection of IPv6 addresses that each identify a DirectAccess server.
Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the user tunnel. You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address, for example: PING:2001:3039::0001.
Important: If your DirectAccess configuration uses the Full Intranet Access or Selected Server Access models, where IPsec tunnel mode is used to connect to the DirectAccess infrastructure servers, and a separate IPsec transport mode tunnel is used to access shared resources that are required by the user, configuring one or more servers in the DTE setting is required.
Type: A collection of keys that identify network resources to test.
Description: Specifies resources that are normally accessible to DirectAccess clients. You must configure this setting to have complete DCA functionality. Each entry is a string that identifies the type of resource and the identification of the resource. Each string in its respective key can be one of the following types:
We recommend that you use FQDNs instead of addresses where possible.
Important: At least one of the resources must use the PING: syntax and name resolution.
Important: The administrator must ensure that the file continues to exist, and that the DCA has read permissions to the file.
The DCA periodically checks its ability to access the specified resources, and it uses the results of those tests to determine and report the operating status of DirectAccess. If a DCA client computer cannot access any of the specified resources, the icon in the notification area changes to red. The resources and their success or failure state are listed in the log files that are captured when the user selects Advanced diagnostics.
You should specify a diverse set of resources that ideally have DirectAccess as the only common factor. These resources should be accessible through the Intranet tunnel on the internal private network, and not part of the DirectAccess infrastructure. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component. For example, if all of the specified resources are behind a network address translating application layer gateway (NAT-ALG), the failure of DCA to access the test resources might indicate a failure of the NAT-ALG rather than a failure of DirectAccess. Instead, identify one resource behind the NAT-ALG, another behind an ISATAP gateway, and so on.
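The entry rules stated above for the DTE and CorporateResources settings can be checked before the GPO is published. The following PowerShell function is an added example, not part of the DCA or of this guide; the name Test-DcaEntries and the sample values are hypothetical, and entries with a prefix other than PING: are passed through unchecked.

```powershell
# Added example (not from the DCA documentation): lint DTE and CorporateResources
# entries against the rules stated in this guide. All names here are hypothetical.
function Test-DcaEntries {
    param(
        [string[]]$Dte = @(),
        [string[]]$CorporateResources = @()
    )

    # Returns the parsed IPAddress when $text is an address literal, otherwise $null.
    function Get-AddressLiteral([string]$text) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($text, [ref]$ip)) { return $ip }
        return $null
    }

    # DTE: each entry is the text PING: followed by an IPv6 address.
    # The guide writes the prefix in upper case; whether the DCA accepts other
    # casing is not stated, so this check is deliberately strict (assumption).
    if ($Dte.Count -eq 0) { 'DTE: no entries configured' }
    foreach ($entry in $Dte) {
        if ($entry -cnotmatch '^PING:(.+)$') {
            "DTE: '$entry' does not start with PING:"
            continue
        }
        $target = $Matches[1]
        $ip = Get-AddressLiteral $target
        if ($ip -eq $null -or $ip.AddressFamily -ne 'InterNetworkV6') {
            "DTE: '$entry' is not PING: followed by an IPv6 address"
        }
    }

    # CorporateResources: at least one PING: entry must rely on name resolution,
    # and FQDNs are recommended over addresses.
    $namedPing = 0
    foreach ($entry in $CorporateResources) {
        if ($entry -cnotmatch '^PING:(.+)$') { continue }   # other types not checked here
        $target = $Matches[1]
        if ((Get-AddressLiteral $target) -ne $null) {
            "CorporateResources: '$entry' uses an address; an FQDN is recommended"
        } else {
            $namedPing++
        }
    }
    if ($namedPing -eq 0) {
        'CorporateResources: no PING: entry that relies on name resolution'
    }
}

# Constructed sample values (the first DTE entry is the format example from this guide).
$sampleDte = 'PING:2001:3039::0001', 'PING:192.0.2.10'
$sampleResources = 'PING:2001:db8::25', 'PING:fileserver.corp.example.com'
Test-DcaEntries -Dte $sampleDte -CorporateResources $sampleResources
```

The function writes one line per finding and writes nothing for a clean configuration.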
Description: Specifies the URL to an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues. The URL appears in DCA pop-up messages and in the Advanced Diagnostics window. We recommend that you maintain a list of current troubleshooting steps for common problems, and provide contact information for users when the Web site does not help the user solve the problem. For examples, see the screen shots in the section Using the DCA Software in this guide.
Default: "Help Portal"
Description: Specifies the friendly name of the corporate portal Web site. This name appears in the link on the DCA Advanced Diagnostics dialog box. You can customize this to include your organization's name.
Description: Specifies the e-mail address to be used when the user starts Advanced Diagnostics and selects the option to transmit log files to the DirectAccess administrator. When the user clicks Email Logs as an Attachment, the default e-mail client opens a new message with the specified address in the To: field of the message, and attaches the generated log files as a .cab file. The user can review the e-mail and add additional information before clicking Send.
The log files that are sent from the client computer can include files and data from folders that are not normally accessible to standard, non-elevated users. Because the completed log files are made available to the user through a link in the Advanced Diagnostics dialog box and through an attachment in an e-mail, standard users without administrator permissions can read the files.
Type: Enabled or disabled
Description: Specifies whether the user sees the menu option "Use Local Names", and can disable corporate resolution of flat host names and instead use local name resolution. If enabled, the user can right-click the DCA icon and then click Prefer Local Names. If this setting is disabled, the menu option does not appear on the DCA menu.
If the user selects Prefer Local Names, DirectAccess stops sending name resolution requests to the internal corporate DNS servers. Instead, the client uses whatever local name resolution is available to the client computer in its current network configuration. For more information about local names versus corporate names, see the topic Using the DCA Software in this guide.
The Prefer Local Names setting only has an effect when the user is connecting to the corporate network from the Internet. If the user is connected directly to the corporate network, the Prefer Local Names setting does nothing.
Description: Specifies the path and file name of a script that is provided by the administrator and is run as part of the Advanced Diagnostic log generation process. The output of the script is included in the .cab file that is created as part of the collection of the logs that is initiated when the user opens the Advanced Diagnostics dialog box. The script can be a .cmd file, .bat file, or any other command that can be run at a command prompt and that prints output to the console as text. The script must complete its actions within 45 seconds. Scripts that take longer have their logs truncated.
This script should be installed on the client computer in a location that cannot be modified by a standard user account. The DCA runs the script with elevated permissions.
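Because the DCA runs the diagnostic script with elevated permissions, the script file and its folder should be writable only by administrative principals. The following PowerShell check is an added example, not part of the DCA or of this guide; the name Test-DcaScriptAcl, the trusted SID list and the path in the usage comment are assumptions to adapt to your environment.

```powershell
# Added example (not from the DCA documentation): report principals other than
# SYSTEM, Administrators and TrustedInstaller that can alter the diagnostic
# script or its folder. The function name and trusted list are assumptions.
function Test-DcaScriptAcl {
    param([Parameter(Mandatory = $true)][string]$ScriptPath)

    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that allow changing, replacing or re-permissioning the object.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $file = Get-Item -LiteralPath $ScriptPath -ErrorAction Stop

    # A user who can write to the folder can replace the script, so check both.
    foreach ($target in @($file.FullName, $file.DirectoryName)) {
        $acl = Get-Acl -LiteralPath $target

        # The owner can always rewrite the DACL.
        $owner = $acl.GetOwner($sidType).Value
        if ($trusted -notcontains $owner) {
            New-Object PSObject -Property @{ Path = $target; Sid = $owner; Issue = 'untrusted owner' }
        }

        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries do not apply to the object that carries them.
            if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }

            $raw = [int]$rule.FileSystemRights
            $canWrite = (($raw -band $writeMask) -ne 0) -or (($raw -band $genericMask) -ne 0)
            $sid = $rule.IdentityReference.Value
            if ($canWrite -and ($trusted -notcontains $sid)) {
                New-Object PSObject -Property @{
                    Path  = $target
                    Sid   = $sid
                    Issue = "write access: $($rule.FileSystemRights)"
                }
            }
        }
    }
}

# Usage (placeholder path; substitute the path configured in the DCA settings):
# Test-DcaScriptAcl -ScriptPath 'C:\<protected folder>\<script>.cmd'
```

No output means that only the trusted principals own or can modify the script and its folder.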
The installation program for the DirectAccess Connectivity Assistant (DCA) is an .msi file that can be run on any computer that is capable of participating in a DirectAccess-enabled network. To deploy the installation program to your DirectAccess client computers, you have several options:
Copy the .msi file to a network share or Web site to which your users have read access permissions. Then send your DirectAccess users an e-mail message that contains a link to the file.
Use a software distribution system such as Microsoft System Center Configuration Manager to automatically deploy and run the installation file on all computers that meet the specified criteria. For more information, see System Center Configuration Manager.
Use Group Policy in Active Directory® to automatically deploy and run the installation file on all computers to which the Group Policy object (GPO) applies. When you install DirectAccess, the Setup Wizard creates a GPO named DirectAccess Policy, which applies only to members of a group or set of groups that you specify. You can include the DCA software installation setting as part of this GPO. This is the option described in this topic.
To modify the DirectAccess Policy GPO to deploy the DCA software, follow the steps in the following procedure.
To configure a GPO to deploy the DCA software
The next time Group Policy refreshes on the client computers to which the GPO applies, the settings contained in the GPO are enforced and the software is installed. To manually force a refresh of Group Policy on a client computer, run the following command at a command prompt with Administrator permissions:
The information in this section is a User's Guide that you can provide to the users to whom you deploy the DirectAccess Connectivity Assistant (DCA). This information will help them understand how to use the DCA to improve their DirectAccess experience and help them troubleshoot DirectAccess connectivity issues that might occur.
After the DirectAccess Connectivity Assistant (DCA) program is installed on your computer, it appears as an icon in the notification area of your user interface. The icon provides information about the current status of your corporate connectivity. If you are unable to access corporate resources, check the icon to see if the DCA reports any issues with your DirectAccess connection to the corporate network. If you hover your mouse pointer over the DCA icon, a text message with the current state of the DirectAccess connection appears.
If you left-click the DCA icon, a pop-up window appears with additional information about the current state of your DirectAccess connection. The information in the window includes steps that you must take to attempt to restore connectivity.
The status represents one of three states, and you can receive details about each by left-clicking the icon:
If the DCA determines that DirectAccess is working as expected with no issues, the icon appears with no warning or error symbols. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity is working correctly.
If the DCA determines that the DCA software components are working correctly, but that some aspect of DirectAccess is not working as expected, the icon includes a warning symbol consisting of an exclamation mark in a yellow triangle. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity requires user action. This state indicates that DirectAccess is operational, but it requires some action from you to access all resources. This message can appear when there is no Internet connectivity, because you must take action to connect to the Internet.
If the DCA determines that there is Internet access, but no DirectAccess connectivity to your corporate intranet, an icon appears with an error symbol consisting of an X in a red circle. The pop-up message that appears if you hover over the icon or left-click the icon states Corporate Connectivity is not working correctly. This state indicates that no DirectAccess connectivity is available. This type of problem typically cannot be fixed by any action performed by a local user.
Another common pop-up message from the DCA, which can occur when you resume a DirectAccess-enabled laptop from sleep or hibernation, is a request for you to supply your smartcard (or other supported credentials) to reestablish connectivity to corporate resources. Until you do so, the DCA icon shows the yellow warning state. The pop-up message looks similar to the following diagram:
If your network uses Network Access Protection (NAP) to enforce security requirements on client computers, such as antivirus software, or the latest security updates for the software installed on your computer, then NAP can block your computer from connecting to corporate resources until the problem is resolved. The DCA pop-up dialog box contains information appropriate to the current connectivity state, and includes links to resources that can help you resolve the problem. The dialog box typically contains a link to a corporate Web page that contains information from your DirectAccess administrators. For example, if the DCA indicates NAP as the cause of connectivity loss, it can direct you to the NAP client software that you can use to remediate the lack of compliance with your organization's security requirements.
When the DCA status is red, indicating no DirectAccess connectivity at all, the pop-up dialog box can include possible reasons for the error.
The messages that DCA can display are listed in the following table:
Message displayed by DCA: This Windows Edition does not support DirectAccess. Please contact your administrator.
Description: DirectAccess is supported on Windows 7 Ultimate and Enterprise editions, and Windows Server 2008 R2 only. The DCA runs on Windows 7 only.
Message displayed by DCA: The corporate network reports that your computer is not compliant with health requirements.
Description: Corporate Network Access Protection (NAP) servers are reporting that the client computer is missing a health certificate. To receive the certificate, you must fix the health problem reported by NAP.
Message displayed by DCA: Windows needs your smart card credentials. Please enter your credentials, or lock this computer and then unlock it by using your smart card.
Description: Your administrator can choose to enforce the use of smart cards to access corporate resources with DirectAccess. This message appears the first time your computer attempts to access a corporate resource when smart card credentials are not available. This typically happens after the computer wakes up from sleep or hibernation.
Message displayed by DCA: Local names are currently preferred. Prefer corporate names to restore DirectAccess connectivity.
Description: DCA is set to prefer local names. To access corporate resources, you must disable the Prefer local names option. This can be done by selecting the option in the DCA menu, or by restarting the computer.
Message displayed by DCA: Windows is not configured for DirectAccess. Please contact your administrator if this problem persists.
Description: The computer is not configured to use DirectAccess. This can be verified in the default logs generated by the Advanced Diagnostics window.
Message displayed by DCA: Internet Connectivity is not available. Please connect your computer to the Internet, or start network diagnostics.
Description: Windows cannot connect to the Internet.
Message displayed by DCA: Windows cannot contact the DirectAccess server. Please contact your administrator if this problem persists.
Description: The DCA cannot contact the DirectAccess server. The DCA tests its ability to access administrator configured servers to determine this state. The status of connectivity to the test servers can be verified in the default logs generated by the Advanced Diagnostics window.
Message displayed by DCA: Windows is unable to resolve corporate network names. Please contact your administrator if this problem persists.
Description: Windows cannot resolve names for resources on the corporate network.
Message displayed by DCA: Windows is unable to contact some corporate content resources. Please contact your administrator if this problem persists
Description: The DCA cannot access one or more of the test resources on the corporate network. The status of Corporate Resource connectivity can be verified in the default logs generated by the Advanced Diagnostics window.
Message displayed by DCA: Windows has lost basic connectivity with corporate resources. Please contact your administrator if this problem persists.
Description: The DCA cannot access one or more of the test resources on the corporate network. The status of Corporate Resource connectivity can be verified in the default logs generated by the Advanced Diagnostics window.
Message displayed by DCA: Microsoft DirectAccess Connectivity Assistant is not properly configured. Please contact your administrator if this problem persists.
Description: The DCA is missing necessary configuration information. Your administrator must configure certain settings for DCA to operate correctly. The current configuration can be viewed in the default logs generated by the Advanced Diagnostics window.
DCA settings are stored in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\DirectAccessConnectivityAssistant
When you right-click the DCA notification area icon, a menu appears that enables you to interact with the DCA. The menu consists of the following options:
Selecting this option from the DCA right-click menu displays the Advanced Diagnostics dialog box. The dialog box has detailed information about any current issues that are detected by the DCA. Advanced local users might be able to use the additional detail to solve or work around the issue. If test resources that have been specified by your administrator cannot be accessed, the name of that resource is included in the text of the error message.
As soon as the Advanced Diagnostics dialog box appears, the DCA immediately begins gathering log file information about the DCA and the DirectAccess client. After those logs are gathered and compressed into a .cab file, you can e-mail them to your DirectAccess administrators. You can examine the log files by clicking the link below Advanced log files after they are generated. The log files are plain text, although they are not intended for end users to read or understand. Instead, send them to your DirectAccess administrator by clicking E-mail logs to open a new e-mail message. The log files are in a .cab file that is already attached to the message, and the e-mail is addressed to your DirectAccess administration team. Add any additional information to describe the problem you are experiencing in the body of the e-mail, and then click Send to transmit the e-mail to your DirectAccess administrators. The administrators can use the information that is included in the log to determine the source of the connectivity problems.
When you are on a remote network that is using DirectAccess, all of the name queries from your computer that resolve friendly names to IP addresses are sent through the DirectAccess tunnel to your corporate DNS name server. This enables short names such as http://hrweb or \\public to be accessible to you in your remote location. However, this has the effect of making resources on your local network no longer available by their short name.
For example, if you are at a customer site with a DirectAccess-enabled laptop, and you want to check a Web site on the customer's network named http://thissite, by default it will not work because the name resolution request is sent through DirectAccess to your corporate DNS servers. If your corporate network has a server with that name, then your request resolves to the server on your corporate network instead of the server on the customer's network. If your corporate network does not have a server by that name, an error message is returned. The local customer site is not accessible by name. Until you install DCA, your options to work around this problem are as follows:
With DCA installed, you have a better option that is less complicated for a user and easy to turn on and off. By selecting the Prefer local names option, you disable DirectAccess name resolution and use whatever local name resolution is available to your client computers. This enables you to access computers like your Windows Home Server by name, but it prevents you from accessing any corporate resources by name.
To return to the default DirectAccess behavior, right-click the DCA notification area icon. Click Prefer corporate names. The warning icon changes back to the icon that represents a normal DirectAccess operation.