Share via


Configuring the DCA Software

Applies To: Windows 7, Windows Server 2008 R2

The DirectAccess Connectivity Assistant (DCA) can be configured by using Group Policy settings. The DCA installation file contains two Group Policy template files (.admx and .adml). These files enable you to store DCA settings in a Group Policy object (GPO). We recommend that you apply the settings by using the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12} or UAG DirectAccess: Client-{3491980e-ef3c-4ed3-b176-a4420a810f12} GPOs that are created when you install DirectAccess on your network. Alternatively, you can create a new GPO and scope the GPO to apply to the security groups that contain all of your client computers that participate in your DirectAccess deployment.

Installing the DCA Group Policy template files

The following procedure explains how to download and store the DCA template files. The downloaded file contains the following files that you can import into the Group Policy Management Console:

  • DirectAccess Connectivity Assistant GP.admx

  • DirectAccess Connectivity Assistant GP.adml

To import the DCA template files into the Group Policy Management Console

  1. Perform these steps on a computer that is running either Windows Server 2008 R2 or Windows 7 and has the Remote Server Administration Tools (RSAT) installed. To download RSAT, see Remote Server Administration Tools (https://go.microsoft.com/fwlink/?linkid=182617)

  2. Copy the DCA Group Policy .admx and .adml template files to the correct folders on your computer:

    1. Copy the DirectAccess Connectivity Assistant GP.admx file to the folder %systemroot%\PolicyDefinitions.

    2. Copy the DirectAccess Connectivity Assistant GP.adml file to the folder **%systemroot%\PolicyDefinititions\**language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.

  3. Start the Group Policy Management MMC snap-in.

  4. Expand Computer Configuration, expand Administrative Templates, and then select DirectAccess Connectivity Assistant.

    The settings for DCA appear in the details pane.

Configuring the DCA client settings

This section describes the settings that are available to configure a DCA client.

Important

The two settings that you must configure so that you have complete DCA functionality are the settings DTE and CorporateResources. The others settings are optional, but recommended.

DTE

Type: A collection of IPv6 addresses that each identify a DirectAccess server.

Default: None

Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the intranet tunnel. You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address, for example: PING:2002:836b:1::836b:1.

To discover the addresses for your DirectAccess configuration, you can review the IP addresses included in the connection security rules applied by the DirectAccess GPO. In a default DirectAccess configuration, the rules are named DirectAccess Policy-ClientToCorp and DirectAccess Policy-ClientToDnsDc, and the value to include in this setting is the RemoteTunnelEndpoint. To view these addresses, you can use the netsh advfirewall consec show rule name=all type=dynamic command.

Important

If your DirectAccess configuration uses the Full Intranet Access or Selected Server Access models, where IPsec tunnel mode is used to connect to the DirectAccess infrastructure servers, and a separate IPsec tunnel is used to access shared resources that are required by the user, configuring one or more servers in the DTE setting is required.

CorporateResources

Type: A collection of strings that identify network resources to test.

Default: None

Description: Specifies resources that are normally accessible to DirectAccess clients. You must configure this setting to have complete DCA functionality .Each entry is a string that identifies the type of resource and the identification of the resource. Each string in its respective key can be one of the following types:

  • An IPv6 address or DNS name to ping. The syntax is the text PING: followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address, for example: PING:myserver.mydomain.com or PING:2002:836b:1::1.

Note

We recommend that you use FQDNs instead of addresses where possible.

Important

At least one of the resources must use the PING: syntax and name resolution.

  • A Uniform Resource Locator (URL) to query with an HTTP request. The syntax is the word HTTP: followed by a URL that resolves to an IPv6 address of a Web server, for example: HTTP:https://2002:836b:1::1/ or HTTP:https://myserver.mydomain.com/.

  • A Universal Naming Convention (UNC) path to a file that the DCA checks. The DCA does not actually open or read the file; it only confirms that it exists. The syntax is the word FILE: followed by a UNC path that resolves to an IPv6 address file on a share, for example: FILE:\\2002:836b:1::1\myshare\test.txt or FILE:\\myserver\myshare\test.txt.

Important

The administrator must ensure that the file continues to exist, and that the DCA has read permissions to the file.

Important

The URL and UNC paths that you configure should not require any type of user account credentials for authentication or authorization.

Note

One of the CorporateResources values that you create can be the Corporate Website Probe URL, as documented in the DirectAccess Design Guide topic Design Your Intranet for Corporate Connectivity Detection (https://go.microsoft.com/fwlink/?linkid=185900).

The DCA periodically checks its ability to access the specified resources, and it uses the results of those tests to determine and report the operating status of DirectAccess. If a DCA client computer cannot access any of the specified resources, the icon in the notification area changes to red. The list of resources and their success or failure state is listed in the log files that are captured when the user selects Advanced diagnostics.

You should specify a diverse set of resources that ideally have DirectAccess as the only common factor. These resources should be accessible through the intranet tunnel on the internal private network, and not part of the DirectAccess infrastructure. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component. For example, if all of the specified resources are behind a NAT64/DNS64, the failure of DCA to access the test resources might indicate a failure of the NAT64/DNS64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64/DNS64, another that is an ISATAP host, and so on.

Corporate Portal Site

Type: String

Default: None

Description: Specifies the URL to an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues. The URL appears in DCA pop-up messages and in the Advanced Diagnostics window. We recommend that you maintain a list of current troubleshooting steps for common problems, and provide contact information for users when the Web site does not help the user solve the problem. For examples, see the screen shots in the section Using the DCA Software in this guide.

PortalName

Type: String

Default: “Help Portal”

Description: Specifies the friendly name of the corporate portal Web site. This name appears in the link in the DCA Advanced Diagnostics window. You can customize this to include your organization’s name.

SupportEmail

Type: String

Default: None

Description: Specifies the e-mail address to be used when the user starts Advanced Diagnostics and selects the option to transmit log files to the DirectAccess administrator. When the user clicks Email Logs as an Attachment, the default e-mail client opens a new message with the specified address in the To: field of the message, and attaches the generated log files as a .cab file. The user can review the e-mail and add additional information before clicking Send.

Important

The log files that are sent from the client computer can include files and data from folders that are not normally accessible to standard, non-elevated users. Because the completed log files are made available to the user through a link in the Advanced Diagnostics dialog box and through an attachment in an e-mail, standard users without administrator permissions can read the files.

LocalNamesOn

Type: Enabled or disabled

Default: Disabled

Description: Specifies whether the user sees the menu option Prefer Local DNS Names, and can remove the DirectAccess rules from the Name Resolution Policy Table (NRPT) and instead use local name resolution. If enabled, the user can right-click the DCA icon and then click Prefer Local DNS Names. If this setting is disabled, the menu option does not appear on the DCA menu.

If the user selects Prefer Local DNS Names, DirectAccess stops sending name resolution requests to the internal corporate DNS servers. Instead, the client uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to Internet DNS servers. For more information about local names versus corporate names, see the topic Using the DCA Software in this guide.

Note

The Prefer Local DNS Names setting only has an effect when the user is connecting to the corporate network from the Internet.

AdminScript

Type: String

Default: None

Description: Specifies the path and file name of a script that is provided by the administrator and is run as part of the Advanced Diagnostic log generation process. The output of the script is included in the .cab file that is created as part of the collection of the logs that is initiated when the user opens the Advanced Diagnostics dialog box. The script can be a .cmd file, .bat file, or any other command that can be run at a command prompt and that prints output to the console as text. The script must complete its actions within 45 seconds. Scripts that take longer have their logs truncated.

Warning

This script should be installed on the client computer in a location that cannot be modified by a standard user account. The DCA runs the script with elevated permissions.