DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010

Article ID: 2663354

Symptoms

DirectAccess Manage Out does not work for any non-ICMP traffic in Microsoft Forefront Unified Access Gateway 2010. Outbound connections to external DirectAccess client machines fail for all traffic except ICMP. If IPsec auditing is enabled, the following error may be logged when you attempt to access the DirectAccess client:

4984 "An IPSec extended mode negotiation failed"

Cause

This issue can be caused by custom security policies that change the local security rights on the DirectAccess Manage Out server and clients (for example, modifying the setting "Access this computer from the network").

Manage Out connections require that the source computer account and user account can authenticate IPsec connections to the remote DirectAccess client. Although the IPsec tunnel is established from the DirectAccess server to the client, authentication is performed on behalf of the internal source machine or account (impersonation).

The security policy "Access this computer from the network" controls the ability to authenticate to and access system services on remote computers. The source machine or account must be granted this right on the remote resource for DirectAccess Manage Out to function. If the DirectAccess server machine account and the machine account of the internal source server used for impersonation do not have permission to access the DirectAccess client machine from the network, IPsec authentication fails.

In this case, changes had been made to the local security policy that altered the default permissions for this access right: the Everyone and Users groups had been removed from the local security setting "Access this computer from the network".

Resolution

Reset the local security setting "Access this computer from the network" to its default configuration. By default this includes the following groups: Administrators, Backup Operators, Everyone, Users. The default setting is the only configuration that has been tested and verified for DirectAccess Manage Out connectivity.
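A check, added here and not part of the KB article, that exports the local policy with secedit and compares the members of SeNetworkLogonRight (the "Access this computer from the network" right) against the default set named above. It assumes an elevated PowerShell session on the machine being examined; the well-known SIDs are the standard values for the four default groups.

```powershell
# Added example, not from the KB article: report whether the effective
# "Access this computer from the network" assignment (SeNetworkLogonRight)
# still contains the default members the Resolution section lists.
# Assumes an elevated PowerShell session (2.0 or later) on the machine being checked.

# Well-known SIDs of the default members named in the article.
$DefaultMembers = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'Users'
}

function Get-NetworkLogonRight {
    # Export only the user-rights area with secedit and parse the SeNetworkLogonRight line.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = [string](Get-Content -Path $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' })
        if (-not $line) { return @() }    # right granted to nobody
        # Values are comma-separated; SIDs carry a leading '*', account names appear bare.
        foreach ($v in (($line -split '=', 2)[1] -split ',')) {
            $v = $v.Trim()
            if ($v.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($v.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }   # e.g. an orphaned domain SID
            } else {
                $name = $v
                try { $sid = (New-Object System.Security.Principal.NTAccount $v).Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { $sid = $null }
            }
            New-Object PSObject -Property @{ Sid = [string]$sid; Name = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$current     = @(Get-NetworkLogonRight)
$currentSids = @($current | ForEach-Object { $_.Sid })
$missing     = @($DefaultMembers.Keys | Where-Object { $currentSids -notcontains $_ })

'Current SeNetworkLogonRight: ' + (($current | ForEach-Object { $_.Name }) -join ', ')
if ($missing.Count -eq 0) {
    'OK: all default members are present.'
} else {
    'Missing default members (DirectAccess Manage Out may fail): ' +
        (($missing | ForEach-Object { $DefaultMembers[$_] }) -join ', ')
}
```

Run it on the DirectAccess server and on the internal source server whose account is used for impersonation, since the article states both machine accounts need the right on the client.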

More Information

KB 823659, "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments": http://support.microsoft.com/default.aspx?scid=kb;EN-US;823659
Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2663354 - Last Review: May 14, 2012 - Revision: 4.0
APPLIES TO
  • Microsoft Forefront Unified Access Gateway 2010
  • Microsoft Forefront Unified Access Gateway 2010 Service Pack 1
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Service Pack 1
Keywords: KB2663354
