DirectAccess clients unable to connect with error 0x4BE

Symptoms


DirectAccess clients may not be able to connect to the DirectAccess server by using IP-HTTPS. When you run the netsh interface http show interface command, the output is as follows:
URL: https://xx.xx.xx.xx:443/IPHTTPS
Error: 0x4BE
Interface Status: Invalid IPHTTPS URL specified

The error 0x4BE translates to: 
An HTTPS URL can and should only be a name. For a DirectAccess scenario, since the URL is public facing, the name should be an FQDN.
Example: Da.contoso.com

Cause

When you configure DirectAccess by using the quick deployment wizard in Windows Server 2012 or Windows Server 2012 R2, you may encounter this error if you enter the IP address instead of the name in step 2 of the wizard. 

Resolution

You need to enter the name instead of the IP address, as seen in the following screen shot:


 

The field in this screen shot states "Type the public name or IPv4 address used by clients to connect to the Remote Access Server."

You should enter the fully qualified domain name (FQDN) here. Enter a name that is publicly resolvable. This name will be used by clients to connect to the Remote Access Server.
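
A check for the condition described above, written as an added PowerShell example that is not part of the original article: it parses output in the format shown under Symptoms and flags an IP-HTTPS URL whose host is an IP literal or a single-label name. The function name Test-IpHttpsUrl, the sample address 192.0.2.10 and the healthy sample output are constructed for illustration.

```powershell
function Test-IpHttpsUrl {
    param([Parameter(Mandatory)][string]$NetshOutput)

    # Extract the three fields the article shows; tolerate padding around ':'.
    $url    = if ($NetshOutput -match '(?m)^\s*URL\s*:\s*(\S+)') { $Matches[1] }
    $err    = if ($NetshOutput -match '(?m)^\s*(?:Last\s+)?Error(?:\s+Code)?\s*:\s*(\S+)') { $Matches[1] }
    $status = if ($NetshOutput -match '(?m)^\s*Interface Status\s*:\s*(.+?)\s*$') { $Matches[1] }

    $findings = @()
    $hostType = $null
    $uri = $null
    if (-not $url) {
        $findings += 'No URL line found in the output'
    } elseif (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "URL '$url' does not parse as an absolute URI"
    } else {
        # HostNameType distinguishes a DNS name from an IPv4/IPv6 literal.
        $hostType = $uri.HostNameType.ToString()
        if ($uri.Scheme -ne 'https') { $findings += "Scheme is '$($uri.Scheme)', expected https" }
        if ($hostType -in 'IPv4', 'IPv6') {
            $findings += "Host '$($uri.Host)' is an IP literal; use a publicly resolvable FQDN"
        } elseif ($uri.Host -notmatch '\.') {
            $findings += "Host '$($uri.Host)' is a single-label name, not an FQDN"
        }
    }
    if ($err -eq '0x4BE') { $findings += 'Interface reports error 0x4BE' }

    [pscustomobject]@{
        Url = $url; ErrorCode = $err; Status = $status; HostType = $hostType
        Compliant = ($findings.Count -eq 0); Findings = $findings
    }
}

# Constructed samples in the article's output format. 192.0.2.10 is a
# documentation address standing in for the redacted xx.xx.xx.xx.
$bad = @'
URL: https://192.0.2.10:443/IPHTTPS
Error: 0x4BE
Interface Status: Invalid IPHTTPS URL specified
'@
$good = @'
URL: https://da.contoso.com:443/IPHTTPS
Error: 0x0
Interface Status: IPHTTPS interface active
'@
$bad, $good | ForEach-Object { Test-IpHttpsUrl -NetshOutput $_ } | Format-List

# On a live client: Test-IpHttpsUrl -NetshOutput (netsh interface http show interface | Out-String)
```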

More Information

DirectAccess connectivity methods

DirectAccess clients use multiple methods to connect to the DirectAccess server, which enables access to internal resources. Clients have the option to use either Teredo, 6to4, or IP-HTTPS to connect to DirectAccess. This also depends on how the DirectAccess server is configured.

When the DirectAccess client has a public IPv4 address, it will try to connect by using the 6to4 interface. However, some ISPs give the illusion of a public IP address. What they provide to end users is a pseudo-public IP address. This means that the IP address received by the DirectAccess client (a data card or SIM connection) might be an IP from the public address space, but in reality is behind one or more NATs.

When the client is behind a NAT device, it will try to use Teredo. Many businesses such as hotels, airports, and coffee shops do not allow Teredo traffic to traverse their firewall. In such scenarios, the client will fail over to IP-HTTPS. IP-HTTPS is built over an SSL (TLS) TCP 443-based connection. SSL outbound traffic will most likely be allowed on all networks.

Having this in mind, IP-HTTPS was built to provide a backup connection that is reliable and always reachable. A DirectAccess client will make use of this when other methods (such as Teredo or 6to4) fail.

More information about transition technologies can be found at IPv6 transition technologies.

Properties

Article ID: 2980627 - Last Review: 11 Jul 2014 - Revision: 1
