Troubleshooting Direct Access Teredo connectivity on Forefront UAG 2010

Posted by Ahmed Nabil
I encountered a problem on one of my DirectAccess installations where all the clients could connect to DirectAccess using HTTPS only. After several investigations, and with the help of senior Microsoft engineers, we noticed that the Teredo IPv6 route was missing on the server. When the server tries to respond to Teredo requests, it uses the default route (6to4) instead of the server's Teredo adapter because of the following route entry:

UAG cannot respond to Teredo

To fix this issue you need to manually add the Teredo route as follows:

  1. Obtain the Teredo adapter interface index (IDX) by running the following elevated command on the UAG server: “netsh int ipv6 show int”
  2. Add the route manually (using the IDX obtained in the previous step) as follows:

Adding Teredo Route manually to UAG 2010 routing table
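The following PowerShell script is an added example, not from the original post: it automates the two steps above on the UAG server, reading the Teredo adapter's index from the same netsh output and adding the route only if it is missing. It assumes the adapter carries the default name "Teredo Tunneling Pseudo-Interface" and that the missing route is the Teredo prefix 2001::/32; the exact route entry shown in the original screenshot is not reproduced on this page.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the UAG server. Assumptions: the Teredo adapter uses the default
# name "Teredo Tunneling Pseudo-Interface", and the missing route is the Teredo
# prefix 2001::/32 (RFC 4380); change $teredoPrefix if your environment differs.
$teredoPrefix = '2001::/32'

# Step 1: parse "netsh int ipv6 show int" (columns: Idx Met MTU State Name)
# and pick up the Idx of the Teredo adapter.
$idx = $null
foreach ($line in (netsh interface ipv6 show interfaces)) {
    if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(.+)$') {
        $candidateIdx = [int]$matches[1]
        $name = $matches[2]
        # -like is used here so $matches from the line above is not overwritten
        if ($name -like '*Teredo*') { $idx = $candidateIdx }
    }
}
if ($idx -eq $null) {
    throw 'Teredo Tunneling Pseudo-Interface not found; check that Teredo is enabled on the server.'
}
Write-Host "Teredo adapter interface index: $idx"

# Step 2: add the route only if the table does not already carry it for this
# interface, so re-running the script is harmless. store=persistent keeps the
# route across reboots.
$routes = netsh interface ipv6 show route
$present = $routes | Where-Object { ($_ -match [regex]::Escape($teredoPrefix)) -and ($_ -match "\s$idx\s") }
if ($present) {
    Write-Host "Route $teredoPrefix via interface $idx already exists; nothing to do."
} else {
    netsh interface ipv6 add route $teredoPrefix interface=$idx store=persistent
    Write-Host "Added route $teredoPrefix via interface $idx."
}

# Verify: the Teredo prefix should now point at the Teredo adapter instead of
# falling through to the 6to4 default route.
netsh interface ipv6 show route | Where-Object { $_ -match [regex]::Escape($teredoPrefix) }
```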

Certificate CRL and Delta CRL are not copied automatically to the HTTP Path

Posted by Ahmed Nabil
A common problem noted on several implementations of Active Directory Certificate Services is that the CRL and Delta CRL are not copied to the HTTP path. By default, a Microsoft Enterprise CA publishes the CRL automatically only to the LDAP path defined in the CRL Distribution Point (CDP). CA administrators normally define the CDP in several locations, such as LDAP and HTTP (the Inetpub folder). Since the CRL is only copied to LDAP, the copy in the HTTP location expires and the user encounters this error.

HTTP CRL location expires on a daily basis

The client will try to retrieve the CRL and Delta CRL from each defined location (LDAP and HTTP) when the system checks the revocation status of a certificate. If it can get the CRL from even just one of these locations, the revocation check passes and the certificate functions normally, even if the CRL is not copied to the HTTP location. However, the HTTP location for the CRL and Delta CRL will still show the Expired status above.

To solve this issue you have two options:

  1. Copy them manually from the CERTSRV folder to the Inetpub folder
  2. Create a batch file to copy them automatically and add this batch file to the daily scheduled tasks.

The batch file should be something like this:
REM Copy the CA's CRL and Delta CRL into the folder served by IIS for the HTTP CDP.
REM /Y overwrites the existing files without prompting, so the job does not hang when run as a scheduled task.
xcopy C:\Windows\System32\certsrv\CertEnroll\*.crl C:\Inetpub\ /Y