UAG DirectAccess "The adapter configured as external-facing is connected to a domain"

Forefront UAG supports an enhanced version of DirectAccess that adds several features and capabilities that aren't available with the Windows-only version of DirectAccess. After installing UAG on your Windows Server 2008 R2 server, you can enable DirectAccess using the UAG DirectAccess wizard.

Some administrators have received the message:

"The adapter configured as external-facing is connected to a domain"

after running the DirectAccess wizard. If you receive this message, the DirectAccess wizard will not complete and DirectAccess will not be configured on the UAG DirectAccess server. The reason for this failure is that if the external interface detects that it can reach a domain controller, Windows sets the Windows Firewall with Advanced Security profile for that interface to the Domain profile, which disables the GPO settings required for the DirectAccess server to receive connections from DirectAccess clients (connection security rules, firewall rules, etc.).

The cause of this problem isn't well defined right now, but it appears to be related to the UAG DirectAccess activation assuming that the external interface is set for the Domain profile in Windows Firewall with Advanced Security, even though NLA (Network Location Awareness) no longer recognizes that to be true. It could be that the external interface at one time had connectivity to the domain, but was later reconfigured so that it could no longer access the domain.

If you do run into this issue, you can fix the problem by using the Registry Editor to navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth

[Figure: the IntranetAuth key open in Registry Editor]

Delete all the entries that apply to the external interface, that is, the ones that have the IP addresses assigned to the external interface. From the figure above, those would be:

[Figure: the IntranetAuth entries that carry the external interface's IP addresses]
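The same workaround as a script, added here as an example that is not part of the original post and not UAG's own tooling: it lists the IntranetAuth entries that reference the external adapter's addresses, exports the key first so the change can be reversed, and removes the entries only when run with -Delete. The adapter connection name "External" is an assumption, as is the check of both subkey names and value names/data (the post only says the entries "have the IP addresses").

```powershell
# Added example (not from the original post): report, and optionally delete, the
# NLA IntranetAuth cache entries that reference the external adapter's IP addresses.
# Assumes the external NIC's connection name is "External" (hypothetical; adjust it).
param(
    [string]$ExternalAdapterName = 'External',
    [switch]$Delete    # without -Delete the script only lists what it would remove
)

$keyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth'
$keyReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth'
if (-not (Test-Path $keyPs)) { throw "Key not found: $keyPs" }

# Addresses bound to the external adapter. WMI is used because it works on
# Windows Server 2008 R2 / PowerShell 2.0, where Get-NetIPAddress does not exist.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ExternalAdapterName'"
if (-not $adapter) { throw "No adapter with connection name '$ExternalAdapterName'" }
$config  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
$externalIPs = @($config.IPAddress | Where-Object { $_ })
if ($externalIPs.Count -eq 0) { throw "Adapter '$ExternalAdapterName' has no IP addresses" }

# Always export the key first so the change can be undone with 'reg import <file>'.
$backup = Join-Path $env:TEMP ("IntranetAuth-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
& reg.exe export $keyReg $backup /y | Out-Null
Write-Host "Backup written to $backup"

# Collect entries whose subkey name, value name or value data contains an external IP
# (assumption: the addresses appear as text in the entries, as the screenshot suggests).
$hits = @()
foreach ($key in (@(Get-Item $keyPs) + @(Get-ChildItem $keyPs -Recurse))) {
    if ($externalIPs | Where-Object { $key.PSChildName -like "*$_*" }) {
        $hits += New-Object PSObject -Property @{ Kind = 'Key'; Path = $key.PSPath; Name = '' }
        continue
    }
    foreach ($name in $key.GetValueNames()) {
        $text = "$name " + [string]$key.GetValue($name)
        if ($externalIPs | Where-Object { $text -like "*$_*" }) {
            $hits += New-Object PSObject -Property @{ Kind = 'Value'; Path = $key.PSPath; Name = $name }
        }
    }
}

$hits | Format-Table Kind, Name, Path -AutoSize
if (-not $Delete) { Write-Host 'Re-run with -Delete to remove the entries listed above.'; return }

# Remove matching subkeys first; values are removed only if their parent key still exists.
foreach ($h in ($hits | Where-Object { $_.Kind -eq 'Key' }))   { Remove-Item -Path $h.Path -Recurse -Force }
foreach ($h in ($hits | Where-Object { $_.Kind -eq 'Value' })) {
    if (Test-Path $h.Path) { Remove-ItemProperty -Path $h.Path -Name $h.Name -Force }
}
```

Run it from an elevated PowerShell prompt on the UAG server; the first run without -Delete shows exactly which entries would go, so you can compare them against the adapter's addresses before committing.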

I’ll continue to follow up on this issue and update the blog with new information as it comes in. But until then, you have a workaround that will allow you to activate your UAG DirectAccess configuration.