UAG DirectAccess "The adapter configured as external-facing is connected to a domain"

Forefront UAG supports an enhanced version of DirectAccess that adds several features and capabilities that aren’t available with the Windows only version of DirectAccess. After installing UAG on your Windows Server 2008 R2 server, you can then enable DirectAccess using the UAG DirectAccess wizard.

Some administrators have received the message:

"The adapter configured as external-facing is connected to a domain"

after running the DirectAccess wizard. If you receive this message, the DirectAccess wizard will not complete and DirectAccess will not be configured on the UAG DirectAccess server. The reason for this failure is that if the external interface detects that it can reach a domain controller, it will set the Windows Firewall with Advanced Security Profile to "Domain Profile", which will disable the GPO settings required for the DirectAccess server to receive connections from DirectAccess clients (connection security rules, firewall rules, etc).

The cause of this problem isn’t well defined right now, but it appears that the problem is related to the UAG DirectAccess activation assuming that the external interface it set for the domain profile in Windows Firewall with Advanced security, although NLA (Network Location Awareness) no longer recognizes that to be true. It could be that the external interface at one time had connectivity to the domain, but later was reconfigured so that subsequently the external interface no longer could access the domain.

If you do run into this issue, you can fix the problem by using the Registry Editor to navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth


Delete all the entries that apply to the external interface – those will be the ones that have the IP addresses assigned to the external interface. From the figure above, those would be:


I’ll continue to follow up on this issue and update the blog with new information as it comes in. But until  then, you have a workaround that will allow you to activate your UAG DirectAccess configuration.

Comments (5)

  1. Anonymous says:

    Do you have any information on how to fix this same problem with server 2012 essentials? I have been racking my head for a week now. Could use some help with this. I have tried what you have but that did not fix my problem.

    Thank you

    Mark R Bracking

  2. Anonymous says:

    Having had a chance to work with Server Essentails. What type of deployment are you working on? The simplified behind a NAT? Thanks! -Tom

  3. Juha-Pekka Posti says:

    Hi! Is this fix still valid? Anything new regarding UAG Sp1? Brgrds, Juha-Pekka Posti

  4. Jan Simon says:

    Its still valid, had it today with a all barand new installation on 2008 R2 SP1, UAG SP1 😉


    Jan Simon

  5. Tracy says:

    Deleting the entries do not help because the entries are created new after the Network is established