Share via


UAG DirectAccess "The adapter configured as external-facing is connected to a domain"

Forefront UAG supports an enhanced version of DirectAccess that adds several features and capabilities that aren't available with the Windows only version of DirectAccess. After installing UAG on your Windows Server 2008 R2 server, you can then enable DirectAccess using the UAG DirectAccess wizard.

Some administrators have received the message:

"The adapter configured as external-facing is connected to a domain"

After running the DirectAccess wizard. If you receive this message, the DirectAccess wizard will not complete and DirectAccess will not be configured on the UAG DirectAccess server. The reason for this failure is that if the external interface detects that it can reach a domain controller, it will set the Windows Firewall with Advanced Security Profile to "Domain Profile", which will disable the GPO settings required for the DirectAccess server to receive connections from DirectAccess clients (connection security rules, firewall rules, etc).

The cause of this problem isn't well defined right now, but it appears that this is basically only the UAG DirectAccess activation assuming that the external interface it set for the domain profile in Windows Firewall with Advanced security, although NLA no longer recognizes that to be true. It could be that the external interface at one time had connectivity to the domain, but later was reconfigured so that subsequently the external interface no longer could access the domain.

If you do run into this issue, you can fix the problem by using the Registry Editor to navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth

Delete all the entries that apply to the external interface - those will be the ones that have the IP addresses assigned to the external interface.

We'll continue to update this wiki entry as more information on this issue becomes available, but believed it was important to get this workaround information to you as soon as we could. If you do run into this issue, please contact CSS so that they are aware of the problem.