Problem using forced tunneling mode in DirectAccess

I’m currently investigating an issue where Microsoft DirectAccess clients are unable to successfully apply group policy while in forced tunneling mode. The clients we’re using are Windows 7 Enterprise and we are running Windows Server 2012 on the server side.
In split tunneling mode there are no problems.

The issue occurs while we run gpupdate on the client when outside of the corporate network. The user part works without an error but the computer part of group policy will render an error message saying computer policy could not update.

We are also experiencing problems with Outlook connectivity to Exchange while in forced tunneling mode.

I am currently working on this case together with a Microsoft support engineer. I’ll keep you updated on how it evolves. Leave a comment if you want more details.

Update

Microsoft has now responded with a solution/workaround regarding the computer group policy (gpupdate problem) part. The proposed solution consists of the following.

  1. Make sure you allow your clients to use local name resolution for forced tunneling mode.

  2. Then select “Use local name resolution for any kind of DNS name resolution error (least restrictive)”.

  3. After you set these options and run gpupdate, the client will be able to update computer settings through gpupdate over Direct Access in forced tunneling mode.

Outlook problem

The error with Outlook over Direct Access in forced tunneling mode can either display an error message saying “Your network adapter does not have a default gateway.” or simply show a “Disconnected from Exchange” status message in Outlook.

The workaround for this error is to apply the following registry settings:

Outlook 2007

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DefConnectOpts, and then press ENTER.
  5. Right-click DefConnectOpts, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.

Outlook 2010

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DefConnectOpts, and then press ENTER.
  5. Right-click DefConnectOpts, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.

It’s all described pretty poorly in this KB-article: http://support.microsoft.com/kb/913843
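
The registry steps above can be scripted for rollout to many clients. The following PowerShell is an added example, not taken from the original post or the KB article; the function name `Set-OutlookDefConnectOpts` is hypothetical, and because the value lives under HKEY_CURRENT_USER it assumes it runs in the affected user's own session (for example as a logon script).

```powershell
# Added example: sets DefConnectOpts = 0 for the Outlook versions named in the post.
# Written to work on the PowerShell 2.0 that ships with Windows 7.
function Set-OutlookDefConnectOpts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Office version keys from the post: 12.0 = Outlook 2007, 14.0 = Outlook 2010
    $versions = @{ '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010' }

    foreach ($ver in $versions.Keys) {
        $outlookKey = "HKCU:\Software\Microsoft\Office\$ver\Outlook"

        # Skip versions this user has never started; do not create stray Office keys.
        if (-not (Test-Path $outlookKey)) {
            Write-Verbose "$($versions[$ver]) key not present for this user, skipping."
            continue
        }

        $rpcKey = Join-Path $outlookKey 'RPC'

        # Record the previous value so the change can be audited or rolled back.
        $before = $null
        if (Test-Path $rpcKey) {
            $before = (Get-ItemProperty -Path $rpcKey -Name DefConnectOpts `
                       -ErrorAction SilentlyContinue).DefConnectOpts
        }

        if ($PSCmdlet.ShouldProcess($rpcKey, 'Set DefConnectOpts = 0')) {
            if (-not (Test-Path $rpcKey)) {
                New-Item -Path $rpcKey -Force | Out-Null
            }
            # -Force overwrites an existing value instead of failing.
            New-ItemProperty -Path $rpcKey -Name DefConnectOpts `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # Read the value back; under -WhatIf it is still the old value (or empty).
        $after = (Get-ItemProperty -Path $rpcKey -Name DefConnectOpts `
                  -ErrorAction SilentlyContinue).DefConnectOpts

        New-Object PSObject -Property @{
            Product = $versions[$ver]; Key = $rpcKey; Before = $before; After = $after
        }
    }
}

Set-OutlookDefConnectOpts -Verbose
```

Run it with `-WhatIf` first to see which keys would be touched; Outlook has to be restarted before the new value takes effect.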

Comments
  1. Posted by CJ

    Hi,

    Did you get the ticket resolved? Could you email me the case number as we are about to open a call with MSFT too. . .

    • Posted by Martin Wahlberg

      Hi CJ.

      Actually Microsoft wanted me to provide them with our workaround. So no solution from MS on this case. I got fed up sending event logs and stuck with the workaround. Our incident nr is 112100242503952.
