Now for the moment you’ve all been waiting for – the answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 1 and Contest 2 Round 1/Quiz 1!
Here you go:
Answer to Question 1: When the DirectAccess client connects to the UAG DirectAccess server, it establishes two IPsec tunnels – the infrastructure tunnel and the intranet tunnel. All traffic destined to the intranet travels through these two IPsec tunnels with the exception of what type of traffic?
A. ICMPv6 B. ICMPv4 C. DCOM D. SIP (Session Initiation Protocol)
The answer to Question 1 is A.
From http://social.technet.microsoft.com/wiki/contents/articles/directaccess-forcing-encryption-for-icmpv6-traffic.aspx (DirectAccess: Forcing Encryption for ICMPv6 Traffic on the TechNet wiki):
“…By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors: Internet Control Message Protocol (ICMP) traffic, for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), is exempted from Internet Protocol security (IPsec) protection Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess clients and servers on the intranet…”
“…By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors:
The trick here is in the question: “All traffic destined to the intranet travels….” The DirectAccess client only understands IPv6 and therefore does not send any ICMPv4 traffic to the intranet – only ICMPv6 traffic can be sent from the DirectAccess client to the intranet. Therefore, B cannot be true because ICMPv4 is never destined for the intranet. DCOM and SIP traffic are treated like any other non-ICMP traffic and both protocols are always sent through an IPsec tunnel when destined for the intranet.
Question 2: A DirectAccess client is connecting from behind a home NAT device to a UAG DirectAccess server. The user calls the Help Desk and says that he isn’t able to connect to anything on the intranet. You tell the user to open a command prompt and ping the name of a domain controller and the ping succeeds. Then you tell the user to ping the name of a file server and that ping succeeds. Next, you tell the user to ping the name of a web server and that ping succeeds. Then you tell the user to use the net use command to connect to a share on the file server and that fails. Next you tell the user to connect to a share on the domain controller and that attempt is successful. Finally, you tell the user to connect to the web server and that connection attempt fails.
What is the most likely reason for this user’s failure to connect to the resources he needs?
A. The Internet Service Provider is blocking IP Protocol 41 B. Kerberos authentication is failing C. NTLMv2 authentication is failing D. The DirectAccess client doesn’t trust the UAG server’s computer certificate
The answer to Question 2 is B.
Let’s look at what’s happening here:
When we look at this analysis, it becomes clear that the answer is B – that Kerberos authentication is failing. A is not correct because IP Protocol 41 is used by 6to4 – if the client were using 6to4, then even the pings would fail as the IPv6 transition technology would have failed; in addition, the client is connecting from behind a home NAT device, so 6to4 would not be used – IP-HTTPS or Teredo would be used in a NAT scenario. We know that NTLMv2 is not failing, because the infrastructure tunnel is working. And we know that the DirectAccess client trusts the UAG server’s computer certificate, since the client was able to establish the infrastructure tunnel.
========================================================== Question 3: Which of the following are new features included with UAG DirectAccess Service Pack 1?
A. Wizard based configuration of the DirectAccess Connectivity Assistant (DCA) B. Wizard based configuration of “manage only” DirectAccess client connectivity C. Support for Smart Card Authentication D. Support for One Time Password (OTP) Authentication
The answer to question 3 is A, B and D.
Support for Smart Card authentication was available in pre-SP1 UAG DirectAccess.
For more information on what’s new and improved with DirectAccess in UAG SP1, check out UAG 2010 SP1: The New and Improved DirectAccess Features http://blogs.technet.com/b/edgeaccessblog/archive/2010/10/27/uag-sp1-da-overview.aspx
This quiz was a pretty tough one that required you to have a pretty good understanding of the IPv6 transition technologies and authentication for DirectAccess IPsec tunnels. In the next quiz we’ll go more into IPv6 related questions to test some of your IPv6 chops.
The next quiz will be posted late in the day on Thursday, January 13, 2011.
See you then!
Tom Shinder email@example.com Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx