The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience. DCA informs mobile users of their connectivity status at all times; provides tools to help them reconnect on their own if problems arise; and creates diagnostics to help mobile users provide IT staff with key information if necessary—all to help customers operate with more efficiency, and at a lower cost. The DCA also informs mobile users when they need to enter credentials when smart card or One Time Password (OTP) two-factor authentication is deployed in your organization.

DCA configuration settings should be configured and applied in the Forefront UAG DirectAccess Configuration Wizard, and then the client-side DCA should be installed on the client computers. When the Forefront UAG DirectAccess configuration is applied at the end of the Forefront UAG DirectAccess Configuration Wizard, the DCA settings are added to the Client GPO, and the DirectAccess clients receive them when they connect.

Configuring the DCA comprises the following:

  1. Choosing to configure the DCA

  2. Configuring connectivity verifiers

  3. Configuring troubleshooting

  4. Configuring logging and diagnostics

  5. Installing and Deploying the DCA client-side software

Choosing to configure the DCA

To configure the DCA

  1. Under Step 1, under Optional Settings, click Client Connectivity Assistant. The Client Connectivity page appears.

  2. To configure the DCA, click Yes, configure application settings. To allow users to resolve single label names on the local subnet rather than on the intranet, select Allow users to use local name resolution, and then click Next. The Connectivity verification page appears.

    Note:
    When Allow users to use local name resolution is selected:
    • Users can configure the client-side DCA to use local name resolution for single label names, and re-configure the client-side DCA to use Forefront UAG DirectAccess name resolution.

    • The DirectAccess client has an option to Prefer Local Names in the client-side DCA.

    Note:
    The following should also be noted:
    • When force tunneling is configured, you cannot configure the Allow users to use local name resolution option. This option is disabled because, when force tunneling is configured, all traffic, including name resolution, must go through the Forefront UAG DirectAccess server.

  3. If you do not wish to configure the DCA, click No, and then click Finish to finish the DirectAccess client section of the Forefront UAG DirectAccess Configuration Wizard.

Configuring connectivity verifiers

Connectivity verifiers include validation checks the DCA uses to provide information about the connectivity status of the DirectAccess client. The DCA periodically checks the specified resources and determines and reports on the operating state of DirectAccess connectivity. If a DCA client computer cannot access any of the resources, the icon in the notification area reflects this by changing to red. The resources and their success or failure state are listed in the log files that are captured when the user selects Advanced diagnostics.

Note:
  • If you are using the managed only deployment model, ensure that the connectivity verifiers are for computers included as management servers. If a connectivity verifier to a computer that is not a management server is configured, the DCA attempts to connect to the resource and fails, causing the DCA icon to display a false Red connectivity state. Management servers are configured in the Management Servers page of the Forefront UAG DirectAccess Configuration Wizard.

  • At least one connectivity verifier method using HTTP, HTTPS or File must be configured.

  • It is recommended that you specify a diverse set of resources. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component. For example, if all of the specified resources are behind a network address translating application layer gateway (NAT64), the failure of DCA to access the test resources might indicate a failure of the NAT64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64, another behind an ISATAP gateway, and so on.

  • It is recommended that you use a fully qualified domain name (FQDN) when configuring a connectivity verifier.

  • The network location server’s FQDN must not be used as a connectivity verifier.

To configure connectivity verifiers

  1. On the Connectivity Verification page of the Forefront UAG DirectAccess Configuration Wizard, click Add. The Connectivity Verifier Details dialog box opens.

  2. From the drop down, select a Connectivity method, enter the verifier details, click Validate Connectivity to validate that the connectivity verifier is valid and reachable, and then click OK.

    Refer to the following table for more information on verification methods and verifier details.

    | Verification method | Verifier details | Example |
    |---|---|---|
    | HTTP or HTTPS | A URL that is queried with an HTTP or an HTTPS request. | https://myserver.contoso.com; http://2001:db8::19; |
    | File | A path to a file that the DCA checks. | \\myserver\myshare\test.txt |

  3. To add more connectivity verifiers, repeat step 2.

  4. Click Next. The Troubleshooting Portal page appears.
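
A pre-flight check for a planned verifier list, applying the notes in this section (supported methods, the FQDN recommendation, and the ban on using the network location server). This is an added example, not part of the original page; the function name Test-DcaVerifier and all host names are hypothetical.

```powershell
# Added example: lint planned connectivity verifiers against the notes above.
# All names below are constructed samples, not values from a real deployment.
function Test-DcaVerifier {
    param([string[]]$Verifier, [string]$NlsFqdn)
    $usable = 0
    foreach ($v in $Verifier) {
        $uri = $null
        $issues = @()
        if (-not [System.Uri]::TryCreate($v, [System.UriKind]::Absolute, [ref]$uri)) {
            $issues += 'ERROR: not a parsable URL or file path'
        } elseif (@('http', 'https', 'file') -notcontains $uri.Scheme) {
            $issues += 'ERROR: method must be HTTP, HTTPS or File'
        } else {
            $usable++
            # String -eq is case-insensitive, which suits host names.
            if ($uri.Host -eq $NlsFqdn) {
                $issues += 'ERROR: network location server must not be a verifier'
            }
            # Single-label names and IP literals parse, but an FQDN is recommended.
            if ($uri.HostNameType -ne 'Dns' -or $uri.Host -notmatch '\.') {
                $issues += 'WARN: use a fully qualified domain name'
            }
        }
        New-Object psobject -Property @{ Verifier = $v; Issues = ($issues -join '; ') }
    }
    if ($usable -eq 0) {
        Write-Warning 'At least one HTTP, HTTPS or File verifier must be configured.'
    }
}

$planned = @(
    'https://app1.corp.contoso.com/',   # FQDN over HTTPS: no findings
    'http://[2001:db8::19]/',           # IPv6 literal, bracketed so System.Uri parses it
    '\\fileserver\share\test.txt',      # File method with a single-label host
    'https://nls.corp.contoso.com/'     # same host as the NLS passed below
)
Test-DcaVerifier -Verifier $planned -NlsFqdn 'nls.corp.contoso.com' |
    Format-Table Verifier, Issues -AutoSize
```

The check cannot judge diversity of the resources (for example, one behind the NAT64 and another behind an ISATAP gateway); that still needs review against the network layout.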

Configuring troubleshooting

You should specify a troubleshooting portal, an externally accessible Web site to which the DCA can refer users for help in troubleshooting DirectAccess issues.

To configure troubleshooting

  1. On the Troubleshooting page, specify the portal that DirectAccess clients are referred to for troubleshooting information, as follows:

    • Forefront UAG portal—If you have portals configured in Forefront UAG, you can select one of the available configured portals presented in the drop down box to serve as the Forefront UAG DirectAccess troubleshooting portal.

    • This portal (FQDN)—Enter the Fully Qualified Domain Name of a portal.

    • In Friendly name for URL link, enter a friendly link name of the corporate portal Web site. The friendly name appears on the Advanced Diagnostics dialog box in the DCA.

      Note:
      When you select a Forefront UAG portal, the portal name is used as the friendly name for the URL link. This can be edited by the administrator.
    • Click Next. The Client Diagnostic Logging page appears.

Configuring logging and diagnostics

The DCA client gathers information about the DCA and the DirectAccess client, and generates log files. These log files are compressed into a .cab file and can be sent by email to a Forefront UAG DirectAccess administrator. The Forefront UAG DirectAccess administrator can also provide an additional script that is run as part of the advanced diagnostic log generation process.

To configure logging and diagnostics

  1. On the Logging and Diagnostics page, in Send client log files to, enter the default Email address the users will send client log files to.

    Note:
    This is the default Email address that will be added to the DCA Diagnostics Logs Email. A user can enter an alternate address if required.
  2. In Specify the path and name of the diagnostics script, if you have an additional script that you wish to use in addition to the default DCA script, enter the path on the DirectAccess client computer and filename of the script, and click Finish.

    This script should be installed on the client computer in a location that cannot be modified by a standard user account. The DCA runs the script with elevated permissions.

    Note:
    • The script can be a .cmd file, .bat file, or any other command file that can be run at a command prompt, and that prints output to the console as text.

    • The client-side DCA creates the following outputs:

      • DcaDefaultLog.html—This is the default advanced log file.

      • <filename>.txt—This is the log file output when the IT administrator deploys an additional diagnostics script on the DirectAccess client, where <filename> is the name the administrator gives to the output file.

      • DCA.cab—Is a compressed output of both the above files.

      If an additional diagnostics script has been configured in the Forefront UAG DirectAccess Configuration Wizard, yet the script has not been deployed on the DirectAccess client computer, you may encounter problems opening the DCA.cab file. As an alternative, the log files can be manually sent as separate entities to support personnel.

    • The script must complete its actions within 45 seconds. Scripts that take longer have their logs truncated.

    Dynamic tunnel endpoints (DTEs) are automatically included as part of the DCA configuration.
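
One way to verify the requirement above that the additional diagnostics script sits where a standard user account cannot modify it, which matters because the DCA runs the script with elevated permissions. This is an added example, not part of the original page or of the DCA itself; the default script path is hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit who can alter the additional DCA diagnostics script.
# The default path is hypothetical; pass the path entered in the wizard.
param([string]$ScriptPath = 'C:\Program Files\Contoso\DcaDiag\extra-diag.cmd')

$sidType = [System.Security.Principal.SecurityIdentifier]
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow changing, replacing or re-permissioning the target.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UnsafeAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # The owner can always rewrite the ACL, so it must be a trusted principal.
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        New-Object psobject -Property @{ Path = $Path; Sid = $owner; Problem = 'untrusted owner' }
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to this object itself.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            New-Object psobject -Property @{
                Path = $Path; Sid = $ace.IdentityReference.Value
                Problem = "write access: $($ace.FileSystemRights)"
            }
        }
    }
}

# Check the script and its folder: write access to the folder allows replacing the file.
$findings = @($ScriptPath, (Split-Path -Parent $ScriptPath)) |
    ForEach-Object { Get-UnsafeAccess -Path $_ }
if ($findings) {
    $findings | Format-Table Path, Sid, Problem -AutoSize
    exit 1
}
Write-Output "OK: only SYSTEM, Administrators and TrustedInstaller can modify $ScriptPath"
```

Run it from an elevated prompt on a reference client; a non-zero exit code means some other principal can change what the DCA executes.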

Installing and Deploying the DCA client-side software

The DirectAccess Connectivity Assistant (DCA) is installed by running the Microsoft_DirectAccess_Connectivity_Assistant.msi file, which can be run on any computer capable of participating in a DirectAccess-enabled network.

To deploy the installation program to your DirectAccess client computers, you can use your corporate software distribution tool, or one of the following deployment options:

  • Copy the Microsoft_DirectAccess_Connectivity_Assistant.msi file to a network share or Web site to which your users have read access permissions. Then send your DirectAccess users an e-mail message that contains a link to the file.

  • Use a software distribution system such as Microsoft System Center Configuration Manager to automatically deploy and run the installation file on all computers that meet the specified criteria. For more information, see System Center Configuration Manager (http://go.microsoft.com/fwlink/?linkid=110412).

  • Use Group Policy in Active Directory to automatically deploy and run the installation file on all computers to which the Group Policy object (GPO) applies. When you apply the Forefront UAG DirectAccess Configuration Wizard script, the wizard creates a UAG DirectAccess client GPO, which applies only to members of the security groups or OUs that you specify in the Client Domains page of the Forefront UAG DirectAccess Configuration Wizard. You can include the DCA software installation setting as part of this GPO.

To install the Microsoft DCA

  1. Locate the DirectAccess_Connectivity_Assistant.msi Windows Installer Package on the UAG CD at: \Microsoft Forefront Unified Access Gateway\common\bin\da\dca\Microsoft_DirectAccess_Connectivity_Assistant.msi.

  2. Send your DirectAccess users an e-mail message that contains a link to Microsoft_DirectAccess_Connectivity_Assistant.msi.

  3. Run DirectAccess_Connectivity_Assistant.msi on the DirectAccess client.

    Note:
    • Upgrades from DCA 1.0, DCA 1.5 Beta, and DCA 1.5 RC to DCA 1.5 RTM are supported.

    • When performing an upgrade or uninstall of the DCA, the DCA stops the current DCA application process and service before continuing with the setup. However, when a computer has multiple users and where each user has a DCA instance running, you must reboot the computer to complete the upgrade or uninstall.

    • You must uninstall DCA 1.5 if you want to reinstall DCA 1.0.

    Note:
    When force tunneling is configured, the DCA icon displays a yellow status indicating that Internet connectivity is not available. This is the expected DCA icon status when force tunneling is configured. If your client computer is using IP-HTTPS you should have full access to the Internet and intranet. Only when you cannot access Internet sites should the yellow state be investigated further.

To configure a GPO to deploy the DCA software

  1. Copy the Microsoft_DirectAccess_Connectivity_Assistant.msi installer program to a network shared resource to which your DirectAccess client computers have read access permissions.

  2. On a computer that is running Windows Server 2008 R2 or Windows 7 and has the Remote Server Administration Tools (RSAT) installed, start the Group Policy Management MMC snap-in. To download RSAT, see Remote Server Administration Tools (http://go.microsoft.com/fwlink/?LinkID=182617) in the Microsoft Download Center.

  3. In the navigation tree, right-click the GPO that you want to configure, and then click Edit. The Group Policy Management Editor appears.

  4. In the navigation tree, expand Computer Configuration, expand Policies, expand Software Settings, right-click Software installation, click New, and then click Package.

  5. In the Open dialog box, browse to the network shared resource where you copied the DCA installation file. Select the Microsoft_DirectAccess_Connectivity_Assistant.msi file, and then click Open.

    Note:
    If the path you specify is not a network shared resource, a warning message appears telling you that network users might not be able to access the file to run it. The file itself is not distributed by using Group Policy; only the command to run it. The file itself must be on a network shared resource to which the DirectAccess client computers have read access permissions.
  6. In the Deploy Software dialog box, select Assigned, and then click OK. Because it is assigned to the computer instead of to a user, the software package is installed as soon as the Windows Installer engine determines that it is safe to do so. The new package appears in the details pane.

The next time Group Policy refreshes on the client computers to which the GPO applies, the settings contained in the GPO are enforced and the software is installed. To manually force a refresh of Group Policy on a client computer, run the following command at a command prompt with Administrator permissions: gpupdate /force. Once the DCA client software has been installed, you must restart the client computer.

If you encounter problems when installing or uninstalling the DCA on the DirectAccess client computer, you can turn on MSI logging to troubleshoot the setup process.

To generate log files when running the DirectAccess_Connectivity_Assistant.msi file

  1. Open a command prompt.

  2. Generate log files as follows:

    • When installing, at the command prompt, type “Msiexec /i <full path to DirectAccess_Connectivity_Assistant.msi file> /Lvoicewarm <filename.log>”.

    • When uninstalling, at the command prompt type “Msiexec /x <full path to DirectAccess_Connectivity_Assistant.msi file> /Lvoicewarm <filename.log>”, or “Msiexec /x {productGUID} /Lvoicewarm <filename.log>”.