Friday, 8 January 2010

How to Temporarily Disable DirectAccess Functionality on a DirectAccess Client

A surprising, but increasingly common question that comes up when talking to customers about Forefront UAG DirectAccess is:

Can we temporarily disable DirectAccess when using low bandwidth or expensive mobile Internet data tariffs and don’t need corporate network access?

Although this question seems a little strange and counterproductive when talking about a technology that is specifically designed to be ‘always on’, it is actually very valid for the given scenarios.

The best way I have found to temporarily disable DirectAccess is to stop the IP Helper service on the DirectAccess client.

This can be done using the Computer Management snap-in or using the following command line:

net stop "IP Helper"

To regain full DirectAccess functionality, start the service again in Computer Management or use the command line:

net start "IP Helper"

The IP Helper service is used to provide tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.

Please Note: This method will not work if you have DirectAccess clients using native IPv6. However, this scenario is unlikely for most DirectAccess clients as a majority will be using 6to4/Teredo transition technologies or IP-HTTPS.
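As an added example (not part of the original post), the following PowerShell script toggles the IP Helper service the way the post describes, logs each change, and first checks the caveat above: it warns when the client holds a native (non-tunnel) global IPv6 address, because stopping IP Helper does not take DirectAccess offline in that case. It assumes an elevated prompt; the service name iphlpsvc is the one shown later in the comments, and the log path is a constructed value.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt.
$LogPath = 'C:\iphelper_log.txt'   # constructed path for this example

function Test-NativeIPv6 {
    # True if any non-tunnel adapter that is up holds a global IPv6 address,
    # i.e. IPv6 connectivity that does not depend on IP Helper's transition tunnels
    # (6to4, ISATAP and Teredo all appear as Tunnel-type interfaces).
    $nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $nics) {
        if ($nic.NetworkInterfaceType -eq 'Tunnel' -or $nic.NetworkInterfaceType -eq 'Loopback') { continue }
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $ua.Address
            if ($ip.AddressFamily -ne 'InterNetworkV6') { continue }
            if ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal -or $ip.IsIPv6Teredo) { continue }
            return $true
        }
    }
    return $false
}

function Switch-IPHelper {
    # Stop IP Helper if it is running, otherwise start it; returns the new state.
    $svc = Get-Service -Name iphlpsvc   # display name "IP Helper"
    if ($svc.Status -eq 'Running') {
        if (Test-NativeIPv6) {
            Write-Warning 'Native IPv6 detected: stopping IP Helper will not disable DirectAccess on this client.'
        }
        # -Force also stops any services that depend on IP Helper.
        Stop-Service -Name iphlpsvc -Force
        $action = 'stop'
    } else {
        Start-Service -Name iphlpsvc
        $action = 'start'
    }
    $svc.Refresh()
    "$(Get-Date -Format s) IP Helper $action -> $($svc.Status)" | Out-File -FilePath $LogPath -Append
    return $svc.Status
}

Switch-IPHelper
```

Running the script a second time reverses the change, so it can be bound to a shortcut as a simple on/off switch.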

Simple, but handy at times…

17 comments:

  1. With DirectAccess, the (new) best way to disable it temporarily is to install the DirectAccess Connectivity Assistant on your Win7 client and then use the right-click menu to "prefer local names".

  2. If only DCA was available back then Pat ;)

  3. Hi, what about when the NLS is not reachable? My DA clients will think they are external. Is it possible to access my internal resources with iphlpsvc stopped?
    greets, Jens Mander...

  4. This is a great article from Tom to cover that scenario: http://blogs.technet.com/b/tomshinder/archive/2010/04/06/when-good-network-location-servers-go-bad-preparing-against-nls-failure.aspx

    Cheers

    JJ

  5. hi jj,
    yes - i found this article 5 minutes later on my rss. ;-)
    thx 4 ur help!

  6. Here's a batch file to let the user toggle the IP Helper service, a kind of VPN on/off for dummies:

    @echo off
    REM Toggle the IP Helper service (iphlpsvc): start it if stopped, stop it if running.
    REM Run from an elevated prompt; each change is appended to the log file.
    NET START | FIND "IP Helper" > NUL
    IF ERRORLEVEL 1 (
    NET START iphlpsvc
    echo service start @ %date% %time% >> C:\iphelper_log.txt
    ) ELSE (
    NET STOP iphlpsvc
    echo service stop @ %date% %time% >> C:\iphelper_log.txt
    )

  7. Thanks!

    The DCA is worth a look too...

  8. Hi,
    I am using the Win 7 OS and installed DirectAccess, but the icon doesn't appear. I am unable to find IP Helper in services.msc. Please help me to fix this issue.

  9. You are not supposed to stop the IP Helper service. This is not right.

  10. An alternative to stopping the "IP Helper" service is to change the registry EnableDAForAllNetworks value, which seems to be the same thing the DirectAccess Connectivity Assistant (DCA) is doing. More details in my post at http://whpwtfdidn.blogspot.com/2014/08/directaccess-client-enabledisable-from.html

  11. I should probably delete this post, as I now know it is *not* supported to stop the IP Helper service, as it is used by other components, not just DirectAccess. With the advent of Win8/8.1 you now have the 'Disconnect' option in the VAN interface, which can be used to disengage the NRPT entries used by DA. Although this doesn't disconnect the IPsec tunnel, it does return name resolution to the default state, such that all names, including corporate DNS queries, will be sent to the default DNS server configured on the DA client NIC. With the recent release of http://support.microsoft.com/kb/2953212 you can now use the Disconnect option even when the IPsec tunnels have not connected.

    Replies
    1. Is there a way to disable DA completely? If I enable Use local DNS resolution via the DCA I can still ping and RDP onto internal servers. Some of my test users have complained about DA whilst using their laptops on a Virgin train with complimentary Wi-Fi.

    2. No, even in Win8 the UI "Disconnect" option is only actually disabling the NRPT - the tunnels are still active. Stopping IPHelper would bring the tunnels down, but this approach isn't recommended/supported. It is designed to be an 'always on' technology and hence difficult to truly put it into offline mode in an easy way.

    3. Thanks Jason, I have been looking at this and thought about toggling the NIC adapter state before enabling or disabling the NRPT. This crude batch file I wrote appears to work.

      Disable:
      @ECHO ON
      REM Drop mapped drives, take the NICs down, set the DA policy value, stop the DCA, then bring the NICs back up.

      NET USE * /DELETE /YES

      wmic path win32_networkadapter where 'NetConnectionID like "Wireless Network Connection" ' call disable
      wmic path win32_networkadapter where 'NetConnectionID like "Local Area Connection" ' call disable

      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /f /v "EnableDAForAllNetworks" /t REG_DWORD /d "00000002"

      net stop DcaSvc

      taskkill /F /FI "IMAGENAME eq DcaTray.exe" /T

      wmic path win32_networkadapter where 'NetConnectionID like "Wireless Network Connection" ' call enable
      wmic path win32_networkadapter where 'NetConnectionID like "Local Area Connection" ' call enable

      Enable:
      @ECHO ON
      REM Take the NICs down, restore the DA policy value, bring the NICs back up, then restart the DCA service and tray.

      wmic path win32_networkadapter where 'NetConnectionID like "Wireless Network Connection" ' call disable
      wmic path win32_networkadapter where 'NetConnectionID like "Local Area Connection" ' call disable

      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /f /v "EnableDAForAllNetworks" /t REG_DWORD /d "00000000"

      wmic path win32_networkadapter where 'NetConnectionID like "Wireless Network Connection" ' call enable
      wmic path win32_networkadapter where 'NetConnectionID like "Local Area Connection" ' call enable

      net start DcaSvc

      "C:\Program Files (x86)\DirectAccess Connectivity Assistant\DcaTray.exe"

      When using the disable batch file, ping returns 127.0.53.53 and I am unable to RDP etc.

    4. Ouch, that's ugly! ;) ....however, if it works for you then great!
