Friday, 1 April 2011

UAG DirectAccess: Useful NETSH Commands

During UAG DirectAccess deployments, I use several netsh commands as part of the initial deployment testing from a DirectAccess client. In the event of problems, this will often include additional advanced netsh commands that are more troubleshooting-focused. After seeing these commands, many customers ask for a list of the most useful ones that they can learn to assess and troubleshoot problems at the DirectAccess client. Consequently, I thought this might be something useful to document in a short blog post. The netsh tool is immensely powerful, but hopefully the following commands provide a good starting point to assess, understand and troubleshoot the DirectAccess client.

DirectAccess Client: Settings and Status

Useful Command: netsh dns show state

Description: This is probably the first and most useful command you will run, as it provides essential information on the current DirectAccess status and general configuration state.

Useful Command: netsh namespace show policy

Description: This command is used to display the Name Resolution Policy Table (NRPT) that has been defined within Group Policy.

Useful Command: netsh namespace show effectivepolicy

Description: This command is similar to the previous command but outputs the actual NRPT entries that are currently active on the DirectAccess client.

DirectAccess Client: Common Transition Technology Interfaces

Useful Command: netsh interface teredo show state

Description: This command shows the current status of the Teredo interface, if used at that time.

Useful Command: netsh interface httpstunnel show interfaces

Description: This command shows the current status of the IP-HTTPS interface, if used at that time.

DirectAccess Client: Windows Firewall Settings and Status

Useful Command: netsh advfirewall monitor show firewall

Description: This command is used to show the current status and configuration state of the local Windows Firewall.

Useful Command: netsh advfirewall show currentprofile

Description: This command is used to show the current Windows Firewall profile that is in use.

Useful Command: netsh advfirewall monitor show mmsa

Description: This command is used to show the current status of the Windows Firewall main mode security associations that are present when the DirectAccess infrastructure and intranet IPsec tunnels are active.

Useful Command: netsh advfirewall monitor show consec

Description: This command is used to show the current status of the Windows Firewall connection security rules which are used to define the DirectAccess infrastructure and intranet IPsec tunnels.

Please Note: The commands above have been shown in their verbose form for clarity; however, many of the netsh parameters can be abbreviated for brevity. For example, the ‘interface’ parameter is often entered simply as ‘int’.

To see these commands in action for both intranet and Internet scenarios, along with their respective outputs, I recommend you test drive the UAG DirectAccess Troubleshooting Test Lab Guide (TLG) available here.
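When a client needs triage, it helps to capture every command above in one pass so the NRPT, transition interface and IPsec state all come from the same moment. The following PowerShell script is an added example, not part of the original post: the report path, the section labels and the use of an elevated prompt are assumptions.

```powershell
# Added example: run the netsh commands listed in this post and save the
# output to a single timestamped report on the DirectAccess client.
# Assumption: run from an elevated PowerShell prompt.
# Assumption: report location and section labels are illustrative only.

$report = Join-Path $env:TEMP ("da-client-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

# Same order as the post, so the report reads top-down like the checklist.
$checks = @(
    @{ Area = 'Settings and status';  Command = 'dns show state' },
    @{ Area = 'Settings and status';  Command = 'namespace show policy' },
    @{ Area = 'Settings and status';  Command = 'namespace show effectivepolicy' },
    @{ Area = 'Transition interfaces'; Command = 'interface teredo show state' },
    @{ Area = 'Transition interfaces'; Command = 'interface httpstunnel show interfaces' },
    @{ Area = 'Windows Firewall';     Command = 'advfirewall monitor show firewall' },
    @{ Area = 'Windows Firewall';     Command = 'advfirewall show currentprofile' },
    @{ Area = 'Windows Firewall';     Command = 'advfirewall monitor show mmsa' },
    @{ Area = 'Windows Firewall';     Command = 'advfirewall monitor show consec' }
)

$lines   = @("DirectAccess client report for $env:COMPUTERNAME at $(Get-Date -Format s)")
$summary = @()

foreach ($check in $checks) {
    # Pass each token as a separate argument to netsh.exe.
    $argList  = $check.Command -split ' '
    $output   = & netsh.exe @argList 2>&1 | ForEach-Object { "$_" }
    $exitCode = $LASTEXITCODE

    $lines += ''
    $lines += ('=' * 70)
    $lines += "[{0}] netsh {1}  (exit code {2})" -f $check.Area, $check.Command, $exitCode
    $lines += ('=' * 70)
    $lines += $output

    # Keep one row per command so failures are visible without reading the report.
    $summary += New-Object PSObject -Property @{
        Command  = "netsh $($check.Command)"
        ExitCode = $exitCode
        Lines    = @($output).Count
    }
}

$lines | Set-Content -Path $report -Encoding UTF8
$summary | Select-Object Command, ExitCode, Lines | Format-Table -AutoSize
Write-Host "Report written to $report"
```

Any row with a non-zero exit code or very few output lines is the place to start reading; the report can contain internal namespace suffixes and IPv6 addresses, so handle it as internal data.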
