Getting IP-HTTPS error code 0x4BE?

Hello fellow DirectAccess admins! Sorry for the lack of posts in the past couple of weeks; I’ve been out on holiday and am just getting ramped back up today. For today’s posting, we are going to cover the reason for IP-HTTPS error code 0x4BE. One of my fellow co-workers filled me in on the details of this particular IP-HTTPS error code, and I wanted to pass this along to the DirectAccess community.

If your client is trying to connect using IP-HTTPS, it can encounter this error code when an IP address was used as the public name for your DirectAccess server.

For reference, you can run the following command on your DirectAccess client to check the state of the IP-HTTPS adapter:

netsh int https show int

You will get output showing the current state of the connection. A good connection should show error code 0x0, like below:

Interface IPHTTPSInterface (Group Policy) Parameters
————————————————————
Role : client
URL : https://da.contoso.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface is active.

On a client that has the error code 0x4BE, you will find that DirectAccess is not working for this particular client. On a Windows 8 machine it will show a status of “Connecting”, like so:

Windows 8 DA Connecting


Looking at the IP-HTTPS adapter by running the same netsh command from above, you can clearly see the 0x4BE error along with an interface status of “invalid IPHTTPS URL specified”:

Interface IPHTTPSInterface (Group Policy) Parameters
————————————————————
Role : client
URL : https://20.20.20.20:443/IPHTTPS
Last Error Code : 0x4BE
Interface Status : invalid IPHTTPS URL specified

This occurs if you entered an IP address for the DA server instead of a DNS name on this screen during setup:

IP for IP-HTTPS Server


Now, if you set up your DirectAccess server using the edge network profile and have two public sequential IPv4 addresses on your external-facing NIC, then clients can still connect using Teredo or 6to4. The problem arises when your clients fail to connect using Teredo or 6to4 and then try to fall back to IP-HTTPS. Having an IPv4 address listed in the URL destination string will not work. In general, it’s highly recommended to use a public DNS name instead of an IPv4 address in this field.
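
A small PowerShell check for this condition, added here as an example and not part of the original post: it parses the netsh output shown above and flags an IP-HTTPS URL whose host is an IP address. The function name Test-IpHttpsInterface and its output property names are made up for illustration, and the field names assume English-language netsh output.

```powershell
function Test-IpHttpsInterface {
    param(
        # Raw netsh output lines; defaults to querying the local client.
        [string[]]$NetshOutput = (netsh int https show int)
    )

    # Collect "Name : Value" pairs. The key may not contain a colon, so the
    # split happens at the first colon and the URL value stays intact.
    $fields = @{}
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $url  = $fields['URL']
    $code = $fields['Last Error Code']

    # System.Uri classifies the host; IPv4 or IPv6 means an address literal.
    $hostIsIp = $false
    if ($url) {
        $hostIsIp = "$(([Uri]$url).HostNameType)" -match '^IPv[46]$'
    }

    [pscustomobject]@{
        Url             = $url
        LastErrorCode   = $code
        Status          = $fields['Interface Status']
        HostIsIpLiteral = $hostIsIp
        # 0x0 is the "good connection" code described in this post.
        Healthy         = ($code -eq '0x0') -and (-not $hostIsIp)
    }
}

# Constructed sample: the failing output shown earlier in this post.
$sample = @(
    'Interface IPHTTPSInterface (Group Policy) Parameters',
    'Role : client',
    'URL : https://20.20.20.20:443/IPHTTPS',
    'Last Error Code : 0x4BE',
    'Interface Status : invalid IPHTTPS URL specified'
)
Test-IpHttpsInterface -NetshOutput $sample | Format-List
```

Run without arguments on a DirectAccess client, it queries the live adapter instead of the sample lines.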

Until my next posting, please leave your comments/suggestions below!


Categories: Troubleshooting DirectAccess
