Enabling Easy Connect Remote Assistance in a domain environment

Back in the days of Windows XP, those using Remote Assistance regularly tended to prefer establishing Remote Assistance sessions using the built-in Windows Messenger client.  These days, Easy Connect (added in Windows 7/Server 2008 R2) tends to be the preferred method.

But one major problem with using Easy Connect is within a domain joined computer, it informs you that Easy Connect is not available and does little to tell you why.

Easy Connect is not available

As the rather uninformative documentation will inform you, Easy Connect makes use of Microsoft’s “Peer Name Resolution Protocol” (PNRP).  You can read more about the inner workings of PNRP, but the key is its use of IPv6 to function.  As most of us do not have IPv6 support from our service providers, Windows makes use of Microsoft’s Teredo technology to tunnel you to IPv6 addresses.

So it is Teredo, which Windows automatically turns off in a domain environment that needs to be configured for Easy Connect to work.

Checking Teredo’s present status

You can check if Teredo is enabled by using netsh on the command line:
netsh int teredo show state

Teredo not working on a domain

By default, Teredo is set in the “client” type.  In a domain (managed) environment, you will receive “client is in a managed network” under the Error category when showing the Teredo state.

Enabling Teredo in a domain for Easy Connect

To enable Teredo in a managed domain environment, you’ll need to set the client type to “enterpriseclient”.  To do this, depending on your scenario, you can use the netsh command on a single computer or the domain’s group policies to enable multiple machines.

Using netsh

Open an elevated command prompt and type:
netsh int teredo set state type=enterpriseclient

Setting netsh to enable Teredo in a domain environment

Note that this is a per-machine change, so anyone logging into the computer will get Teredo access.

Using group policy

In Group Policy Management (or related tool), Edit the GPO which affects the machines (ie. Default Domain Policy), navigate to Computer Configuration, Policies, Administrative Templates, Network, TCPIP Settings, IPv6 Transition Technologies and set the Teredo State setting to Enterprise Client.

Group Policy Management Editor

 Teredo State

As soon as the machines get this policy change (or use gpupdate /force on the clients), the setting will immediately work without a Windows restart.

Verifying Teredo is operational

You can again do the netsh int teredo show state command again to check that Teredo is now enabled and operational.  If you used Group Policy to enable the setting, you’ll see (Group Policy) tagged after the Type field:

Teredo Enabled on a domain machine

You can also test Teredo by pinging an IPv6 resource like Google:
ping 2607:f8b0:4001:c01::67

Pinging Google IPv6

Checking Easy Connect

To verify Easy Connect is now working, launch Remote Assistance (msra.exe), choose Invite someone you trust to help you, choose the Use Easy Connect option and after its network check, you should receive an invitation code.

Working Remote Assistance

A word about Windows Server 2008 R2

There may be instances where you wish to use Easy Connect on a computer using Windows Server 2008 R2.  To enable this, you’ll need to go into the Server Manager and install both the Peer Name Resolution Protocol and Remote Assistance.  After this is complete, you can enable Teredo as above.

Add PNRP and Remote Assistance

Final notes

If the Peer Name Resolution Protocol service is set to Disabled or not installed, the Easy Connect option will be grayed out in the Remote Assistance window.  The service can be set to Manual (which is the default) as it will be automatically started by Remote Assistance when you go to use it.

Since Teredo can be easily toggled on a whim using netsh, those who prefer not to have Teredo enabled full-time can very easily write a script to automatically enable it prior to starting a remote session and then disable it afterwards.

A small disclaimer: be aware that there are many networking issues which can prevent Easy Connect (more specifically PNRP or Teredo) from working properly, especially problems involving routers, virtualization software or VPNs.  Additionally, some or all of the public Teredo tunneling servers may not be available to you. This article does not address any of those difficulties and the Teredo state setting solely enables Teredo to work when Windows believes it is in a domain environment. 

Posted on February 7, 2012, in Uncategorized. Bookmark the permalink. 25 Comments.

  1. Thank you so much for this guide! I’ve been trying to configure this in a domain environment for some time without success but it now works!

    Many thanks.

    • Glad it was helpful to you QC🙂

      • Hi Jonathan.

        I’m again having problems. The above fix (netsh int teredo set state type=enterpriseclient) no longer works. I’m on the same machine that I used previously and haven’t made any signifcant changes to my network.

        I went through the rest of the steps above and enabled Peer Name Resolution and Remote Assistance on my SBS 2008 server. I also configured the group policy setting as per your instructions but still no success.

        I’ve recently installed Win8 on a 100GB partition on the machine in question but highly doubt that this is what’s causing the problem as I’m using the Win7 partition to try and connect.

        Any ideas?

        Many thanks.

        • As I’m sure you’re aware, changing the client type is just an on/off switch (well registry key) for the Teredo client to turn on in a domain environment. So, this is a networking problem.

          I don’t claim to be the definitive Teredo guru or anything, but I have been dealing with it since the glory days of threedegrees, so I’ll try to help. But to start troubleshooting this here or elsewhere, you’ll need to paste the output of:
          netsh int teredo show state

          as that tells you what the status of the Teredo client is. It would also be helpful to know if this affects all machines or if Teredo/Easy Connect is still working on other machines (even VMs on the same PC with bridged network adapters).

          Normally I’d pass on Win8 being the culprit but interestingly a friend of mine had a network problem this past week after installing Win8 on a separate partition — the NIC refused to work on the Win7 side but worked just fine in 8. Even using System Restore on the 7 side didn’t help. I suggested he cold boot (that is, unplug the PC for ~30 seconds and start up again) as my guess would be the NIC somehow got in a state the Win7 driver couldn’t handle. Anyway, he actually ended up removing the 8 partition completely and cold booting, and the problem was resolved. As I assuming the network is still working besides Easy Connection here, I doubt it’s really the problem here, but worth noting nonetheless.

  2. I still can’t get it to work. The only differences I see are my NAT is symmetric and NAT Special Behaviour PortPreserving: No . I can’t ping the Google IP either. I’m using 2 Win7 pc’s in my domain trying to make this work. My windows firewalls are turned off for the domain profile and it shouldn’t be using my external firewall for anything. Any ideas ?

    • Greetings TJ. Although Teredo attempts to work through symmetric NATs, the support is limited. The domain shouldn’t have anything to do with the issue now (I know you know this, but just stating for anyone reading).

      If you can adjust your NAT, that would probably be the next step. A lot of routers have the ability to modify how the NAT works; my DIR-625 places it in the Advanced Firewall Settings as endpoint filtering but your mileage may vary.

  3. I have a Windows 2008 Web Server R2 and there is no ‘Peer Name Resolution Protocol’ in the add feature list.

    • I’ll look into that at some point, but it doesn’t surprise me given the functionality that isn’t available in that SKU. No PNRP = No Easy Connect though.

      However, I’m guessing the files required aren’t protected by licensing, so you could probably just copy over the files from another SKU (and manually install the service).

  4. This is completely helpful, thank you so much!

  5. Super, many thanks for this post

  6. Really this is completely helpful for me,thanks a lot!

  7. Thanks for hte helpful article. I do have a question though. Can this be set via group Policy from a Windows 2003 server? Or is this a 2008 server and above setting? if it won’t work for 2003 server – Is it possible to script this and deploy it as a startup or login script to avoid making these changes manually on each PC?

    Sincerely
    Brian

    • Greetings Brian. Yes, using any of the newer group policy settings on a 2003-based infrastructure is supported but will require a little work. The easiest way to go about doing this is to use a 2008 R2 version of adprep on the server to extend the AD schema if you haven’t already done so, then use a Windows 7 client machine with the Remote Server Administration Tools (RSAT) installed and set the policy there.

      I admit to not having done this recently, but there’s plenty of info out there on both extending your AD schema and using 2008 GPOs on 2003. I couldn’t find a definitive article right away, so I’ll leave the searching to you with your own scenario/needs but I don’t think you’ll have too much trouble.

      • Thanks for your reply Jonathan. I downloaded the RSAT but am not seeing the “Network” folder to change the Teredo State. Is there another way to get this available, or is this another windows 2003 domain Group Policy limitation?

        Brian

        • Well the idea is the ADMX will import from that local machine so it should show up, as shown here when I tested this myself. You may want to double-check that you’re looking in the right place however again, I don’t claim to be the guru on this topic.

          You can of course, import the admx yourself. You can download the templates and under the Instructions on that page, you’ll see at least one link that should help you understand more of how this works. As I bothered to look it up, the Teredo settings are found in tcpip.admx.

          I realized I missed answering part of your earlier question. Yes you could just do the netsh command in a startup script (logon script will need more work as netsh needs admin privileges).

          • thanks Jonathan. I was able to download the templates but needed to create a central store on the Sysvol on the Domain controller too for all the ADMX files. I can see all the templates now and will now try and test and see if this works now. thanks again for your help- I’ll keep you posted.

            Brian

            • Ah yes, and I do believe that’s all you’ll need to do. One great thing is that now you can deploy any of the new GPOs for Win7. Fun stuff😀

            • I was able to get this to work properly after we made some firewall adjustments for the Teredo protocol. Again thanks for posting this. It was very helpful!

              Brian

  8. Dharmesh Chauhan

    This Grate Grate Tutorial

  9. When I run netsh int teredo show state, I don’t have the last four options. No NAT, Nat Special, Local Mapping, External NAT. Anyone have any ideas?

    • Greetings Aaron. Could you post the full output of what it does say? There are different states teredo can be in that I don’t mention here so that may be what you’re seeing.

  10. First this is the BEST information on this subject I have found yet. Thanks! It allowed me to get over the initial hump preventing me from using Easy Connect on my Windows 8 Pro system on a home (workgroup) network. By default it seems to block Teredo for client (state: offline), but your fix to switch to enterpriseclient worked perfectly! BTW, my wife’s stock (Samsung) with Windows 8 (not Pro) has Teredo working by default.

    My second problem (as per your final disclaimer) proved true in my case. I had disabled upnp on my router (see http://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/ for what appears to be a sound analysis), and that it required for Easy Connect to work. I’m sure your posting will help others as much as it helped me.

    • Greetings Walter. Glad it was helpful. I’ve also encountered a number of machines (including my own) which required “enterpriseclient” to work, despite not being in a domain environment. I’m not sure which criteria they use for the detection of being in a managed network, but it seems to be a frequently failing. I think the article is an reasonable analysis, but I would add that the benefits of UPnP (in a residential scenario) tend to outweigh any of these small risks.

      Thanks for the feedback and sharing your experience🙂

  11. I was getting “client is in a managed network” in the output of “netsh interface teredo show state”, but I am only on a home network with a static IP address set on my PC. The clue for me was in the disclaimer. I have VMware Workstation installed.

    I disabled “VMware Network Adapter VMnet1” and “VMware Network Adapter VMnet8” and after a few moments the State field in the output of “netsh interface teredo show state” changed to “dormant”. I tried Remote Assistance and Easy Connect, and it failed again. I waited a few moments and checked the output of “netsh interface teredo show state” again and this time it the State was “qualified” and had the other required information to show that it is working. I tried Remote Assistance again, selecting “Help someone who has invited you” and “Use Easy Connect”, and after “Checking network capabilities” it prompted for the password. Hooray!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: