# Localized 09/15/2018 04:58 AM (GMT) 303:6.40.10614 RemoteAccessServer.psd1 # Localized 04/15/2013 09:48 PM (GMT) 303:4.80.0411 RemoteAccessServer.psd1 # Only add new (name,value) pairs to the end of this table # Do not remove, insert or re-arrange entries ConvertFrom-StringData @' ###PSLOC start localizing # # helpID = VersionTooLow # RRASInstalled_title=RRAS: The Routing and Remote Access role service must be installed RRASInstalled_problem=The Routing and Remote Access role service is not installed on this computer. RRASInstalled_impact=If the Routing and Remote Access role service is not installed, then the server cannot provide routing or remote access services to remote clients. RRASInstalled_resolution=Use Server Manager to install the Routing and Remote Access role service, which is part of the Network Policy and Access Services server role. RRASInstalled_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. RRASDisabled_title=RRAS: The Routing and Remote Access role service must be enabled RRASDisabled_problem=The Routing and Remote Access role service is disabled on this computer. RRASDisabled_impact=If the Routing and Remote Access role service is not enabled, then the server cannot provide routing or remote access services to remote clients. RRASDisabled_resolution=Use 'Routing and Remote Access' in Server Manager to enable the Routing and Remote Access role service. RRASDisabled_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. RRASStopped_title=RRAS: The Routing and Remote Access service must be running RRASStopped_problem=The Routing and Remote Access service is either stopped or paused. RRASStopped_impact=If the Routing and Remote Access service is in a stopped or paused state, then the server cannot provide routing or remote access services to remote clients. RRASStopped_resolution=Use 'Routing and Remote Access' in Server Manager to start the Routing and Remote Access service. RRASStopped_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. VPNConfigured_title=RRAS: To support remote access connections, IPv4 or IPv6 Remote Access must be enabled on the RRAS server VPNConfigured_problem=Neither 'IPv4 Remote access server' nor 'IPv6 Remote access server' is selected on the Routing and Remote Access Properties page. VPNConfigured_impact=If 'Remote access server' is not selected, then the server cannot support virtual private network (VPN) or dial-up connections. VPNConfigured_resolution=Use 'Routing and Remote Access' in Server Manager to enable 'IPv4 Remote access server', 'IPv6 Remote access server', or both, on the Routing and Remote Access Properties page, as required by your network. VPNConfigured_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. EventLog_title=RRAS: Logging should be enabled on the RRAS server EventLog_problem=Routing and Remote Access logging is disabled on the server. EventLog_impact=If logging is disabled, then no errors or warnings are logged, making it difficult to troubleshoot problems on the RRAS server. EventLog_resolution=Use 'Routing and Remote Access' in Server Manager to enable logging on the RRAS server. EventLog_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. InterfaceEnabled_title=RRAS: At least one network interface should be enabled on the RRAS server InterfaceEnabled_problem=All network interfaces on the Routing and Remote Access server are disabled. InterfaceEnabled_impact=If all network interfaces are disabled, then remote access clients cannot communicate with the RRAS server. InterfaceEnabled_resolution=Enable at least one network interface on the RRAS server. InterfaceEnabled_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. InterfaceDisabled_title=RRAS: The network interface {0} on the RRAS server should be enabled InterfaceDisabled_problem=The interface {0} is disabled. InterfaceDisabled_impact=If a network interface is disabled then clients cannot communicate with the RRAS server through that interface. InterfaceDisabled_resolution=Enable the interface {0} on the RRAS server. InterfaceDisabled_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. InterfaceReachable_title=RRAS: At least one network interface on the RRAS server must be reachable InterfaceReachable_problem=All network interfaces on the Routing and Remote Access server are in an unreachable state. InterfaceReachable_impact=If a network interface is in an unreachable state, then clients cannot communicate with the RRAS server by using that interface. InterfaceReachable_resolution=Review the 'Unreachability Reason' in 'Routing and Remote Access' in Server Manager, and then take corrective steps. InterfaceReachable_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. InterfaceUnReachable_title=RRAS: The network interface {0} on the RRAS server should be reachable InterfaceUnReachable_problem=The interface {0} is in an unreachable state. InterfaceUnReachable_impact=If a network interface is in an unreachable state, then clients cannot communicate with the RRAS server by using that interface. InterfaceUnReachable_resolution=Review the 'Unreachability Reason' in 'Routing and Remote Access' in Server Manager, and then take corrective steps. InterfaceUnReachable_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPv4Router_title=RRAS: To use RRAS server as an IPv4 router, IPv4 forwarding must be enabled IPv4Router_problem=IPv4 routing is enabled, but IPv4 forwarding is disabled on the Routing and Remote Access server. IPv4Router_impact=If IPv4 forwarding is disabled on the RRAS server, then it cannot operate as an IPv4 router. IPv4Router_resolution=Use 'Routing and Remote Access' in Server Manager to select 'Enable IPv4 Forwarding' on the Routing and Remote Access Properties page. IPv4Router_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPv6Router_title=RRAS: To use RRAS server as an IPv6 router, IPv6 forwarding must be enabled IPv6Router_problem=IPv6 routing is enabled, but IPv6 forwarding is disabled on the Routing and Remote Access server. IPv6Router_impact=If IPv6 forwarding is disabled on the RRAS server, then it cannot operate as an IPv6 router. IPv6Router_resolution=Use 'Routing and Remote Access' in Server Manager to select 'Enable IPv6 Forwarding' on the Routing and Remote Access Properties page. IPv6Router_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPv4Routing_title=RRAS: IPv4 routing should be enabled on the RRAS server for routing protocols like DHCP Relay, RIP and IGMP to run IPv4Routing_problem=IPv4 routing is disabled on the Routing and Remote Access server. IPv4Routing_impact=If IPv4 routing is disabled, then IPv4 routing protocols like DHCP Relay, RIP, or IGMP cannot run. IPv4Routing_resolution=Use 'Routing and Remote Access' in Server Manager to enable IPv4 routing if you want to use IPv4 routing protocols. IPv4Routing_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPv6Routing_title=RRAS: IPv6 routing should be enabled on the RRAS server for routing protocols like DHCP Relay to run IPv6Routing_problem=IPv6 routing is disabled on the Routing and Remote Access server. IPv6Routing_impact=If IPv6 routing is disabled, then IPv6 routing protocols like DHCP Relay Agent cannot run. IPv6Routing_resolution=Use 'Routing and Remote Access' in Server Manager to enable IPv6 routing if you want to use IPv6 routing protocols. IPv6Routing_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. Ports_title=RRAS: IKEv2, L2TP, and SSTP should have a minimum of 1 port, and PPTP should have a minimum of 2 Ports_problem=The number of ports assigned to IKEv2, L2TP, and SSTP tunnels is zero, and the number of ports assigned to PPTP is one. Ports_impact=If you do not assign a sufficient number of ports to the tunneling protocols, then remote access clients cannot communicate with the RRAS server. Ports_resolution=Use 'Routing and Remote Access' in Server Manager to increase the number of ports assigned to the tunneling protocols. IKEv2, L2TP, and SSTP should have a minimum or 1 port, and PPTP should have a minimum of 2. Ports_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. PortProtocol_title=RRAS: The number of ports available for use by {0} should be greater than 0 PortProtocol_problem=The number of ports assigned to {0} is zero. PortProtocol_impact=If you do not assign any ports for use by {0} tunneling, then remote access clients cannot communicate with the RRAS server by using {0}. PortProtocol_resolution=Use 'Routing and Remote Access' in Server Manager to increase the number of ports assigned to {0}. PortProtocol_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. PortProtocolPPTP_title=RRAS: The number of ports available for use by {0} should be greater than 1 PortProtocolPPTP_problem=The number of ports assigned to {0} is 1. IKEv2Service_title=RRAS: The IKEEXT service is required to support L2TP/IPsec and IKEv2 tunnels IKEv2Service_problem=The IKE and AuthIP IPsec Keying Modules service (IKEEXT) is not running on the Routing and Remote Access server. IKEv2Service_impact=If the IKE and AuthIP IPsec Keying Modules service is not running on the RRAS server, then remote access clients cannot communicate with the RRAS server by using L2TP/IPsec or IKEv2. IKEv2Service_resolution=Start the IKE and AuthIP IPsec Keying Modules service by using the Services MMC snap-in or by entering the command "net start ikeext" at a command prompt running with administrator permissions. IKEv2Service_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IKEv2CertificateForNAT_Title=RRAS: To use IKEv2 behind a NAT router, the certificate subject name must match the NAT address IKEv2CertificateForNAT_problem=RRAS cannot determine if a certificate valid for IKEv2 is present on the RRAS server. If your server is behind a NAT router, then the subject name of the certificate must match the DNS name or IP address of the external interface of the router. IKEv2CertificateForNAT_impact=If you do not have a correctly configured and accessible IKEv2 certificate, then remote access clients cannot communicate with the RRAS server by using an IKEv2 tunnel. IKEv2CertificateForNAT_resolution=Use the Certificates MMC snap-in to request and configure a certificate for IKEv2 that specifies a subject name matching the DNS name or IP address of the external interface of the NAT router that is between the RRAS server and the remote access clients. IKEv2CertificateForNAT_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IKEv2Certificate_title=RRAS: To use IKEv2, at least one valid certificate must be present on the RRAS server IKEv2Certificate_problem=A certificate that is usable for IKEv2 is not present on your RRAS server. IKEv2Certificate_impact=If you do not have a correctly configured and accessible IKEv2 certificate, then remote access clients cannot communicate with the RRAS server by using an IKEv2 tunnel. IKEv2Certificate_resolution=Use the Certificates MMC snap-in to request and configure certificates on the RRAS server for IKEv2. IKEv2Certificate_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. IKEv2CertificateIKEINTERMEDIATE_title=RRAS: Only one certificate for IKEv2 should have IP security IKE intermediate in its EKU property IKEv2CertificateIKEINTERMEDIATE_problem=There are one or more valid certificates for IKEv2 and either (a) none of them has IP security IKE intermediate in the EKU property, or (b) there are multiple valid certificates for IKEv2 and more than one has IP security IKE intermediate in the EKU property. IKEv2CertificateIKEINTERMEDIATE_impact=If there are one or more valid certificates, and none or more than one has IP security IKE intermediate in the EKU property, then RRAS does not know which certificate to use, and selects one at random. The selected certificate might not be the one intended for use. IKEv2CertificateIKEINTERMEDIATE_resolution=1) If there are no certificates with IP security IKE intermediate then issue a certificate for IKEv2 with IP security IKE intermediate in the EKU property. 2) If there is more than one certificate with IP security IKE intermediate, then delete all but the 1 certificate that you want to use. IKEv2CertificateIKEINTERMEDIATE_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. SSTPCertificateForNAT_title=RRAS: To use SSTP behind a NAT router, the certificate subject name must match the NAT address SSTPCertificateForNAT_problem=RRAS cannot determine if a certificate valid for SSTP is present on the RRAS server. If your server is behind a NAT router, then the subject name of the certificate must match the DNS name or IP address of the external interface of the router. SSTPCertificateForNAT_impact=If you do not have a correctly configured and accessible SSTP certificate, then remote access clients cannot communicate with the RRAS server by using an SSTP tunnel. SSTPCertificateForNAT_resolution=Use the Certificates MMC snap-in to request and configure a certificate for SSTP that specifies a subject name matching the DNS name or IP address of the external interface of the NAT router that is between the RRAS server and the remote access clients. SSTPCertificateForNAT_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. SSTPCertificate_title=RRAS: To use SSTP, at least one valid certificate must be present on the RRAS server SSTPCertificate_problem=A certificate that is usable for SSTP is not present on your RRAS server. SSTPCertificate_impact=If you do not have a correctly configured and accessible SSTP certificate, then remote access clients cannot communicate with the RRAS server by using an SSTP tunnel. SSTPCertificate_resolution=Use the Certificates MMC snap-in to request and configure certificates on the RRAS server for SSTP. SSTPCertificate_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. SSTPCertificateDefault_title=RRAS: If there are > 1 certificates for SSTP, then the preferred certificate must be specified SSTPCertificateDefault_problem=There are multiple valid certificates for SSTP, and the administrator selected 'Default' instead of specifying the certificate to be used for SSTP. SSTPCertificateDefault_impact=If there is more than one valid certificate for use with SSTP and 'Default' is selected, then RRAS does not know which certificate to use and selects one at random. The selected certificate might not be the one intended for this use. SSTPCertificateDefault_resolution=Use 'Routing and Remote Access' in Server Manager to select a certificate to use for SSTP on the Routing and Remote Access Properties page. SSTPCertificateDefault_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. NATCertificate_title=RRAS: The subject name of the certificate to be used for IKEv2 or SSTP must match the name of the RRAS server or the IP address of the external interface of the RRAS server NATCertificate_problem=The subject name of the following certificates do not match the name of the RRAS server or the IP address of one of the interfaces of the RRAS server: {0}. NATCertificate_impact=If the subject name of a certificate does not match the name or IP address of an interface on the RRAS server then the client cannot connect to the RRAS server if the server uses this certificate. NATCertificate_resolution=Issue a certificate with a subject name that reflects the IP address or name of the RRAS server. NOTE: Ignore this warning if your RRAS server is behind a NAT router. The certificate should contain the address of external interface of the NAT router. NATCertificate_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. Authentication_title=RRAS: Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2 Authentication_problem=The RRAS server is configured to accept remote access connections that are not authenticated, or that are authenticated with an authentication protocol that is no longer considered secure. Authentication_impact=PAP and CHAP are no longer considered secure for protecting sensitive data. MS-CHAP v2 is better than PAP or CHAP, but we recommend EAP or computer certificates. Authentication_resolution=Use 'Routing and Remote Access' in Server Manager to select a secure authentication method on the Routing and Remote Access Properties page. Authentication_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. RasAdapter_title=RRAS: If DHCP is used to allocate addresses to remote clients then specify the network adapter to be used to obtain DHCP addresses RasAdapter_problem=The RRAS server is configured to use DHCP to obtain IP addresses for remote access clients, but the network adapter through which a DHCP server can be accessed has not been specified. RasAdapter_impact=RRAS might select an adapter through which DHCP is not available resulting in APIPA addresses. APIPA addresses are not routable. Remote access clients that are assigned an APIPA address cannot communicate beyond the remote access server. RasAdapter_resolution=Use 'Routing and Remote Access' in Server Manager to select an adapter on the Routing and Remote Access Properties page. Select an adapter connected to a network that has an accessible DHCP server. RasAdapter_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DemandDial_title=RRAS: To use a demand-dial interface, 'LAN and demand-dial routing' must be enabled on the server DemandDial_problem=A demand-dial interface has been configured, but demand-dial routing is not enabled on the RRAS server. DemandDial_impact=If 'LAN and demand-dial routing' is disabled on the RRAS server, then demand-dial connections cannot be established. DemandDial_resolution=Use 'Routing and Remote Access' in Server Manager to enable 'LAN and demand-dial routing' on the RRAS server. DemandDial_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DemandDialEncrypt_title=RRAS: Demand-dial interface {0} should support data encryption DemandDialEncrypt_problem="No encryption allowed" is selected in the {0} Properties page. DemandDialEncrypt_impact=If you do not enable encryption, all data sent through the demand-dial interface is transmitted in plaintext and subject to inspection by any device on the network. DemandDialEncrypt_resolution=Use 'Routing and Remote Access' in Server Manager to configure the {0} Properties page to enable 'Optional encryption', 'Require encryption', or 'Maximum strength encryption'. DemandDialEncrypt_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DhcpRelayServersV4_title=RRAS: IPv4 DHCP Relay Agent should be configured with at least one DHCP server DhcpRelayServersV4_problem=IPv4 DHCP Relay Agent is enabled, but is not configured with the IPv4 address of a DHCP server. DhcpRelayServersV4_impact=IPv4 DHCP Relay Agent must be configured with the address of at least one DHCPv4 server. Without a DHCP server, DHCP Relay Agent has nowhere to relay DHCP messages from clients. DhcpRelayServersV4_resolution=Use 'Routing and Remote Access' in Server Manager to configure one or more DHCP server addresses on the IPv4 DHCP Relay Agent Properties page. DhcpRelayServersV4_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DhcpRelayServersV6_title=RRAS: IPv6 DHCPv6 Relay Agent should be configured with at least one DHCP server DhcpRelayServersV6_problem=IPv6 DHCPv6 Relay Agent is enabled, but is not configured with the IPv6 address of a DHCP server. DhcpRelayServersV6_impact=IPv6 DHCPv6 Relay Agent must be configured with the address of at least one DHCPv6 server. Without a DHCPv6 server, DHCPv6 Relay Agent has nowhere to relay DHCP messages from clients. DhcpRelayServersV6_resolution=Use 'Routing and Remote Access' in Server Manager to configure one or more DHCP server addresses on the IPv6 DHCPv6 Relay Agent Properties page. DhcpRelayServersV6_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DhcpRelayServersInterfaceV4_title=RRAS: At least one interface in IPv4 DHCP Relay Agent must have 'Relay DHCP packets' enabled DhcpRelayServersInterfaceV4_problem=IPv4 DHCP Relay Agent is enabled and configured, but none of the interfaces assigned to DHCP Relay Agent are configured with 'Relay DHCP packets' enabled. DhcpRelayServersInterfaceV4_impact=If 'Relay DHCP packets' is not enabled on at least one interface assigned to the IPv4 DHCP Relay Agent routing protocol, then DHCP Relay Agent cannot forward DHCP packets from clients to DHCP servers. DhcpRelayServersInterfaceV4_resolution=Use 'Routing and Remote Access' in Server Manager to enable 'Relay DHCP packets' on at least one interface assigned to IPv4 DHCP Relay Agent. DhcpRelayServersInterfaceV4_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DhcpRelayServersInterfaceV6_title=RRAS: At least one interface in IPv6 DHCPv6 Relay Agent must have 'Relay DHCP packets' enabled DhcpRelayServersInterfaceV6_problem=IPv6 DHCPv6 Relay Agent is enabled and configured, but none of the interfaces assigned to DHCPv6 Relay Agent are configured with 'Relay DHCP packets' enabled. DhcpRelayServersInterfaceV6_impact=If 'Relay DHCP packets' is not enabled on at least one interface assigned to the IPv6 DHCPv6 Relay Agent routing protocol, then DHCPv6 Relay Agent cannot forward DHCP packets from clients to DHCPv6 servers. DhcpRelayServersInterfaceV6_resolution=Use 'Routing and Remote Access' in Server Manager to enable 'Relay DHCP packets' on at least one interface assigned to IPv6 DHCPv6 Relay Agent. DhcpRelayServersInterfaceV6_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DirectAccessDisabled_title=DirectAccess: DirectAccess must be configured to accept client connections DirectAccessDisabled_problem=The Remote Access role combines DirectAccess and RRAS VPN. The role is installed, but DirectAccess is not configured. DirectAccessDisabled_impact=Until DirectAccess is configured, the server cannot provide access to internal resources for remote client computers connecting over DirectAccess. DirectAccessDisabled_resolution=Set up DirectAccess in the Remote Access Management console. DirectAccessDisabled_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ExtDefaultGateway_title=DirectAccess: A default gateway must be configured on the external adapter of the Remote Access server ExtDefaultGateway_problem=A default gateway is not configured for the external network adapter {0} on the Remote Access server. ExtDefaultGateway_impact=Client computers cannot connect to internal resources via Remote Access. ExtDefaultGateway_resolution=Configure a default gateway for the external adapter {0}. ExtDefaultGateway_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IntDefaultGateway_title=DirectAccess: A default gateway must be configured on the internal adapter of the Remote Access server IntDefaultGateway_problem=A default gateway is not configured for the internal network adapter {0} on the Remote Access server. IntDefaultGateway_impact=Client computers cannot connect to internal resources via Remote Access. IntDefaultGateway_resolution=Configure a default gateway for the internal adapter {0}. IntDefaultGateway_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. MultipleInternalInterface_title=DirectAccess: The Remote Access server should have only one internal adapter MultipleInternalInterface_problem=More than one internal network adapter is configured on the Remote Access server. MultipleInternalInterface_impact=Clients might not be able to connect to the internal network with DirectAccess or VPN. MultipleInternalInterface_resolution=Disable all internal adapters except one or enable forwarding and route publishing on all internal adapters. MultipleInternalInterface_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. MultipleExternalInterface_title=DirectAccess: The Remote Access server should have only one external adapter MultipleExternalInterface_problem=More than one external network adapter is configured on the Remote Access server. MultipleExternalInterface_impact=Clients might not be able to connect to the internal network with DirectAccess or VPN. MultipleExternalInterface_resolution=Disable all external adapters except one or enable forwarding on all internal adapters. MultipleExternalInterface_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. NativeIPv6OnInternalInterface_title=DirectAccess: In a native IPv6 deployment, ISATAP should not be configured on internal adapter NativeIPv6OnInternalInterface_problem=ISATAP NIC is configured while Remote Access Server is configured to use the native IPv6 internal adapter. NativeIPv6OnInternalInterface_impact=IPv4 only resources are not accessible from outside the corpnet via Remote Access connectivity. NativeIPv6OnInternalInterface_resolution=Do one of the following: 1. Disable the ISATAP NIC. 2. Enable forwarding on ISATAP NIC and add DirectAccess server in PRL. NativeIPv6OnInternalInterface_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice ExternalInterfaceIPv6Checked_title=DirectAccess: IPv6 must be enabled on the external adapter {0} of the Remote Access server ExternalInterfaceIPv6Checked_problem=IPv6 is not enabled on the external network adapter {0}. ExternalInterfaceIPv6Checked_impact=Clients may not be able to connect to Remote Access Server ExternalInterfaceIPv6Checked_resolution=Enable IPv6 on the adapter {0}. ExternalInterfaceIPv6Checked_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. InternalInterfaceIPv6Checked_title=DirectAccess: IPv6 must be enabled on the internal adapter {0} of the Remote Access server InternalInterfaceIPv6Checked_problem=IPv6 is not enabled on the internal network adapter {0}. InternalInterfaceIPv6Checked_impact=Connectivity between the Remote Access server and the internal network will not work as expected. InternalInterfaceIPv6Checked_resolution=Enable IPv6 on the adapter {0}. InternalInterfaceIPv6Checked_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. MgmtServersIPv6Invalid_title=DirectAccess: Remote Access infrastructure server addresses must be valid MgmtServersIPv6Invalid_problem=The IPv6 addresses of the following Remote Access infrastructure servers are not included in the internal network IPv6 prefix : {0}. MgmtServersIPv6Invalid_impact=DirectAccess clients cannot connect to these infrastructure servers. End-to-end communication will not work as expected. MgmtServersIPv6Invalid_resolution=Add the server addresses for {0} to the internal network IPv6 prefix. MgmtServersIPv6Invalid_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. FirewallBlocksToredo_title=DirectAccess: Teredo should not be blocked on the Remote Access server FirewallBlocksToredo_problem=Windows Firewall settings are blocking Teredo (ICMPv4) traffic. FirewallBlocksToredo_impact=Teredo will not work as expected. FirewallBlocksToredo_resolution=Modify Windows Firewall settings to allow Teredo traffic. FirewallBlocksToredo_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. FirewallON_title=DirectAccess: On the Remote Access Server, Windows Firewall state must be on FirewallON_problem=Windows firewall is turned off for the required profiles on the Remote Access Server. FirewallON_impact=Clients may not be able to connect to Remote Access Server FirewallON_resolution=Turn on Windows Firewall for the corresponding profile on the Remote Access server. FirewallON_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice ToredoAvailable_title=DirectAccess: Teredo functionality is available, Teredo can be enabled on the Remote Access Server ToredoAvailable_problem=The two consecutive public IPv4 addresses required for Teredo are available on the server. Teredo can be used, but is not enabled. ToredoAvailable_impact=Teredo functionality is available but not enabled. ToredoAvailable_resolution=Enable Teredo on the Remote Access Server. ToredoAvailable_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. SGDomainCompWithFilter_title=DirectAccess: The DirectAccess client security group should not include desktop Domain Computers SGDomainCompWithFilter_problem=The DirectAccess client security group contains "Domain computers" without "Enable DirectAcces for mobile computers only" checkbox enabled. SGDomainCompWithFilter_impact=If desktop computers do not require remote connectivity to the internal network using DirectAccess, they do not need to be included in a DirectAccess client security group. DirectAccess client settings stored in the client Group Policy object (GPO) is applied to all computers in the security group. SGDomainCompWithFilter_resolution=Limit the security group to mobile computers only from DirectAccess Client Setup. SGDomainCompWithFilter_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ISATAPResolution_title=DirectAccess: ISATAP should be registered in all domains ISATAPResolution_problem=ISATAP is not registered with DNS servers in all domains in the Active Directory forest. ISATAPResolution_impact=If you are using manage out capabilities from IPv4 servers in your corporate network, communication with DirectAccess clients from these servers might fail. ISATAPResolution_resolution=Register ISATAP addresses for all Remote Access servers with DNS servers in each domain. ISATAPResolution_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. DNS64ReturnsAAAA_title=DirectAccess: DNS64 should be configured to return AAAA queries DNS64ReturnsAAAA_problem=ISATAP is enabled but not configured to return AAAA queries. DNS64ReturnsAAAA_impact=ISATAP communication will not work as expected. DNS64ReturnsAAAA_resolution=Configure DNS64 to return AAAA queries. DNS64ReturnsAAAA_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPv4OnlyMgmtServers_title=DirectAccess: Remote Access Management servers should support IPv6 IPv4OnlyMgmtServers_problem=IPv6 support is not available for the following infrastructure servers : {0}. IPv4OnlyMgmtServers_impact=Management servers cannot initiate communication with DirectAccess client computers for remote management purposes. For example, to deliver updates. However, clients can initiate communication with management servers. IPv4OnlyMgmtServers_resolution=Ensure that management servers used for remote management of DirectAccess client computers support IPv6. IPv4OnlyMgmtServers_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPSecCertAboutToExpire_title=DirectAccess: The validity of IPsec certificate should be more than seven days IPSecCertAboutToExpire_problem=The certificate used for IPsec authentication will expire in less than seven days. IPSecCertAboutToExpire_impact=DirectAccess client connectivity will not work as expected without a valid certificate. IPSecCertAboutToExpire_resolution=Install a valid IPsec certificate on the Remote Access server. IPSecCertAboutToExpire_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPHTTPCertAboutToExpire_title=DirectAccess: The validity of IP-HTTPS certificate should be more than seven days IPHTTPCertAboutToExpire_problem=The IP-HTTPS certificate will expire in less than seven days. IPHTTPCertAboutToExpire_impact=DirectAccess client IP-HTTPS connectivity will not work as expected without a valid certificate. IPHTTPCertAboutToExpire_resolution=Install a valid IP-HTTPS certificate on the Remote Access server. IPHTTPCertAboutToExpire_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. NLSCertAboutToExpire_title=DirectAccess: The validity of network location server certificate should be more than seven days NLSCertAboutToExpire_problem=The network location server certificate will expire in less than seven days. NLSCertAboutToExpire_impact=DirectAccess client connectivity will not work as expected without a valid certificate. NLSCertAboutToExpire_resolution=Install a valid NLS certificate on the Remote Access server. NLSCertAboutToExpire_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. NLSOnHighAvailableServer_title=DirectAccess: The network location server should be highly available NLSOnHighAvailableServer_problem=A single Remote Access server is deployed. Network location server availability is dependent upon the availability on the Remote Access server. NLSOnHighAvailableServer_impact=The network location server is used by DirectAccess clients to determine their location. If the Remote Access server (and thus the network location server) is unavailable, clients located in the internal network will not be able to access internal resources. NLSOnHighAvailableServer_resolution=Remote Access is deployed on a single server only, it is recommended to install the network location server on a separate computer that is highly available to DirectAccess clients. NLSOnHighAvailableServer_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. CloseDCNotUsed_title=DirectAccess: The domain controller configured for an entrypoint should be the one closest to the multisite deployment entrypoint CloseDCNotUsed_problem=The domain controller closest to the entry point is not listed in the server GPO. Either the domain controller listed is not available, or a closer domain controller is now available. CloseDCNotUsed_impact=Routing and system performance will be impacted. CloseDCNotUsed_resolution=Update the server GPO with the closest available domain controller. CloseDCNotUsed_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ADSiteValid_title=DirectAccess: Active Directory site for an entry point should be valid ADSiteValid_problem=Active Directory site settings for the entry point have been modified and are invalid. ADSiteValid_impact=Remote clients will not be able to connect as expected to internal network using the entry point. ADSiteValid_resolution=Remove and then add the entry point to the multisite deployment again. ADSiteValid_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ConnectToExceptionMissing_title=DirectAccess:The address used to connect to the Remote Access server must not be a part of the internal network suffix ConnectToExceptionMissing_problem=The public name or IP address used by DirectAccess clients to connect to the Remote Access server is included in the internal network suffix for the NRPT. DirectAccess client will attempt to resolve the external name using an internal DNS server. ConnectToExceptionMissing_impact=Client connectivity will not work as expected. ConnectToExceptionMissing_resolution=Manually add an exemption entry in the NRPT (i.e. with a NULL DNS Address) for the public name/address used by clients to connect to the Remote Access server. ConnectToExceptionMissing_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. EPInInfraTPUpdated_title=DirectAccess: DirectAccess infrastructure server addresses must be up-to-date EPInInfraTPUpdated_problem=The addresses of one or more infrastructure servers such as domain controllers and DNS servers, are not valid. EPInInfraTPUpdated_impact=DirectAccess connectivity will not work as expected. EPInInfraTPUpdated_resolution=Run the “Refresh Management Servers” task in the Remote Access management UI. EPInInfraTPUpdated_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ExternalInterfaceChanged_title=DirectAccess: The external adapter IP address of the Remote Access server has been modified ExternalInterfaceChanged_problem=Changes to the external adapter IP address of the Remote Access server have not been applied. ExternalInterfaceChanged_impact=Client connectivity will not work as expected. ExternalInterfaceChanged_resolution=Update the IPSec policies with the correct external IP Address for DA Server. ExternalInterfaceChanged_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. InternalInterfaceChanged_title=DirectAccess: The internal adapter IP address of the Remote Access server has been modified InternalInterfaceChanged_problem=Changes to the internal adapter IP address of the Remote Access server have not been applied. InternalInterfaceChanged_impact=Client connectivity will not work as expected. InternalInterfaceChanged_resolution=Update the IPSec policies with the correct internal IP Address for DA Server. InternalInterfaceChanged_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. NCSIProbeNotWorking_title=DirectAccess: The Network Connectivity Status Indicator (NCSI) web probe url and DNS resource probe should be accessible NCSIProbeNotWorking_problem=The Network Connectivity Status Indicator (NCSI) web probe url or DNS resource probe is not accessible. NCSIProbeNotWorking_impact=Client connectivity will not work as expected NCSIProbeNotWorking_resolution=Update the Client GPO with the correct web probe and DNS probe information. NCSIProbeNotWorking_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. NCAResourceNotReachable_title=DirectAccess: NCA resources should be accessible NCAResourceNotReachable_problem=One or more NCA resources are not accessible. NCAResourceNotReachable_impact=Remote clients may not get correct connectivity status over DirectAccess. NCAResourceNotReachable_resolution=Update the NCA resources from the Remote client setup wizard in the Remote Access Management console. NCAResourceNotReachable_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. E2ETraceEnabledLong_title=DirectAccess: Remote Access tracing should not be activated for long periods E2ETraceEnabledLong_problem=Tracing has been active for more than five hours. E2ETraceEnabledLong_impact=Activating tracing for long periods of time will consume disk space and reduce performance. E2ETraceEnabledLong_resolution=Stop tracing from the Remote Access Management console if not required. E2ETraceEnabledLong_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. InBoxAccounting_title=DirectAccess: Remote Access reporting functionality should be available InBoxAccounting_problem=Inbox accounting (Windows Internal Database accounting) is not enabled. InBoxAccounting_impact=Reporting functionality is not available if inbox accounting is not enabled. InBoxAccounting_resolution=Enable inbox accounting. InBoxAccounting_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. RemoteAccessServerHealth_title=DirectAccess: Remote Access Server's operational status should be okay RemoteAccessServerHealth_problem=The following Remote Access components are in a critical or warning state : {0}. RemoteAccessServerHealth_impact=Possible Remote Access Server connectivity problems RemoteAccessServerHealth_resolution=Fix the critical/warning Remote Access Server component(s) and run BPA scan again. RemoteAccessServerHealth_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPNotConfigured_title=Web Application Proxy must be configured before it is used. WAPNotConfigured_problem=Web Application Proxy was installed but not configured for initial use. WAPNotConfigured_impact=If Web Application Proxy is not configured it cannot be used to publish applications. WAPNotConfigured_resolution=Use ‘Remote Access Management’ in Server Manager to start the configuration wizard or use the Install-WebApplicationProxy PowerShell command. WAPNotConfigured_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateMissing_title=Web Application Proxy: Application '{0}' is configured to use an external certificate that is not present on this server. WAPCertificateMissing_problem=Application '{0}' that is published by Web Application Proxy is using an external certificate that is not present on this server. WAPCertificateMissing_impact=If an application uses a certificate that is not present on this server, Web Application Proxy will not publish the application and users will not have access. WAPCertificateMissing_resolution=Obtain the configured external certificate from another server and copy it to this server with its private key. WAPCertificateMissing_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateExpired_title=Web Application Proxy: Application '{0}' is using an external certificate that has expired. WAPCertificateExpired_problem=Application '{0}' that is published by Web Application Proxy is using a certificate that has expired. WAPCertificateExpired_impact=If an application is using a certificate that has expired, users will not be able to secure their access to the application and sensitive data will not be encrypted. Some browsers might block access to such sites. WAPCertificateExpired_resolution=Issue a new certificate for this address and publish this application again with the new certificate. WAPCertificateExpired_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateWillExpire_title=Web Application Proxy: Application '{0}' is using an external certificate that is about to expire. WAPCertificateWillExpire_problem=Application '{0}' that is published by Web Application Proxy is using a certificate that is about to expire. WAPCertificateWillExpire_impact=If an application is using a certificate that has expired, users will not be able to secure their access to the application and sensitive data will not be encrypted. Some browsers might block access to such sites. WAPCertificateWillExpire_resolution=Issue a new certificate for this address and publish this application again with the new certificate. WAPCertificateWillExpire_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateNoPrivateKey_title=Web Application Proxy: Application '{0}' is using an external certificate that has no private key. WAPCertificateNoPrivateKey_problem=Application '{0}' that is published by Web Application Proxy is using a certificate that has no private key. WAPCertificateNoPrivateKey_impact=If an application is using a certificate that has no private key, users will not be able to secure their access to the application and sensitive data will not be encrypted. Some browsers might block access to such sites. WAPCertificateNoPrivateKey_resolution=Publish this application again with a valid certificate. WAPCertificateNoPrivateKey_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateInvalidPurpose_title=Web Application Proxy: Application '{0}' is using an external certificate that has an invalid key usage. WAPCertificateInvalidPurpose_problem=Application '{0}' that is published by Web Application Proxy is using a certificate that has an invalid key usage. WAPCertificateInvalidPurpose_impact=If an application is using a certificate that has an invalid key usage, users will not be able to secure their access to the application and sensitive data will not be encrypted. Some browsers might block access to such sites. WAPCertificateInvalidPurpose_resolution=Publish this application again with a valid certificate. WAPCertificateInvalidPurpose_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPCertificateNotBefore_title=Web Application Proxy: Application '{0}' is using an external certificate that is not yet valid. WAPCertificateNotBefore_problem=Application '{0}' that is published by Web Application Proxy is using a certificate that is not yet valid. WAPCertificateNotBefore_impact=If an application is using a certificate that is not yet valid, users will not be able to secure their access to the application and sensitive data will not be encrypted. Some browsers might block access to such sites. WAPCertificateNotBefore_resolution=Publish this application again with a valid certificate. WAPCertificateNotBefore_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPNonDomainJoinedAndIWA_title=Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain. WAPNonDomainJoinedAndIWA_problem=Web Application Proxy can perform backend authentication using Integrated Windows authentication only when it is running on a server that is joined to a domain. WAPNonDomainJoinedAndIWA_impact=Users will not be able to access this application from the current server. WAPNonDomainJoinedAndIWA_resolution=Join this server to a domain. WAPNonDomainJoinedAndIWA_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. WAPServiceNotAuto_title=Web Application Proxy: The service is not configured to run automatically WAPServiceNotAuto_problem=Web Application Proxy service (appproxysvc) settings were changed and it is not configured to run automatically. WAPServiceNotAuto_impact=After the server restarts, the service will not start and users will not be able to access published applications. WAPServiceNotAuto_resolution=Consider changing the Web Application Proxy service startup type to Automatic. WAPADFSServiceNotAuto_title=Web Application Proxy: The AD FS Proxy service is not configured to run automatically WAPADFSServiceNotAuto_problem=Active Directory Federation Services service (adfssrv) settings were changed and it is not configured to run automatically. WAPADFSServiceNotAuto_impact=After the server restarts, the service will not start and users will not be able to authenticate and will not be able to access published applications. WAPADFSServiceNotAuto_resolution=Consider changing the Active Directory Federation Services service startup type to Automatic. WAPServiceStopped_title=Web Application Proxy service is stopped WAPServiceStopped_problem=Web Application Proxy service (appproxysvc) is stopped. WAPServiceStopped_impact=Users will not be able to access published applications. WAPServiceStopped_resolution=Look for problems in the Windows event log. If no problems are found, restart the server. If this doesn't solve the problem, reinstall Web Application Proxy. WAPADFSServiceStopped_title=Web Application Proxy: The AD FS Proxy service is stopped WAPADFSServiceStopped_problem=Active Directory Federation Services service (adfssrv) is stopped. WAPADFSServiceStopped_impact=Users will not be able to authenticate and will not be able to access published applications. WAPADFSServiceStopped_resolution=Look for problems in the Windows event log. If no problems are found, restart the server. If this doesn't solve the problem, reinstall Web Application Proxy. WAPCantRetrieveConfPermanent_title=Web Application Proxy could not retrieve its configuration WAPCantRetrieveConfPermanent_problem=Web Application Proxy could not retrieve its configuration from AD FS storage. WAPCantRetrieveConfPermanent_impact=Web Application Proxy was unable to retrieve its configuration from AD FS storage and used the latest copy of the configuration; any updates to the configuration were not applied on this server. When the service starts, there is no copy of the configuration and any previously published applications are temporarily unavailable to users. WAPCantRetrieveConfPermanent_resolution=Check connectivity between Web Application Proxy and the AD FS servers. If the problem persists, consider running the Install-WebApplicationProxy cmdlet. WAPCantRetrieveConfTemporary_title=Web Application Proxy was not able to check for configuration updates WAPCantRetrieveConfTemporary_problem=Web Application Proxy was not able to check for configuration updates from AD FS storage. WAPCantRetrieveConfTemporary_impact=Web Application Proxy was temporarily unable to retrieve its configuration from AD FS storage and used the latest copy of the configuration; any updates to the configuration were not applied on this server. When the service starts, there is no copy of the configuration and any previously published applications are temporarily unavailable to users. WAPCantRetrieveConfTemporary_resolution=Check connectivity between Web Application Proxy and the AD FS servers. WAPCantApplyConfCert_title=Web Application Proxy could not publish an application due to certificate problems WAPCantApplyConfCert_problem=Web Application Proxy could not publish an application due to certificate problems. WAPCantApplyConfCert_impact=Users were not able to access the applications. WAPCantApplyConfCert_resolution=In the Windows event log, look for event 12021 for more details about these applications. Consider issuing a new certificate for these applications. WAPCantApplyConfHttpSys_title=Web Application Proxy could not publish an application WAPCantApplyConfHttpSys_problem=Web Application Proxy could not publish an application because it could not configure the HTTP protocol stack (http.sys) for that application. WAPCantApplyConfHttpSys_impact=Users were not able to access the applications. WAPCantApplyConfHttpSys_resolution=In the Windows event log, look for events 12019 and 12020 for more details about these applications. This may occur due to misconfiguration or a conflict with other services on the server. WAPIwaFailed_title=Web Application Proxy: Could not perform Integrated Windows authentication to the backend servers WAPIwaFailed_problem=The backend server rejected the Kerberos ticket that was presented by Web Application Proxy. WAPIwaFailed_impact=The backend server was not able to authenticate users. WAPIwaFailed_resolution=Check the Windows event log for event 12008 to identify the application. Check the Kerberos configuration on the domain controller and backend server for each application. This might also occur if the Web Application Proxy server time is not synchronized with the domain controller or the backend server. WAPUrlTranslationDis_title=Web Application Proxy: The external and backend server URLs are different and URL translation is disabled WAPUrlTranslationDis_problem=The external and backend server URLs are different and URL translation is disabled. WAPUrlTranslationDis_impact=The published application might reject requests from the client. WAPUrlTranslationDis_resolution=Consider changing the application publishing settings. WAPDAWithWAPCluster_title=Web Application Proxy: A cluster of Web Application Proxy servers is deployed and DirectAccess is also installed WAPDAWithWAPCluster_problem=A cluster of Web Application Proxy servers is deployed and DirectAccess is also installed on this server. WAPDAWithWAPCluster_impact=Web Application Proxy does not support this configuration and might not work as expected. WAPDAWithWAPCluster_resolution=Consider uninstalling DirectAccess from this server. WAPServerNotInCluster_title=Web Application Proxy: This server is not included in the ConnectedServersName list WAPServerNotInCluster_problem=This server is not included in the ConnectedServersName list. WAPServerNotInCluster_impact=The Remote Access Management console may not work as expected. WAPServerNotInCluster_resolution=Use the Set-WebApplicationProxyConfiguration cmdlet to add this server to the ConnectedServersName list. WAPPollingIntervalHigh_title=Web Application Proxy: The ConfigurationChangesPollingIntervalSec value is high WAPPollingIntervalHigh_problem=When the ConfigurationChangesPollingIntervalSec value is high, any changes that you make are not propagated in a timely manner, or changes are only partially propagated until the next time the server checks for updates. WAPPollingIntervalHigh_impact=Applications might not be published as expected until the next time the server checks for updates. WAPPollingIntervalHigh_resolution=Consider changing ConfigurationChangesPollingIntervalSec to a lower value using the Set-WebApplicationProxyConfiguration cmdlet. RRAS_ST_ValidSetup_title=RRAS: The Remote Access server role should be configured in Multitenant mode RRAS_ST_ValidSetup_problem=The gateway is configured for Multitenancy, but the Remote Access role is not installed with Multitenancy support RRAS_ST_ValidSetup_impact=The Remote Access gateway cannot act as a multitenant Site-to-Site VPN terminating entity that services multiple customers RRAS_ST_ValidSetup_resolution=Configure the Remote Access role in Multitenant mode RRAS_MT_ValidSetup_title=RRAS: The gateway should be configured with Multitenancy support RRAS_MT_ValidSetup_problem=The gateway is not configured for Multitenancy, but the Remote Access role is installed with Multitenancy support RRAS_MT_ValidSetup_impact=Remote Access gateway cannot be configured until either RRAS is installed in single tenant mode or stack multitenancy is enabled RRAS_MT_ValidSetup_resolution=Configure the host computer with multi-tenancy support OR Configure the Remote Access role in single tenant mode RRAS_MT_CompartmentDeleted_title=RRAS: All enabled Routing Domains should be available RRAS_MT_CompartmentDeleted_problem=Following routing domains are enabled but the corresponding compartment were deleted from stack - {0}. RRAS_MT_CompartmentDeleted_impact=Remote Access components will not work for this Routing Domain and it will provide an inconsistent behavior RRAS_MT_CompartmentDeleted_resolution=Disable the following routing domains by using the Disable-RemoteAccessRoutingDomain PowerShell cmdlet - {0} RRAS_MT_AllCompartmentsEnabled_title=RRAS: All Routing Domains should be enabled RRAS_MT_AllCompartmentsEnabled_problem=The following routing Domains are not in an enabled state - {0} RRAS_MT_AllCompartmentsEnabled_impact=The RRAS server cannot accept Site-to-Site VPN connections for routing domains that are not enabled for RRAS RRAS_MT_AllCompartmentsEnabled_resolution=Enable the following routing domains by using the Enable-RemoteAccessRoutingDomain powerShell cmdlet - {0} RRAS_MT_AllCompartmentsEnabled_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice BGP_DefaultGatewayAdvertised_title=RRAS: The default route (IPv4 or IPv6) should not be advertised to the peers BGP_DefaultGatewayAdvertised_problem=The Border Gateway Protocol (BGP) router is advertising a default route to peers {0} BGP_DefaultGatewayAdvertised_problem_MT=The Border Gateway Protocol (BGP) router is advertising a default route to peers {0} in routing domain {1} BGP_DefaultGatewayAdvertised_impact=Advertising the default route might disrupt remote BGP peers' default routing BGP_DefaultGatewayAdvertised_resolution=Add a Routing policy to drop the default route from advertisement for peers {0} BGP_DefaultGatewayAdvertised_resolution_MT=Add a Routing policy to drop the default route from advertisement for peers {0} in routing domain {1} BGP_DefaultGatewayAdvertised_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_DefaultGatewayAccepted_title=RRAS: The default route (IPv4 or IPv6) should not be accepted from the peers BGP_DefaultGatewayAccepted_problem=The BGP router is accepting default route advertisements for peers {0} BGP_DefaultGatewayAccepted_problem_MT=The BGP router is accepting default route advertisements for peers {0} in routing domain {1} BGP_DefaultGatewayAccepted_impact=Accepting default gateway advertisements from the remote peers might disrupt the host router’s default routing BGP_DefaultGatewayAccepted_resolution=Add a Routing policy to drop the default route from ingress route updates for BGP peers {0} BGP_DefaultGatewayAccepted_resolution_MT=Add a Routing policy to drop the default route from ingress route updates for BGP peers {0} in routing domain {1} BGP_DefaultGatewayAccepted_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_PeerIpAssignedToLocalInterface_title=RRAS: The BGP peer IP address should not be assigned to a local network interface BGP_PeerIpAssignedToLocalInterface_problem=The IP addresses of the following BGP peers are assigned to local interfaces - {0} BGP_PeerIpAssignedToLocalInterface_problem_MT=The IP addresses of the following BGP peers in routing domain {1} are assigned to local interfaces - {0} BGP_PeerIpAssignedToLocalInterface_impact=This incorrect configuration might lead to unexpected behavior by the BGP router BGP_PeerIpAssignedToLocalInterface_resolution=Check for the correct IP address of the BGP peer and modify the peer IP address if required, or change the local interface's IP address BGP_PeerIpAssignedToLocalInterface_resolution_MT=Check for the correct IP address of the BGP peer and modify the peer IP address if required, or change the local interface's IP address BGP_PeerIpAssignedToLocalInterface_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_title=RRAS: A local global IPv6 address must be configured on the BGP Router BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_problem=IPv6 routing is configured for the BGP router but a local global IPv6 address is not configured BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_problem_MT=IPv6 routing is configured for the BGP router for routing domain {0}, but a local global IPv6 address is not configured BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_impact=The BGP router cannot advertise IPv6 routes to the neighbors BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_resolution=Configure a Local Global IPv6 address for the BGP router BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_resolution_MT=Configure a Local Global IPv6 address for the BGP router in routing domain {0} BGP_IPv6EnabledIPv4PeersNoLocalIPv6Address_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice BGP_CustomRoutesNotReachable_title=RRAS: The routes being advertised to the peers must be locally resolvable BGP_CustomRoutesNotReachable_problem=The following custom routes configured on the BGP router cannot be locally resolved - {0} BGP_CustomRoutesNotReachable_problem_MT=The following custom routes configured on the BGP router in routing domain {1} cannot be locally resolved - {0} BGP_CustomRoutesNotReachable_impact=Remote peers will get the routes being advertised by the local router, but won’t be able to perform the routing to the destination prefix BGP_CustomRoutesNotReachable_resolution=Remove the unresolvable routes from advertisement BGP_CustomRoutesNotReachable_resolution_MT=Remove the unresolvable routes from advertisement in routing domain {1} BGP_CustomRoutesNotReachable_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_RoutesWithMultipleNextHops_title=RRAS: Multiple routes with different Next-Hop values and the same Destination prefix are configured BGP_RoutesWithMultipleNextHops_problem=Multiple routes with the same destination {0} and different next-hops are configured on the BGP router BGP_RoutesWithMultipleNextHops_problem_MT=Multiple routes with the same destination {0} and different next-hops are configured on the BGP router in routing domain {1}. BGP_RoutesWithMultipleNextHops_impact=Routing loops might occur because of multiple misconfigured routes with same destination prefix but different Next-Hop values. Connectivity might fail if routing loops occur BGP_RoutesWithMultipleNextHops_resolution=Remove the additional custom routes from the BGP configuration BGP_RoutesWithMultipleNextHops_resolution_MT=Remove the additional custom routes from the BGP configuration in routing domain {1} BGP_RoutesWithMultipleNextHops_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_HoldTimeSecZero_title=RRAS: The BGP peer's Hold-Timer should not be set to the value '0' BGP_HoldTimeSecZero_problem=The Hold-Timer value is set to the value '0' for BGP peer(s) {0} BGP_HoldTimeSecZero_problem_MT=The Hold-Timer value is set to the value '0' for BGP peer(s) {0} in routing domain {1} BGP_HoldTimeSecZero_impact=This might cause an infinite wait for the peer when one of the peers gets disconnected. When the peer attempts to reconnect, the connection attempt will also be rejected with collisions. BGP_HoldTimeSecZero_resolution=Set the hold timer to a different value (preferably > 20 seconds) for BGP peer(s) {0} BGP_HoldTimeSecZero_resolution_MT=Set the hold timer to a different value (preferably > 20 seconds) for BGP peer(s) {0} in routing domain {1} BGP_HoldTimeSecZero_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_HoldTimeSecLowValue_title=RRAS: BGP peer's Hold-Timer should not be set to a very low value BGP_HoldTimeSecLowValue_problem=The Hold-Timer is set to very low value for BGP peer(s) {0} BGP_HoldTimeSecLowValue_problem_MT=The Hold-Timer is set to very low value for BGP peer(s) {0} in routing domain {1} BGP_HoldTimeSecLowValue_impact=A low Hold-Timer value might cause peering failure with some third party routers, which do not support very low values BGP_HoldTimeSecLowValue_resolution=Set the hold timer to a different value (preferably > 20 seconds) for BGP peer(s) {0} BGP_HoldTimeSecLowValue_resolution_MT=Set the hold timer to a different value (preferably > 20 seconds) for BGP peer(s) {0} in routing domain {1} BGP_HoldTimeSecLowValue_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_AllIngressRoutesRejected_title=RRAS: All the ingress route advertisements should not be dropped because of a routing policy BGP_AllIngressRoutesRejected_problem=Routing policy configured for BGP peers {0} is causing all the ingress route advertisements to be dropped BGP_AllIngressRoutesRejected_problem_MT=Routing policy configured for BGP peers {0} in routing domain {1} is causing all the ingress route advertisements to be dropped BGP_AllIngressRoutesRejected_impact=None of the destination prefixes reachable via BGP peers will be available locally BGP_AllIngressRoutesRejected_resolution=Remove or modify the misconfigured BGP routing policy or policies for BGP peers {0} BGP_AllIngressRoutesRejected_resolution_MT=Remove or modify the misconfigured BGP routing policy or policies for BGP peers {0} in routing domain {1} BGP_AllIngressRoutesRejected_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_AllEgressRoutesRejected_title=RRAS: All the egress route advertisements should not be dropped because of a routing policy BGP_AllEgressRoutesRejected_problem=Routing policy configured for BGP peers {0} is causing all the egress route advertisements to be dropped BGP_AllEgressRoutesRejected_problem_MT=Routing policy configured for BGP peers {0} in routing domain {1} is causing all the egress route advertisements to be dropped BGP_AllEgressRoutesRejected_impact=None of the destination prefixes reachable from the local router will be available to BGP peers BGP_AllEgressRoutesRejected_resolution=Remove or modify the misconfigured BGP routing policy or policies for BGP peers {0} BGP_AllEgressRoutesRejected_resolution_MT=Remove or modify the misconfigured BGP routing policy or policies for BGP peers {0} in routing domain {1} BGP_AllEgressRoutesRejected_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_ManualModePeers_title=RRAS: BGP peers should not be configured for manual (passive) peering mode BGP_ManualModePeers_problem=The following BGP peers are configured for manual peering mode - {0} BGP_ManualModePeers_problem_MT=The following BGP peers in routing domain {1} are configured for manual peering mode - {0} BGP_ManualModePeers_impact=This mode is meant for troubleshooting purposes. Unless administrator starts manually, the BGP peer will never connect or reconnect BGP_ManualModePeers_resolution=Change the Peering Mode for BGP peers {0} to "Automatic". BGP_ManualModePeers_resolution_MT=Change the Peering Mode for BGP peers {0} in Routing Domain {1} to "Automatic". BGP_ManualModePeers_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_IPv6PeersWithIPv4CustomRoutes_title=RRAS: For BGP Peering over IPv6 addresses, IPv4 routes should not be configured for advertisement BGP_IPv6PeersWithIPv4CustomRoutes_problem=IPv4 routes are configured for advertisement on the BGP peer(s) {0} while the peering is established on IPv6 addresses BGP_IPv6PeersWithIPv4CustomRoutes_problem_MT=IPv4 routes are configured for advertisement on the BGP peer(s) {0} in routing domain {1} while the peering is established on IPv6 addresses BGP_IPv6PeersWithIPv4CustomRoutes_impact=IPv4 prefixes advertised will not be reachable from the peer routers because of the absence of IPv4 Next-Hop BGP_IPv6PeersWithIPv4CustomRoutes_resolution=Either remove the IPv4 routes from advertisements OR Reconfigure the BGP Peering to be on IPv4 addresses with IPv6 Routing enabled and add the local IPv6 address to be used as the IPv6 Next-Hop BGP_IPv6PeersWithIPv4CustomRoutes_resolution_MT=Either remove the IPv4 routes from advertisements OR Reconfigure the BGP Peering to be on IPv4 addresses with IPv6 Routing enabled and add the local IPv6 address to be used as the IPv6 Next-Hop in routing domain {1} BGP_IPv6PeersWithIPv4CustomRoutes_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_IdleHoldTimeSecHighValue_title=RRAS: IdleHoldTimer should not be set to a high value (> 10 sec) BGP_IdleHoldTimeSecHighValue_problem=Idle-Hold-Timer is set to a very high value for BGP peers {0} BGP_IdleHoldTimeSecHighValue_problem_MT=Idle-Hold-Timer is set to a very high value for BGP peers {0} in routing domain {1} BGP_IdleHoldTimeSecHighValue_impact=The BGP peer will take a longer time to get connected BGP_IdleHoldTimeSecHighValue_resolution=Update the Idle-Hold-Timer for peers {0} to an appropriate value (preferably <= 10 seconds) BGP_IdleHoldTimeSecHighValue_resolution_MT=Update the Idle-Hold-Timer for peers {0} in routing domain {1} to an appropriate value (preferably <= 10 seconds) BGP_IdleHoldTimeSecHighValue_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice BGP_PeersWithoutMaxPrefixLimit_title=RRAS: Max Prefix policy should be configured for all BGP Peers BGP_PeersWithoutMaxPrefixLimit_problem=Max Prefix policy is not configured for BGP peers {0} BGP_PeersWithoutMaxPrefixLimit_problem_MT=Max Prefix policy is not configured for BGP peers {0} in routing domain {1} BGP_PeersWithoutMaxPrefixLimit_impact=BGP Router will be prone to DoS attcks from these peers. BGP_PeersWithoutMaxPrefixLimit_resolution=Configure the MaxAllowedPrefix for BGP peer {0} BGP_PeersWithoutMaxPrefixLimit_resolution_MT=Configure the MaxAllowedPrefix for BGP peer {0} in routing domain {1} BGP_PeersWithoutMaxPrefixLimit_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_PrefixCountNearMaxLimit_title=RRAS: The total number of prefixes learned is in proximity of Maximum Allowed Prefixes BGP_PrefixCountNearMaxLimit_problem=The threshold for the maximum allowed prefixes is about to be reached for BGP peers {0} BGP_PrefixCountNearMaxLimit_problem_MT=The threshold for the maximum allowed prefixes is about to be reached for BGP peers {0} in Routing Domain {1} BGP_PrefixCountNearMaxLimit_impact=BGP Peering will be restarted and will purge all of the previously learned routes BGP_PrefixCountNearMaxLimit_resolution=Reset or update the total number of MaxAllowedPrefix for peer(s) {0} BGP_PrefixCountNearMaxLimit_resolution_MT=Reset or update the total number of MaxAllowedPrefix for peer(s) {0} in Routing Domain {1} BGP_PrefixCountNearMaxLimit_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. BGP_VPN_VpnAddressPoolNotInCustomRoutes_title=RRAS: The VPN static address pool should be configured as custom networks on the BGP router BGP_VPN_VpnAddressPoolNotInCustomRoutes_problem=The following addresses in static address pool for VPN are not configured as a custom network on the BGP router - {0} BGP_VPN_VpnAddressPoolNotInCustomRoutes_problem_MT=The following addresses in static address pool for VPN in routing domain {1} are not configured as a custom network on the BGP router - {0} BGP_VPN_VpnAddressPoolNotInCustomRoutes_impact=VPN clients will not be able to communicate with on-premise organization resources via the service provider gateway BGP_VPN_VpnAddressPoolNotInCustomRoutes_resolution=Configure the static pool IP addresses to BGP custom network BGP_VPN_VpnAddressPoolNotInCustomRoutes_resolution_MT=Configure the static pool IP addresses to BGP custom network in routing domain {1} BGP_VPN_VpnAddressPoolNotInCustomRoutes_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. MTVPN_StaticAddressPoolConfigured_title=RRAS: A static pool should be configured for IPv4 address assignment to the VPN client MTVPN_StaticAddressPoolConfigured_problem=A static IPv4 address pool is not configured in routing domain {0} MTVPN_StaticAddressPoolConfigured_impact=VPN remote clients will not be able to access organization resources MTVPN_StaticAddressPoolConfigured_resolution=Configure the IP address pool for assigning static addresses for routing domain {0} MTVPN_StaticAddressPoolIsUnicast_title=RRAS: The static pool IPv4 addresses must be valid unicast IPv4 addresses MTVPN_StaticAddressPoolIsUnicast_problem=The static address pool configured in routing domain {0} does not contain valid unicast IPv4 addresses MTVPN_StaticAddressPoolIsUnicast_impact=VPN remote clients will not be able to access organization resources MTVPN_StaticAddressPoolIsUnicast_resolution=Configure the IP address pool for assigning static addresses in routing domain {0} MTVPN_TenantNameConfigured_title=RRAS: The VPN Tenant Name must be specified MTVPN_TenantNameConfigured_problem=No VPN Tenant Name is configured for routing domain {0} MTVPN_TenantNameConfigured_impact=VPN Clients will not be able to connect to the corresponding tenant's Remote Access server MTVPN_TenantNameConfigured_resolution=Change the Tenant Name for the VPN interface for routing domain {0} MTVPN_TenantNameSubsetOfAnotherRD_title=RRAS: The VPN tenant name for a routing domain must not be a subset of another routing domain's tenant name MTVPN_TenantNameSubsetOfAnotherRD_problem=The tenant name for routing domain {0} is a subset of the tenant name of routing domain(s) {1} MTVPN_TenantNameSubsetOfAnotherRD_impact=VPN Clients will not be able to connect to the remote server MTVPN_TenantNameSubsetOfAnotherRD_resolution=Change the tenant name of routing domain {0} S2S_ServerCertHasNoRootCertificate_title=RRAS: A valid CA certificate for server certificate must be present in the TRCA certificate store S2S_ServerCertHasNoRootCertificate_problem=No valid CA certificate is installed for the Remote Access server certificate S2S_ServerCertHasNoRootCertificate_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface wouldn’t work without the valid root certificate in the RRAS server’s certificate store S2S_ServerCertHasNoRootCertificate_resolution=Install a valid CA certificate in the Trusted Root Certification Authorities store on the VPN server S2S_ServerCertHasNoRootCertificate_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_ServerRootCertificateAboutToExpire_title=RRAS: The CA certificate for Remote Access server certificate in the TRCA certificate store expires within 7 days S2S_ServerRootCertificateAboutToExpire_problem=The root certificate for the CA that issued the Remote Access Server Certificate is about to expire. S2S_ServerRootCertificateAboutToExpire_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface's remote destination might not work without the valid CA certificate in the RRAS server’s certificate store S2S_ServerRootCertificateAboutToExpire_resolution=Get a valid CA certificate for the remote server from the CA and install it in the certificate store S2S_ServerRootCertificateAboutToExpire_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_RootCertificateToAcceptAboutToExpire_title=RRAS: The CA certificate for the destination server of Site-to-Site VPN interface expires within 7 days S2S_RootCertificateToAcceptAboutToExpire_problem=The destination's CA certificate is about to expire S2S_RootCertificateToAcceptAboutToExpire_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface might not work without the valid certificate in the RRAS server’s store S2S_RootCertificateToAcceptAboutToExpire_resolution=Import a valid CA certificate to the RRAS server certificate store at the location Certificates (Local Computer) Trusted Root Certification Authorities S2S_RootCertificateToAcceptAboutToExpire_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_ServerCertificateHasAtleastOnePublicIPInCN_title=RRAS: Server certificate must have a public IP address for Alternate Subject Name S2S_ServerCertificateHasAtleastOnePublicIPInCN_problem=No valid public IP address is configured in the certificate's Subject Name (or Alternate subject name) S2S_ServerCertificateHasAtleastOnePublicIPInCN_impact=A remote client cannot connect to the Remote Access server using the IP address S2S_ServerCertificateHasAtleastOnePublicIPInCN_resolution=Get a valid certificate from the CA with Alternate Subject Name configured with the RRAS server's public IP address and install it in the certificate store S2S_ServerCertificateHasAtleastOnePublicIPInCN_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_IsInboundCAConfigured_title=RRAS: The inbound Certification Authority (CA) should be configured S2S_IsInboundCAConfigured_problem=No inbound Certification Authority is configured S2S_IsInboundCAConfigured_impact=Authentication for Site-to-Site VPN interface may fail. S2S_IsInboundCAConfigured_resolution=Configure an inbound CA. S2S_IsInboundCAConfigured_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_ServerCertificateAboutToExpire_title=RRAS: The server certificate expires within 7 days S2S_ServerCertificateAboutToExpire_problem=The Remote Access server certificate is about to expire S2S_ServerCertificateAboutToExpire_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface might not work without the valid server certificate in the RRAS server’s certificate store S2S_ServerCertificateAboutToExpire_resolution=Install a valid server certificate for the Remote Access server S2S_ServerCertificateAboutToExpire_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_PSKBasedS2SInterfacesWithSameDestination_title=RRAS: No two Site-to-Site VPN interfaces with PSK based authentication should have the same destination S2S_PSKBasedS2SInterfacesWithSameDestination_problem=The following set of Site-to-Site VPN interfaces have PSK based authentication and have the same destination {0} S2S_PSKBasedS2SInterfacesWithSameDestination_impact=Site-to-Site VPN interfaces won’t be able to connect to the same destination. S2S_PSKBasedS2SInterfacesWithSameDestination_resolution=Change the Site-to-Site VPN interfaces authentication method OR change the Site-to-Site VPN interface destination IP address. S2S_PSKBasedS2SInterfacesWithSameDestination_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithCertificateAboutToExpire_title=RRAS: The certificate for the Site-to-Site VPN interface {0} expires within 7 days S2S_InterfacesWithCertificateAboutToExpire_problem=The certificate is about to expire for Site-to-Site VPN interface {0} S2S_InterfacesWithCertificateAboutToExpire_problem_MT=The certificate is about to expire for Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithCertificateAboutToExpire_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface might not work without the valid certificate in the RRAS server’s certificate store S2S_InterfacesWithCertificateAboutToExpire_resolution=Get a valid CA certificate for Site-to-Site VPN interface {0} from the CA and install it in the certificate store S2S_InterfacesWithCertificateAboutToExpire_resolution_MT=IGet a valid CA certificate for Site-to-Site VPN interface {0} in routing domain {1} from the CA and install it in the certificate store S2S_InterfacesWithCertificateAboutToExpire_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithoutRootCertificate_title=RRAS: A valid CA certificate for the Site-to-Site VPN interface certificate must be present in the TRCA certificate store S2S_InterfacesWithoutRootCertificate_problem=No valid CA certificate is installed in the certificate store for Site-to-Site VPN interface {0} S2S_InterfacesWithoutRootCertificate_problem_MT=No valid CA certificate is installed in the certificate store for Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithoutRootCertificate_impact=IKEv2 Machine Certificates authentication for the Site-to-Site VPN interface wouldn’t work without the valid CA certificate in the RRAS server’s certificate store S2S_InterfacesWithoutRootCertificate_resolution=Install a valid CA certificate for the Site-to-Site VPN interface {0} S2S_InterfacesWithoutRootCertificate_resolution_MT=Install a valid CA certificate for the Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithoutRootCertificate_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithRootCertificateAboutToExpire_title=RRAS: The CA certificate for the Site-to-Site VPN interface certificate expires within 7 days S2S_InterfacesWithRootCertificateAboutToExpire_problem=The CA certificate is about to expire for Site-to-Site VPN interface {0} S2S_InterfacesWithRootCertificateAboutToExpire_problem_MT=The CA certificate is about to expire for Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithRootCertificateAboutToExpire_impact=IKEv2 Machine Certificates authentication for Site-to-Site VPN interface might not work without the valid CA certificate in the RRAS server’s certificate store S2S_InterfacesWithRootCertificateAboutToExpire_resolution=Get a valid CA certificate for Site-to-Site VPN interface {0} from the CA and install it in the certificate store S2S_InterfacesWithRootCertificateAboutToExpire_resolution_MT=Get a valid CA certificate for Site-to-Site VPN interface {0} in routing domain {1} from the CA and install it in the certificate store S2S_InterfacesWithRootCertificateAboutToExpire_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_EAPBasedS2SInterfacesWithInValidName_title=RRAS: The Site-to-Site VPN interface name for {0} must match the Username S2S_EAPBasedS2SInterfacesWithInValidName_problem=Site-to-Site VPN interface {0} is configured for EAP authentication and the interface name does not match the EAP username S2S_EAPBasedS2SInterfacesWithInValidName_problem_MT=Site-to-Site VPN interface {0} in routing domain {1} is configured for EAP authentication and the interface name does not match the EAP username S2S_EAPBasedS2SInterfacesWithInValidName_impact=Site-to-Site VPN interfaces won’t be able to establish connection with the remote server S2S_EAPBasedS2SInterfacesWithInValidName_resolution=Either add a new appropriate Site-to-Site VPN interface with the required name, or add the required EAP User with the same name as the interface S2S_EAPBasedS2SInterfacesWithInValidName_resolution_MT=Either add a new appropriate Site-to-Site VPN interface with the required name, or add the required EAP User with the same name as the interface S2S_EAPBasedS2SInterfacesWithInValidName_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_DefaultCapacityParams_title=RRAS: The CapacityKbps parameter should be configured with a value as per the network requirements S2S_DefaultCapacityParams_problem=The Capacity Kbps parameter is set to default value S2S_DefaultCapacityParams_impact=The Remote Access server’s performance and throughput will be impacted S2S_DefaultCapacityParams_resolution=Set the Remote Access server’s CapacityKbps parameter to appropriate value S2S_DefaultCapacityParams_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_PortLimitExceeded_title=RRAS: The number of ports available should not be less than the number of VPN and Site-to-Site VPN interfaces S2S_PortLimitExceeded_problem=The total number of ports (SSTP and IKEv2) is less than the number of Site-to-Site VPN and VPN interfaces configured on the computer. S2S_PortLimitExceeded_impact=VPN clients or Site-to-Site VPN interfaces might not be able to establish a connection if all the ports are consumed S2S_PortLimitExceeded_resolution=Make sure that the number of available ports is equal to or greater than allowed VPN interfaces and the Site-to-Site VPN interfaces configured S2S_PortLimitExceeded_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_DefaultRateLimitingParams_title=RRAS: Rate-limiting (Tx/Rx BandwidthKbps) should be set to a value as per the network requirements S2S_DefaultRateLimitingParams_problem=Rate-Limiting parameters are set to default values for Site-to-Site VPN interfaces {0} S2S_DefaultRateLimitingParams_problem_MT=Rate-Limiting parameters are set to default values for Site-to-Site VPN interfaces {0} in routing domain {1} S2S_DefaultRateLimitingParams_impact=Site-to-Site VPN / VPN interface’s throughput is limited by the default value of the rate-limiting parameter S2S_DefaultRateLimitingParams_resolution=Reset the Site-to-Site VPN or VPN interface’s Quality of Service (QoS) parameters to appropriate values S2S_DefaultRateLimitingParams_resolution_MT=Reset the Site-to-Site VPN or VPN interface’s Quality of Service (QoS) parameters to appropriate values S2S_DefaultRateLimitingParams_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithInValidRateLimitingParams_title=RRAS: Rate-limiting parameters (Tx/Rx BandwidthKbps) should not have a significant difference in the values S2S_InterfacesWithInValidRateLimitingParams_problem=Rate-Limiting parameter values are too far apart for Site-to-Site VPN interface {0} S2S_InterfacesWithInValidRateLimitingParams_problem_MT=Rate-Limiting parameter values are too far apart for Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithInValidRateLimitingParams_impact=Site-to-Site VPN performance will be affected S2S_InterfacesWithInValidRateLimitingParams_resolution=Set the Quality of Service (QoS) parameters to appropriate values (where smaller value is greater than or equal to 30 percent of larger value) S2S_InterfacesWithInValidRateLimitingParams_resolution_MT=Set the Quality of Service (QoS) parameters to appropriate values (where smaller value is greater than or equal to 30 percent of larger value) S2S_InterfacesWithInValidRateLimitingParams_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_PSKBasedS2SInterfacesWithInvalidDestination_title=RRAS: For PSK authentication, the destination cannot be configured as a Fully Qualified Domain Name (FQDN) S2S_PSKBasedS2SInterfacesWithInvalidDestination_problem=The destination for Site-to-Site VPN interfaces {0} is configured as a FQDN. S2S_PSKBasedS2SInterfacesWithInvalidDestination_problem_MT=The destination for Site-to-Site VPN interfaces {0} of Routing Domain {1} is configured as a FQDN. S2S_PSKBasedS2SInterfacesWithInvalidDestination_impact=The Site-to-Site VPN interface will not be able to connect to the specified destination S2S_PSKBasedS2SInterfacesWithInvalidDestination_resolution=Change the destination for Site-to-Site VPN interface {0} S2S_PSKBasedS2SInterfacesWithInvalidDestination_resolution_MT=Change the destination for Site-to-Site VPN interface {0} in routing domain {1} S2S_PSKBasedS2SInterfacesWithInvalidDestination_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesRequireSourceIpConfiguration_title=RRAS: The Site-to-Site VPN interface should be configured with a Source IP address S2S_InterfacesRequireSourceIpConfiguration_problem=The Site-to-Site VPN server has multiple public IP addresses and a source IP address is not configured for the Site-to-Site VPN interface {0} S2S_InterfacesRequireSourceIpConfiguration_problem_MT=The Site-to-Site VPN server has multiple public IP addresses and a source IP address is not configured for the Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesRequireSourceIpConfiguration_impact=Site-to-Site VPN interface may not be able to connect to the specified destination S2S_InterfacesRequireSourceIpConfiguration_resolution=Configure the source IP address for the Site-to-Site VPN interface {0} S2S_InterfacesRequireSourceIpConfiguration_resolution_MT=Configure the source IP address for the Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesRequireSourceIpConfiguration_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_title=RRAS: Custom policies configured for the Site-to-Site VPN interface should be a subset of Site-to-Site VPN server global policies S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_problem=Custom policies configured for Site-to-Site VPN interface {0} are not a part of the Routing Domain specific or Global (Server level) set of policies S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_problem_MT=Custom policies configured for Site-to-Site VPN interface {0} in routing domain {1} are not a part of the Routing Domain specific or Global (Server level) set of policies S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_impact=Interoperability with third party VPN devices might be affected and the negotiated values might be different for incoming and outgoing connections S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_resolution=The custom policy is not in the set of policies configured at the routing domain level. Either add the new custom policy at the Routing Domain or Server level set of policies OR Use one of the predefined policies from the Server level. S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_resolution_MT=The custom policy is not in the set of policies configured at the routing domain level. Either add the new custom policy at the Routing Domain or Server level set of policies OR Use one of the predefined policies from the Server level. S2S_InterfacesWithCustomPolicyDiffFromGlobalPolicies_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithoutTriggeringRoute_title=RRAS: A triggering route must be configured on the Site-to-Site VPN interface for the BGP peers S2S_InterfacesWithoutTriggeringRoute_problem=No triggering route is configured on the Site-to-Site VPN interface {0} S2S_InterfacesWithoutTriggeringRoute_problem_MT=No triggering route is configured on the Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithoutTriggeringRoute_impact=The Site-to-Site VPN interface will not be able to trigger connection to the remote site as demand dial and will have to be manually dialed S2S_InterfacesWithoutTriggeringRoute_resolution=Add a triggering route for Site-to-Site VPN interface {0} S2S_InterfacesWithoutTriggeringRoute_resolution_MT=Add a triggering route for Site-to-Site VPN interface {0} in routing domain {1} S2S_InterfacesWithoutTriggeringRoute_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_InterfacesWithoutHostTriggeringRoute_title=RRAS: The Site-to-Site VPN triggering route should be a specific address (/32 for IPv4 address, /128 for IPv6 address) S2S_InterfacesWithoutHostTriggeringRoute_problem=The Site-to-Site VPN triggering address that is configured for interfaces {0} is a generic address S2S_InterfacesWithoutHostTriggeringRoute_problem_MT=The Site-to-Site VPN triggering address that is configured for interfaces {0} in routing domain {1} is a generic address S2S_InterfacesWithoutHostTriggeringRoute_impact=If the triggering route configured on the Site-to-Site VPN interface is a generic address, the BGP's next-hop resolution corresponding to those generic addresses might fail S2S_InterfacesWithoutHostTriggeringRoute_resolution=Add a specific, non-generic triggering route where Prefix Length is 32 for IPv4 and 128 for IPv6 addresses S2S_InterfacesWithoutHostTriggeringRoute_resolution_MT=Add a specific, non-generic triggering route where Prefix Length is 32 for IPv4 and 128 for IPv6 addresses in routing domain {1} S2S_InterfacesWithoutHostTriggeringRoute_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_FilterBlockBGP_title=RRAS: The Site-to-Site VPN interface's traffic filters should not be blocking BGP traffic S2S_FilterBlockBGP_problem=Traffic filters that are configured for Site-to-Site VPN interface {0} are blocking BGP traffic. S2S_FilterBlockBGP_problem_MT=Traffic filters that are configured for Site-to-Site VPN interface {0} of routing domain {1} are blocking BGP traffic. S2S_FilterBlockBGP_impact=BGP Routing will not work S2S_FilterBlockBGP_resolution=Reset the traffic filters to unblock BGP traffic S2S_FilterBlockBGP_resolution_MT=Reset the traffic filters to unblock BGP traffic S2S_FilterBlockBGP_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_FilterBlockVSID_title=RRAS: The Site-to-Site VPN interface's traffic filters should not be blocking VSID interface traffic S2S_FilterBlockVSID_problem=The traffic filters that are configured for Site-to-Site VPN interface {0} are blocking VSID Interface traffic S2S_FilterBlockVSID_problem_MT=The traffic filters that are configured for Site-to-Site VPN interface {0} of routing domain {1} are blocking VSID Interface traffic S2S_FilterBlockVSID_impact=The remote VPN server and VPN clients will not be able to access hosted organization resources S2S_FilterBlockVSID_resolution=Reset the traffic filters to unblock VSID interface traffic S2S_FilterBlockVSID_resolution_MT=Reset the traffic filters to unblock VSID interface traffic S2S_FilterBlockVSID_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. S2S_FilterBlockVPN_title=RRAS: The Site-to-Site VPN interface's traffic filters should not be blocking VPN client traffic S2S_FilterBlockVPN_problem=The traffic filters that are configured for Site-to-Site VPN interface {0} are blocking VPN client traffic S2S_FilterBlockVPN_problem_MT=The traffic filters that are configured for Site-to-Site VPN interface {0} of routing domain {1} are blocking VPN client traffic S2S_FilterBlockVPN_impact=VPN remote clients will not be able to access hosted organization resources S2S_FilterBlockVPN_resolution=Reset the traffic filters to unblock VPN client traffic S2S_FilterBlockVPN_resolution_MT=Reset the traffic filters to unblock VPN client traffic S2S_FilterBlockVPN_compliant=The RRAS Best Practices Analyzer scan has determined that you are in compliance with this best practice. DownLevel_title=DirectAccess: DirectAccess is not enabled to work with Windows 7 clients DownLevel_problem=The checkbox for enabling DirectAccess for Windows 7 clients is not checked. DownLevel_impact=Windows 7 clients will not be able to connect to the corporate network over DirectAccess. DownLevel_resolution=Add support for Windows 7 clients as follows: 1. In the Remote Access Management console, run the Remote Access Server Setup Wizard. 2. On the Authentication page, check the checkbox to allow support for Windows 7 clients. If you are not already using certificate based authentication, you will need to enable that support. For this, on this page, you will also need to enter a root certificate authority to which the server machine certificate will chain to. 3. Apply the new configuration changes. DownLevel_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. ForceTunnelAndKerProxy_title=DirectAccess: Force tunneling and Kerberos proxy will not work together when both are deployed for DirectAccess ForceTunnelAndKerProxy_problem=Force tunneling and Kerberos proxy cannot be configured together in a DirectAccess deployment. ForceTunnelAndKerProxy_impact=Client connectivity will not work as expected. ForceTunnelAndKerProxy_resolution=You can either reconfigure to split tunneling mode or to certificate based authentication. Configure split tunneling mode as follows: 1. In the Remote Access Management console, run the Remote Clients Setup Wizard. 2. On the Select Groups page, uncheck the checkbox for force tunneling. 3. Apply the new configuration changes. Configure certificate based authentication as follows: 1. In the Remote Access Management console, run the Remote Access Server Setup Wizard. 2. On the Authentication page, check the checkbox to allow support for Windows 7 clients. You will also need to enter a root certificate authority to which the server machine certificate will chain to. 3. Apply the new configuration changes. ForceTunnelAndKerProxy_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. DCInstalled_title=DirectAccess: DirectAccess connectivity will not work if the DirectAccess server is also a Domain Controller DCInstalled_problem=DirectAccess has been configured on a server that is also a domain controller. DCInstalled_impact=Client connectivity will not work. DCInstalled_resolution=You can do either of the following: 1. Remove the Active Directory Domain Services role from the DirectAccess Server 2. Move the Remote Access role to a different server DCInstalled_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsNetAdapterBindingOrderCorrect_title=DirectAccess: The internal network adapter on the Remote Access server should be accessed first IsNetAdapterBindingOrderCorrect_problem=The external network adapter is listed before the internal network adapter in the connection order. IsNetAdapterBindingOrderCorrect_impact=Remote Access will check the external adapter before the internal adapter. This might cause a delay when applying configuration changes. IsNetAdapterBindingOrderCorrect_resolution=Modify the connection order as follows: 1. Click Start, and type ncpa.cpl. 2. In Network Connections, press the Alt key to open the hidden menu. 3. In the menu, click Advanced, and then click Advanced Settings. 4. In the Connections list, move the internal adapter above the external adapter. Then click OK. IsNetAdapterBindingOrderCorrect_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsSanAndSubjectName_title=DirectAccess: A certificate that could be used for DirectAccess has a SAN, but no subject name IsSanAndSubjectName_problem=One or more certificates are incompatible with DirectAccess. IsSanAndSubjectName_impact=You will not be able to use these certificates for DirectAccess configuration. IsSanAndSubjectName_resolution=To find and remove non compatible certificates, do the following: 1. Type certmgr.msc at an elevated command prompt 2. Go to Personal -> Certificates. 3. For each certificate, click on Details and check if the Subject field is empty. 4. Remove the certificate from the store. IsSanAndSubjectName_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IPHTTPSHasPrivateKey_title=DirectAccess: IP-HTTPS certificate {0} on the Remote Access server should have a valid private key. IPHTTPSHasPrivateKey_problem=The IP-PHTTPS certificate {0} is located on the server, but a private key for the certificate cannot be found. IPHTTPSHasPrivateKey_impact=DirectAccess client computers cannot connect over IP-HTTPS as expected. IPHTTPSHasPrivateKey_resolution=Do the following: 1. Obtain an IP-HTTPS certificate with a private key. 2. Ensure that the certificate is in the Personal store of the computer account. IPHTTPSHasPrivateKey_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsDAPolicyPresent_title=DirectAccess: The DirectAccess server did not receive the DirectAccess server GPO IsDAPolicyPresent_problem=DirectAccess policies have not been configured on the DirectAccess server. IsDAPolicyPresent_impact=Client connectivity will not work as expected. IsDAPolicyPresent_resolution=To ensure that DirectAccess server is receiving the DirectAccess policies, do the following: 1. Execute gpupdate /force from an elevated command prompt 2. If policies have still not been received, check the GPO in GPMC to ensure that the GPO is accessible to the DirectAccess server IsDAPolicyPresent_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsDomainComputersInDA_title=DirectAccess: The DirectAccess client security group should not include desktop computers IsDomainComputersInDA_problem=The DirectAccess client security group contains non-mobile desktop computers. IsDomainComputersInDA_impact=If desktop computers do not require remote connectivity to the corporate network using DirectAccess, they do not need to be included in a DirectAccess client security group. DirectAccess client settings stored in the client Group Policy object (GPO) are applied to all computers in the security group. IsDomainComputersInDA_resolution=To limit the security group to mobile computers only, do the following: 1. In the Remote Access Management console, run the Remote Clients Setup Wizard. 2. On the Select Groups page, select Enable DirectAccess for mobile computers only. Then click OK. 3. Apply the new configuration changes. IsDomainComputersInDA_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsSupportEmailConfigured_title=DirectAccess: An email address should be configured for NCA IsSupportEmailConfigured_problem=The support email address for DirectAccess clients has not been configured. IsSupportEmailConfigured_impact=If there are any connectivity issues, DirectAccess clients will not be able to send logs to the administrator. IsSupportEmailConfigured_resolution=Configure the helpdesk email address as follows: 1. In the Remote Access Management console, run the Remote Clients Setup Wizard. 2. On the Network Connectivity Assistant page, enter an email address for the text field Helpdesk email address. Then click Finish. 3. Apply the new configuration changes. IsSupportEmailConfigured_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsDefaultGWConfigProper_title=DirectAccess: The default gateway should be configured on the Internet interface and not on the internal interface IsDefaultGWConfigProper_problem=Either a default gateway is not configured on the external interface, or a default gateway is configured on the internal interface. IsDefaultGWConfigProper_impact=If a default gateway is not configured on the external interface, clients on the corporate network will not be able to send packets back to the Internet. If you have specific routes configured on the external interface to reach the Internet, ignore this warning. If a default gateway is configured on the internal interface, DirectAccess communication will fail. IsDefaultGWConfigProper_resolution=Configure a default gateway on the external interface. Remove the default gateway from the internal interface. The default gateway can be changed in the IPv4/IPv6 properties page of the physical interface. IsDefaultGWConfigProper_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsInvalidNrptExpPresent_title=DirectAccess: NRPT exemptions have been configured in force tunneling deployments IsInvalidNrptExpPresent_problem=Corporate namespace exemptions have been configured in a deployment where all traffic goes through the DirectAccess tunnels. IsInvalidNrptExpPresent_impact=These exemptions will not be functional since all traffic will go through the DirectAccess tunnels. IsInvalidNrptExpPresent_resolution=Remove the NRPT exemptions as follows: 1. In the Remote Access Management console, run the Infrastructure Server Setup Wizard. 2. On the DNS page of the wizard, delete the namespace entries with no corresponding DNS servers 3. Apply the new configuration changes. IsInvalidNrptExpPresent_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsDNS64AcptIfaceConfigValid_title=DirectAccess: AcceptInterface for DNS64 must use the same IP address as the one used for DNS64 IsDNS64AcptIfaceConfigValid_problem=The IP address on the interface where DNS64 is listening is not correct. IsDNS64AcptIfaceConfigValid_impact=Client connectivity will not work as expected. IsDNS64AcptIfaceConfigValid_resolution=Configure the correct address as follows: 1. From an elevated Powershell prompt, execute "Set-NetDnsTransitionConfiguration –State Disabled". 2. Restart the Remote Access Management Service by executing Restart-Service ramgmtsvc. After the service has been restarted, the address will be reconfigured on the interface. IsDNS64AcptIfaceConfigValid_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsDNSAddrConfigValid_title=DirectAccess: The DNS address used for name resolution of internal network resources should be correct IsDNSAddrConfigValid_problem=The DNS server used to resolve internal namespace queries is not configured as the NAT64/DNS64 address of the DirectAccess server. IsDNSAddrConfigValid_impact=Client connectivity will not work as expected. IsDNSAddrConfigValid_resolution=Add the default entry for a name suffix as follows: 1. In the Remote Access Management console, run the Infrastructure Server Setup Wizard. 2. On the DNS page of the wizard, double-click the entry containing the relevant network suffix. 3. Remove the IP addresses for the network suffix. Once all the IP addresses are removed, the Detect button is enabled. Click on the button to populate the default IP addresses. 4. Apply the new configuration changes. IsDNSAddrConfigValid_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsIpHttpsCdpReachable_title=DirectAccess: The IP-HTTPS CRL distribution point should be accessible from the DirectAccess server IsIpHttpsCdpReachable_problem=DirectAccess clients may not be able to access the CRL distribution point (CDP) of the online issuing authority. IsIpHttpsCdpReachable_impact=If the CDP is not reachable, DirectAccess clients will not be able to get the updated CRLs and hence connectivity to the DirectAccess server will fail. IsIpHttpsCdpReachable_resolution=Ensure that the CRL distribution point is hosted on an Internet-facing and publically accessible Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity. IsIpHttpsCdpReachable_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsNlsCdpReachable_title=DirectAccess: An NLS CRL distribution point should be accessible from the DirectAccess server IsNlsCdpReachable_problem=DirectAccess clients will not be able to access the CRL distribution point (CDP) of the online issuing authority for network location determination. IsNlsCdpReachable_impact=If the CDP is not reachable, DirectAccess clients will not be able to get the updated CRLs .When they come inside the corporate network, they will not be qualified as inside and will not be able to access corporate network resources. IsNlsCdpReachable_resolution=Ensure that the CRL distribution point is hosted on an intranet Web or file server that provides high availability and, depending on the number of DirectAccess clients, high capacity. IsNlsCdpReachable_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsNonPingProbesConfigured_title=DirectAccess: Ensure that probes other than ping probes are configured in the NCA IsNonPingProbesConfigured_problem=Only ping (ICMP) probes have been configured for checking corporate connectivity on the client. IsNonPingProbesConfigured_impact=Since ICMP is exempted from IPsec, successfull ping queries do not guarantee that clients have full connectivity to the corporate network. IsNonPingProbesConfigured_resolution=To ensure that remote clients can properly determine if they have full corporate connectivity over DirectAccess, configure an HTTP probe. You can configure an HTTP probe as follows: 1. In the Remote Access Management console, run the Remote Clients Setup Wizard. 2. On the Network Connectivity Assistant page, enter an HTTP resource to validate connectivity to the internal network. Then click Finish. 3. Apply the new configuration changes. IsNonPingProbesConfigured_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. IsIsatapDnsRecordsProper_title=DirectAccess: If NLB/ELB is deployed and ISATAP is also deployed in the corporate network, ensure that all the internal DIPs and VIPs are registered in DNS for the ISATAP entry. IsIsatapDnsRecordsProper_problem=ISATAP is deployed in the corporate network and the ISATAP DNS record does not have all the internal dedicated IP addresses and Virtual IPaddresses of the cluster. IsIsatapDnsRecordsProper_impact=DirectAccess clients will not be able to communicate with corporate network resources. IsIsatapDnsRecordsProper_resolution=Ensure that all the internal dedicated IPaddresses of the remote access servers and the internal virtual IPaddresses of the load balancer are registered in DNS for ISATAP. The internal virtual IP address can be determined by executing the cmdlet Get-RemoteAccessLoadBalancer. The internal dedicated IPaddresses are the actual addresses configured on the internal interface of the DirectAccess servers. IsIsatapDnsRecordsProper_compliant=The Remote Access Best Practices Analyzer scan has determined that you are in compliance with this best practice. '@