Configuring an External Load Balanced UAG DirectAccess Array for an IPv4 Only Network


The article Configuring external load balancing for a Forefront UAG DirectAccess array at http://technet.microsoft.com/en-us/library/ee690463.aspx describes how you would configure a UAG DirectAccess array when using external load balancers. In the example provided on that page, you will see that both internal and external load balancers are required to complete the solution. However, the requirement for internal and external load balancers only exists when you have an IPv6 capable network.

Another scenario you might want to consider is the IPv4 only network located behind the UAG DirectAccess array. In this scenario, you only need an external load balancer. In the IPv4 only network behind the UAG DirectAccess array scenario, the internal load balancer can be removed.

Figure 1 depicts the topology for external load balancing when a UAG DirectAccess array is positioned in front of an IPv4 only network.

Figure 1: Topology for external load balancing with a UAG DirectAccess array positioned in front of an IPv4 only network

You need to configure your external load balancer to load balance incoming connections for TCP port 443 (to support IP-HTTPS) and UDP port 3544 (to support Teredo). 6to4 will not work in an external load balancing scenario.

You also need to configure UAG to use IPv6 addresses on its internal network interfaces, because external load balancing requires this. Since IPv6 is not deployed on your IPv4 only network, you should use a 6to4 based address space and assign an address from that address space to each UAG array member's internal interface, as shown in Figure 1.

Determining the Internal 6to4 Address

Suppose WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, the public IPv4 address you use on the external load balancer. You would then use the 2002:WWXX:YYZZ:8000::/49 address space for generating addresses for the UAG machines (for example, if the array has three servers they can get the IPv6 addresses 2002:WWXX:YYZZ:8000::1, 2002:WWXX:YYZZ:8000::2 and 2002:WWXX:YYZZ:8000::3).

When you run the UAG wizard you will be prompted to enter the IPv6 prefixes of your organization. You should use:

  • 2002:WWXX:YYZZ:8000::/49 as the organizational prefix
  • 2002:WWXX:YYZZ:8000::/64 as the ISATAP prefix
  • 2002:WWXX:YYZZ:8001::/96 as the NAT64/DNS64 prefix
  • 2002:WWXX:YYZZ:8100::/56 as the IP-HTTPS prefix

You can use the Windows Calculator to perform the conversions if you are not familiar with Hex notation.

For example, for the IPv4 address:

192.0.2.31

W = 192
X = 0
Y = 2
Z = 31

Converting to Hex format WWXX:YYZZ (each octet becomes two hex digits, zero-padded):

192 = C0
0 = 00
2 = 02
31 = 1F

Put them together, and you get:

C000:021F

Which can be used to determine the organization prefix:

2002:WWXX:YYZZ:8000::/49

which is in our example:

2002:C000:021F:8000::/49
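As an added example (not part of the original article), the following Python script performs the same derivation for any public IPv4 address: it converts w.x.y.z to WWXX:YYZZ, builds the four prefixes the UAG wizard asks for, and assigns one 2002:WWXX:YYZZ:8000:: address per array member. The function and dictionary key names are assumptions, and the RFC 1918 check is an added sanity check, since 6to4 embeds the public IPv4 address in the prefix.

```python
import ipaddress

# Added example, not from the original article: derive the 6to4-based prefixes
# that the UAG DirectAccess wizard asks for from the public IPv4 address that
# is configured on the external load balancer.

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_to_hextets(public_ipv4):
    """Return the WWXX:YYZZ colon-hex form of w.x.y.z (each octet zero-padded to two hex digits)."""
    addr = ipaddress.IPv4Address(public_ipv4)
    if any(addr in net for net in RFC1918):
        # 6to4 embeds the IPv4 address in the prefix, so it must be a routable public address
        raise ValueError(f"{public_ipv4} is an RFC 1918 address; 6to4 needs a public IPv4 address")
    w, x, y, z = addr.packed
    return f"{w:02X}{x:02X}:{y:02X}{z:02X}"


def uag_6to4_prefixes(public_ipv4, array_size):
    """Build the organizational, ISATAP, NAT64/DNS64 and IP-HTTPS prefixes plus one
    internal-interface address per array member, following the article's layout."""
    base = f"2002:{ipv4_to_hextets(public_ipv4)}"
    prefixes = {
        "organization": f"{base}:8000::/49",
        "isatap": f"{base}:8000::/64",
        "nat64_dns64": f"{base}:8001::/96",
        "iphttps": f"{base}:8100::/56",
    }
    # Sanity check: every prefix must parse, and the three sub-prefixes must fall inside the /49
    org = ipaddress.IPv6Network(prefixes["organization"])
    for name in ("isatap", "nat64_dns64", "iphttps"):
        assert ipaddress.IPv6Network(prefixes[name]).subnet_of(org), name
    members = [f"{base}:8000::{i}" for i in range(1, array_size + 1)]
    for member in members:
        assert ipaddress.IPv6Address(member) in org, member
    return {"wwxx_yyzz": ipv4_to_hextets(public_ipv4), "prefixes": prefixes, "array_members": members}


if __name__ == "__main__":
    # The article's sample address, 192.0.2.31, with a three-member array
    result = uag_6to4_prefixes("192.0.2.31", 3)
    print("WWXX:YYZZ =", result["wwxx_yyzz"])
    for name, prefix in result["prefixes"].items():
        print(f"{name:>13}: {prefix}")
    print("array members:", ", ".join(result["array_members"]))
```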

To use the Windows calculator:

1. Open the Windows Calculator from the Start menu.

2. Click the View menu, and click Programmer.

3. Select the Dec option and enter the value for W, X, Y or Z.

4. Select the Hex option. The display shows the conversion from decimal to Hex notation.

Authors:

Ben Bernstein, Senior Program Manager

Tom Shinder, Technical Writer


Comments
  • Thanks for this, but I noticed a typo,

    "192.0.2.31

    W = 192

    X= 0

    Y= 2

    Z= 30"

    Should Z = 30, or 31? And does it matter which IP on the external LB is used (the 1st IP or the 2nd sequential IP)?

  • This looks great, but how about 'Manage Out'? Without the HLB on the inside, how do you get the internal clients to load balance across the UAG servers? Do you simply point them all at the one server and forget about load balancing on the internal side? Then of course there is ISATAP - since the UAG will not configure itself as an ISATAP router with HLB where does that go/point to facilitate 'Manage Out'. I feel that this document is great for inbound access but does nothing in describing the full DA solution...
