How to Configure DirectAccess in Windows Server 2012 to Work with an External Hardware Load Balancer


Summary:  Gregg O’Brien, a Microsoft Premier Field Engineer from Canada, provides insight and walks us through how to configure DirectAccess in Windows Server 2012 to work with an External Hardware Load Balancer.

DirectAccess is quickly becoming a popular solution for providing remote access to users, especially since the release of Windows Server 2012.  

DirectAccess can be installed in a standalone configuration using only one server, or it can be installed using one of two load balancing mechanisms: Integrated Windows Network Load Balancing and External Hardware Load Balancing.  Both of these methods have their benefits, but customers who need load balancing across large geographies or higher levels of performance, or who want to leverage an existing investment, may choose to go with an external hardware-based load balancer.

The DirectAccess wizard takes care of the configuration of the Integrated Windows Network Load Balancing, but what about when an external hardware load balancer will be used?  Let’s have a look at the steps involved in accomplishing this task.

For the purpose of this article, we will assume that you already have an existing standalone DirectAccess 2012 server that currently works.

To configure your DirectAccess environment for use with the external hardware load balancer, we perform the following steps:

1) Log on to the DirectAccess server that is currently in operation. This will be Node1. Launch the Remote Access console to begin the DirectAccess configuration.

2) From the right-most pane, select “Configure Load Balancing”.

Configure Load Balancing

3) Select the option “Use an external load balancer” and click “Next”.

Use an external load balancer

4) The wizard will ask for a new dedicated IP address for Node 1. The existing dedicated IP address will be used as the virtual IP address of the load balancer to avoid requiring any DNS changes as a result of this process.

Add a dedicated IP address

If you receive the error message “Either the server is configured as an ISATAP router or no IPv6 addresses were detected on the internal adapter on the server. This is not supported in a cluster configured to use an external load balancer. Either deploy IPv6 in the internal network, or deploy an external ISATAP router, and configure IPv6 connectivity between the router and the Remote Access server”, then head over to Microsoft Support to obtain a hotfix that will resolve the issue. Once the hotfix has been applied, run through the steps again.

5) Click “Next” to proceed to the Summary page and then click “Commit” to apply the changes.

6) Upon committing the changes, you will see a warning message regarding ISATAP:

Changes committed

This warning occurs because ISATAP may no longer be usable on the DirectAccess server. In this scenario, there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on either DirectAccess server, or disable ISATAP completely, which also disables the “manage-out” functionality of DirectAccess.

7) Now head over to Node2 and use Roles and Features to add the Remote Access components.

Select server roles.

8) Once the Roles and Features installation is complete, be sure to import the IP-HTTPS certificate used in the initial DirectAccess configuration into the Computer Store of Node2. (A self-signed certificate will not work in this scenario.)

9) Now head back to Node1 and open the Remote Access console.

10) Look for the option “Add or Remove Servers” in the right pane.

Add or remove servers

11) Type in the name of Node2 and click “Next”.

Add or Remove Servers

12) Now select the Network Adapter and the IP-HTTPS certificate that Node2 will be using:

Network Adapters

13) Click “Commit” and then “Close” to apply the configuration.

14) Once the configuration is complete, you can click on the “Operations Status” link in the console to check the status of the array:

Operations Status link

Once the load balancer can communicate with both nodes, they should turn green with a check mark.

For more information about configuring the external load balancer, be sure to consult with the vendor of the equipment. For example, F5 published a great whitepaper on how to configure F5 load balancers to support DirectAccess.

And with that all completed, we have a single-NIC DirectAccess 2012 deployment with external load balancing!

  • Hi,

    Do you actually have this working in an environment? I find there are issues with DNS that prevent clients from successfully connecting. Would be interested to hear how you've got on with it.


  • Hi Jared,

    What sort of DNS problems are you having? Clients cannot connect to internal resources or the external interface of the DirectAccess infrastructure itself?


  • Hi Gregg,

    Thanks for getting back to me.

    Windows 8 clients will partially connect over IP-HTTPS. By this I mean that the Remote Client Status will show some information about the client, however not the full amount you would expect to see when it connects successfully. That's a bit confusing I realise, but basically when it's working correctly, you'll see the username for the currently logged on user and traffic in both directions. In its current state however, the username field doesn't have a value and there is no traffic out.

    On the client, the bit that it can't get past is attempting to reach network resources. It logs a message saying 'Windows is unable to resolve DNS names for probes'. The DTE connections are successful however, and I can also ping the IPv6 address (the 3333:1) that has been set as the DNS server. If you look at the security associations, there is one tunnel established for each of the main and quick modes. This is to one of the DTEs; however, when working correctly there will be ones to both DTEs.

    Keeping the configuration exactly the same but removing the load balancing option works straightaway.

    There were some hotfixes to install that resolved various issues around external load balancing and DNS but they've been applied and still no luck.

    Have you had to do any additional configuration to get things working?



  • Okay I think I understand the issue you are describing. I am going to do some investigating and testing. I'll post my findings soon.

  • Ok great. Look forward to hearing what you find out.


  • Hi Jared,

    Can you check a few things out for me please?

    If you look at the interfaces on each node in the array, are any of them duplicates/conflicts between the two nodes?

    My second point I need some clarification on is, does enabling load balancing break DirectAccess on a single server? Or does it stop working only when the second node is introduced?



  • Sorry, I had posted a reply but I find it sometimes doesn't actually seem to do anything on this site for some reason - they just disappear. I've now posted this 3 times.

    Anyway, I found that when you initially configure load balancing for two nodes the wizard sets the same IPv6 address for each node which results in a conflict. I just manually changed it on one of the nodes and then added that node back to the cluster and then there is no longer a conflict.

    On the other point, yes as soon as you enable load balancing on a single server it breaks the working configuration. I have added the second node (and the same issue persists), but for the most part I've done most of my testing with just the one node using an external load balancer as it doesn't make a huge amount of difference from that point of view whether there is 1 node or 8 or more.

    As soon as you enable load balancing using an external load balancer, DirectAccess no longer works, with the issue I mentioned previously being the result. The hotfix that was to do with DNS64 not working with an external load balancer (which sounds applicable to this scenario as it can't resolve internal IPv4 addresses used for connectivity checks etc.) doesn't seem to make any difference.

    What have you been able to find out on your end?

  • Excellent. Thanks for taking the time to provide the details.

    It seems like the issue is reproducible, but not always. Seems to be an issue that only affects some deployments and not others. I am doing some more research and testing and will post the results when I have some more information, but so far it seems like disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface instead of the loopback adapter resolves the issue.


  • Hi Gregg,

    Just wondering where you were able to get up to with this?



  • Hi Jared,

    Did disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface on the DirectAccess servers not correct the issue? I tested a few times and it seemed to work. I am curious to know if you are experiencing something different.



  • Hi Gregg,

    Thanks for coming back to me. Sorry, I thought you were confirming something first.

    Have used the following commands to set as suggested - perhaps you could confirm if they are the same ones you are using?

    Set-NetIPInterface -InterfaceAlias (Get-RemoteAccess).InternalInterface -AddressFamily IPv6 -DadTransmits 0

    Set-NetDnsTransitionConfiguration -AcceptInterface (Get-RemoteAccess).InternalInterface

    But I still have the same issue. In the remote access client status page, the 'Total Bytes In' for the client continuously increases but 'Total Bytes Out' never changes from 0 and it never completes the connection process. The logs on the client say there is still an issue with DNS - Windows is unable to resolve DNS names for probes.

    Are you getting complete connectivity after your changes? In these tests, are you using a single interface for the servers or multiple?



  • Hi Jared,

    The commands I used were the following:

    To disable Duplicate Address Detection:

    netsh int ipv6 set int <InterfaceID> dadtransmits=0

    To change DNS64:

    Set-NetDnsTransitionConfiguration -AcceptInterface <InterfaceID>

    Upon running the above commands and a quick reboot of each server, connectivity worked as you would expect. I reproduced this on servers with two interfaces.
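The following script is an added example, not code from the original post, from Gregg O'Brien or from Microsoft. It collects from each array node the items that the article's step 8 (IP-HTTPS certificate on Node2) and the thread above (DadTransmits on the internal interface, the DNS64 AcceptInterface setting, and conflicting IPv6 addresses between nodes) show are worth verifying, and prints a warning for each deviation. It assumes PowerShell remoting to the nodes, administrative rights, the RemoteAccess module on each node, and that Get-RemoteAccess exposes SslCertificate as a certificate object; the node names are placeholders.

```powershell
# Added verification script (not from the original article or from Microsoft).
# Assumptions: run as an administrator; PowerShell remoting is enabled to every
# node; the RemoteAccess module is installed on each node; Get-RemoteAccess
# returns SslCertificate as an X509Certificate2 (assumption, used for the
# thumbprint). Node names are placeholders.
$Nodes = @('Node1', 'Node2')   # placeholders: replace with your array members

# Runs on each node and returns one record with the values to check.
$Collect = {
    $ra       = Get-RemoteAccess
    $internal = $ra.InternalInterface                  # internal NIC alias, as used in the thread
    $thumb    = $ra.SslCertificate.Thumbprint          # IP-HTTPS certificate (assumption: property is a cert object)
    $cert     = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $thumb }
    $dad      = (Get-NetIPInterface -InterfaceAlias $internal -AddressFamily IPv6).DadTransmits
    $dns64    = Get-NetDnsTransitionConfiguration
    # Global IPv6 addresses on the internal interface; link-local addresses are skipped
    $v6       = Get-NetIPAddress -InterfaceAlias $internal -AddressFamily IPv6 |
                Where-Object { $_.IPAddress -notlike 'fe80*' } |
                Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        Node              = $env:COMPUTERNAME
        InternalInterface = $internal
        CertPresent       = [bool]$cert
        CertHasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        CertSelfSigned    = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
        DadTransmits      = $dad
        Dns64Accept       = ($dns64.AcceptInterface -join ',')
        IPv6Addresses     = @($v6)
    }
}

$results = Invoke-Command -ComputerName $Nodes -ScriptBlock $Collect

foreach ($r in $results) {
    $n = $r.Node
    if (-not $r.CertPresent) {
        Write-Warning "${n}: IP-HTTPS certificate not found in LocalMachine\My (article step 8)."
    } elseif (-not $r.CertHasPrivateKey) {
        Write-Warning "${n}: IP-HTTPS certificate is present but has no private key."
    }
    if ($r.CertSelfSigned) {
        Write-Warning "${n}: IP-HTTPS certificate is self-signed, which does not work in this scenario."
    }
    if ($r.DadTransmits -ne 0) {
        Write-Warning "${n}: DadTransmits=$($r.DadTransmits) on '$($r.InternalInterface)'; the workaround in the thread sets it to 0."
    }
    if ($r.Dns64Accept -ne $r.InternalInterface) {
        Write-Warning "${n}: DNS64 AcceptInterface is '$($r.Dns64Accept)', expected the internal interface '$($r.InternalInterface)'."
    }
}

# An IPv6 address configured on more than one node is the conflict described in the thread.
$results |
    ForEach-Object { $n = $_.Node; $_.IPv6Addresses | ForEach-Object { [pscustomobject]@{ Node = $n; Address = $_ } } } |
    Group-Object -Property Address |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "IPv6 address $($_.Name) is configured on more than one node: $($_.Group.Node -join ', ')" }

$results | Format-Table Node, InternalInterface, CertPresent, CertHasPrivateKey, DadTransmits, Dns64Accept -AutoSize
```

The script only reads configuration; applying the DadTransmits and AcceptInterface changes is left to the commands quoted in the thread so that an operator decides per node. The comparison of AcceptInterface against InternalInterface is a string comparison and assumes a single accept interface, which matches the output shown later in this thread.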


  • Hi Gregg,

    Thanks for the response.

    I checked my commands with yours and the outcome of both are the same, however just to ensure there are no discrepancies I have used yours but still end up with the same problem for clients.

    The only difference in my config I think is that I'm using a single NIC.

    So yesterday I decided I would remove all the config and switch the topology to using two NICs. I put back the exact same configuration and this time it works. I had wiped and started over again several times with the single NIC configuration, so pretty sure it wasn't something with the setup but rather an issue with using a single NIC with an external load balancer.

    Maybe something for Microsoft to look into further. There's obviously an issue as well the AcceptInterface value being incorrect when enabling Load Balancing.

    Anyway, thanks for your help with this. Got there in the end.


  • Gregg,

    I'm having a very similar issue.  We are using 3rd party load balancing but I was receiving the same error message Jared was receiving.  I followed the steps you had listed below, but that did not seem to help.  I then disabled Load Balancing in the Remote Access Management Console as a single system behind my F5 was previously working.  Now after disabling Load Balancing, I have a DNS error on the Operations Status page and it says the cause is "server responsiveness".  Testing DNS resolution from the server, everything appears normal although I don't get a NAT'd IPv6 address as I previously did. Any thoughts here?

    PS C:\Windows\system32> Get-NetDnsTransitionConfiguration

    State : Enabled
    AcceptInterface : {prd-directaccess-internal-int}
    SendInterface : {prd-directaccess-internal-int}
    OnlySendAQuery : True
    LatencyMilliseconds : 300
    AlwaysSynthesize : False
    ExclusionList : {removed}
    PrefixMapping : {removed}