How to Configure DirectAccess in Windows Server 2012 to Work with an External Hardware Load Balancer


Summary: Gregg O’Brien, a Microsoft Premier Field Engineer from Canada, provides insight and walks us through how to configure DirectAccess in Windows Server 2012 to work with an External Hardware Load Balancer.


DirectAccess is quickly becoming a popular solution for providing remote access to users, especially since the release of Windows Server 2012.  

DirectAccess can be installed in a standalone configuration using only one server, or it can be installed using one of two load balancing mechanisms: Integrated Windows Network Load Balancing and External Hardware Load Balancing.  Both of these methods have their benefits, but customers looking for load balancing across large geographies, higher levels of performance, or to leverage an existing investment may choose to go with an external hardware-based load balancer.

The DirectAccess wizard takes care of the configuration of the Integrated Windows Network Load Balancing, but what about when an external hardware load balancer will be used?  Let’s have a look at the steps involved in accomplishing this task.

For the purpose of this article, we will assume that you already have an existing standalone DirectAccess 2012 server that currently works.

To configure your DirectAccess environment for use with the external hardware load balancer, we perform the following steps:

1) Log on to the DirectAccess server that is currently in operation. This will be Node1. Launch the Remote Access console to begin the DirectAccess configuration.

2) From the right-most pane, select “Configure Load Balancing”.


Configure Load Balancing

3) Select the option “Use an external load balancer” and click “Next”.


Use an external load balancer


4) The wizard will ask for a new dedicated IP address for Node 1. The existing dedicated IP address will be used as the virtual IP address of the load balancer to avoid requiring any DNS changes as a result of this process.


Add a dedicated IP address

If you receive the error message “Either the server is configured as an ISATAP router or no IPv6 addresses were detected on the internal adapter on the server. This is not supported in a cluster configured to use an external load balancer. Either deploy IPv6 in the internal network, or deploy an external ISATAP router, and configure IPv6 connectivity between the router and the Remote Access server”, then head over to Microsoft Support to obtain a hotfix that will resolve the issue. Once the hotfix has been applied, run through the steps again.

5) Click “Next” to proceed to the Summary page and then click “Commit” to apply the changes.

6) Upon committing the changes, you will see a warning message regarding ISATAP:


Changes committed

This warning occurs because we may not be able to use ISATAP on the DirectAccess server any longer. In this scenario, there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on either DirectAccess server, or disable ISATAP completely, which then disables the “manage-out” functionality of DirectAccess.

7) Now head over to Node2 and configure the Roles and Features to add the Remote Access components.


Select server roles.

8) Once the Roles and Features installation is complete, be sure to import the IP-HTTPS certificate used in the initial DirectAccess configuration into the Computer Store of Node2. (A self-signed certificate will not work in this scenario.)

9) Now head back to Node1 and open the Remote Access console.

10) Look for the option to “Add or Remove Servers” in the right pane.


Add or remove servers

11) Type in the name of Node2 and click “Next”.

Add or Remove Servers

12) Now select the Network Adapter and the IP-HTTPS certificate that Node2 will be using:


Network Adapters

13) Click “Commit” and then “Close” to apply the configuration.

14) Once the configuration is complete, you can click on the “Operations Status” link in the console to check the status of the array:


Operations Status link

Once the load balancer can communicate with both nodes, they should turn green with a check mark.
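The same procedure (steps 3 through 14) can be driven from PowerShell on Node1 with the RemoteAccess module, which is also useful for checking the prerequisites the wizard assumes. This is an added example, not part of the original article: server names, the dedicated IP address, the adapter name and the certificate thumbprint are placeholders, and the cmdlet parameters are given as I understand them, so confirm each one with Get-Help before running.

```powershell
# Added example (not from the original article). Run on Node1 as an administrator.
Import-Module RemoteAccess
$node1  = 'DA-NODE1'            # placeholder: existing, working DirectAccess server
$node2  = 'DA-NODE2'            # placeholder: server being added to the array
$newDip = '192.0.2.11/24'       # placeholder: new DIP for Node1; its old IP becomes the VIP
$thumb  = '<IP-HTTPS certificate thumbprint>'   # placeholder

# Step 8 check: the IP-HTTPS certificate must already be in Node2's computer store
# and must not be self-signed (subject equals issuer) before Node2 joins the array.
$cert = Invoke-Command -ComputerName $node2 -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $using:thumb }
}
if (-not $cert) {
    throw "IP-HTTPS certificate $thumb was not found in the computer store on $node2"
}
if ($cert.Subject -eq $cert.Issuer) {
    throw "Certificate $thumb is self-signed, which is not supported with an external load balancer"
}

# Step 6 check: with an external load balancer the DA servers should no longer be
# used as the ISATAP router, so the internal DNS should not publish an ISATAP record.
if (Resolve-DnsName -Name "isatap.$env:USERDNSDOMAIN" -ErrorAction SilentlyContinue) {
    Write-Warning 'ISATAP is still published in internal DNS; remove the record or front ISATAP with an internal load balancer'
}

# Steps 3-5: switch the array to an external load balancer. In a single-NIC
# deployment there is one adapter, so only one new dedicated IP is supplied.
Set-RemoteAccessLoadBalancer -Enable -ExternalLoadBalancer `
    -InternetDedicatedIPAddress $newDip -Force

# Steps 10-13: add Node2 to the array. The interface name must match the
# adapter name as it appears on Node2 (placeholder below).
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer $node2 `
    -InternetInterface 'Ethernet' -Force

# Step 14: confirm array membership and per-node health. Both nodes report
# healthy once the load balancer can reach them.
Get-RemoteAccessLoadBalancer
foreach ($n in $node1, $node2) {
    Get-RemoteAccessHealth -ComputerName $n | Format-Table -AutoSize
}
```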

For more information about configuring the external load balancer, be sure to consult with the vendor of the equipment. For example, F5 published a great whitepaper on how to configure F5 load balancers to support DirectAccess.

And with that all completed, we have a single-NIC DirectAccess 2012 deployment with external load balancing!

  • Hi,

    I see that there are some complaints here about the fact that the DNS stops working when the load balancer is in place. You can see that the DA connected clients no longer can ping the IPv6 DNS64 address nor use it for name resolution, while it still works perfectly on the DA server itself.

    Had this issue as well and started a support case on it; while the case was running a patch was released for it: support.microsoft.com/.../en-us

    I hope that it fixes your problem as well.

    Rgrds

    Johan

  • Were you able to set up a manage-out connection using an external hardware load balancer?  Or any idea how to do this?

  • Hey everyone,

    Sorry for not replying sooner.

    DC1233, the hotfix that Johan (thanks for posting that Johan) posted should address your issue. Have you tried it?

    Brajesh, you would need to have a load balancer located internally as well and that load balancer will have to be able to load balance ISATAP addresses and/or native IPv6 addresses as well, between the two DirectAccess servers.

    Gregg

  • Thanks for the great write-up!

    Can you clarify something in step 6?  When you say "disable ISATAP completely", do you mean to just not publish it in DNS, or is there something to actually disable on the Remote Access Server?  

    In other words, if I'm not using Manage Out, and haven't published ISATAP in internal DNS, is there anything I need to do?

    Regards,

    Grey

  • Sorry for the 2nd question...

    Single NIC setup.  When I try to enable load balancing, the wizard asks me to provide a new IPv6 DIP, and instructs me to configure the current static IPv6 address on the server (which is the DNS64 server address) as the VIP on the load balancer.    Given that the load balancer is only going to be forwarding the IP-HTTPS traffic on port 443, this doesn't make sense to me.  Shouldn't all servers in the cluster have the same DNS64 server address?

  • Hi GreysonM,

    Not publishing ISATAP in DNS would be fine. The general idea is, we don't want people trying to use any single DA server as their ISATAP router, because if it does in fact go down, then clients may lose connectivity.

    Your second question is a bit trickier. Here is the idea: When we are setting up the load balanced infrastructure with an external load balancing device, what we are really doing is setting up two servers individually, and then configuring the group policy to point to the load balancer interfaces instead of each individual server. So when the wizard asks you for the new IP, really all it's doing is configuring the servers for an individual IP which the load balancer will forward to. This then implies however, that in your case (single NIC scenario), you would have a load balancer internally to load balance traffic from the internal network to the DA servers as well as an external load balancer to load balance the IP-HTTPS traffic. If all the servers in the array had the same address as per your question, then this would imply that we are using some form of Windows Integrated Load Balancing, which is not the objective here. At least not based on what I wrote in this particular article.

    Hopefully that makes it a bit clearer (and not worse) :)

    Thanks!

    Gregg

  • Thanks Gregg!

    Regarding disabling the ISATAP router, I just wanted to confirm that I did not need to disable the ISATAP protocol on the server via policy.  Sounds like that is not needed. In fact, while testing a few things, I enabled Load Balancing via PowerShell instead of the GUI, and the warning there is more clear - do not publish in DNS.  

    Regarding the DIPs.  I understand that each server needs a unique IPv4 DIP as shown in your article, but what is tripping me up is that when I run the "Enable Load Balancing" wizard on my single NIC server in a non-IPv6 environment, the GUI asks me for a new IPv4 AND new IPv6 address to assign to the server, and tells me to put the current IPv4 and IPv6 addresses on the load balancer.  This doesn't really make sense, as my network is IPv4 only.  AND the IPv6 address that is currently on the server is ONLY used for the DNS64 server, so is only accessed through the tunnel, which means that the load balancer would never see it anyway.

    In your screen shots above, I only see your server asking you for a new IPv4 address.  

    PowerShell seems to let me enable load balancing with only specifying a new IPv4 DIP, so I'm wondering if the GUI is just wrong.

    Thanks again for your insight!

  • Looks like I answered my own question...

    technet.microsoft.com/.../hh831830.aspx

    see the "Known issues" section.  Looks like there IS a bug in the wizard.

  • When you configure load balancing with an external LB, it only asks for one IPv4 address for the VIP. Does this mean that Teredo is not available in a load balanced implementation?

  • Hi, I am quite new to DirectAccess and was looking for some help. I will be deploying DA in an environment and would need an idea about the number of IPs that I need to block for my setup. The configuration is a Two NIC configuration behind a Fortigate Firewall and an F5. I will be using 4 DA Servers to begin with since the setup requires support in the thousands. Also, it's all IP-HTTPS Setup with an IPv4 only based Intranet. I have blocked 4 IPs for DA on the External interface and 4 IPs on the Internal Interface. I will block one more IP on the external as well as internal interface for the VIP. Besides these, do I need to take care of any other issues before I implement? Thanks in advance.

    Internet---->Fortigate Firewall---->F5--->DA Cluster--->F5----Internal Firewall--->Corporate Network

  • Thanks for the great explanation. However, should we always have 2 load balancers, one at external interface and the other at internal interface? The client gets the IPv6 address of the internal DNS server from NRPT, and it should use that IPv6 address to reach any DA server in the farm.

    Also, should the 2 load balancers always assign the client to the same DA server?

  • I have the same problem as described by some users in this thread: name resolution stops working while the DA server can be pinged through the tunnel. This only happens when an external load balancer is configured.

    But I am using Server 2012 R2, which I would expect not to have this issue. The load balancer is a Kemp in a single-NIC setup.

    Same problem in two different environments.

    Anyone?

  • Does this Direct Access setup explained require the external load balancer being in front or behind the DA setup?

  • I'm also using external load balancing with a single NIC setup in a DA cluster and am experiencing the same problems. I can't resolve IPv4 addresses to the internal network, but I can RDP to FQDN names and browse internal web sites and file shares.
    Windows 8.1 is in a constant "connecting" state.
    Has anyone found a fix for this? Thanks.

  • I have been working on rebuilding my DA environment since I needed to move it to a new external IP address. When I did, I moved it to an external LB (Kemp). With this comes the fact that you can't run ISATAP on both servers.

    To clarify, I can run it on one OR the other successfully but I lose resiliency, correct? The alternative is to build a separate server to run ISATAP on, but I still have no resiliency there either. Correct?

    The only way this could work in a true LB / failover situation is if the Kemp supports LB'ing ISATAP on the device. Am I correct?