How to Configure DirectAccess in Windows Server 2012 to Work with an External Hardware Load Balancer



Summary:  Gregg O’Brien, a Microsoft Premier Field Engineer from Canada, provides insight and walks us through how to configure DirectAccess in Windows Server 2012 to work with an External Hardware Load Balancer.


DirectAccess is quickly becoming a popular solution for providing remote access to users, especially since the release of Windows Server 2012.  

DirectAccess can be installed in a standalone configuration using only one server, or it can be installed using one of two load balancing mechanisms: Integrated Windows Network Load Balancing and External Hardware Load Balancing.  Both of these methods have their benefits, but customers looking for load balancing across large geographies, higher levels of performance, or to leverage an existing investment may choose to go with an external hardware-based load balancer.

The DirectAccess wizard takes care of the configuration of the Integrated Windows Network Load Balancing, but what about when an external hardware load balancer will be used?  Let’s have a look at the steps involved in accomplishing this task.

For the purpose of this article, we will assume that you already have an existing standalone DirectAccess 2012 server that currently works.

To configure your DirectAccess environment for use with the external hardware load balancer, we perform the following steps:

1) Log on to the DirectAccess server that is currently in operation; this will be Node1. Launch the Remote Access console to begin the DirectAccess configuration.

2) From the right-most pane, select “Configure Load Balancing”.

[Screenshot: Configure Load Balancing]

3) Select the option “Use an external load balancer” and click “Next”.

[Screenshot: Use an external load balancer]

4) The wizard will ask for a new dedicated IP address for Node1. The existing dedicated IP address is reused as the virtual IP address of the load balancer, so no DNS changes are required as a result of this process.

[Screenshot: Add a dedicated IP address]

If you receive the error message “Either the server is configured as an ISATAP router or no IPv6 addresses were detected on the internal adapter on the server. This is not supported in a cluster configured to use an external load balancer. Either deploy IPv6 in the internal network, or deploy an external ISATAP router, and configure IPv6 connectivity between the router and the Remote Access server”, then head over to Microsoft Support to obtain a hotfix that will resolve the issue. Once the hotfix has been applied, run through the steps again.

5) Click “Next” to proceed to the Summary page and then click “Commit” to apply the changes.

6) Upon committing the changes, you will see a warning message regarding ISATAP:

[Screenshot: Changes committed]

This warning occurs because we may no longer be able to use ISATAP on the DirectAccess server. In this scenario there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on one of the DirectAccess servers, or disable ISATAP completely, which then disables the “manage-out” functionality of DirectAccess.

7) Now head over to Node2 and configure the Roles and Features to add the Remote Access components.

[Screenshot: Select server roles]

8) Once the Roles and Features installation is complete, be sure to import the IP-HTTPS certificate used in the initial DirectAccess configuration into the computer certificate store of Node2. (A self-signed certificate will not work in this scenario.)

9) Now head back to Node1 and open the Remote Access console.

10) Look for the option “Add or Remove Servers” in the right pane.

[Screenshot: Add or Remove Servers]

11) Type in the name of Node2 and click “Next”.

[Screenshot: Add or Remove Servers – server name]

12) Now select the Network Adapter and the IP-HTTPS certificate that Node2 will be using:

[Screenshot: Network Adapters]

13) Click “Commit” and then “Close” to apply the configuration.

14) Once the configuration is complete, you can click on the “Operations Status” link in the console to check the status of the array:

[Screenshot: Operations Status link]

Once the load balancer can communicate with both nodes, they should turn green with a check mark.
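For the array built in the steps above, this added check script (not from the article or the product documentation) verifies from Node1 the points this page and its comment thread single out: external load balancing enabled, a non-self-signed IP-HTTPS certificate with its private key on each node, DNS64 accepting queries on the internal interface, duplicate address detection off, and cluster health. It assumes PowerShell remoting to both nodes, the host names NODE1/NODE2, the certificate subject shown, and that the RemoteAccess cmdlets expose the output property names used here (LoadBalancing, ThirdPartyLoadBalancer, HealthState, RemoteAccessServer, Component).

```powershell
# Added example (not part of the original article): post-configuration checks for
# the external-load-balancer array built in steps 1-14, run from Node1 with
# PowerShell remoting enabled on both nodes. Host names, the certificate subject
# and the output property names of the RemoteAccess cmdlets are assumptions.
$ErrorActionPreference = 'Stop'
Import-Module RemoteAccess

$Nodes       = @('NODE1', 'NODE2')      # assumed host names of the array members
$CertSubject = 'CN=da.example.com'      # assumed subject of the IP-HTTPS certificate
$problems    = New-Object 'System.Collections.Generic.List[string]'

# 1. The array itself: load balancing must be on and of the external (third-party) kind.
$lb = Get-RemoteAccessLoadBalancer
if ($lb.LoadBalancing -ne 'Enabled') { $problems.Add('Load balancing is not enabled') }
if (-not $lb.ThirdPartyLoadBalancer) { $problems.Add('Array is not using an external load balancer') }

# 2. Per-node checks, collected remotely so the same script covers both nodes.
foreach ($node in $Nodes) {
    $r = Invoke-Command -ComputerName $node -ArgumentList $CertSubject -ScriptBlock {
        param($subject)
        $internal = (Get-RemoteAccess).InternalInterface
        [pscustomobject]@{
            Internal        = $internal
            AcceptInterface = @((Get-NetDnsTransitionConfiguration).AcceptInterface)
            DadTransmits    = (Get-NetIPInterface -InterfaceAlias $internal -AddressFamily IPv6).DadTransmits
            Cert            = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject }
        }
    }

    # Step 8: the IP-HTTPS certificate must be in the computer store of every node,
    # with its private key, and must not be self-signed (issuer equal to subject).
    if (-not $r.Cert) {
        $problems.Add("${node}: IP-HTTPS certificate '$CertSubject' is missing")
    } else {
        $cert = @($r.Cert)[0]
        if (-not $cert.HasPrivateKey)       { $problems.Add("${node}: IP-HTTPS certificate has no private key") }
        if ($cert.Subject -eq $cert.Issuer) { $problems.Add("${node}: IP-HTTPS certificate is self-signed") }
    }

    # Comment thread: DNS64 must accept queries on the internal interface, not the
    # loopback adapter, or clients cannot resolve names through the tunnel.
    if ($r.AcceptInterface -notcontains $r.Internal) {
        $problems.Add("${node}: DNS64 AcceptInterface is '$($r.AcceptInterface -join ',')', expected '$($r.Internal)'")
    }
    # Comment thread: duplicate address detection was disabled on the internal
    # interface as part of the fix, so report when it is still on.
    if ($r.DadTransmits -ne 0) {
        $problems.Add("${node}: IPv6 DadTransmits on '$($r.Internal)' is $($r.DadTransmits), expected 0")
    }
}

# 3. Step 14 without the GUI: anything the Operations Status page would not show
# green. Components you disabled on purpose (ISATAP, for example) appear here too.
Get-RemoteAccessHealth -Cluster |
    Where-Object { $_.HealthState -ne 'OK' } |
    ForEach-Object { $problems.Add("$($_.RemoteAccessServer): $($_.Component) is $($_.HealthState)") }

if ($problems.Count -eq 0) { 'Array checks passed' } else { $problems }
```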

For more information about configuring the external load balancer, be sure to consult with the vendor of the equipment. For example, F5 published a great whitepaper on how to configure F5 load balancers to support DirectAccess.

And with that all completed, we have a single-NIC DirectAccess 2012 deployment with external load balancing!

Comments (34)

  1. Anonymous says:

    Gregg,

I'm having a very similar issue.  We are using 3rd party load balancing but I was receiving the same error message Jared was receiving.  I followed the steps you had listed below, but that did not seem to help.  I then disabled Load Balancing in the Remote Access Management Console as a single system behind my F5 was previously working.  Now after disabling Load Balancing, I have a DNS error on the Operations Status page and it says the cause is "server responsiveness".  Testing DNS resolution from the server, everything appears normal although I don't get a NAT'd IPv6 address as I previously did. Any thoughts here?

PS C:\Windows\system32> Get-NetDnsTransitionConfiguration

    State : Enabled

    AcceptInterface : {prd-directaccess-internal-int}

    SendInterface : {prd-directaccess-internal-int}

    OnlySendAQuery : True

    LatencyMilliseconds : 300

    AlwaysSynthesize : False

    ExclusionList : {removed}

    PrefixMapping : {removed}

  2. Anonymous says:

    Thanks Gregg!

    Regarding disabling the ISATAP router, I just wanted to confirm that I did not need to disable the ISATAP protocol on the server via policy.  Sounds like that is not needed. In fact, while testing a few things, I enabled Load Balancing via Powershell instead of the GUI, and the warning there is more clear – do not publish in DNS.  

Regarding the DIPs.  I understand that each server needs a unique IPv4 DIP as shown in your article, but what is tripping me up is that when I run the "Enable Load Balancing" wizard on my single NIC server in a non-IPv6 environment, the GUI asks me for a new IPv4 AND new IPv6 address to assign to the server, and tells me to put the current IPv4 and IPv6 addresses on the load balancer.  This doesn't really make sense, as my network is IPv4 only.  AND the IPv6 address that is currently on the server is ONLY used for the DNS64 server, so is only accessed through the tunnel, which means that the load balancer would never see it anyway.

    In your screen shots above, I only see your server asking you for a new IPv4 address.  

    Powershell seems to let me enable load balancing with only specifying a new IPv4 DIP, so I'm wondering if the GUI is just wrong.

    Thanks again for your insight!

  3. Anonymous says:

    Looks like I answered my own question…

    technet.microsoft.com/…/hh831830.aspx

    see the "Known issues" section.  Looks like there IS a bug in the wizard.

  4. open24hrs says:

    Does this Direct Access setup explained require the external load balancer being in front or behind the DA setup?

  5. Anonymous says:

    Hi GreysonM,

    Not publishing ISATAP in DNS would be fine. The general idea is, we don't want people trying to use any single DA server as their ISATAP router, because if it does in fact go down, then clients may lose connectivity.

Your second question is a bit trickier. Here is the idea: When we are setting up the load balanced infrastructure with an external load balancing device, what we are really doing is setting up two servers individually, and then configuring the group policy to point to the load balancer interfaces instead of each individual server. So when the wizard asks you for the new IP, really all it's doing is configuring the servers for an individual IP which the load balancer will forward to. This then implies however, that in your case (single NIC scenario), you would have a load balancer internally to load balance traffic from the internal network to the DA servers as well as an external load balancer to load balance the IP-HTTPS traffic. If all the servers in the array had the same address as per your question, then this would imply that we are using some form of Windows Integrated Load Balancing, which is not the objective here. At least not based on what I wrote in this particular article.

    Hopefully that makes it a bit clearer (and not worse) 🙂

    Thanks!

    Gregg

  6. Anonymous says:

    Hi Jared,

    What sort of DNS problems are you having? Clients cannot connect to internal resources or the external interface of the DirectAccess infrastructure itself?

    Gregg

  7. Anonymous says:

    Hi Jared,

    Did disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface on the DirectAccess servers not correct the issue? I tested a few times and it seemed to work. I am curious to know if you are experiencing something different.

    Thanks,

    Gregg

  8. Anonymous says:

    Hi Jared,

    The commands I used were the following:

    To disable Duplicate Address Detection:

    netsh int ipv6 set int <InterfaceID> dadtransmits=0

To change DNS64:

Set-NetDnsTransitionConfiguration -AcceptInterface <InterfaceID>

Upon running the above commands and a quick reboot of each server, connectivity worked as you would expect. I reproduced this on servers with two interfaces.

    Gregg

  9. Anonymous says:

    Hey everyone,

    Sorry for not replying sooner.

    DC1233, the hotfix that Johan (thanks for posting that Johan) posted should address your issue. Have you tried it?

    Brajesh, you would need to have a load balancer located internally as well and that load balancer will have to be able to load balance ISATAP addresses and/or native IPv6 addresses as well, between the two DirectAccess servers.

    Gregg

  10. Anonymous says:

    Thanks for the great write-up!

    Can you clarify something in step 6?  When you say "disable ISATAP completely", do you mean to just not publish it in DNS, or is there something to actually disable on the Remote Access Server?  

    In other words, if I'm not using Manage Out, and haven't published ISATAP in internal DNS, is there anything I need to do?

    Regards,

    Grey

  11. Anonymous says:

Were you able to set up a manage out connection using an external hardware load balancer?  Or any idea how to do this?

  12. Anonymous says:

    Sorry for the 2nd question…

    Single NIC setup.  When I try to enable load balancing, the wizard asks me to provide a new IPv6 DIP, and instructs me to configure the current static IPv6 address on the server (which is the DNS64 server address) as the VIP on the load balancer.    Given that the load balancer is only going to be forwarding the IP-HTTPS traffic on port 443, this doesn't make sense to me.  Shouldn't all servers in the cluster have the same DNS64 server address?

  13. Anonymous says:

    Okay I think I understand the issue you are describing. I am going to do some investigating and testing. I'll post my findings soon.

  14. Anonymous says:

    Excellent. Thanks for taking the time to provide the details.

    It seems like the issue is reproducible, but not always. Seems to be an issue that only affects some deployments and not others. I am doing some more research and testing and will post the results when I have some more information, but so far it seems like disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface instead of the loopback adapter resolves the issue.

  15. Anonymous says:

    Hi Jarid,

    Can you check a few things out for me please?

    If you look at the interfaces on each node in the array, are any of them duplicates/conflicts between the two nodes?

    My second point I need some clarification on is, does enabling load balancing break DirectAccess on a single server? Or does it stop working only when the second node is introduced?

    Thanks,

    Gregg

  16. Anonymous says:

Hi, I am quite new to DirectAccess and was looking for some help. I will be deploying DA in an environment and would need an idea about the number of IPs that I need to block for my setup. The configuration is a Two NIC configuration behind a Fortigate Firewall and an F5. I will be using 4 DA Servers to begin with since the setup is required to support thousands. Also, it's all IP-HTTPS Setup with an IPv4 only based Intranet. I have blocked 4 IPs for DA on the External interface and 4 IPs on the Internal Interface. I will block one more IP on the external as well as the internal interface for the VIP. Besides these, do I need to take care of any other issues before I implement? Thanks in advance.

Internet -> Fortigate Firewall -> F5 -> DA Cluster -> F5 -> Internal Firewall -> Corporate Network

  17. Anonymous says:

The following statement is incorrect: "disable ISATAP completely which then disables the “manage-out” functionality of DirectAccess."
ISATAP manage out can still be carried out using IPv6 from the management servers.

    The initial documentation for Server 2012 DA states "ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6."
    F5 have a helpful KB article about manage out using IPv6:
    https://devcentral.f5.com/articles/direct-access-on-windows-2012-r2-manage-out-with-a-hardware-load-balancer

  18. JaredCEG says:

    Hi,

Do you actually have this working in an environment? I find there are issues with DNS that prevent clients from successfully connecting. Would be interested to hear how you've got on with it.

    Thanks.

  19. JaredCEG says:

    Hi Gregg,

    Thanks for getting back to me.

Windows 8 clients will partially connect over IP-HTTPS. By this I mean that the Remote Client Status will show some information about the client, however not the full amount you would expect to see when it connects successfully. That's a bit confusing I realise, but basically when it's working correctly, you'll see the username for the currently logged on user and traffic in both directions. In its current state however, the username field doesn't have a value and there is no traffic out.

On the client, the bit that it can't get past is attempting to reach network resources. It logs a message saying 'Windows is unable to resolve DNS names for probes'. The DTE connections are successful however, and I can also ping the IPv6 address (the 3333:1) that has been set as the DNS server. If you look at the security associations, there is one tunnel established for each of the main and quick modes. This is to one of the DTEs; however, when working correctly there will be ones to both DTEs.

    Keeping the configuration exactly the same but removing the load balancing option works straightaway.

    There were some hotfixes to install that resolved various issues around external load balancing and DNS but they've been applied and still no luck.

Have you had to do any additional configuration to get things working?

    Thanks,

    Jared

  20. JaredCEG says:

    Ok great. Look forward to hearing what you find out.

    Thanks.

  21. JaredCEG says:

    Sorry, I had posted a reply but I find it sometimes doesn't actually seem to do anything on this site for some reason – they just disappear. I've now posted this 3 times.

    Anyway, I found that when you initially configure load balancing for two nodes the wizard sets the same IPv6 address for each node which results in a conflict. I just manually changed it on one of the nodes and then added that node back to the cluster and then there is no longer a conflict.

    On the other point, yes as soon as you enable load balancing on a single server it breaks the working configuration. I have added the second node (and the same issue persists), but for the most part I've done most of my testing with just the one node using an external load balancer as it doesn't make a huge amount of difference from that point of view whether there is 1 node or 8 or more.

    As soon as you enable load balancing using an external load balancer, DirectAccess no longer works, with the issue I mentioned previously being the result. The hotfix that was to do with DNS64 not working with an external load balancer (which sounds applicable to this scenario as it can't resolve internal IPv4 addresses used for connectivity checks etc.) doesn't seem to make any difference.

    What have you been able to find out on your end?

  23. JaredCEG says:

    Hi Gregg,

    Just wondering where you were able to get up to with this?

    Thanks,

    Jared

  24. JaredCEG says:

    Hi Gregg,

    Thanks for coming back to me. Sorry, I thought you were confirming something first.

    Have used the following commands to set as suggested – perhaps you could confirm if they are the same ones you are using?

Set-NetIPInterface -InterfaceAlias (Get-RemoteAccess).InternalInterface -AddressFamily IPv6 -DadTransmits 0

Set-NetDnsTransitionConfiguration -AcceptInterface (Get-RemoteAccess).InternalInterface

    But I still have the same issue. In the remote access client status page, the 'Total Bytes In' for the client continuously increases but 'Total Bytes Out' never changes from 0 and it never completes the connection process. The logs on the client say there is still an issue with DNS – Windows is unable to resolve DNS names for probes.

    Are you getting complete connectivity after your changes? In these tests, are you using a single interface for the servers or multiple?

    Thanks,

    Jared

  25. JaredCEG says:

    Hi Gregg,

    Thanks for the response.

I checked my commands with yours and the outcome of both is the same; however, just to ensure there are no discrepancies I have used yours but still end up with the same problem for clients.

    The only difference in my config I think is that I'm using a single NIC.

So yesterday I decided I would remove all the config and switch the topology to using two NICs. I put back the exact same configuration and this time it works. I had wiped and started over again several times with the single NIC configuration so I'm pretty sure it wasn't something with the setup but rather an issue with using a single NIC with an external load balancer.

Maybe something for Microsoft to look into further. There's obviously an issue as well with the AcceptInterface value being incorrect when enabling Load Balancing.

    Anyway, thanks for your help with this. Got there in the end.

    Jared

  26. Johan says:

    Hi,

I see that there are some complaints here about the fact that the DNS stops working when the load balancer is in place. You can see that the DA connected clients no longer can ping the IPv6 DNS64 address nor use it for name resolution, while it still works perfectly on the DA server itself.

Had this issue as well and started a support case on it; while the case was running a patch was released for it: support.microsoft.com/…/en-us

    I hope that it fixes your problem as well.

    Rgrds

    Johan

  27. Brian says:

    When you configure load balancing with an external LB, it only asks for one IPv4 address for the VIP. Does this mean that Teredo is not available in a load balanced implementation?

  28. Dennis says:

    Thanks for the great explanation. However, should we always have 2 load balancers, one at external interface and the other at internal interface? The client gets the IPv6 address of the internal DNS server from NRPT, and it should use that IPv6 address to reach any DA server in the farm.

    Also, should the 2 load balancers always assign the client to the same DA server?

  29. Oletho says:

I have the same problem as described by some users in this thread: name resolution stops working while the DA server can be pinged through the tunnel. This only happens when an external load balancer is configured.

But I am using Server 2012 R2, which I would expect not to have this issue. The load balancer is a Kemp in a single-NIC setup.

    Same problem in two different environments.

    Anyone?

  30. 22bene says:

I’m also using external load balancing with a single-NIC setup in a DA cluster and am experiencing the same problems. I can't resolve IPv4 addresses to the internal network, but I can RDP to FQDN names and browse internal web sites and file shares.
Windows 8.1 is in a constant "connecting" state.
Has anyone found a fix for this? Thanks.

  32. Neil says:

I have been working on rebuilding my DA environment since I needed to move it to a new external IP address. When I did, I moved it to an external LB (Kemp). With this comes the fact that you can't run ISATAP on both servers.

To clarify, I can run it on one OR the other successfully but I lose resiliency, correct? The alternative is to build a separate server to run ISATAP on, but I still have no resiliency there either. Correct?

    The only way this could work in a true LB / failover situation is if the Kemp supports LB’ing ISATAP on the device. Am I correct?

    1. Koen says:

      I have the same question as Neil, can ISATAP be enabled on one of the nodes in a cluster when using an external load balancer?

33. Hi,

    I have an issue: when I configured DA to use the HLB, I gave it a dedicated IP, for example 172.x.x.x, while the server IP address is 10.x.x.x. Once I did this, the connection to the server was lost, and when logging in using a domain account it says it cannot communicate with the domain controller. After logging on locally I found the TCP/IP settings empty, and I cannot configure them; each time I do, the settings are cleared.

    Any idea?