How to Configure DirectAccess in Windows Server 2012 to Work with an External Hardware Load Balancer


Summary: Gregg O’Brien, a Microsoft Premier Field Engineer from Canada, provides insight and walks us through how to configure DirectAccess in Windows Server 2012 to work with an External Hardware Load Balancer.


DirectAccess is quickly becoming a popular solution for providing remote access to users, especially since the release of Windows Server 2012.  

DirectAccess can be installed in a standalone configuration using only one server, or it can be installed using one of two load balancing mechanisms: Integrated Windows Network Load Balancing and External Hardware Load Balancing.  Both of these methods have their benefits, but customers looking for load balancing across large geographies, higher levels of performance, or to leverage an existing investment may choose to go with an external hardware-based load balancer.

The DirectAccess wizard takes care of the configuration of the Integrated Windows Network Load Balancing, but what about when an external hardware load balancer will be used?  Let’s have a look at the steps involved in accomplishing this task.

For the purpose of this article, we will assume that you already have an existing standalone DirectAccess 2012 server that currently works.

To configure your DirectAccess environment for use with the external hardware load balancer, we perform the following steps:

1) Log on to the DirectAccess server that is currently in operation. This will be Node1. Launch the Remote Access console to begin the DirectAccess configuration.

2) From the right-most pane, select “Configure Load Balancing”.

Configure Load Balancing

3) Select the option “Use an external load balancer” and click “Next”.

Use an external load balancer

4) The wizard will ask for a new dedicated IP address for Node 1. The existing dedicated IP address will be used as the virtual IP address of the load balancer to avoid requiring any DNS changes as a result of this process.

Add a dedicated IP address

If you receive the error message “Either the server is configured as an ISATAP router or no IPv6 addresses were detected on the internal adapter on the server. This is not supported in a cluster configured to use an external load balancer. Either deploy IPv6 in the internal network, or deploy an external ISATAP router, and configure IPv6 connectivity between the router and the Remote Access server”, then head over to Microsoft Support to obtain a hotfix that will resolve the issue. Once the hotfix has been applied, run through the steps again.

5) Click “Next” to proceed to the Summary page and then click “Commit” to apply the changes.

6) Upon committing the changes, you will see a warning message regarding ISATAP:

Changes committed

This warning occurs because we may not be able to use ISATAP on the DirectAccess server any longer. In this scenario, there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on either DirectAccess server, or disable ISATAP completely, which then disables the “manage-out” functionality of DirectAccess.

7) Now head over to Node2 and configure the Roles and Features to add the Remote Access components.

Select server roles.

8) Once the Roles and Features installation is complete, be sure to import the IP-HTTPS certificate used in the initial DirectAccess configuration into the Computer Store of Node2. (A self-signed certificate will not work in this scenario.)

9) Now head back to Node1 and open the Remote Access console.

10) Look for the option “Add or Remove Servers” in the right pane.

Add or remove servers

11) Type in the name of Node2 and click “Next”.

Add or Remove Servers

12) Now select the Network Adapter and the IP-HTTPS certificate that Node2 will be using:

Network Adapters

13) Click “Commit” and then “Close” to apply the configuration.

14) Once the configuration is complete, you can click on the “Operations Status” link in the console to check the status of the array:

Operations Status link

Once the load balancer can communicate with both nodes, they should turn green with a check mark.
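The same steps can be driven from PowerShell with the RemoteAccess module that ships with Windows Server 2012. This is an added example, not from the original article; the host name, addresses, adapter name, certificate path and thumbprint are placeholders, and it assumes a single-NIC deployment in which the new Node1 address maps to the `-InternalDedicatedIPAddress` parameter.

```powershell
# Added example (not part of the original article). Run on Node1, the existing,
# working DirectAccess server. All names, addresses and paths are placeholders.

$node2       = 'NODE2.corp.example'            # hypothetical second array member
$newNode1Dip = '2001:db8:10::11/64'            # new dedicated IP for Node1 (step 4); its current
                                               # address becomes the load balancer VIP, so DNS stays unchanged
$adapter     = 'Ethernet'                      # single-NIC topology: one adapter serves both roles
$pfxPath     = '\\fileserver\certs\iphttps.pfx' # the IP-HTTPS certificate from the initial configuration
$thumbprint  = '0000000000000000000000000000000000000000'  # placeholder thumbprint of that certificate
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Steps 2-5: switch the array to an external load balancer and give Node1 its new DIP.
Set-RemoteAccessLoadBalancer -ExternalLoadBalancer `
    -InternalDedicatedIPAddress $newNode1Dip -PassThru

# Step 7: install the Remote Access role on Node2 from here.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools -ComputerName $node2

# Step 8: import the CA-issued (not self-signed) IP-HTTPS certificate into Node2's computer store.
Invoke-Command -ComputerName $node2 -ScriptBlock {
    param($path, $pwd)
    Import-PfxCertificate -FilePath $path -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pwd
} -ArgumentList $pfxPath, $pfxPassword

# Steps 10-13: join Node2 to the array. The certificate object is taken from Node1's own store,
# which already holds the same IP-HTTPS certificate, so a live X509Certificate2 is passed.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer $node2 `
    -InternalInterface $adapter -InternetInterface $adapter `
    -IPHttpsCertificate $cert -PassThru

# Step 14: confirm both nodes report healthy before pointing the load balancer at them.
Get-RemoteAccessLoadBalancer
Get-RemoteAccessHealth -Cluster | Format-Table -AutoSize
```

If the run fails with the ISATAP/IPv6 error quoted under step 4, apply the Microsoft Support hotfix the article refers to and rerun the same commands.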

For more information about configuring the external load balancer, be sure to consult with the vendor of the equipment. For example, F5 published a great whitepaper on how to configure F5 load balancers to support DirectAccess.

And with that all completed, we have a single-NIC DirectAccess 2012 deployment with external load balancing!

Comments

  • Anonymous
    January 01, 2003
    Looks like I answered my own question... technet.microsoft.com/.../hh831830.aspx see the "Known issues" section.  Looks like there IS a bug in the wizard.

  • Anonymous
    January 01, 2003
    Hi Jared, Did disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface on the DirectAccess servers not correct the issue? I tested a few times and it seemed to work. I am curious to know if you are experiencing something different. Thanks, Gregg

  • Anonymous
    January 01, 2003
Hi Jared, The commands I used were the following:
    To disable Duplicate Address Detection: netsh int ipv6 set int <InterfaceID> dadtransmits=0
    To change DNS64: Set-NetDnsTransitionConfiguration -AcceptInterface <InterfaceID>
    Upon running the above commands and a quick reboot of each server, connectivity worked as you would expect. I reproduced this on servers with two interfaces. Gregg

  • Anonymous
    January 01, 2003
    Hey everyone, Sorry for not replying sooner. DC1233, the hotfix that Johan (thanks for posting that Johan) posted should address your issue. Have you tried it? Brajesh, you would need to have a load balancer located internally as well and that load balancer will have to be able to load balance ISATAP addresses and/or native IPv6 addresses as well, between the two DirectAccess servers. Gregg

  • Anonymous
    January 01, 2003
Were you able to set up a manage-out connection using an external hardware load balancer? Or any idea how to do this?

  • Anonymous
    January 01, 2003
Sorry for the 2nd question... Single NIC setup. When I try to enable load balancing, the wizard asks me to provide a new IPv6 DIP, and instructs me to configure the current static IPv6 address on the server (which is the DNS64 server address) as the VIP on the load balancer. Given that the load balancer is only going to be forwarding the IP-HTTPS traffic on port 443, this doesn't make sense to me. Shouldn't all servers in the cluster have the same DNS64 server address?

  • Anonymous
    January 01, 2003
    Okay I think I understand the issue you are describing. I am going to do some investigating and testing. I'll post my findings soon.

  • Anonymous
    January 01, 2003
    Excellent. Thanks for taking the time to provide the details. It seems like the issue is reproducible, but not always. Seems to be an issue that only affects some deployments and not others. I am doing some more research and testing and will post the results when I have some more information, but so far it seems like disabling duplicate address detection and resetting the DNS64 AcceptInterface parameter to the internal interface instead of the loopback adapter resolves the issue.

  • Anonymous
    January 01, 2003
    Hi Jarid, Can you check a few things out for me please? If you look at the interfaces on each node in the array, are any of them duplicates/conflicts between the two nodes? My second point I need some clarification on is, does enabling load balancing break DirectAccess on a single server? Or does it stop working only when the second node is introduced? Thanks, Gregg

  • Anonymous
    February 04, 2013
    Ok great. Look forward to hearing what you find out. Thanks.

  • Anonymous
    February 06, 2013
    Sorry, I had posted a reply but I find it sometimes doesn't actually seem to do anything on this site for some reason - they just disappear. I've now posted this 3 times. Anyway, I found that when you initially configure load balancing for two nodes the wizard sets the same IPv6 address for each node which results in a conflict. I just manually changed it on one of the nodes and then added that node back to the cluster and then there is no longer a conflict. On the other point, yes as soon as you enable load balancing on a single server it breaks the working configuration. I have added the second node (and the same issue persists), but for the most part I've done most of my testing with just the one node using an external load balancer as it doesn't make a huge amount of difference from that point of view whether there is 1 node or 8 or more. As soon as you enable load balancing using an external load balancer, DirectAccess no longer works, with the issue I mentioned previously being the result. The hotfix that was to do with DNS64 not working with an external load balancer (which sounds applicable to this scenario as it can't resolve internal IPv4 addresses used for connectivity checks etc.) doesn't seem to make any difference. What have you been able to find out on your end?

  • Anonymous
    February 18, 2013
    Hi Gregg, Just wondering where you were able to get up to with this? Thanks, Jared

  • Anonymous
    March 06, 2013
Hi Gregg, Thanks for the response. I checked my commands with yours and the outcome of both are the same; however, just to ensure there are no discrepancies I have used yours but still end up with the same problem for clients. The only difference in my config I think is that I'm using a single NIC. So yesterday I decided I would remove all the config and switch the topology to using two NICs. I put back the exact same configuration and this time it works. I had wiped and started over again several times with the single NIC configuration, so I'm pretty sure it wasn't something with the setup but rather an issue with using a single NIC with an external load balancer. Maybe something for Microsoft to look into further. There's obviously an issue as well with the AcceptInterface value being incorrect when enabling Load Balancing. Anyway, thanks for your help with this. Got there in the end. Jared

  • Anonymous
    July 30, 2013
    When you configure load balancing with an external LB, it only asks for one IPv4 address for the VIP. Does this mean that Teredo is not available in a load balanced implementation?

  • Anonymous
    July 30, 2014
    Remote Management is one of the top feature provided by DirectAccess. By default a DirectAccess client

  • Anonymous
    July 07, 2016
    I have the same question as Neil, can ISATAP be enabled on one of the nodes in a cluster when using an external load balancer?

  • Anonymous
    June 15, 2016
    The comment has been removed

  • Anonymous
    November 18, 2016
    Please, somebody has a guide to configure Direct Access and F5? Tks.