DirectAccess Windows 2012 High availability NLB Cluster   11 comments

Windows Server | DirectAccess | Remote Access | VPN

DirectAccess is a feature in the Windows 7 , Windows Server 2008 R2 and Windows Server 2012 operating systems that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access.

With DirectAccess, users are able to access corporate resources (such as e-mail servers, shared folders, or intranet web sites) following common security standards, anytime they have an internet connection.

The new thing here is that in windows 2012 you can use a single nic.

In my previous blog I showed the configuration but now I want to NLB the DirectAccess Server.

clip_image002 again my basic setup is here just on one server configured and the second node is stand by. Keep in mind Remote access must be installed on both machines and the NLB option must be installed.

image In the configuration menu you can choose enable load balancing.

 

clip_image004 clip_image006

The wizard shows me that I can choose Windows NLB or a hardware NLB solution.

Yes Ill take the WNLB. and as you can see you don’t need to setup UAG and NLB this and then direct access no go strait to the Remote access console and do your thing.

In this case I use an Edge directaccess option.

image

Fill in the IPv4 address that will be used as the external VIP by the Network Load Balancing feature. this address must be on the same IP subnet that dedicated external address of Windows 2012 servers.

image The Internal IP is just as you do a internal NLB option.

now that the NLB is ready just on one node

image We can add a second node to the NLB farm and have our DirectAccess highly available

To add the Second node just do add or remove node.

image On firewalls or other products that has multiple NIC’s I make sure that the naming is correct nic name = internet has internet access . or red or green but don’t leave this default now I can easy see what nic I need.

imageimage 

Just to remember If you use a self signed certificate you can’t use NLB so a root CA must be in place.

image after the commit my NLB is in place an overview is there with the NLB servers in it.

image

 

there are more PowerShell options that you can use.

Get-RemoteAccessHealth –cluster

Get-DAserver

more on Direct Access

Or on powershell

Direct Access Client Cmdlets in Windows PowerShell

Advertisements

11 responses to “DirectAccess Windows 2012 High availability NLB Cluster

Subscribe to comments with RSS.

  1. “Just to remember If you use a self signed certificate you can’t use NLB so a root CA must be in place.” I did it with self signed cert and it works like a charm.

  2. Robert

    Great post. Have been reading here, and elsewhere regarding setting up NLB. I just noticed there is a requirement for MAC Spoofing, do you happen to know if that’s an issue in a vSphere environment. I must have went through these steps a thousand times and have had no luck in success.

  3. Hi. I want use hardware balance. But I dont understand how many IP me need 🙂
    edge1: external IP – 91.23.21.110 – edge01.corp.com; internal IP – 10.0.0.100 – edge01.corp.local
    edge2: external IP – 91.23.21.111 – edge02.corp.local, internal IP – 10.0.0.101 – edge02.corp.local
    external IP for VIP 91.23.21.113 da.corp.com
    internal IP for VIP 10.0.0.102 edge.corp.local
    it is right? only this IPs?

    and next question, then I configuring network topology edge01 and select type – Edge, what type public for user connection:da.corp.com or edge01.corp.com

    thank you!

    • Hi Paul,
      the first part is correct.
      The second part am not sure what do you mean ?
      these two VIP is your communication external IP for VIP 91.23.21.113 da.corp.com
      internal IP for VIP 10.0.0.102 edge.corp.local

      so in communication from client to app you should use these

  4. I am a little confused.. I actually have this working. I want to publish via my Fortinnet or Cisco ASA firewall.. Which IP should I publish…

    My external IP address X.X.X.X Nat 443 to internal VIP of Direct access NLB VIP?

    Keep in mind on my fortinet I can do NLB bythe following

    External IP X.X.X.X Nat NLB on fortinet.. to 2 of the real DA servers?

  5. Question. If I have a server running DA at Location A, can I have a DA server running at a Location B (different state) so that when Location A goes down, Windows 7 machines will also failover to Location B? I know Win8 machines will automatically choose the closest available server, but what will Windows 7 do?

    • That is a great question. I have not played a lot with DA but there is a labguide (if you need it )
      http://technet.microsoft.com/en-us/library/hh831461.aspx

      The built-in feature for Multi-Site only works with Windows Server 2012 as the server.
      It is also important to note that only Windows 8 clients can roam between different endpoints.
      Windows 7 clients needs to be assigned to a specific endpoint (and therefore a separate GPO will be created for each endpoint where you have Windows 7 clients assigned)

      hope this helps you.

  6. Hello, I have a question regarding the second DA server IP address config.
    I’m setting up a dual NIC edge Direct Access 2012 server and plan to have a cluster. On the second DA server do I mirror the NIC and their IP addresses from the first DA server? Or does the second server have the same external IP addresses but a different internal NIC address? MS Technet states “Configure each of the servers that will be in the cluster with the same topology as the first Remote Access server” this this correct for both Internal and External NIC’s to be the same as the first server?
    Sorry hope I made sense, I cant find information on this anywhere.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

  • Twitter

  • %d bloggers like this: