Earlier this year I authored the Windows Server 2012 R2 DirectAccess Deployment Guide for Kemp LoadMaster load balancers. The documentation described in detail how to configure the Kemp LoadMaster to provide load balancing for DirectAccess when configured with two network adapters. It also assumed that the DirectAccess server is configured to use the LoadMaster as its default gateway.
There are many scenarios in which the DirectAccess server does not use the LoadMaster as its default gateway, most commonly deployments where the DirectAccess server is configured with a single NIC. To support load balancing for DirectAccess configured with a single NIC, it will be necessary to make some changes to the LoadMaster configuration to enable load balancing support for this scenario.
To configure the Kemp LoadMaster for load balancing DirectAccess single NIC deployments, follow the guidance to create the virtual service as documented. After creating the virtual service for DirectAccess, expand Standard Options, deselect Transparency, and then select Subnet Originating Requests.
This will configure the LoadMaster to forward traffic to the DirectAccess server using the internal IP address of the LoadMaster as the source IP address for the connection instead of the original public address of the client. This allows the DirectAccess server to return DirectAccess traffic to the LoadMaster without having to use it as its default gateway.
Jeff
/ September 16, 2015In this scenario, the LB’s int0 is Internet facing and int1 is on the DMZ along with the single nic DA servers, correct?
IOW’s, the LB isn’t configured with int0 on the DMZ and int1 along with the single nic DA servers on the production network.
Thanks,
Jeff
acmcomputers
/ July 22, 2016We’re seeing strange behaviour with Single NIC DA servers sat in a DMZ as a load balanced pair of servers behind the VIP of a Kemp Load balancer. When we establish a successful connection to one of the DA servers, if we gracefully shut down the DA server, the client machine acknowledges the loss of the DA server but sits continuously at “Connecting”. The only way for the client to successfully reconnect to the remaining active DA server is to reboot the client. Once the client has been rebooted, it establishes a new connection to the remaining available load balanced DA server. Have you ever seen this behaviour before?
Richard M. Hicks
/ July 25, 2016In this state when the UI reports “connecting” have you confirmed that connectivity is actually broken? Or are you relying solely on what the UI is reporting?
acmcomputers
/ July 25, 2016Hi Richard, yes we confirmed have lost all connectivity. I have managed to overcome the problem by configuring the Kemps to use the following L7 configuration setting: “drop connections on RS failure”, a setting that doesn’t seem to be documented anywhere specifically for Direct Access failover. Without this setting defined, the idle timeout default of 660 seconds comes into play at which point the client successfully connects to the remaining node in the same entry point! Wonder if you’ve seen this behaviour before as it seems the client is the device is reluctant to release the persistence and force and new tcp connection. Many thanks
Richard M. Hicks
/ July 25, 2016Thanks for the update and the tip. I’ve not heard others complain about this, but still good to know. I’ll definitely be doing some testing with that setting soon. 🙂
ferminator
/ July 24, 2017First of all, thanks for all the work you put into this log. It has helped me on several occasions with DirectAccess deployments.
Just to make sure, this should also cover the scenario where I have two single NIC DirectAccess servers in the internal network zone and the Kemp LoadMaster is in the DMZ with a single NIC, only? What about IPs? Say my internal DA servers have IPs 192.168.1.11 and 192.168.1.12. Before I set up the cluster, I gave DA1 the IP 192.168.1.10, which then became the cluster IP. The single NIC LoadMaster in the DMZ has 172.16.0.100 as the VIP for traffic to the DirectAccess servers, and the IPs 192.168.1.11 and 192.168.1.12 are configured as “real servers”.
Thoughts? Thank you very much! 🙂
Richard M. Hicks
/ July 24, 2017Correct. The VIP doesn’t necessarily have to be the IPv4 address assigned to the first DirectAccess server. When using an ELB, the VIP can be anything, really. The only consideration is that the directaccess-WebProbeHost URL needs to accessible. You can resolve this by load balancing port 80 on each DirectAccess server with the ELB, or by simply updating DNS and making sure the web probe host DNS record resolves to the IPv4 address of each/all DirectAccess servers. More information here:
https://directaccess.richardhicks.com/2017/05/22/directaccess-network-connectivity-assistant-nca-configuration-guidance/
https://directaccess.richardhicks.com/2014/08/12/directaccess-clients-in-connecting-state-when-using-external-load-balancer/
https://directaccess.richardhicks.com/2016/06/21/directaccess-load-balancing-video/
Thanks!