Configure F5 BIG-IP for DirectAccess NLS

Recently I wrote about the Network Location Server (NLS) and its importance for DirectAccess deployments. As I described previously, the NLS is nothing more than a web server with an SSL certificate installed. It should also be made highly available to prevent potential service disruption caused by planned or unplanned NLS server downtime. Any web server can serve as the NLS. In addition, if you have the F5 BIG-IP Local Traffic Manager (LTM) in your environment, you can easily configure the LTM to serve as the NLS.

To accomplish this, import the SSL certificate for the NLS and create an SSL client profile using its certificate and private key. Next, create a new iRule that contains the following code.

when HTTP_REQUEST {
HTTP::respond 200 
}

Configure F5 BGIP for DirectAccess NLS

Finally, create a new virtual server listening on TCP port 443 and assign this iRule as a resource for the virtual server. Once NLS reachability has been verified, update the DirectAccess configuration using the Remote Access Management console or the Set-DANetworkLocationServer PowerShell cmdlet.

Leave a comment

8 Comments

  1. Andrew

     /  February 12, 2015

    Richard,
    You had previously posted a walkthrough for setting up DirectAccess with Kemp load balancers. Is it possible to configure one of them for NLS like this?

    Reply
    • Not at this time. It is possible that you might see it as a feature in a future release of the Kemp LoadMaster load balancer though. Keep watching this site for more details. 🙂

      Reply
  2. Roger Kang

     /  July 14, 2015

    This is great, thanks! Got the iRule working but cant seem to change the NLS server using console or Set-DANetworkLocationServer command, get error: “Cannot create a file when that file already exists.” Any guidance for this issue?

    Reply
    • Unfortunately, no. I’ve not encountered that error in my travels. The only thing I can suggest is to be sure that you are running the command from an elevated command prompt window and that you also have permission to write to the DirectAccess client and server settings GPOs in AD.

      Reply
  1. DirectAccess Network Location Server Guidance | Richard Hicks' DirectAccess Blog
  2. Configure Kemp LoadMaster for DirectAccess NLS | Richard Hicks' DirectAccess Blog
  3. DirectAccess NLS Deployment Considerations for Large Enterprises | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: