Configure F5 BIG-IP for DirectAccess NLS

Recently I wrote about the Network Location Server (NLS) and its importance for DirectAccess deployments. As I described previously, the NLS is nothing more than a web server with an SSL certificate installed. It should also be made highly available to prevent potential service disruption caused by planned or unplanned NLS server downtime. Any web server can serve as the NLS. In addition, if you have the F5 BIG-IP Local Traffic Manager (LTM) in your environment, you can easily configure the LTM to serve as the NLS.

To accomplish this, import the SSL certificate for the NLS and create an SSL client profile using its certificate and private key. Next, create a new iRule that contains the following code.

HTTP::respond 200 

Configure F5 BGIP for DirectAccess NLS

Finally, create a new virtual server listening on TCP port 443 and assign this iRule as a resource for the virtual server. Once NLS reachability has been verified, update the DirectAccess configuration using the Remote Access Management console or the Set-DANetworkLocationServer PowerShell cmdlet.

Leave a comment


  1. Andrew

     /  February 12, 2015

    You had previously posted a walkthrough for setting up DirectAccess with Kemp load balancers. Is it possible to configure one of them for NLS like this?

    • Not at this time. It is possible that you might see it as a feature in a future release of the Kemp LoadMaster load balancer though. Keep watching this site for more details. 🙂

  2. Roger Kang

     /  July 14, 2015

    This is great, thanks! Got the iRule working but cant seem to change the NLS server using console or Set-DANetworkLocationServer command, get error: “Cannot create a file when that file already exists.” Any guidance for this issue?

    • Unfortunately, no. I’ve not encountered that error in my travels. The only thing I can suggest is to be sure that you are running the command from an elevated command prompt window and that you also have permission to write to the DirectAccess client and server settings GPOs in AD.

  1. DirectAccess Network Location Server Guidance | Richard Hicks' DirectAccess Blog
  2. Configure Kemp LoadMaster for DirectAccess NLS | Richard Hicks' DirectAccess Blog
  3. DirectAccess NLS Deployment Considerations for Large Enterprises | Richard M. Hicks Consulting, Inc.

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading