Recently I wrote about the Network Location Server (NLS) and its importance for DirectAccess deployments. As I described previously, the NLS is nothing more than a web server with an SSL certificate installed. It should also be made highly available to prevent potential service disruption caused by planned or unplanned NLS server downtime. Any web server can serve as the NLS. In addition, if you have the F5 BIG-IP Local Traffic Manager (LTM) in your environment, you can easily configure the LTM to serve as the NLS.
To accomplish this, import the SSL certificate for the NLS and create an SSL client profile using its certificate and private key. Next, create a new iRule that contains the following code.
when HTTP_REQUEST {
    # Answer every request on this virtual server with an empty HTTP 200.
    # DirectAccess clients only need a successful HTTPS response from the NLS.
    HTTP::respond 200
}
Finally, create a new virtual server listening on TCP port 443 and assign this iRule as a resource for the virtual server. Once NLS reachability has been verified, update the DirectAccess configuration using the Remote Access Management console or the Set-DANetworkLocationServer PowerShell cmdlet.
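Before the final step, a practitioner will want to confirm the LTM-hosted NLS actually answers the way DirectAccess clients expect. The following PowerShell script is an added example, not code from the original post: it probes the NLS over HTTPS, requires an HTTP 200 and a certificate the probing host trusts, and only then updates the DirectAccess configuration. The NLS hostname is a placeholder; run it from an elevated session on the DirectAccess server.

```powershell
# Added example, not from the original post.
# Assumption: the NLS FQDN is nls.corp.example.com (placeholder).
$NlsUrl = 'https://nls.corp.example.com/'

function Test-NlsReachability {
    param([Parameter(Mandatory)][string]$Url)

    # Certificate validation is left enabled on purpose: DirectAccess clients
    # must trust the NLS certificate too, so a trust failure here is a real
    # finding (wrong cert on the SSL client profile, missing chain, bad name).
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
    }
    catch {
        Write-Warning "NLS probe failed: $($_.Exception.Message)"
        return $false
    }

    # The iRule above returns an empty 200; anything else means the request
    # reached a different virtual server or the iRule is not attached.
    if ($response.StatusCode -ne 200) {
        Write-Warning "NLS returned HTTP $($response.StatusCode), expected 200"
        return $false
    }
    return $true
}

# Run this from an internal host: the NLS must only be reachable from the
# corporate network, so a probe from the Internet succeeding is itself a
# misconfiguration to investigate.
if (Test-NlsReachability -Url $NlsUrl) {
    # Requires an elevated session with write access to the DirectAccess
    # client and server settings GPOs.
    Set-DANetworkLocationServer -Url $NlsUrl
}
else {
    Write-Error "NLS is not reachable; DirectAccess configuration left unchanged."
}
```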
Andrew / February 12, 2015
Richard,
You had previously posted a walkthrough for setting up DirectAccess with Kemp load balancers. Is it possible to configure one of them for NLS like this?
Richard Hicks / February 12, 2015
Not at this time. It is possible that you might see it as a feature in a future release of the Kemp LoadMaster load balancer though. Keep watching this site for more details. 🙂
Andrew / February 13, 2015
Thanks for the reply!
Roger Kang / July 14, 2015
This is great, thanks! Got the iRule working but can't seem to change the NLS server using the console or the Set-DANetworkLocationServer command; I get the error: “Cannot create a file when that file already exists.” Any guidance for this issue?
Richard Hicks / July 14, 2015
Unfortunately, no. I’ve not encountered that error in my travels. The only thing I can suggest is to be sure that you are running the command from an elevated command prompt window and that you also have permission to write to the DirectAccess client and server settings GPOs in AD.