Configuring Multicast NLB for DirectAccess

Introduction

DirectAccess in Windows Server 2012 R2 includes support for load balancing using either Windows Network Load Balancing (NLB) or an external physical or virtual load balancer. There are advantages and disadvantages to each, but NLB is commonly deployed due to its cost (free!) and relative ease of configuration. NLB has three operation modes – Unicast, Multicast, and IGMP Multicast. It may become necessary to change the NLB operation mode depending on the environment where DirectAccess is deployed. This article describes when and how to make those changes.

Default Configuration

When NLB is first configured, the default cluster operation mode is set to Unicast. In this configuration, all nodes in the NLB cluster share the same MAC address. The NLB kernel mode driver prevents the switch from learning the MAC address for any node in the cluster by masking it on the wire. When a frame is delivered to the switch where the NLB cluster resides, without a MAC address to switch port mapping the frame is delivered to all ports on the switch. This induces switch flooding and is by design. It is required for all nodes in the cluster to “see” all traffic. The NLB driver then determines which node will handle the request.

NLB on Hyper-V

Unicast NLB typically works without issue in most physical environments. However, enabling NLB when the DirectAccess server is running on a virtual machine requires some additional configuration. For Hyper-V, the only thing that is required is to enable MAC Address Spoofing on the virtual network adapter as I discussed here. No other changes are required.

NLB on VMWare

For VMware environments, it will be necessary to change the cluster operation mode from unicast to multicast. This is because the VMware hypervisor proactively informs the virtual switch of the virtual machine’s MAC address on startup and during other virtual networking events. When this occurs, all traffic for the NLB Virtual IP Address (VIP) will be delivered to a single node in the cluster. In multicast operation mode, all nodes in the NLB cluster retain their original MAC address and a unique MAC address is assigned to the cluster VIP. As such, there’s no need to prevent the switch from learning the virtual machine’s MAC address.

Configuring Multicast NLB

To enable Multicast NLB, first enable load balancing for DirectAccess using the Remote Access Management console as usual. DO NOT perform the initial configuration of NLB outside of the Remote Access Management console! Before adding another member to the array, open the Network Load Balancing Manager, right-click the cluster and choose Cluster Properties. Select the Cluster Parameters tab and change the Cluster operation mode to Multicast.

Configuring Multicast NLB for DirectAccess

When opening the Network Load Balancing Manager locally on the DirectAccess server, you may receive the following error message:

“Running NLB Manager on a system with all networks bound to NLB might
not work as expected. If all interfaces are set to run NLB in “unicast”
mode, NLB manager will fail to connect to hosts.”

Configuring Multicast NLB for DirectAccess

If you encounter this error message it will be necessary to run the NLB Manager on another host. You can install the NLB Manager on a Windows Server 2012 R2 system by using the following PowerShell command.

Install-WindowsFeature RSAT-NLB

Optionally you can download and install the Windows Remote Server Administration Tools (RSAT) on a Windows desktop client and manage NLB remotely.

Once this change has been made you can add additional DirectAccess servers to the array using the Remote Access Management console.

Additional Configuration

If you cannot communicate with the cluster VIP from a remote subnet, but can connect to it while on the same subnet, it might be necessary to configure static ARP entries on any routers for the subnet where the NLB cluster resides. Often this is required because routers will reject responses to ARP requests that are from a host with a unicast IP address but have a multicast MAC address.

DirectAccess, Windows 10, and Network Access Protection (NAP)

Windows 10, DirectAccess, and NAPFirst introduced with Windows Server 2008, Microsoft Network Access Protection (NAP) is a technology that allows IT administrators to create and enforce system health requirements that must be met before a computer can connect to the network. Common NAP enforcement points include Ethernet switches (802.1x), DHCP, IPsec, remote access VPN, and Terminal Services Gateway (TS Gateway) connections. DirectAccess also supports NAP integration, which allows administrators to extend this solution to include their DirectAccess clients.

Unfortunately, NAP has proven not to be very popular, and the adoption rate for this technology has been quite minimal. With that, Microsoft formally deprecated NAP in Windows Server 2012 R2, and removed it completely from Windows Server 2016.

Crucially the plumbing for NAP integration in the Windows 10 client operating system has also been removed. For DirectAccess deployments that have been configured to use NAP, this obviously presents a problem. In this scenario, Windows 7/8 clients will function normally. However, Windows 10 clients will not be able to connect. Since NAP integration with DirectAccess is a global setting, all clients must conform to NAP. There is no option to exclude only Windows 10 clients from NAP.

DirectAccess, Windows 10, and NAP

There are two ways in which to resolve this problem. The first is simply to disable NAP integration. However, if you still want to enforce NAP requirements for Windows 7/8 clients, but at the same time also want to allow Windows 10 clients to use DirectAccess, a separate dedicated DirectAccess deployment without NAP integration configured will have to be deployed to support Windows 10 DirectAccess clients.

New Pluralsight Windows Server 2012 R2 DirectAccess, VPN, and WAP Video Training Course

Pluralsight IT Pro and Developer TrainingI’m very excited to announce that my latest video training course is now available on Pluralsight! Recently I had the opportunity record a “Play-by-Play” session entitled Secure Remote Access with Windows Server 2012 R2. In this course I cover all aspects of the Unified Remote Access role in Windows Server 2012 R2 including DirectAccess, client-based remote access VPN, site-to-site VPN, and the Web Application Proxy (WAP). This training course differs from some of the other DirectAccess video training content I’ve developed in the past. This course is much less formal, and takes a casual, conversational approach to delivering the content. Many scenarios are presented and discussed, and of course there is plenty of practical demonstration as well. I think you’ll really like this unique format.

Pluralsight IT Pro and Developer Training

Pluralsight video training is available as a monthly subscription. If you don’t already have a Pluralsight account, you can sign up immediately and get a 10-day free trial. In addition to viewing my new course, be sure to browse their amazing video training course catalog. The amount and quality of content they have is astounding. You’ll find my DirectAccess with Windows Server 2012 R2 course there, along with many others. I’m confident you’ll find the service a tremendous value. Get started now!

WEBINAR: Maximize Your Investment in Windows 10 with DirectAccess and the Kemp LoadMaster

Kemp Technologies LoadMaster Load BalancerWith the recent release of Microsoft’s Windows 10 client operating system, many organizations are now planning their migration to Windows 10 from previous versions. For those organizations looking to maximize their investment in Windows 10, many are considering the deployment of DirectAccess with Windows Server 2012 R2.

DirectAccess and Windows 10 - Better TogetherDirectAccess and Windows 10 are much better together. Windows 10 includes full support for all of the important enterprise features of DirectAccess in Windows Server 2012 R2, including geographic redundancy, transparent site selection, and IP-HTTPS performance improvements. The Kemp LoadMaster load balancer can be used to extend and enhance the native high availability features of DirectAccess, and it can be used to reduce supporting infrastructure requirements.

To learn more about maximizing your investment in Windows 10 with DirectAccess and the Kemp LoadMaster load balancer, be sure to attend our upcoming webinar on Thursday, October 15 when I’ll discuss in detail and demonstrate the advantages of Windows 10 and the Kemp LoadMaster load balancer.

You can register for the Windows Server 2012 R2 DirectAccess and Kemp Technologies LoadMaster webinar here.

Kemp Technologies LoadMaster Load Balancer

Microsoft Most Valuable Professional (MVP) 2015

Microsoft Most Valuable Professional (MVP)Once again I’m very pleased to announce that I have been awarded the Microsoft Most Valuable Professional (MVP) award for 2015! This marks my 7th consecutive year receiving this prestigious award from Microsoft. It is a tremendous honor to be recognized for my technical expertise and community contributions over the last year. I thoroughly enjoy working with Microsoft technologies and helping organizations implement secure remote access and Azure virtual networking solutions. I look forward to engaging with customers and the community even more over the next year. And to all of my fellow MVPs, I look forward to seeing you at the summit in November!

%d bloggers like this: