DirectAccess and Citrix NetScaler Webinar

Updated 5/2/2016: The webinar recording is now available online here.

Join me on Tuesday, April 26 at 11:00AM EDT for a live webinar to learn more about integrating the Citrix NetScaler Application Delivery Controller (ADC) with Microsoft DirectAccess. During the webinar, which will be hosted by Petri IT Knowledgebase, you will learn how to leverage the NetScaler to enhance and extend native high availability and redundancy capabilities included with DirectAccess.

Eliminating single points of failure is crucial for enterprise DirectAccess deployments. DirectAccess includes technologies such as load balancing for high availability and multisite for geographic redundancy, but they are somewhat limited. DirectAccess supports integration with third-party solutions like NetScaler to address these fundamental limitations.

NetScaler is an excellent platform that can be configured to improve upon native DirectAccess high availability and redundancy features. It provides superior load balancing compared to native Windows Network Load Balancing (NLB), with more throughput and better traffic visibility, while at the same time reducing resource utilization on the DirectAccess server.

For multisite DirectAccess deployments, the NetScaler can be configured to provide enhanced geographic redundancy, providing more intelligent entry point selection for Windows 8.x and Windows 10 clients and granular traffic control such as weighted request distribution and active/passive site failover.

In addition, the NetScaler can be configured to serve as the DirectAccess Network Location Server (NLS), providing essential high availability for this critical service and reducing supporting infrastructure requirements.

Click here to view the recorded webinar.



  1. Danny

     /  May 8, 2016

    Hi Richard,

    Thanks for the webinar.

    Somebody asked a question regarding manage out with external NLBs.

    Will the workaround methods you mentioned work when using a single-NIC deployment, where the deployment is restricted to IP-HTTPS only?

    If so, do you have any resources around implementing it?

    • Yes, the workarounds I described (enabling IPv6 or building out a separate ISATAP routing infrastructure) will work with single-NIC deployments. Unfortunately there isn’t much documentation for it because it is a formally unsupported configuration.

  2. Hi Richard,
    I had an issue when I tried to configure DA to use an HLB. I went through the wizard, and when asked for the VIP IP I typed the one the HLB guy provided to me, which is not the same as the internal IPs for the server. The IP of the server starts with 10.xx. and the VIP starts with 172.x.x. After I pressed Apply, the connection to the server was lost and I cannot configure the server TCP/IP with any IP. Once I click Finish, the TCP/IP becomes empty. Do you have any idea how I can solve this?

  3. Thanks Richard for the video. I got the idea, but I have more questions:
    1st, if the DA servers have a single adapter and their dedicated IPs are on a different subnet than the ELB subnet, and the firewall admin refuses to use the DA VIP I got from the DA wizard, can I ignore this VIP and use the ELB VIP and point it to the two DA servers?

    2nd, why enable the NLB feature although I will use an ELB?

    • If the ELB VIP is in another subnet you can certainly use that, no problem. If you’re hosting the web probe host on the DirectAccess servers, update the DNS record to use the new VIP. Also, you don’t need to install the NLB role if you configure an external load balancer. I was just showing that for demonstration purposes.

      • Thanks Richard for your prompt response. I will update the DNS record with the new VIP which is used on the HLB. Also, shall I change the VIP record for the web probe host record, as for now I have left it pointing to the VIP of DA and not the VIP on the HLB? Also, I configured ISATAP records to point to the two DA servers without pointing to a VIP, so which VIP shall I point to, the one on the HLB or the DA VIP?

      • No need to do anything with the ISATAP DNS records. ISATAP isn’t supported when DirectAccess is configured with load balancing or multisite. If you want manage out in this scenario, you’ll have to deploy IPv6 or build out a separate ISATAP routing infrastructure.

  4. Damian

     /  July 1, 2016

    Hi Richard,

    Is creating an ISATAP routing infrastructure as scary as it sounds? Or is it just creating some DNS records and configuring group policy to tell the clients where the ISATAP router is? Do you have or know of any guides?


  5. Koen

     /  September 12, 2016

    Hi Richard
    Can you share your views on the below article Citrix published recently regarding the ‘Manage Out problem’?

    Am I correct in assuming the internal NetScaler acts as an ISATAP router?

    • This feature was designed to ease some of the pain of routing IPv6 for DirectAccess manage out deployments. However, this solution requires that IPv6 be deployed on the internal network, so it’s really pointless (routing IPv6 isn’t difficult in the first place!). It would appear that Citrix didn’t fully understand the problem they were trying to solve. The real issue is that most organizations don’t have IPv6 deployed internally, hence the need for a transition technology like ISATAP. Since you can’t use the native ISATAP routing functionality on the DirectAccess server when using external load balancers, having the NetScaler serve as the ISATAP router would have been ideal. That’s not the case, however. So, if you want to use ISATAP with external load balancers or in multisite deployments, you’ll still have to deploy IPv6 or implement an external ISATAP routing infrastructure.

