Introduction
The Network Location Server (NLS) is a crucial DirectAccess supporting infrastructure component. It is a secure web server that DirectAccess clients use to determine whether they are inside or outside of the corporate network.
NLS Availability
The NLS should be highly available. If this service is not available, DirectAccess clients on the internal network will think they are outside and attempt to establish a DirectAccess connection. Typically, this results in the DirectAccess client not being able to reach internal resources by hostname. Full connectivity for DirectAccess clients on the internal network will not be restored until the NLS is online.
It is recommended that the NLS be deployed in a load-balanced cluster for high availability. However, this requires deploying multiple servers, adding more cost, complexity, and management overhead to the solution.
NLS and Citrix NetScaler
Configuring the Citrix NetScaler to serve as the NLS is an attractive alternative to deploying additional servers for this role. Using the NetScaler for the NLS reduces costs by leveraging existing infrastructure. In addition, the NetScaler requires less servicing than a typical Windows server, and is often itself already highly available.
Configure Citrix NetScaler
To configure the NetScaler to serve as a DirectAccess NLS, open the NetScaler management console, expand AppExpert, and then select Actions. Click Add, provide a descriptive name for the responder action, and then enter the following in the Expression field and click Create.
"HTTP/1.0 200 OK" +"\r\n\r\n" + "DirectAccess Network Location Server (NLS)" + "\r\n"
Select Policies, click Add, and then provide a descriptive name for the responder policy. Enter HTTP.REQ.IS_VALID in the Expression field and click Create.
Expand Traffic Management, expand Load Balancing and select Services. Click Add, provide a descriptive name for the service, choose New Server, and enter the IPv4 loopback address 127.0.0.1. Select SSL for the Protocol, enter a random port number for the Port and then click More.
Uncheck the box next to Health Monitoring and click Ok and Done.
Select Virtual Servers and click Add. Provide a descriptive name for the virtual server, select SSL for the Protocol, enter an IP address for the virtual server and click Ok.
Under Services and Service Groups click No Load Balancing Virtual Server Service Binding.
Click to select a service, choose the service created previously and click Ok, Bind and Ok.
Under Certificates click No Server Certificate.
Click to select a server certificate, choose the SSL certificate to be used by the NLS and click Ok, Bind, and Ok.
Under Advanced click Policies, and then click the + icon. From the Choose Policy drop-down list choose Responder and click Continue. Click to select a Policy Binding and choose the responder policy created previously. Click Ok, Bind, and Done.
Testing NLS Functionality
Open a web browser on a client connected to the internal network and browse to the NLS URL. Ensure that there are no certificate errors and that the NetScaler is responding with the configured web page.
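Because an NLS outage breaks name resolution for every DirectAccess client on the internal network, the one-time browser check above is worth turning into a repeatable probe. The script below is an added example, not part of the original article or any Citrix or Microsoft tooling. It assumes an NLS reachable over HTTPS on the internal network from the host running it, that the issuing CA is in that host's trust store, and it uses a placeholder hostname (`nls.corp.example`) and an illustrative 30-day expiry warning threshold. It performs the same checks the article asks for (no certificate errors, the configured page is returned) plus a certificate-expiry check, since an expired NLS certificate is a common cause of the outage described earlier.

```python
"""Availability probe for a DirectAccess Network Location Server (NLS).

Added example for this article, not part of the original post. It assumes an
NLS answering HTTPS on the internal network; the hostname below is a
placeholder and the expiry threshold is illustrative.
"""
import socket
import ssl
import time

DEFAULT_HOST = "nls.corp.example"   # placeholder: use the NLS FQDN from the NRPT exemption
DEFAULT_PORT = 443
EXPIRY_WARN_DAYS = 30               # illustrative threshold


def parse_status_line(raw):
    """Return (http_version, status_code) from a raw HTTP response.

    The NetScaler responder answers with a bare 'HTTP/1.0 200 OK' line and no
    headers, so the parser relies on nothing but the status line itself.
    """
    first_line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % first_line)
    return parts[0][len("HTTP/"):], int(parts[1])


def expiry_timestamp(not_after):
    """Epoch seconds for a certificate notAfter string as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Dec 14 23:59:59 2027 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now_ts=None):
    """Whole days left on the certificate (negative once it has expired)."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry_timestamp(not_after) - now_ts) // 86400)


def evaluate(status_code, days_left):
    """Pure decision logic: a list of problems, empty when the NLS is healthy."""
    problems = []
    if status_code != 200:
        problems.append("NLS returned HTTP %d, DirectAccess clients expect 200" % status_code)
    if days_left < 0:
        problems.append("NLS certificate has expired")
    elif days_left < EXPIRY_WARN_DAYS:
        problems.append("NLS certificate expires in %d days" % days_left)
    return problems


def probe_nls(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5.0):
    """Connect with full verification (chain and hostname), issue GET / and
    return (status_code, days_left, problems). A verification failure raises
    ssl.SSLCertVerificationError, which is itself a failed check."""
    context = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii"))
            raw = b""
            while True:  # HTTP/1.0 reply: read until the server closes
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    _, code = parse_status_line(raw)
    days_left = days_until_expiry(cert["notAfter"])
    return code, days_left, evaluate(code, days_left)


if __name__ == "__main__":
    status, days, issues = probe_nls()
    print("HTTP %d, certificate valid for %d more days" % (status, days))
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it from a scheduled task or monitoring host on the internal network; an empty problem list means the NetScaler answered 200 behind a certificate the client trusts, which is exactly what a DirectAccess client needs to conclude it is inside the corporate network. Because `probe_nls` never disables verification, a certificate that the DirectAccess clients would reject also fails the probe, rather than being masked.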
Summary
The Network Location Server (NLS) is an important, and often overlooked, supporting infrastructure component for DirectAccess. It is used by DirectAccess clients to determine their network location. If it is unavailable for any reason it can be very disruptive. Ensuring that the NLS is highly available is critical. Configuring the NLS on the Citrix NetScaler can be a cost-effective alternative to deploying additional servers, while at the same time reducing the chance of an outage due to NLS failure.
Richard van de Ven
/ December 14, 2017
Can we add the NLS as a SAN to the DirectAccess Certificate? Or do you recommend to use a dedicated public certificate for NLS as well?
Richard M. Hicks
/ December 14, 2017
You should definitely be using a dedicated certificate for the NLS. I’ve never tested the NLS with a multi-SAN certificate before so I’m not sure how it would behave. In theory it should work, but probably not a good idea anyway.
Jarno Meijer
/ October 4, 2018
Which Citrix NetScaler license is used? Standard, Enterprise or Platinum?
Richard M. Hicks
/ October 4, 2018
I am not certain, but I believe this is supported with the Standard license.
loginjme
/ October 4, 2018
That’s right. When using VPN capabilities you also need a universal client license, which is user based. The NS is appliance based and you need two when you want to enable HA.
If cost is an issue you can use VPX 1000 with VPX 200 mixed. If failover is used you have a degradation in bandwidth.
Richard van de Ven
/ October 5, 2018
Standard license is okay for DA. I would like to suggest you take a look at Always On VPN if you are still in the investigating process for DA.
We switched from DA to Always on VPN a few months ago.
Our first impression is that Always on VPN is quicker and more stable than DA.
Rgds
Richard