Introduction
The Network Location Server (NLS) is a crucial DirectAccess supporting infrastructure component. It is secure web server that DirectAccess clients use to determine if they are inside or outside of the corporate network.
NLS Availability
The NLS should be highly available. If this service is not available, DirectAccess clients on the internal network will think they are outside and attempt to establish a DirectAccess connection. Typically, this results in the DirectAccess client not being able to reach internal resources by hostname. Full connectivity for DirectAccess clients on the internal network will not be restored until the NLS is online.
It is recommended that the NLS be deployed in a load-balanced cluster for high availability. However, this requires deploying multiple servers, adding more cost, complexity, and management overhead to the solution.
NLS and Citrix NetScaler
Configuring the Citrix NetScaler to serve as the NLS is an attractive alternative to deploying additional servers for this role. Using the NetScaler for the NLS reduces costs by leveraging existing infrastructure. In addition, the NetScaler requires less servicing than a typical Windows server, and is often itself already highly available.
Configure Citrix NetScaler
To configure the NetScaler to serve as a DirectAccess NLS, open the NetScaler management console, expand AppExpert, and then select Actions. Click Add, provide a descriptive name for the responder action, and then enter the following in the Expression field and click Create.
"HTTP/1.0 200 OK" +"\r\n\r\n" + "DirectAccess Network Location Server (NLS)" + "\r\n"
Select Policies, click Add, and then provide a descriptive name for the responder policy. Enter HTTP.REQ.IS_VALID in the Expression field and click Create.
Expand Traffic Management, expand Load Balancing and select Services. Click Add, provide a descriptive name for the service, choose New Server, and enter the IPv4 loopback address 127.0.0.1. Select SSL for the Protocol, enter a random port number for the Port and then click More.
Uncheck the box next to Health Monitoring and click Ok and Done.
Select Virtual Servers and click Add. Provide a descriptive name for the virtual server, select SSL for the Protocol, enter an IP address for the virtual server and click Ok.
Under Services and Service Groups click No Load Balancing Virtual Server Service Binding.
Click to select a service, choose the service created previously and click Ok, Bind and Ok.
Under Certificates click No Server Certificate.
Click to select a server certificate, choose the SSL certificate to be used by the NLS and click Ok, Bind, and Ok.
Under Advanced click Policies, and then click the + icon. From the Choose Policy drown-list choose Responder and click Continue. Click to select a Policy Binding and choose the responder policy created previously. Click Ok, Bind, and Done.
Testing NLS Functionality
Open a web browser on a client connected to the internal network and browse to the NLS URL. Ensure that there are no certificate errors and that the NetScaler is responding with the configured web page.
Summary
The Network Location Server (NLS) is an important, and often overlooked, supporting infrastructure component for DirectAccess. It is used by DirectAccess clients to determine their network location. If it is unavailable for any reason it can be very disruptive. Ensuring that the NLS is highly available is critical. Configuring the NLS on the Citrix NetScaler can be a cost-effective alternative to deploying additional servers, while at the same time reducing the chance of an outage due to NLS failure.
IP-HTTPS is an IPv6 transition technology used by DirectAccess. It enables DirectAccess clients to communicate with the DirectAccess server using IPv6 over the public IPv4 Internet by encapsulating IPv6 packets in HTTP and authenticating (and optionally encrypting) them using SSL/TLS. IP-HTTPS is supported for all DirectAccess network deployment configurations and is enabled by default.
To mitigate these risks, it is recommended that an Application Delivery Controller (ADC) such as the Citrix NetScaler be configured to preauthenticate DirectAccess clients prior to establishing the IP-HTTPS transition tunnel.
DirectAccess and Windows 10 are much better together. Windows 10 includes full support for all of the important enterprise features of DirectAccess in Windows Server 2012 R2, including geographic redundancy, transparent site selection, and IP-HTTPS performance improvements. The Kemp LoadMaster load balancer can be used to extend and enhance the native high availability features of DirectAccess, and it can be used to reduce supporting infrastructure requirements.
