DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Introduction

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic ManagerTo provide geographic redundancy, DirectAccess can be deployed in a multisite configuration. In this scenario, Windows 8.x and Windows 10 clients are aware of all entry points in the enterprise and will automatically select the nearest available entry point to connect to. The nearest entry point is defined as the one that responds the quickest. When a Windows 8.x or Windows 10 client attempts to establish DirectAccess connectivity, an HTTP GET is sent to all entry points and the client will select the one with the shortest Round Trip Time (RTT) for the request.

Note: Windows 7 clients can be provisioned when DirectAccess is configured for multisite access, but they must be assigned to an individual entry point.

Challenges

There are a number of challenges that come with the default multisite configuration. Choosing an entry point based solely on network latency is rather simplistic and can often produce unexpected results. It also lacks support for granular traffic distribution or active/passive configuration.

GSLB

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic ManagerFor the best experience, DirectAccess can be configured to use a Global Server Load Balancing (GSLB) solution to enhance transparent site selection and failover for Windows 8.x and Windows 10 clients. Commonly this is implemented using an on-premises appliance (Citrix NetScaler, F5 Global Traffic Manager, Kemp LoadMaster, A10 Thunder, etc.). These solutions offer exceptional control over DirectAccess traffic distribution, but they add expense and complexity.

Azure Traffic Manager

Azure Traffic Manager is a cloud-based GSLB solution that is a simple and cost-effective alternative to dedicated on-premises appliances. While it does not offer all of the features that GSLB appliances provide, it does provide better traffic distribution options than the default configuration. Importantly, it enables active/passive failover, which is a common requirement not supported natively with DirectAccess.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Traffic Manager Configuration

In the Azure portal (the new one, not the old one!) click New, Networking, and then Traffic Manager profile.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Provide a name and select a Routing method.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Routing method options are Performance, Weighted and Priority.

  • Performance. Select this option to enable clients to connect to the entry point with the lowest network latency.
  • Weighted. Select this option to enable clients to prefer some entry points more than others. Assign a weight value of 1 to 1000 for each entry point. Higher values have more preference. Values for entry points can be the same, if desired.
  • Priority. Select this option to enable clients to connect to a primary entry point, then fail over to a secondary or tertiary entry point in the event of an outage. Assign a priority value of 1 to 1000 for each entry point. Lower values take precedence. Each entry point must be assigned a unique priority value.

Click Create when finished. Next click Settings for the new traffic manager profile and click Configuration. Change Protocol to HTTPS, Port to 443, and Path to /IPHTTPS. Click Save when finished.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Next click Endpoints and click Add. Select External endpoint from the drop down list, provide a descriptive name, and then enter the Fully-Qualified Domain Name (FQDN) of the first DirectAccess entry point. When using the Performance routing method, choose a location that best represents the geography where the DirectAccess entry point is located. When using the Weighted or Priority routing methods, specify an appropriate value accordingly. Click Ok when finished. Repeat these steps for each entry point in the organization.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

DirectAccess Configuration

In the Remote Access Management console, highlight DirectAccess and VPN below Configuration in the navigation tree and then click Configure Multisite Settings below Multisite Deployment in the Tasks pane. Click Global Load Balancing and choose Yes, use global load balancing. Enter the FQDN of the Azure Traffic Manager profile and click Next, and then click Commit.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

Note: An SSL certificate with a subject name matching that of the GSLB FQDN is not required.

In some cases, the management console may report that global load balancing addresses cannot be identified automatically for some or all entry points.

DirectAccess Multisite Geographic Redundancy with Microsoft Azure Traffic Manager

If this occurs, it will be necessary to run the Set-DAEntryPoint PowerShell cmdlet to assign GLSB IP addresses to each entry point. The GSLB IP address is the public IPv4 address that the entry point public hostname resolves to.

Set-DAEntryPoint -Name [entrypoint_name] -GslbIP [external_ip_address]

For example:

Set-DAEntryPoint -Name "US West" -GslbIP 203.0.113.195
Set-DAEntryPoint -Name "US East" -GslbIP 198.51.100.21

Summary

DirectAccess includes native functionality to enable geographic load balancing for Windows 8.x and Windows 10 clients. The site selection process used by DirectAccess clients in this scenario is basic, and has the potential to yield unexpected results. Azure Traffic Manager is a simple, cost-effective alternative to dedicated on-premises GSLB appliances. It can be integrated with DirectAccess to address some of the shortcomings with the native entry point selection process.

Additional Resources

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Introduction

When preparing a DirectAccess server, an SSL certificate is required for the IP-HTTPS IPv6 transition technology. This certificate is often issued by a public Certification Authority (CA), but it can also be issued an organization’s internal Public Key Infrastructure (PKI).

SSL Certificate

Commonly an SSL certificate is issued for a single hostname, or subject. As long as the hostname matches the subject, everything works fine.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Multi-SAN SSL Certificate

To ease the management burden of using multiple certificates, or reduce the expense associated with using a wildcard certificate, organizations can request a multi-SAN (Subject Alternative Name) certificate, which matches more than one subject. The additional subjects are included in the Subject Alternative Name field on the SSL certificate.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS
A single multi-SAN certificate can be installed on multiple hosts and will work without issue as long as the hostname matches one of the SAN entries.

DirectAccess and Multi-SAN Certificates

When implementing DirectAccess in a multisite configuration, each entry point in the organization will have a unique public hostname. Instinctively, using a multi-SAN SSL certificate in this scenario would seem ideal.

Unfortunately, support for multi-SAN SSL certificates with DirectAccess is limited. To use a multi-SAN certificate for DirectAccess IP-HTTPS, the public hostname must match the name listed in the Subject field. In the example above, the subject is da.richardhicks.net, with SAN entries for da-west.richardhicks.net and da-east.richardhicks.net.

In this scenario, only the public name da.richardhicks.net is supported for use with DirectAccess. It will not work for any of the SAN entries. For example, attempting to configure DirectAccess to use this certificate with the public hostname da-west.richardhicks.net will fail with the following error message.

The subject name of certificate CN=[certificate subject name] is invalid.
Select a certificate with a valid subject name.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Attempting to work around this issue by using the Set-DAServer PowerShell cmdlet also fails to recognize the SSL certificate correctly.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Summary

Using a multi-SAN SSL certificate for the DirectAccess IP-HTTPS IPv6 transition technology is only supported when the public hostname matches the subject name of the certificate. Configuring DirectAccess with a public hostname listed in the SAN list is not supported. For multisite DirectAccess deployments, individual certificates must be issued for each entry point. Alternatively, a wildcard certificate can be used.

3 Important Things You Need to Know about Windows 10 and DirectAccess

DirectAccess and Windows 10 - Better TogetherDirectAccess has been with us for quite some time know, having been originally introduced with Windows Server 2008 R2, later enhanced with Forefront Unified Access Gateway (UAG) 2010, and finally integrated in to the base operating system in Windows Server 2012 R2. Client support for DirectAccess begins with Windows 7 (Enterprise or Ultimate), and also includes Windows 8.x (Enterprise) and Windows 10 (Enterprise or Education).

Although Windows 7 clients are supported for DirectAccess, Windows 10 is highly preferred. Here are three important things you need to know about using Windows 10 with DirectAccess.

  1. Windows 10 Provides Improved Performance and Scalability – Windows 10 includes support for null encryption when using the IP-HTTPS IPv6 transition protocol. This eliminates the needless double-encryption performed by Windows 7 clients, and dramatically reduces the protocol overhead for clients connecting behind port-restricted firewalls. DirectAccess servers can support many more concurrent IP-HTTPS sessions with Windows 10, and it has the added benefit of making the more secure perimeter/DMZ deployment behind an edge security device performing NAT much more attractive.
  2. Windows 10 Supports Geographic Redundancy – Windows 10 includes full support for DirectAccess multisite deployments. Where Windows 7 clients had to be assigned to a single entry point, Windows 10 clients are aware of all entry points in the organization. They are able to automatically select the nearest entry point on startup, and transparently failover to another site if the current site becomes unavailable.
  3. Windows 10 Features an Enhanced Management Experience – From a troubleshooting and support perspective, Windows 10 makes things much easier. The DirectAccess connectivity assistant, an optional component for Windows 7, is now fully integrated with the Windows 10 UI. PowerShell is greatly improved and now includes many native DirectAccess configuration and troubleshooting commands.

As you can see, there are a number of significant advantages for using Windows 10 with DirectAccess. Windows 10 now supports all of the enterprise features of DirectAccess, including geographic redundancy and performance and scalability improvements. Windows 10 is also easier to troubleshoot and manage. If you’re still supporting Windows 7, DirectAccess in Windows Server 2012 R2 can certainly support them. However, without a doubt the best experience, both from an administrator’s and the end user’s perspective, is with Windows 10. Just one more reason to begin planning your migration to Windows 10 with DirectAccess today!

Need assistance with implementing  DirectAccess with Windows 10? I can help! More details here.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

DirectAccess in Windows Server 2012 R2 supports many different deployment configurations. It can be deployed with a single server, multiple servers in a single location, multiple servers in multiple locations, edge facing, in a perimeter or DMZ network, etc.

Global Settings

There are a number of important DirectAccess settings that are global in scope and apply to all DirectAccess clients, such as certificate authentication, force tunneling, one-time password, and many more. For example, if you configure DirectAccess to use Kerberos Proxy instead of certificates for authentication, Windows 7 clients are not supported. In this scenario it is advantageous to have a second parallel DirectAccess deployment configured specifically for Windows 7 clients. This allows Windows 8 clients to take advantage of the performance gains afforded by Kerberos Proxy, while at the same time providing an avenue of support for Windows 7 clients.

Parallel Deployments

To the surprise of many, it is indeed possible to deploy DirectAccess more than once in an organization. I’ve been helping customers deploy DirectAccess for nearly five years now, and I’ve done this on more than a few occasions. In fact, there are some additional important uses cases that having more than one DirectAccess deployment can address.

Common Use Cases

QA and Testing – Having a separate DirectAccess deployment to perform testing and quality assurance can be quite helpful. Here you can validate configuration changes and verify updates without potential negative impact on the production deployment.

Delegated Administration – DirectAccess provides support for geographic redundancy, allowing administrators to create DirectAccess entry points in many different locations. DirectAccess in Windows Server 2012 R2 lacks support for delegated administration though, and in some cases it may make more sense to have multiple separate deployments as opposed to a single, multisite deployment. For example, many organizations are divided in to different business units internally and may operate autonomously. They may also have different configuration requirements, which can be better addressed using individual DirectAccess implementations.

Migration – If you have currently deployed DirectAccess using Windows Server 2008 R2 with or without Forefront UAG 2010, migrating to Windows Server 2012 R2 can be challenging because a direct, in-place upgrade is not supported. You can, however, deploy DirectAccess using Windows Server 2012 R2 in parallel to your existing deployment and simply migrate users to the new solution by moving the DirectAccess client computer accounts to a new security group assigned to the new deployment.

Major Configuration Changes – This strategy is also useful for scenarios where implementing changes to the DirectAccess configuration would be disruptive for remote users. For example, changing from a single site to a multisite configuration would typically require that all DirectAccess clients be on the LAN or connect remotely out-of-band to receive group policy settings changes after multisite is first configured. In addition, parallel deployments can significantly ease the pain of transitioning to a new root CA if required.

Unique Client Requirements – Having a separate deployment may be required to take advantage of the unique capabilities of each client operating system. For example, Windows 10 clients do not support Microsoft Network Access Protection (NAP) integration. NAP is a global setting in DirectAccess and applies to all clients. If you still require NAP integration and endpoint validation using NAP for Windows 7 and Windows 8.x, another DirectAccess deployment will be required to support Windows 10 clients.

Requirements

To support multiple Windows Server 2012 R2 DirectAccess deployments in the same organization, the following is required:

Unique IP Addresses – It probably goes without saying, but each DirectAccess deployment must have unique internal and external IPv4 addresses.

Distinct Public Hostname – The public hostname used for each deployment must also be unique. Multi-SAN certificates have limited support for DirectAccess IP-HTTPS (public hostname must be the first entry in the list), so consider using a wildcard certificate or obtain certificates individually for each deployment.

Group Policy Objects – You must use unique Active Directory Group Policy Objects (GPOs) to support multiple DirectAccess deployments in a single organization. You have the option to specify a unique GPO when you configure DirectAccess for the first time by clicking the Change link next to GPO Settings on the Remote Access Review screen.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

Enter a distinct name for both the client and server GPOs. Click Ok and then click Apply to apply the DirectAccess settings for this deployment.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

Windows 7 DirectAccess Connectivity Assistant (DCA) GPOs – If the DirectAccess Connectivity Assistant (DCA) v2.0 has been deployed for Windows 7 clients, separate GPOs containing the DCA client settings for each individual deployment will have to be configured. Each DirectAccess deployment will have unique Dynamic Tunnel Endpoint (DTE) IPv6 addresses which are used by the DCA to confirm corporate network connectivity. The rest of the DCA settings can be the same, if desired.

Supporting Infrastructure

The rest of the supporting infrastructure (AD DS, PKI, NLS, etc.) can be shared between the individual DirectAccess deployments without issue. Once you’ve deployed multiple DirectAccess deployments, make sure that DirectAccess clients DO NOT belong to more than one DirectAccess client security group to prevent connectivity issues.

Summary

DirectAccess with Windows Server 2012 R2 supports many different deployment models. For a given DirectAccess deployment model, some settings are global in scope and may not provide the flexibility required by some organizations. To address these challenges, consider a parallel deployment of DirectAccess. This will enable you to take advantage of the unique capabilities of each client operating system, or allow you to meet the often disparate configuration requirements that a single deployment cannot support.

DirectAccess and Windows 10 Better Together

With last week’s release of Windows 10, many organizations who chose to skip Windows 8 are now beginning to deploy Windows 10. To maximize investment in Windows 10, DirectAccess can be leveraged to provide employees with seamless and transparent, always on, secure remote corporate network connectivity. DirectAccess has been around for many years, and today the most popular DirectAccess client is Windows 7. However, Windows 10 provides better support for DirectAccess features that enhance performance and availability, while at the same making it easier to implement and support. Windows 10 opens up many new and compelling deployment scenarios for small businesses to large scale enterprises.

Full Support for Geographic Redundancy

Without a doubt the most important DirectAccess feature Windows 10 supports is automatic entry point selection and transparent failover for multisite deployments. DirectAccess multisite deployment provides essential geographic redundancy for organizations with multiple physical locations. Windows 7 has only minimal support for multisite deployment, with clients required to be assigned to a single entry point. Windows 10 clients are aware of all entry points and will intelligently select the closest entry point when establishing a DirectAccess connection. If the entry point becomes unavailable during the connection, Windows 10 clients will transparently connect to another entry point automatically.

Better Scalability and Performance

Windows 10, like Windows 8 before it, includes support for IP-HTTPS null encryption. This feature greatly improves scalability on the DirectAccess server by eliminating the needless double encryption that Windows 7 clients perform. This reduces resource consumption on the server and enables the server to support many more DirectAccess client connections.

DirectAccess and Windows 10 Better Together

Enhanced Supportability

Many will also appreciate Windows 10’s built-in DirectAccess connectivity status indicator. No longer will administrators have to deploy, manage, and maintain additional software to provide this essential functionality.

To access DirectAccess information in Windows 10, press Window Key + I, click Network & Internet, and then click the DirectAccess tab. Here you will find vital details about DirectAccess configuration and status such as connection state, currently connected entry point, and a site selection drop down box (if manual site selection is enabled by an administrator). In addition you can generate and collect log information for troubleshooting purposes.

DirectAccess and Windows 10 Better Together

Native PowerShell Support

Anyone tasked with troubleshooting DirectAccess configuration and connectivity issues will appreciate the native PowerShell integration with DirectAccess in Windows 10. With just a few commands a wealth of information about DirectAccess configuration and connectivity status can be obtained.

Need to quickly determine if a Windows 10 client has been provisioned for DirectAccess successfully?

Get-DAClientExperienceConfiguration

DirectAccess and Windows 10 Better Together

Has the Windows 10 client connected successfully? If not, why?

Get-DAConnectionStatus

DirectAccess and Windows 10 Better Together

Need to identify the Network Location Server (NLS) the client is configured to use?

Get-NCSIPolicyConfiguration

DirectAccess and Windows 10 Better Together

Looking for DirectAccess multisite entry point details and connection status?

Get-DAEntryPointTableItem

DirectAccess and Windows 10 Better Together

PKI Optional (But Recommended)

Finally, when Windows 10 (and Windows 8.x) clients are supported exclusively a Public Key Infrastructure (PKI) is optional. Here instead the Kerberos Proxy is leveraged to perform DirectAccess client authentication, which reduces infrastructure requirements by eliminating the need for a PKI. However, this configuration offers only limited support for DirectAccess features. For example, a PKI is still required if any Windows 7 clients are deployed. Also, PKI is required to support features such as one-time password (OTP) authentication, Microsoft Network Access Protection (NAP) integration, load balancing (integrated or external), force tunneling, and multisite configuration.

DirectAccess and Windows 10 Better Together

For optimum security and maximum deployment flexibility it is recommended that PKI be used to manage certificates for all DirectAccess deployments including those supporting only Windows 8.x and Windows 10 clients.

Summary

DirectAccess and Windows 10 are much better together. Windows 10 provides full support for the geographic load balancing features of DirectAccess and at the same time offers improved scalability and performance. Windows 10 also makes supporting and troubleshooting DirectAccess clients much easier. And for smaller deployments, Windows 10 can lower the barrier to entry for organizations considering DirectAccess by eliminating the need for a full PKI deployment.

Additional Resources

Video: DirectAccess and Windows 10 in Action
DirectAccess and Windows 10 in Education
Implementing DirectAccess with Windows Server 2016 Book
Implementing DirectAccess with Windows Server 2012 R2 Video Training Course
DirectAccess Consulting Services

DirectAccess Consulting Services Now Available

Microsoft Certified Solutions Associate (MCSA)For the last five years I’ve been helping organizations large and small deploy DirectAccess. During that time I have amassed a wealth of knowledge and experience with this unique technology. DirectAccess is not trivial to install, configure, or troubleshoot. Also, it’s easy to make mistakes in the planning and design phase that can turn in to serious issues later in the deployment. To make matters worse, many organizations are deploying DirectAccess for the first time, and without essential guidance they are prone to making common mistakes or choosing configuration options that are less than optimal both in terms of supportability and performance.

Having deployed DirectAccess for some of the largest companies in the world, there isn’t much I haven’t already encountered. If you are looking for the best chance of success for your DirectAccess deployment, consider a consulting engagement with me. I can provide assistance with all facets of DirectAccess implementation including planning and design, installation, configuration, and troubleshooting. Consulting services at reasonable rates are available for all types of DirectAccess work including:

  • New DirectAccess installations
  • Migration from previous versions of DirectAccess
  • Upgrade or expansion of existing DirectAccess deployment
  • Enterprise planning and design for large-scale, multisite DirectAccess deployments
  • DirectAccess high availability (local and geographic)
  • Manage-out for DirectAccess with external hardware load balancers and/or multisite configuration
  • Multisite DirectAccess with geographic redundancy for Windows 7 clients
  • Existing DirectAccess design review and security assessment
  • Windows Server 2012 R2 client-based VPN configuration
  • DirectAccess client connectivity troubleshooting
  • DirectAccess training

Additionally, consulting services are available for a variety of security solutions as well as on-premises and cloud networking technologies such as:

  • Azure networking and infrastructure
  • Cross-premises connectivity to Azure
  • Certificate services (PKI)
  • IP address management
  • ISA Server and Forefront Threat Management Gateway (TMG) migration

All services can be performed on-site or remotely. If you are interested in obtaining my services, drop me a note at rich@richardhicks.com for more details.

DirectAccess DNS Records Explained

After installing and configuring DirectAccess with Windows Server 2012 R2, several new host records appear automatically in the internal DNS (assuming dynamic DNS is supported, of course). One of them is directaccess-corpConnectivityHost and the other is directaccess-WebProbeHost. These DirectAccess DNS entries are used by Windows 8 and later clients for connectivity checks at various stages of DirectAccess connection establishment.

DirectAccess DNS Records Explained

Figure 1 – DirectAccess DNS records for IPv4-only network.

DirectAccess DNS Records Explained

Figure 2 – DirectAccess DNS records for dual-stack IPv4/IPv6 network.

Here is a detailed description for each of these DirectAccess DNS entries.

directaccess-corpConnectivityHost – This DNS host record includes both A and AAAA records when deployed on IPv4-only networks. Its A host record resolves to 127.0.0.1, which is the IPv4 loopback address. Its AAAA host record resolves to an IPv6 address that is a combination of the DirectAccess NAT64 IPv6 prefix and 7F00:1 (the hexadecimal equivalent of 127.0.0.1). When DirectAccess is configured on a network with native IPv6, the directaccess-corpConnectivityHost DNS record will only include a single AAAA record resolving to ::1.

This host record is used by the DirectAccess client to determine if name resolution for the corporate namespace is working after the IPv6 transition tunnel (6to4, Teredo, or IP-HTTPS) has been established. It does this by attempting to resolve the hostname directaccess-corpConnectivityHost.<corp_fqdn> (e.g. directaccess-corpConnectivityHost.corp.example.net) to an IPv6 address that it expects (the organization’s NAT64 prefix + 7F00:1 or ::1). If it does not resolve, or resolves to a different address, the client will assume that the transition tunnel was not established successfully and, if possible, fall back to another IPv6 transition protocol and repeat the process until it is successful.

Note: The DirectAccess client does not attempt to connect to the IP address resolved by directaccess-corpConnectivityHost. It simply compares the IP address returned by the query to the expected address (NAT64 prefix + 7F00:1 or ::1).

directaccess-WebProbeHost – This DNS host record includes only A records and resolves to the IPv4 address assigned to the internal network interface of the DirectAccess server. If load balancing is enabled, this host record will resolve to the virtual IP address (VIP) of the array. For multisite deployments there will be directaccess-WebProbeHost A host records for each entry point in the organization.

This host record is used by the DirectAccess client to verify end-to-end corporate network connectivity over the DirectAccess connection. The client will attempt to connect to the directaccess-WebProbeHost URL using HTTP. If successful, the DirectAccess connectivity status indicator will show Connected.

If any of these DirectAccess DNS records are missing or incorrect, a number of issues may arise. If the directaccess-corpConnectivityHost host record is missing or incorrect, DirectAccess IPv6 transition tunnel establishment may fail. If the directaccess-WebProbeHost record is missing or incorrect, the DirectAccess connectivity status indicator will perpetually show Connecting. This commonly occurs when an external load balancer is used and a virtual server isn’t created for the web probe host port (TCP 80). In addition, these DirectAccess DNS entries are not static and may be deleted if DNS scavenging of stale resource records is enabled on the DNS server.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Looking for more information about DirectAccess load balancing? See my post entitled DirectAccess Deployment Guide for Kemp LoadMaster Load Balancers.

DirectAccess in Windows Server 2012 R2 supports load balancing and multisite configuration options to provide both local and geographic redundancy, respectively. To configure either of these options, open the Remote Access Management console, expand Configuration in the navigation tree, highlight DirectAccess and VPN, and then select either Enable Multisite or Enable Load Balancing in the Tasks pane.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

Depending on your configuration you may encounter a scenario in which these features do not appear in the Remote Access Management console.

DirectAccess Load Balancing and Multisite Configuration Options Unavailable

This occurs when the Web Application Proxy (WAP) role is installed on the DirectAccess server. Although this is a supported configuration, enabling load balancing or multisite on a DirectAccess server with WAP installed requires additional configuration. Specifically, load balancing and/or multisite must be configured before installing the WAP role.

To restore support for load balancing and multisite configuration options, remove the WAP role using the GUI or with the Uninstall-WindowsFeature Web-Application-Proxy PowerShell command.

DirectAccess Deployment Guide for KEMP LoadMaster Load Balancers

DirectAccess Deployment Guide for Kemp LoadMaster Load BalancersA few months ago I had the opportunity to work with the folks at KEMP Technologies to document the use of their LoadMaster load balancers for Windows Server 2012 R2 DirectAccess deployments. DirectAccess has several critical single points of failure which can benefit from the use of a load balancer. Typically Windows Network Load Balancing (NLB) is used in these scenarios, but NLB suffers from some serious limitations and lacks essential capabilities required to fully address these requirements. The use of an external third-party load balancer can provide better load distribution and more granular traffic control, while at the same time improving availability with intelligent service health checks.

Working with the LoadMaster was a great experience. Installation was quick and simple, and their web-based management console is intuitive and easy to use. The LoadMaster includes essential features that are required for load balancing DirectAccess servers, and advanced capabilities that can be leveraged to enhance geographic redundancy for multisite deployments.

DirectAccess Deployment Guide for KEMP LoadMaster Load Balancers

KEMP offers the widest platform coverage with their solutions, including dedicated hardware appliances, virtual appliances for multiple hypervisors including Hyper-V, cloud-based including Microsoft Azure, as well as bare metal support for installation on your own hardware. You can download a fully functional free trial here.

You can view and download the Windows Server 2012 R2 DirectAccess Deployment Guide for the KEMP LoadMaster load balancing solution here.

Additional Resources

Video: Enable Load Balancing for DirectAccess

Configure KEMP LoadMaster Load Balancer for DirectAccess Network Location Server (NLS)

DirectAccess Single NIC Load Balancing with KEMP LoadMaster Load Balancers

DirectAccess and the Free KEMP LoadMaster Load Balancer

Webinar Recording: DirectAccess Load Balancing Tips and Tricks

Webinar Recording: DirectAccess Multisite with Windows 10 and KEMP LoadMaster GEO

Webinar Recording: Maximize Your Investment in Windows 10 with DirectAccess and the KEMP LoadMaster Load Balancer

Implementing DirectAccess with Windows Server 2016 book

 

Active Directory IP Subnets for DirectAccess Clients

Introduction

When deploying Windows Server 2012 R2 DirectAccess I’m often asked which Active Directory (AD) site a client is associated with when it establishes DirectAccess connectivity. The answer depends on the client’s operating system. Windows 8.x and later clients automatically associate themselves with the site to which the DirectAccess server they are connected to belongs. Windows 7 clients lack this capability, and depending on current AD configuration, Windows 7 clients may associate with an incorrect site. This can lead to potential problems such as slow logon times and mapped drive failures. To address this issue it is important to configure IP subnets in AD for DirectAccess clients to eliminate any potential problems. In this article I’ll demonstrate how to create IP subnets in AD and how to identify IPv6 subnets used by DirectAccess clients.

Active Directory IP Subnets

Configuring IP subnets in AD is relatively straightforward. In the Active Directory Sites and Services management console, right-click Subnets and choose New Subnet. Enter the IP subnet prefix and select the AD site where the DirectAccess server for this subnet resides.

Active Directory IP Subnets for DirectAccess Clients

IPv6 Subnets for DirectAccess Clients

To configure AD IP subnets for DirectAccess clients, it will be necessary to identify all potential IP subnets that may be in use. IP subnets used by DirectAccess clients depend on the IPv6 transition protocols supported by the DirectAccess configuration. DirectAccess supports 6to4, Teredo, and IP-HTTPS for client to server communication, and the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) for manage-out connectivity. Any or all of these protocols may be used for a particular DirectAccess configuration.

  • 6to4 – Supported if the DirectAccess server is edge-facing with a public IPv4 address assigned to its external network interface.
  • Teredo – Supported if the DirectAccess server is edge-facing with two consecutive public IPv4 addresses assigned to its external network interface.
  • IP-HTTPS – Supported in all deployment scenarios, and is used exclusively if the DirectAccess server is located behind a NAT device in a perimeter or DMZ network.
  • ISATAP – Optionally used when manage out is enabled and configured.

IP subnets should be configured in AD for all IPv6 transition protocols supported for the DirectAccess deployment.

Identify the 6to4 IPv6 Subnet

Note: Information for the 6to4 protocol is provided here for completeness. However, it is generally recommended that 6to4 be disabled for DirectAccess deployments, making this configuration unnecessary. More information about disabling 6to4 can be found here.

The 6to4 IPv6 transition protocol is only supported when the DirectAccess server is edge-facing with a public IPv4 address assigned to its external network interface. 6to4 IPv6 addresses are assigned using the 2002::/16 prefix. For single site DirectAccess deployments, an administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides. If public IPv4 addressing is used internally and the 6to4 transition protocol has not been disabled, it is essential that more specific IP subnets for internal 6to4 clients also be configured.

6to4 and DirectAccess Multisite Challenges

The 6to4 IPv6 transition protocol presents a challenge for multisite DirectAccess deployments. When a client creates a 6to4 IPv6 address, it appends the 2002::/16 prefix with its public IPv4 address represented in hexadecimal using the form WWXX:YYZZ::WWXX:YYZZ. For example, if the DirectAccess client’s public IPv4 address is 198.51.100.83, its 6to4 address would be 2002:c633:6453::c633:6453. Since this IPv6 address is created using only the client’s IPv4 address, there is no way to associate the client to a specific entry point. This is one of the reasons why 6to4 is not recommended for use in DirectAccess deployments. If you must support the 6to4 IPv6 transition protocol in a multisite configuration, assign the 2002::/16 IP subnet to the most centrally located AD site.

Identify the Teredo IPv6 Subnet

The Teredo IPv6 transition protocol is only supported when the DirectAccess server is edge facing with two consecutive public IPv4 addresses assigned to its external network interface. Teredo IPv6 addresses begin with 2001: followed by the primary public IPv4 address (represented in hexadecimal) of the DirectAccess server. For example, if the DirectAccess server’s primary public IPv4 address is 203.0.113.240, the DirectAccess client will be assigned a Teredo IPv6 address using the 2001:cb00:71f0::/48 prefix. An administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides. For multisite deployments, repeat these steps for each DirectAccess entry point.

Identify the IP-HTTPS IPv6 Subnet

The IP-HTTPS IPv6 transition protocol is supported in all DirectAccess configurations and its IPv6 subnet should always be assigned to an AD site. The IP-HTTPS IPv6 prefix assignment differs between single site and multisite deployments.

Single Site Deployment

For single site deployments, a /64 IPv6 prefix is assigned for DirectAccess clients. To identify this subnet, run the Get-RemoteAccess PowerShell command on the DirectAccess server and locate the value of ClientIPv6Prefix

Active Directory IP Subnets for DirectAccess Clients

Multisite Deployment

For multisite deployments, a unique /64  IPv6 subnet is assigned to single node entry points. If load balancing is enabled, a /59 IPv6 subnet is assigned to the entry point, and each server within the entry point is assigned a /64 prefix for DirectAccess clients. To identify the IPv6 prefixes for each entry point, highlight DirectAccess and VPN below the Configuration node in the Remote Access Management console, and then select the DirectAccess entry point.

Active Directory IP Subnets for DirectAccess Clients

For edge facing deployments with a public IPv4 address assigned to the external network interface, the IPv6 prefix assigned to DirectAccess clients is from the 2002::/16 globally unique address (GUA) range. If the DirectAccess server is configured using a private IPv4 address with a single network interface or with two network interfaces behind a NAT, the IPv6 prefix assigned to DirectAccess clients will be from the fd00::/8 unique local address (ULA) range. An administrator should create an IP subnet in AD using this prefix and assign it to the AD site where the DirectAccess server resides.

Note: Uninstalling and reinstalling DirectAccess will result in a new IP-HTTPS network ID being created. If these changes are made, be sure to update AD IP subnets accordingly.

Identify the ISATAP IPv6 Subnet

Although this article focuses primarily on the IPv6 subnets used by remote DirectAccess clients, it is also important not to overlook AD IP subnet configuration for internal clients if ISATAP is configured for manage out. IP subnets used by ISATAP clients vary depending on the network configuration of the DirectAccess server.

Edge Deployment

For edge deployments, ISATAP addresses are assigned from the 2002::/16 GUA range. This is appended with the public IPv4 address of the DirectAccess server in hexadecimal using the form WWXX:YYZZ:1:0:5efe and the IPv4 address of the ISTAP client in familiar dotted-decimal notation. For example, if the DirectAccess server’s primary public IPv4 address is 203.0.113.240 and the client’s IP address is 172.16.1.77, the DirectAccess client will be assigned the ISATAP address 2002:cb00:71f0:1:0:5efe:172.16.1.77. The subnet to be created by the administrator in AD will then be 2002:cb00:71f0:1:0:5efe::/96 plus the IPv4 network prefix. For example, if the client’s IP address uses a /24 prefix, the AD IP subnet would be configured using 2002:cb00:71f0:1:0:5efe:172.16.1.0/120. This IP subnet should be assigned to the same site where the corresponding IPv4 subnet is assigned.

Perimeter/DMZ Deployment

For perimeter/DMZ deployments, ISATAP addresses are assigned randomly from the fd00::/8 ULA range and begin with fdXX:XXXX:XXXX:1:0:5efe followed by the IPv4 address of the ISTAP client in dotted-decimal notation. For example, if the DirectAccess client’s IP address is 172.16.1.77, its ISATAP address might look like fdca:3ce5:b0a:1:0:5efe:172.16.1.77. The subnet to be created by the administrator in AD will then be fdca:3ce5:b0a:1:0:5efe::/96 plus the IPv4 network prefix. If the clients’ IP address uses a /24 prefix, the AD IP subnet would be configured using fdca:3ce5:b0a:1:0:5efe:172.16.1.0/120. This IP subnet should be assigned to the same site where the corresponding IPv4 subnet is assigned.

Summary

The configuration of Active Directory IP subnets for DirectAccess clients is an often overlooked aspect of DirectAccess deployments. Proper IP subnet mapping to AD sites is critical, especially for large enterprise deployments with complex networks spanning multiple physical locations. It ensures that Windows 7 DirectAccess clients communicate with the closest AD domain controller when they establish a DirectAccess connection, which can eliminate potential issues. In addition, it is recommended to disable 6to4 for DirectAccess clients to avoid the pitfalls that come with the use of this IPv6 transition protocol. Also, don’t forget to configure IP subnets for any internal clients that use ISATAP for manage out.

%d bloggers like this: