DirectAccess provides seamless, transparent, always-on secure remote access for managed Windows clients. To provide scalability and eliminate single points of failure, DirectAccess servers can be configured in load-balanced clusters. Supported load balancing options include integrated Windows Network Load Balancing (NLB) and external load balancers.
NLB is a simple load balancing solution included with the Windows Server operating system. While NLB is free, there are a number of serious drawbacks associated with its use.
Using an external load balancer provides a number of important benefits.
DirectAccess uses IPv6 transition technologies such as 6to4, Teredo, and IP-HTTPS for client connectivity. When the DirectAccess server is placed behind an external load balancer, only IP-HTTPS will be used. Configuring the load balancer for DirectAccess is similar to load balancing a secure web server.
DirectAccess must first be configured to use an external load balancer. To do this, open the Remote Access Management console, highlight DirectAccess and VPN in the navigation tree under Configuration, and then click Enable Load Balancing under Load Balanced Cluster in the Tasks pane (Figure 1).
Figure 1. Enable Load Balancing
Click Next and select the option to Use an external load balancer (Figure 2).
Figure 2. Use an external load balancer.
Click Next and enter a new IPv4 address for the DirectAccess server’s external network interface (Figure 3).
Figure 3. Enter a new dedicated IP address for the external network interface.
Click Next and enter a new IPv4 address for the DirectAccess server’s internal network interface (Figure 4). The existing IPv4 address will be redeployed as a VIP on the LoadMaster.
Figure 4. Enter a new dedicated IP address for the internal network interface.
Review the configuration and click Commit (Figure 5).
Figure 5. Confirm load balancing settings.
Note: New servers must meet all DirectAccess installation prerequisites prior to being added to the cluster. Network interfaces must be configured, the server joined to the domain, and all required certificates installed. In addition, the DirectAccess role must also be installed. However, it is not necessary to configure DirectAccess before joining the cluster. All configuration will be performed on an existing DirectAccess server.
To add more DirectAccess servers to the cluster, click Add or Remove Servers under Load Balanced Cluster in the Tasks pane (Figure 6).
Figure 6. Add or remove servers.
Click Add Server and enter the name of the DirectAccess server to be added to the cluster (Figure 7).
Figure 7. Add a server.
Click Next and confirm network and SSL certificate settings (Figure 8).
Figure 8. Configure network adapters and SSL certificate.
Click Next to confirm the server settings and then click Add and Close (Figure 9).
Figure 9. Confirm server settings.
Click Commit to apply the changes (Figure 10).
Figure 10. Commit changes.
On the LoadMaster, expand Virtual Services and click Add New. Enter an IPv4 address for the virtual service, specify port 443, and provide a service name. Click Add this Virtual Service when complete (Figure 11).
Figure 11. Specify the parameters for the virtual service.
Expand Standard Options and set the Persistence Options to Source IP Address. Set the Timeout value to 30 Minutes and the Scheduling Method to Least Connection (Figure 12).
Figure 12. Configure standard options.
Note: If the LoadMaster is located behind a network device performing NAT, leave the persistence set to none. Also, if the DirectAccess server does not use the LoadMaster as its default gateway, deselect Transparency and select Enable Subnet Originating Requests.
Expand Real Servers and set the Real Server Check Parameters to TCP Connection Only. Set the Checked Port to 443 and click Set Check Port (Figure 13).
Figure 13. Configure real server health check parameters.
Click Add New and enter the IPv4 address of the first DirectAccess server’s external network interface and click Add This Real Server. Repeat this step for each DirectAccess server in the cluster (Figure 14).
Figure 14. Specify the parameters for the real servers.
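The cluster steps above can also be scripted with the RemoteAccess PowerShell module and followed by the same TCP 443 test the LoadMaster health check performs. This is an added example, not part of the original walkthrough; the server name and all IP addresses are placeholders to be replaced with your own values.

```powershell
# Added example: every name and address below is a placeholder (assumption).
Import-Module RemoteAccess

# New dedicated IPs (address/mask form) for the first DirectAccess server.
# The addresses it had before become the VIPs hosted on the load balancer.
$newExternalDip  = '203.0.113.11/255.255.255.0'
$newInternalDip  = '10.0.0.11/255.255.255.0'

# Servers to join to the cluster (prerequisites and role already installed).
$additionalNodes = @('da2.corp.example.net')

# External dedicated IPs entered as Real Servers on the LoadMaster.
$realServers     = @('203.0.113.11', '203.0.113.12')

# Equivalent of Enable Load Balancing > Use an external load balancer.
Set-RemoteAccessLoadBalancer -ThirdPartyLoadBalancer `
    -InternetDedicatedIPAddress $newExternalDip `
    -InternalDedicatedIPAddress $newInternalDip

# Equivalent of Add or Remove Servers > Add Server.
foreach ($node in $additionalNodes) {
    Add-RemoteAccessLoadBalancerNode -RemoteAccessServer $node
}

# Show the resulting cluster configuration for review.
Get-RemoteAccessLoadBalancer

# Mirror the LoadMaster's "TCP Connection Only" check on port 443 so a
# node that would be marked down is caught before clients are affected.
$results = foreach ($ip in $realServers) {
    $probe = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        RealServer  = $ip
        Port443Open = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

if ($results.Port443Open -contains $false) {
    Write-Warning 'At least one real server does not accept TCP 443; the LoadMaster will mark it down.'
}
```

A TCP-only check confirms that the port is listening, not that IP-HTTPS is working or that the expected SSL certificate is bound, so also confirm the certificate settings on each node as in Figure 8.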
Using the Kemp LoadMaster load balancer provides significant advantages over using the native Windows Network Load Balancing (NLB) for DirectAccess. The LoadMaster offers scalability and improved performance with granular traffic control for DirectAccess connections. The LoadMaster supports load balancing for up to 32 DirectAccess servers in a single cluster.