Load Balancing DirectAccess with the KEMP Loadmaster Load Balancer
DirectAccess provides seamless and transparent, always on secure remote access for managed Windows clients. To provide scalability and eliminate single points-of-failure, DirectAccess servers can be configured in load-balanced clusters. Supported load balancing options include integrated Windows Network Load Balancing (NLB) and external load balancers.
NLB is a simple load balancing solution included with the Windows Server operating system. While NLB is free, there are a number of serious drawbacks associated with its use.
- Broadcast-Based – Nodes in the NLB cluster communicate configuration and status information using layer two broadcasts. These heartbeat messages are broadcast by each node every second. Switch flooding is induced by design to ensure that all nodes “see” all traffic for the cluster Virtual IP Address (VIP), which results in a high level of noise on the network segment as well as increased CPU utilization on each DirectAccess server.
- Limited Scalability – When using NLB, no more than 8 nodes are supported in a cluster. However, due to the broadcast-based nature of NLB, scalability and performance suffer when the cluster includes more than 4 nodes.
- Lack of Control – NLB supports only the round robin request distribution algorithm. This limits deployment flexibility and can be potentially problematic after a node goes offline.
External Load Balancer
Using an external load balancer provides a number of important benefits.
- Network Layer-Based – External load balancers provide traffic control from layers 3 through 7, providing better throughput and performance compared to NLB.
- Positive Scalability – Up to 32 nodes are supported in the DirectAccess server cluster using an external load balancer. The full processing power of each node added to the cluster is available for handling connection requests.
- Granular Control – External load balancers provide fine-grained control over connection requests. Connections can be delivered to DirectAccess servers using not only round robin, but weighted round robin, least connections, source IP address hash, and many more.
Load Balancing for DirectAccess
DirectAccess uses IPv6 transition technologies such as 6to4, Teredo, and IP-HTTPS for client connectivity. When the DirectAccess server is placed behind an external load balancer, only IP-HTTPS will be used. Configuring the load balancer for DirectAccess is similar to load balancing a secure web server.
Enable Load Balancing
DirectAccess must first be configured to use an external load balancer. To do this, open the Remote Access Management console, highlight DirectAccess and VPN in the navigation tree under Configuration, and then click Enable Load Balancing under Load Balanced Cluster in the Tasks pane (Figure 1).
Figure 1. Enable Load Balancing
Click Next and select the option to Use an external load balancer (Figure 2).
Figure 2. Use an external load balancer.
Click Next and enter a new IPv4 address for the DirectAccess server’s external network interface (Figure 3).
Figure 3. Enter a new dedicated IP addresses for the external network interface.
Click Next and enter a new IPv4 address for the DirectAccess server’s internal network interface (Figure 4). The existing IPv4 address will be redeployed as a VIP on the LoadMaster.
Figure 4. Enter a new dedicated IP addresses for the internal network interface.
Review the configuration and click Commit (Figure 5).
Figure 5. Confirm load balancing settings.
Add Additional DirectAccess Servers
Note: New servers must meet all DirectAccess installation prerequisites prior to being added to the cluster. Network interfaces must be configured, the server joined to the domain, and all required certificates installed. In addition, the DirectAccess role must also be installed. However, it is not necessary to configure DirectAccess before joining the cluster. All configuration will be performed on an existing DirectAccess server.
To add more DirectAccess servers to the cluster, click Add or Remove Servers under Load Balanced Cluster in the Tasks pane (Figure 6).
Figure 6. Add or remove servers.
Click Add Server and enter the name of the DirectAccess server to be added to the cluster (Figure 7).
Figure 7. Add a server.
Click Next and confirm network and SSL certificate settings (Figure 8).
Figure 8. Configure network adapters and SSL certificate.
Click Next to confirm the server settings and then click Add and Close (Figure 9).
Figure 9. Confirm server settings.
Click Commit to apply the changes (Figure 10).
Figure 10. Commit changes.
Configure the LoadMaster
On the LoadMaster, expand Virtual Services and click Add New. Enter a IPv4 address for the virtual service, specify port 443, and provide a service name. Click Add this Virtual Service when complete (Figure 11).
Figure 11. Specify the parameters for the virtual service.
Expand Standard Options and set the Persistence Options to Source IP Address. Set the Timeout value to 30 Minutes and the Scheduling Method to Least Connection (Figure 12).
Figure 12. Configure standard options.
Note: If the LoadMaster is located behind a network device performing NAT, leave the persistence set to none. Also, if the DirectAccess server does not use the LoadMaster as its default gateway, deselect Transparency and select Enable Subnet Originating Requests.
Expand Real Servers and set the Real Server Check Parameters to TCP Connection Only. Set the Checked Port to 443 and click Set Check Port (Figure 13).
Figure 13. Configure real server health check parameters.
Click Add New and enter the IPv4 address of the first DirectAccess server’s external network interface and click Add This Real Server. Repeat this step for each DirectAccess server in the cluster (Figure 14).
Figure 14. Specify the parameters for the real servers.
Using the KEMP LoadMaster load balancer provides significant advantages over using the native Windows Network Load Balancing (NLB) for DirectAccess. The LoadMaster offers positive scalability and improved performance with granular traffic control for DirectAccess connections. The LoadMaster supports load balancing for up to 32 DirectAccess servers in a single cluster.