This post is intended to be part 2 of my previous
post "Deploying Microsoft's DirectAccess on Windows Server 2012 R2, in a
Simple Topology behind a NAT Firewall" which you can see here http://blog.ryanbetts.co.uk/2014/09/deploying-microsofts-directaccess-on.html
I am going to document the fairly easy process of configuring Windows Network Load Balancing (NLB) to make the DirectAccess installation highly available. To get started I provisioned a second Windows Server 2012 R2 VM and used the following command to install all of the roles and features required to support DirectAccess.
Add-WindowsFeature -Name DirectAccess-VPN, NLB -IncludeManagementTools
Once the roles are installed, return to the Remote
Access console. Click on the Configuration pane, and from the Tasks
section click Enable Load Balancing. Click Next at the initial
wizard screen.
Select Use Windows Network Load Balancing (NLB). I am going to cover load balancing DirectAccess with a pair of Citrix NetScaler VPX Load Balancers in a future post. Click Next.
This part is a little confusing at first: you must enter a Dedicated IP Address (DIP). This new address is assigned to the network interface of the first DirectAccess server, and the IP address that interface previously had becomes the NLB VIP. Click Next.
On the Summary page click Commit.
If everything is configured correctly, you should
see green lights on the GPO update window. Click Close.
From the Configuration pane, click Add or Remove Servers from the Tasks list.
Click Browse and enter the hostname of the
second DirectAccess server, click Next.
For now I am going to keep using self-signed certificates, click Next.
At this stage I have left the Network Location
Server (NLS) on-box, although this will throw an error during the GPO
reconfiguration changes. Click Next.
Click Add from the Summary page.
When the server is added to the list click Commit.
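As an added example (not from the original post), the same two wizard steps, Enable Load Balancing and Add or Remove Servers, can be driven from the RemoteAccess and NetworkLoadBalancingClusters PowerShell modules. All addresses, masks and the hostname below are placeholders, and the choice of the Internet* parameters for a single-NIC deployment is an assumption; check `Get-Help Enable-RemoteAccessLoadBalancer -Full` before running it against your own servers.

```powershell
# Added example, not part of the original post. Placeholder values throughout.
Import-Module RemoteAccess
Import-Module NetworkLoadBalancingClusters

# Assumed lab addressing (placeholders): the first DA server currently holds
# 192.0.2.10. After enabling NLB that address becomes the cluster VIP and the
# server's interface receives the new DIP entered in the wizard.
$vip     = "192.0.2.10/255.255.255.0"   # existing address -> NLB VIP
$dip1    = "192.0.2.11/255.255.255.0"   # new dedicated IP for the first server
$dip2    = "192.0.2.12/255.255.255.0"   # dedicated IP for the second server
$server2 = "DA02.corp.example.com"      # placeholder hostname of the second server

# Wizard step "Enable Load Balancing". In a single network adapter topology the
# one adapter is treated as the Internet-facing interface (assumption); a
# two-adapter topology would also pass -InternalDedicatedIPAddress and
# -InternalVirtualIPAddress for the internal side.
Enable-RemoteAccessLoadBalancer -InternetDedicatedIPAddress $dip1 `
                                -InternetVirtualIPAddress  $vip

# Wizard step "Add or Remove Servers": join the second server to the cluster
# with its own DIP. This triggers the same GPO reconfiguration as the wizard,
# so the NLS DNS record should already point at the DIPs, not the VIP.
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer $server2 `
                                 -InternetDedicatedIPAddress $dip2

# Confirm the result: DirectAccess's view of the load balancer and the
# underlying NLB cluster membership.
Get-RemoteAccessLoadBalancer
Get-NlbClusterNode
```

Run the block from an elevated PowerShell session on the first DirectAccess server; the Add-RemoteAccessLoadBalancerNode call expects the second server to already have the DirectAccess-VPN and NLB features installed, as shown at the start of this post.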
As expected the GPO reconfiguration throws the
following error "When adding a server (running the network location
server using a self-signed certificate) to a cluster, point the network
location server DNS entry to the internal DIP of each cluster server. After GPO
updates, update the DNS entry again to the cluster...".
At this point I am going to reconfigure my Network Location Server (NLS) to reside on one of my Domain Controllers. The following blog post http://blog.ryanbetts.co.uk/2014/06/directaccess-configuring-network.html outlines exactly how to do this. To test it, try connecting to the NLS website in Internet Explorer.
There is one gotcha when using an internal Certificate Authority for your Network Location Server (NLS): you must export the Root Certificate from the CA and import it into the Trusted Root Certificate store on the DirectAccess server(s).
Now return to the Configuration pane, and
click Configure under Step 3.
Select The Network Location Server is Deployed on a Remote Web Server (Recommended), enter the FQDN you configured for the NLS website, and click Validate to test that it is working. If you do not have the Root CA Certificate imported into the Trusted Root Certificate store this part will fail. Click Next.
The Dashboard should now report that DirectAccess is working correctly.
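As an added example (not from the original post), the following script checks the three things the Validate button and the Dashboard depend on: that the internal Root CA is in the machine's Trusted Root store, that the NLS website answers over HTTPS with a chain this server trusts, and that the DirectAccess configuration and health reflect the remote NLS. The NLS FQDN and the CA subject are placeholders; run it on each DirectAccess server.

```powershell
# Added example, not part of the original post. Placeholder values throughout.
Import-Module RemoteAccess

$nlsFqdn   = "nls.corp.example.com"      # placeholder NLS website FQDN
$nlsUrl    = "https://$nlsFqdn/"
$caSubject = "CN=Corp-Root-CA"           # placeholder subject of the internal root CA

# 1. Is the internal Root CA certificate in the Trusted Root store of this
#    machine? If not, the wizard's Validate step fails with an untrusted chain.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $caSubject }
if ($rootCert) {
    "Root CA present in Cert:\LocalMachine\Root, thumbprint $($rootCert.Thumbprint)"
} else {
    Write-Warning "Root CA '$caSubject' not found in Cert:\LocalMachine\Root; import it first."
}

# 2. Where does the NLS name resolve? During a cluster change the record should
#    point at the DIP of each server, as the GPO error in this post explains.
Resolve-DnsName -Name $nlsFqdn -Type A | Select-Object Name, IPAddress

# 3. Does the NLS answer over HTTPS? Invoke-WebRequest throws on an untrusted
#    chain or a name mismatch, which is what Validate would report as a failure.
try {
    $resp = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing
    "NLS reachable over HTTPS, status $($resp.StatusCode)"
} catch {
    Write-Warning "NLS check failed: $($_.Exception.Message)"
}

# 4. What NLS does DirectAccess currently use, and what does the health
#    monitor (the same data the Dashboard shows) report for each component?
Get-DANetworkLocationServer
Get-RemoteAccessHealth | Select-Object Component, HealthState
```

Step 2 is the one worth keeping an eye on after the GPO update completes: the error message quoted above expects the NLS DNS entry to be moved from the per-server DIPs back to the cluster address once the update has applied, so a stale record is the first place to look if the Dashboard turns red later.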
To view the DirectAccess NLB settings, including the NLB VIP, use the following PowerShell command.
Get-RemoteAccessLoadBalancer