Thursday, December 20, 2012 4:33 PM
I have looked into this a lot and am struggling to find a solution.
We are setting up 3 sites for DirectAccess and the customer would like a failover mechanism if one site was to fail so those users would automatically or as near as automatically use the next site for DA access. I have read up on Multi-Site and Global Server Load Balancers but these are not an option.
Is there any kind of solution that can be used, without 1. using an SSTP VPN as failover or 2. having to bring the laptops back into the office to apply the other site's Group Policy?
Also regarding multiple sites I have read to use ISATAP border routers - I cannot find much information on these or the actual solution; can a Windows server be used as a border ISATAP router? Alternatively, if I had 2 ISATAP DNS entries pointing to 2 UAG DA servers, would they not resolve to their nearest site? Also IPv6 is not an option.
Thursday, December 20, 2012 5:16 PM
What operating system do you plan to use? Why not use Windows Server 2012?
Thursday, December 20, 2012 6:03 PM
Thanks for the reply. Not sure what Microsoft mean with 2012 DirectAccess. They state "Support for clients running Windows 7 must be manually enabled on each entry point, and selection of an entry point by these clients is not supported." Does this still allow failover for Win 7 clients?
Friday, December 21, 2012 1:06 AM Moderator
> Thanks for the reply. Not sure what Microsoft mean with 2012 DirectAccess. They state "Support for clients running Windows 7 must be manually enabled on each entry point, and selection of an entry point by these clients is not supported." Does this still allow failover for Win 7 clients?
You will need Windows 8 clients to take advantage of the new multi-site failover features in Windows Server 2012 DirectAccess...
Friday, December 21, 2012 1:30 AM
Thanks Jason. So just for me to be clear, if site 1 failed then all Win7 clients would need to be brought back on site to apply the GPOs to access site 2 to continue using DA. If so I guess a VPN is the best option for disaster recovery, or GSLB. Thanks
Friday, December 21, 2012 10:03 AM Moderator
> Thanks Jason. So just for me to be clear, if site 1 failed then all Win7 clients would need to be brought back on site to apply the GPOs to access site 2 to continue using DA. If so I guess a VPN is the best option for disaster recovery, or GSLB. Thanks
Yeah, you need to assign Windows 7 clients to a particular (and most appropriate) DA entry point/gateway/array via Group Policy. This allows you to set a preferred entry point for DA clients (localise clients if they are usually closer to a particular DA gateway) and also spread the load across multiple sites. However, in the event that a gateway fails, then yes, those clients would need some form of out-of-band access (or a visit to the corp net) in order to update their entry point via Group Policy.
A key advantage of Win8 is that it has the ability to define multiple entry points, and the client can use a discovery mechanism to find the fastest gateway and also fail over to another gateway if its "usual" gateway is not available.
There is an option in DCA to provide the user with an HTTP link which can be configured to say something like "Fallback to Remote Access Gateway" or similar. You can then use another web-based remote access solution as a backup for DA clients (SSL VPN, TMG/UAG SSTP, etc.).
- Edited by Jason Jones [MSFT], Microsoft Employee, Moderator, Friday, December 21, 2012 10:03 AM
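The per-entry-point assignment of Windows 7 clients that Jason describes corresponds to the Windows Server 2012 RemoteAccess PowerShell module; the block below is an added illustration, not code from anyone in this thread, and the deployment, server, entry point and security group names are placeholders.

```powershell
# Added example (not from the thread): Windows Server 2012 multi-site DirectAccess
# with Windows 7 clients pinned to a fixed entry point. All names are placeholders.
Import-Module RemoteAccess

# Convert the existing single-server deployment into a multi-site deployment.
# The existing server becomes entry point "Site1".
Enable-DAMultiSite -Name "Contoso-DA" -EntryPointName "Site1" `
    -ManualEntryPointSelectionAllowed Enabled -Force

# Add the second site. Windows 8 clients learn this entry point automatically
# and can fail over to it when Site1 is unreachable.
Add-DAEntryPoint -Name "Site2" -RemoteAccessServer "da2.corp.contoso.example" `
    -ConnectToAddress "da2.contoso.example" -Force

# Windows 7 clients cannot select an entry point themselves: each downlevel
# security group is bound to exactly one entry point, and the matching client
# GPO is what the laptop picks up the next time it refreshes Group Policy.
Add-DAClient -DownlevelSecurityGroupNameList "CORP\DA-Win7-Site1" -EntryPointName "Site1"
Add-DAClient -DownlevelSecurityGroupNameList "CORP\DA-Win7-Site2" -EntryPointName "Site2"

# Review the resulting configuration. If Site1 fails, the Windows 7 clients in
# DA-Win7-Site1 stay bound to it until the mapping is changed and they refresh
# policy over some other connection, which is the out-of-band step discussed above.
Get-DAMultiSite
Get-DAEntryPoint
```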
Friday, December 21, 2012 5:50 PM
We spent close to a year creating a solution for our customers that accomplishes precisely what you're looking to do. We have several customers on this solution today on our Windows 2008 R2 UAG 2010 appliances, utilizing a complete software method (including global load balancing) for DirectAccess. Because limitations in global DNS prevent external queries from determining which client gets routed to the nearest location based on latency, we've architected a software-based load balancing solution that leverages a global IP address database that routes users to the appropriate site based on where the user is located geographically, rather than the nebulous method of trying to determine latency. Also, you do not need to have Windows 8 clients for this.
I'm not trying to turn this thread into a sales pitch, but just wanted to let you know if you are struggling to find a solution we have one for you.
- Edited by Keith Plaskett Friday, December 21, 2012 5:57 PM Typo
Friday, December 21, 2012 8:00 PM
Thanks Jason. Yes, I guess site resiliency for Win 7 and DA is not the best solution natively? It is good to get the answer from someone with good experience.
Friday, December 21, 2012 8:02 PM
Hi Keith, I did recommend GSLB as a solution but the solution needs to be implemented by mid-Feb so I don't think this is an option within the coming weeks. Your solution sounds perfect and I would be interested to find out more. If you could send me your details I will contact you in Jan, if that is OK, to arrange some consultancy. Thanks
Saturday, December 29, 2012 4:32 AM
Happy to help. It's probably best to reach me using the contact form in the link below. Just paste the link to this thread and send it to my attention and we can talk about this in greater detail.
- Edited by Keith Plaskett Saturday, December 29, 2012 4:38 AM