Configuring Load balancing of DA Servers with NLB and a hardware load balancer

  • Question

  • Hi,

     I have 2 DA servers, both with 2 NICs (1 in DMZ and 1 on the internal network). The second server has had the DA role installed, but not configured. I want to configure load balancing in the following manner:
    - External\DMZ NIC using NLB
    - Internal NIC using a hardware load balancer

    All of the GUI and PowerShell options I've seen want to use the same load balancing method for both the internal and external interfaces; what I don't know is how to configure load balancing to accommodate a mixed load balancing setup.

    In addition, I'm looking at using manage out with limited ISATAP applying to a single server; this server will then be used to RDP, remote assist, etc. to clients. I'm planning on following the process listed here: https://www.packtpub.com/books/content/configuring-manage-out-directaccess-clients. The manage out server will be on the same VLAN as my DA servers, and clients connect to the DA servers via IP-HTTPS. What I would like to know is if I need to open any additional ports between my manage out server and the DA clients? My understanding is that using limited ISATAP, the manage out server's IPv6 traffic is routed via the DA servers and encapsulated in IPv4 over the internet, so therefore no additional ports need to be open, other than say 3389 on the DA client?

     Thanks

    IT Support/Everything

    Tuesday, August 11, 2015 3:32 PM

Answers

All replies

  • Not possible by design. I strongly recommend you to forget about NLB and switch to HLB. Kemp provides a good implementation guide: http://directaccess.richardhicks.com/2015/02/05/directaccess-deployment-guide-for-kemp-loadmaster-load-balancers/ and you can even manage Kemp from DirectAccess to manage availability of the service: http://danstoncloud.com/blogs/simplebydesign/archive/2015/05/25/monitoring-directaccess-with-kemp.aspx

    Manage-out: Yes, you will need to open ports on the DirectAccess clients, as all network traffic will be rejected because it is not initiated by the DirectAccess client itself. Required protocols need to be declared and NAT traversal needs to be allowed. I've documented remote management with Windows Remote Assistance here: http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx

    For RDP, it's the same approach, except that the DirectAccess client needs to register its AAAA IPv6 address in internal DNS to allow you to resolve it. It's not required in Windows Remote Assistance as all IPs (v4+v6) are included in the invitation file.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Tuesday, August 11, 2015 8:16 PM
    Tuesday, August 11, 2015 4:10 PM
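The two client-side prerequisites the reply above lists for RDP manage-out (an inbound rule that allows edge traversal, and a registered AAAA record) are illustrated below as an added PowerShell example. It is not code from the thread, from BenoitS's blog, or from Microsoft; it assumes a Windows 8.1/10 DirectAccess client with the NetSecurity and DnsClient modules, and the manage-out host's IPv6 address is a placeholder in the documentation prefix.

```powershell
# Added example (not from the thread). Run elevated on a DirectAccess client, or push
# the equivalent rule through Group Policy. Assumptions: NetSecurity and DnsClient
# modules present; the manage-out host's IPv6 address below is a placeholder.

$ManageOutHost = '2001:db8:1::10'   # placeholder: replace with the manage-out server's IPv6 address
$RuleName      = 'DirectAccess Manage-Out - RDP from manage-out host'

# 1. Inbound RDP, scoped to the single manage-out host and to the Domain profile only.
#    EdgeTraversalPolicy Allow is what lets traffic arriving through the IP-HTTPS tunnel
#    (the "NAT traversal" the reply refers to) reach the listener; without it the
#    unsolicited inbound connection is dropped.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManageOutHost -Profile Domain `
        -EdgeTraversalPolicy Allow -Action Allow | Out-Null
}

# 2. The manage-out host resolves the client by name, so the client must register its
#    IPv6 address (AAAA) in internal DNS. Show which interfaces register, then re-register.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress
Register-DnsClient

# 3. Verification: confirm the rule's remote scope is still the single host, and that an
#    AAAA record for this client resolves from the internal DNS the DA servers hand out.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

Resolve-DnsName -Name "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -Type AAAA -ErrorAction SilentlyContinue
```

Restricting `-RemoteAddress` to the manage-out host keeps the rule from exposing RDP to every IPv6 peer that can reach the client through the tunnel; if the host is later moved, update the rule scope rather than widening it to Any.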
  • Thanks Benoit, I'll have a good read through the links. It's a shame about the load balancing. We only have a HLB available on one side, not two, hence I wanted to utilise HLB and NLB.

    IT Support/Everything

    Tuesday, August 11, 2015 8:13 PM
  • Hi

    A single load balancer can act as front-end and back-end. Since Windows Server 2012, public IPv4 addresses are no longer mandatory, so from a security guy's point of view, it's much more acceptable. Not perfect, but more acceptable.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Tuesday, August 11, 2015 8:16 PM
    Tuesday, August 11, 2015 8:16 PM
  • Hi,

    Do you know of any articles of how I can configure this? The DA servers have 2 NICs (1 in the DMZ and 1 in the internal network). The HLB is in the internal network. Using the method you suggested, I'm guessing there's no point in having dual NIC DA servers?


    IT Support/Everything

    Tuesday, August 11, 2015 8:29 PM
  • 2 NICs is almost mandatory, but it's possible to do it with a single network card. Have a look at Richard Hicks' blog post: http://directaccess.richardhicks.com/2015/07/13/directaccess-single-nic-load-balancing-with-kemp-loadmaster/

    IMO, even if it's possible, it's not my recommended deployment scenario. Remember, an HLB appliance may have more than two network interfaces.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Tuesday, August 11, 2015 8:34 PM
    • Marked as answer by Aetius2012 Thursday, August 13, 2015 11:42 AM
    Tuesday, August 11, 2015 8:33 PM