UAG External Load Balancing and ISATAP

  • Question

  • Hi Experts,

    I am deploying a UAG Array to be used for Direct Access. The Array will consist of two servers and use an F5 External Load Balancer. In addition and in similarity to 90% of the other corporate intranets out there, the internal network is IPv4 with no IPv6 transition technologies deployed. The article http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx is great but to my mind has no information to support ‘Manage Out’ and throws up a number of questions: (Note that I want to enable ‘Manage Out’ capability and as far as I am aware that is achieved by using ISATAP)

    1. The article describes that you have to generate and configure your own IPv6 address for the internal interface when using an external load balancer. Does anyone know why? Why not let UAG assign the addresses as per the default?
    2. UAG by default configures itself as an ISATAP router when there is no IPv6 infrastructure deployed on the internal network to facilitate ‘manage out’. This still applies when using Windows NLB. Why does this no longer apply when using an external load balancer? I.e. why does UAG no longer configure itself as an ISATAP router?
    3. In relation to question 2; you therefore need to move your ISATAP router to a different device (http://technet.microsoft.com/en-us/library/ee690463.aspx), in doing so how do you configure the ISATAP environment to traverse the UAG servers without some sort of load balancing on the internal interfaces? I’m assuming that you can only tell the ISATAP router to use the one default gateway i.e. either one UAG server or the other. This means that you would have all your outbound internally initiated traffic going via one server only – not very good for performance or fault tolerance.
    4. In relation to question 3; I thought therefore that NLB could be used on the internal interface to solve the above problem, except that I have read that you can’t mix and match external load balancing and NLB even though they are on separate networks due to bidirectional affinity. What does this actually mean and why does this not occur when load balancing is mixed in this manner?

    Therefore when you wish to use external load balancers, do you:

    A) Accept the fact that you can’t use UAG as an ISATAP router and you do indeed need two devices and deploy it as described here (http://technet.microsoft.com/en-us/library/ee690463.aspx)

    B) Accept the fact that you can’t use UAG as an ISATAP router and any internal outbound traffic travels via the one UAG server only.

    Apologies for the long post, but I wanted to make sure that I get my thoughts down concisely so that it may help others who come up with the same questions :)

    Thanks for your time everyone


    Tuesday, February 7, 2012 5:19 PM

All replies

  • I would say option A.

    Don't think I have seen any documentation to really explain the reasons for the limitations imposed when moving to HLBs.

    I assume you have seen this: http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, February 9, 2012 12:19 AM
  • Hi Gary,

    I'm facing the same questions as you when designing a UAG DA array with Netscaler HLB on the internet facing NICs and looking at how to set up the internal side: whether I need to set up a HLB there too.

    Did you find a working solution in your scenario that you could share?

    I did find this from the Schinder house which explains how to set up an ISATAP router on another server:


    Friday, March 30, 2012 10:05 PM
  • I am also facing the same issue. I have UAG1 and UAG2, which are in an array, and externally load balanced. I've configured an external ISATAP router according to: http://www.windowsnetworking.com/articles_tutorials/Configuring-ISATAP-Router-Windows-Server-2008-R2-Part2.html. However, as mentioned by others, the ISATAP router has to have either UAG1 or UAG2 as the next hop for IP-HTTPS traffic. As a result, communication between the DirectAccess client and management devices will only work if the client is tunneling through the same UAG server that the ISATAP router has as the next hop for the IP-HTTPS prefix. From what I can tell, my configuration is supported, but I can't figure out how to have the ISATAP router determine which UAG server a client is tunneling through. I thought about having two separate IP-HTTPS prefixes for each UAG server, but this would get overwritten when activating the DirectAccess configuration. Maybe some type of internal load balancing?

    Friday, August 24, 2012 3:31 PM
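The address plan behind the original question (the internal IPv6 address you have to hand-pick for the UAG internal NICs) and the single-next-hop problem in the post above, worked through in code. This is an added example written for this thread, not code from any poster, from UAG, or from F5. It derives the ISATAP addresses of the two UAG internal NICs (RFC 5214), the 6to4-derived prefix from the public address (RFC 3056), and then does a longest-prefix-match lookup over the routes an external ISATAP router would hold. All values are constructed: the internal /64 is the 2001:db8::/32 documentation prefix, 203.0.113.10 is a TEST-NET address standing in for the array's public IP, and 192.168.10.11/.12 stand in for the UAG internal NICs. The choice of "subnet 1 of the 6to4 /48" as the IP-HTTPS client prefix is an assumption about the DirectAccess defaults of that era; check it against your own DA configuration.

```python
"""Manage-out address planning for a two-node UAG DirectAccess array behind
an external load balancer (constructed example, not the thread's or UAG's code)."""
import ipaddress

# RFC 1918 ranges only; Python's IPv4Address.is_private also flags the
# documentation/TEST-NET ranges used for the sample values below.
_RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(v4):
    return any(v4 in n for n in _RFC1918)


def isatap_address(prefix, ipv4):
    """ISATAP address <prefix>:<u>:5efe:<ipv4> (RFC 5214 section 6.1).
    The 'u' group is 0000 for private IPv4 and 0200 for globally unique IPv4."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP prefix must be a /64")
    u_bits = 0x0000 if is_rfc1918(v4) else 0x0200
    iid = (u_bits << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def six_to_four_prefix(public_ipv4):
    """2002:WWXX:YYZZ::/48 derived from the public IPv4 address (RFC 3056)."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if is_rfc1918(v4):
        raise ValueError("6to4 needs a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def manage_out_plan(internal_prefix, public_ipv4, uag_internal_ipv4, active_uag=0):
    """Addresses an external ISATAP router needs: one ISATAP address per UAG
    internal NIC, the IP-HTTPS client prefix, and the route table for it.
    Only one UAG (active_uag) can be the next hop for the IP-HTTPS prefix."""
    uag_isatap = [isatap_address(internal_prefix, ip) for ip in uag_internal_ipv4]
    six = six_to_four_prefix(public_ipv4)
    # Assumption: IP-HTTPS clients live in subnet 1 of the 6to4 /48
    # (2002:WWXX:YYZZ:1::/64); verify against your DA configuration.
    iphttps = ipaddress.IPv6Network((int(six.network_address) | (1 << 64), 64))
    routes = {
        str(ipaddress.IPv6Network(internal_prefix)): "on-link",   # ISATAP hosts
        str(iphttps): str(uag_isatap[active_uag]),                 # clients via one UAG
    }
    return {
        "uag_isatap": [str(a) for a in uag_isatap],
        "iphttps_prefix": str(iphttps),
        "routes": routes,
    }


def next_hop(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; a prefix carries exactly
    one next hop, which is why clients tunnelling through the other UAG are
    unreachable for manage-out. Returns None when no route matches."""
    d = ipaddress.IPv6Address(dst)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.IPv6Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


if __name__ == "__main__":
    plan = manage_out_plan("2001:db8:1:1::/64", "203.0.113.10",
                           ["192.168.10.11", "192.168.10.12"])
    for k, v in plan.items():
        print(k, v)
    # A client in the IP-HTTPS prefix is always sent to UAG1's ISATAP address,
    # regardless of which array member it is actually tunnelling through.
    print("client next hop:", next_hop(plan["routes"], "2002:cb00:710a:1::1234"))
```

Swapping `active_uag=1` moves the whole IP-HTTPS prefix to UAG2; there is no per-client choice in a plain route table, which is the point the post above makes.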
  • I'm curious if you found a way to make this work. I'm looking at a similar problem when planning a Server 2012 DA solution. I will be setting up an ISATAP router (on the same device that is the only device that needs "manage out" capabilities), so the ISATAP router service itself does not need to be highly available, but from what I see the router will only be capable of forwarding traffic to one of the DA servers.

    I've read the f5 stuff, and they don't mention how "manage out" scenarios work.

    Friday, October 26, 2012 1:54 PM
  • F5's documented method of providing Manage Out doesn't work. Not without an entirely IPv6 internal network. How can F5 possibly capture DA Clients' IPv6 address (for the persistence table) if they are connecting to IPv4 internal resources? The virtual server is IPv4 and has no visibility of DA Clients' IPv6 address. We got MO working through writing our own custom iRule and Powershell. Been functioning well in production for 6000 concurrent DA users for the past four months. Am working with F5, hopefully we'll get these papers updated shortly.

    Tuesday, March 10, 2015 5:56 PM