DirectAccess 2012 (VMWare) NLB Setup Help

  • Question

  • Hi All,

    A bit of background on our current setup.

    2 X Physical servers (server 2012 r2) hosting DA 2012 in NLB Cluster (Unicast)

    All working fine.

    I wish to virtualise the DA solution using VMWare. I've built two virtual machines with a view of evicting one of the physical nodes from the existing cluster and introducing the virtual machine.

    However, I’ve come across various posts on this forum in relation to unicast/multicast setup, and they have left me somewhat confused.

    The current servers are plugged into a layer 2 switch going directly out to the inet. Saying that, I’ve read something about layer 3 ARP entries? I suppose the layer 3 switch would be our ISP? We have no layer 3 switches in between DA and the inet here at the office (sorry, I am not a networking guy, so this might sound stupid... but I’ve been informed it's a layer 2 switch only).

    On the virtual machines I've added an internal NIC and an external NIC (the external NIC is dedicated on the VMware host and not shared with other port groups). What do I need to do to ensure I will have no problems when it comes to introducing the virtual machine into the existing cluster, please?

    I know a couple of you have set up NLB on VMWare for DA. Can someone kindly point me in the direction of some documentation specifically for this kind of setup, or, what would be more helpful, kindly explain what I need to do step by step?

    I've read VMWare's documentation but wanted to get some feedback from someone who has done a real world install.

    Do I need to set anything on the vSwitch, for example notify switches, allow MAC address changes etc?

    • Edited by gsm_2013 Wednesday, November 26, 2014 12:51 PM typo's
    Wednesday, November 26, 2014 12:49 PM

Answers

  • Hi All,

    I've managed to virtualize DA fully with Teredo/6to4/IP-Https all working. *** Operating in Multicast mode ****

    I have 6 hosts as part of a VMWare cluster; I allocated 1 port per host which is connected to the internet directly (no FW in between, except a switch).

    I then created a vSphere distributed switch/port group with the following settings

    Promiscuous mode: Reject

    Mac Address Changes: Accept

    Forged Transmits: Accept

    Notify Switches: Yes

    Once this had all been set up, the next step was to talk to our ISP to add the NLB cluster MAC address to their ARP table as a static entry pointing back to the external VIPs.

    Because I already had DA in place on two physical servers, I changed the NLB settings from unicast to multicast, and yes, when I did this on the internal network I lost the IPv6 address from the NLB settings (so make sure you make a note of it to put it back).

    Changing to multicast might cause the servers to become unresponsive (it did in my case). I waited a while and one came back, whilst the other needed a reset.

    Next step was to introduce a 3rd node and evict one of the physical servers, so I built a virtual machine.

    Basic spec (4GB 1Vcpu 4cores) 2012 R2

    Two network cards

    Internal (on the same vlan as the physical servers)

    External (connected to the new port group I created above)

    I also (probably didn’t need to) set a static mac address on the VM for both network cards.

    Allocated an external IP address to the external NIC on the VM and made sure I can ping google etc.

    Copied the settings from the physical servers, i.e. removed the GW from the internal NIC on the VM, added the static route etc etc.

    Installed the SSL certificate on the 3rd node.

    Introduced the 3rd node into the existing DA cluster and made sure to move the VM into the DA servers OU so it gets the DA server policy.

    In NLB Manager the 3rd host was showing as “misconfigured”.

    Logged onto the 3rd node (VM), launched NLB Manager, noticed it was set to unicast – changed to multicast, brought the node online.

    Once everything was showing green and I could see connections to the 3rd host, I removed one of the physical servers from the cluster using the DA console.

    So back down to two nodes.

    Waited 24 hours

    Introduced the 2nd VM (the 3rd node again in this case), following the same steps as above.

    Removed remaining physical host from DA cluster.



    • Marked as answer by gsm_2013 Monday, December 8, 2014 9:02 AM
    • Edited by gsm_2013 Monday, December 8, 2014 9:05 AM
    Monday, December 8, 2014 9:01 AM
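The step above that bit the poster, losing the IPv6 VIP when the cluster is switched from unicast to multicast, can be made repeatable from PowerShell. This is an added example, not the poster's own script; it assumes the NLB-bound adapter is named `External`, that the NetworkLoadBalancingClusters module is present on the node, and that `Get-NlbClusterVip` returns a `SubnetMask` value that `Add-NlbClusterVip` accepts unchanged for IPv6 as well as IPv4.

```powershell
# Added example (not from the thread). Run on an existing NLB node before changing
# the cluster operation mode, so any VIP the mode change drops can be put back.
Import-Module NetworkLoadBalancingClusters

$iface  = 'External'                                   # assumed adapter name
$backup = Join-Path $env:TEMP 'nlb-vips-before-multicast.csv'

# 1. Record every cluster VIP (IPv4 and IPv6) before touching the operation mode.
$cluster = Get-NlbCluster -InterfaceName $iface
$vips    = @(Get-NlbClusterVip -InterfaceName $iface)
$vips | Select-Object IPAddress, SubnetMask |
    Export-Csv -Path $backup -NoTypeInformation
Write-Host ("Cluster {0} is in {1} mode; {2} VIP(s) saved to {3}" -f `
    $cluster.Name, $cluster.OperationMode, $vips.Count, $backup)

# 2. Switch to multicast. The thread reports nodes can go unresponsive here,
#    so do this from a console session, not over the cluster VIP.
Set-NlbCluster -InterfaceName $iface -OperationMode Multicast | Out-Null

# 3. Re-add any VIP the mode change removed (in the thread, the IPv6 address).
$remaining = @(Get-NlbClusterVip -InterfaceName $iface | ForEach-Object { $_.IPAddress })
foreach ($saved in Import-Csv -Path $backup) {
    if ($remaining -notcontains $saved.IPAddress) {
        Write-Host "Restoring VIP $($saved.IPAddress)/$($saved.SubnetMask)"
        Add-NlbClusterVip -InterfaceName $iface `
            -IP $saved.IPAddress -SubnetMask $saved.SubnetMask | Out-Null
    }
}

# 4. Verify: mode is Multicast and the VIP count matches the pre-change snapshot.
$cluster = Get-NlbCluster -InterfaceName $iface
$now     = @(Get-NlbClusterVip -InterfaceName $iface)
if ($cluster.OperationMode -ne 'Multicast' -or $now.Count -ne $vips.Count) {
    Write-Warning "Check NLB Manager: mode=$($cluster.OperationMode), VIPs=$($now.Count) (expected $($vips.Count))"
} else {
    Write-Host "OK: $($cluster.Name) in Multicast mode with all $($now.Count) VIP(s) present"
}
```

The CSV snapshot is the "note of it" the poster recommends; keep it until every node shows converged in NLB Manager.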

All replies

  • I do not claim to be 100% right, but I got DA NLB Unicast cluster (1vNIC each VM) working on VMWare by changing port group settings: notify switches - no; allow mac address changes - yes; forged transmit - yes.

    I had no luck finding documentation for NLB DA cluster on VMWare as well, so I just experimented and this setup works without problems (at least for now).


    Janis Berzins / Senior Infrastructure Solutions Consultant

    Thursday, November 27, 2014 3:48 PM
  • Hi There - I have done quite a few installs / configs on VMware using both Unicast and Multicast and it works as expected.

    Links to the relevant articles (which you probably have already) are here - http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006558

    http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1006525

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006778

    Which config you go for, unicast or multicast, will determine which VMware config you need. If it is multicast, the first physical switch your external VMware NIC is plugged into will be where you configure the ARP entries. I have also been in situations where, if using a NAT0 (no inspection rule on a firewall), an additional ARP entry for the VIP / DIPs is required. If using multicast and WNLB, also be aware that when you switch from unicast you will lose your IPv6 address from WNLB, so make sure you have a copy in Notepad to paste it back in. In terms of deployment / performance I have seen no visible difference between the two.

    Kr


    John Davies

    • Proposed as answer by Icon8000 Monday, December 8, 2014 12:00 PM
    Tuesday, December 2, 2014 1:36 PM
  • I will also refer you to this thread, which covers similar issues:

    https://social.technet.microsoft.com/Forums/forefront/en-US/f92ef335-6a3c-4fd8-8c25-393f3dd53b21/direct-access-nlb-setup-question?forum=forefrontedgeiag

    Kr


    John Davies

    • Proposed as answer by Icon8000 Monday, December 8, 2014 12:00 PM
    Tuesday, December 2, 2014 1:39 PM
  • Good work - hope the links helped a little

    Kr


    John Davies

    • Proposed as answer by Icon8000 Monday, December 8, 2014 12:00 PM
    Monday, December 8, 2014 12:00 PM