UAG Direct Access Multiple ISPs, Sites and HA

  • Question

  • Hi, I posted a thread back in July 2010 about site resilience in UAG Direct Access (details below). I was wondering whether there has been any update, workaround or resolution on this?

    Thanks in advance.

    UAG Direct Access Multiple ISPs, Sites and HA



    I am looking for some clarification/guidance on setting up resilience in UAG Direct Access. I am looking to achieve high availability using 2 ISPs and 2 subnets if possible. We have 2 sites (A and B). Both A and B have independent internet connections and a separate link together. Ideally I would like to implement UAG Direct Access in an active/passive mode with site A being the primary site; if the server goes down or the internet connection drops, clients would fail over to site B for the Direct Access connection. As both sites are on different subnets and have different internet connections I am unable to use an array (I believe, anyway).

    It is a simple function that the likes of Cisco etc… have been providing for years but it does not seem possible with UAG direct access.


    Any help would be appreciated.



    Thursday, May 12, 2011 11:39 AM


All replies

  • Thursday, May 12, 2011 2:25 PM
  • Hi Ciaran,


    Must agree with Jason about no further information regarding supported scenarios/setup.
    I'm currently in the stage of testing the effects of a multi-site setup that shouldn't be a problem for you to adjust to your specific needs if you wanted.

    It is basically editing/creating new GPOs like discussed in http://technet.microsoft.com/en-us/library/ff625682%28WS.10%29.aspx

    Let me know if you're interested in the setup notes once I'm done testing.
    I'm planning to write a little summary regarding it anyway, when I know everything works. :)


    The basic setup in my scenario is the following:

    - Only IPHTTPS is enabled

    - Native IPv6 is deployed internally

    - The DNS record for the IPHTTPS interface is used to redirect the users to the correct site. (This is of course not done by UAG)

    - IPSec tunnels are established to each site.

    - Each site has different external IP ranges.


    The reason for the requirements above is more or less that it fits the environment where I need to deploy it. :)


    Best wishes, Jonas Blom

    • Edited by Jonas Blom Thursday, May 12, 2011 3:43 PM fixed the text layout
    Thursday, May 12, 2011 3:39 PM
  • Interesting Jonas...that setup makes sense, although it has limited real world appeal and IPHTTPS will impact performance.

    Looking forward to your write up! :)



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 12, 2011 3:44 PM
  • Yes, the scenario that Jonas is laying out should work just fine. Of course, per Tom's article if your multi-site goals can factor in manual distribution of your users then UAG is capable of handling that scenario now. But if you are looking for an automatic failover, there are a couple of tricks that can be used. One would be a VLAN stretch, so your UAG servers that are in different sites actually think they are sitting right next to each other and would act as normal load balanced devices, automatically failing over if one was unavailable.

    However...most companies don't have that option. If you cannot stretch a VLAN, then I have seen the situation Jonas is doing work successfully. With two sites running DirectAccess, one a primary where everyone connects (unless it goes offline), then switching over to a secondary. The catch is, and I assume this is partly why Jonas is using IP-HTTPS only, is that Teredo cannot be "swung" other than at the client level right now. Teredo points from the laptop directly at an IP address, and so unless your ISP can swing your IPs to Datacenter B for you, Teredo is not going to connect. However, IP-HTTPS contacts a DNS name, so it is still technically a manual cutover, but an easy one to accomplish in that you can simply change your external DNS host record and have your IP-HTTPS connections swing to Datacenter B.

    I don't think that moving to an "IP-HTTPS only" environment is necessary, you could allow Teredo to be utilized at Datacenter A so you have a more efficient connection, and in the case of a failure and a swing of the DNS over to Datacenter B, Teredo would simply be unable to connect and would therefore fall back on IP-HTTPS which would connect successfully through Datacenter B. Once IP-HTTPS is connected to Datacenter B, you could utilize the DirectAccess tunnels to push new Group Policy settings down to the clients and swing their Teredo connection over as well in theory, and then they would pretty quickly have a fully working Teredo connection to Datacenter B, bringing them back to their normal speed. (since Teredo is faster than IP-HTTPS)

    Thursday, May 12, 2011 6:50 PM
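The cutover Jordan describes above, together with the DNS-record redirection in Jonas's setup, as an added example that is not from the thread and not part of UAG: a PowerShell script for a Windows 7 DirectAccess client that reports which site the public IP-HTTPS name currently resolves to, shows the client's Teredo and IP-HTTPS state, and with `-Apply` repoints Teredo at the target site's server. The IP-HTTPS URL is deliberately left untouched, because it is configured as a name and the public A record does the swinging; Teredo is configured as an IPv4 address, so it has to be changed on the client (or in the client GPO). The FQDN `da.example.com`, the site letters and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```powershell
<#
  Added example (not from the thread, not UAG's own tooling).
  Run elevated on a Windows 7 DirectAccess client; uses netsh only, so no PS 3.0 cmdlets are needed.
  Usage:  .\Set-DaSite.ps1 -Site B            # report only
          .\Set-DaSite.ps1 -Site B -Apply     # repoint Teredo at site B
#>
param(
    [ValidateSet('A', 'B')]
    [string] $Site = 'A',
    [switch] $Apply          # without -Apply the script only reports
)

# Assumed topology (placeholder names and TEST-NET addresses):
#  - one IP-HTTPS FQDN whose public A record is swung between the two data centres
#  - a distinct Teredo server IPv4 address per site (Teredo points at an IP, not a name,
#    so the client-side setting itself must change on failover)
$IpHttpsFqdn = 'da.example.com'
$Sites = @{
    A = @{ Teredo = '203.0.113.10';  IpHttpsIp = '203.0.113.20'  }
    B = @{ Teredo = '198.51.100.10'; IpHttpsIp = '198.51.100.20' }
}
$Target = $Sites[$Site]

# 1. Which site does the public DNS record currently point to?
#    System.Net.Dns works on PS 2.0; Resolve-DnsName only exists from Windows 8 / PS 3.0.
$resolved = [System.Net.Dns]::GetHostAddresses($IpHttpsFqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$dnsEntry = $Sites.GetEnumerator() | Where-Object { $resolved -contains $_.Value.IpHttpsIp }
$dnsSite  = if ($dnsEntry) { $dnsEntry.Key } else { 'unknown' }
Write-Host "DNS for $IpHttpsFqdn -> $($resolved -join ', ') (site: $dnsSite)"

# 2. Current transition-technology state on this client
Write-Host '--- Teredo ---'
netsh interface teredo show state
Write-Host '--- IP-HTTPS ---'
netsh interface httpstunnel show interfaces

# 3. Cutover: repoint Teredo at the target site's server. enterpriseclient is the type
#    DirectAccess uses so Teredo is still attempted from managed networks.
if ($Apply) {
    if ($dnsSite -ne $Site) {
        Write-Warning "Public DNS still points at site $dnsSite; IP-HTTPS will keep landing there until the A record is changed."
    }
    $teredoServer = $Target.Teredo
    netsh interface teredo set state type=enterpriseclient "servername=$teredoServer"
    # Drop the cached A record so the IP-HTTPS tunnel picks up the swung name on reconnect
    ipconfig /flushdns | Out-Null
    Write-Host "Teredo server set to $teredoServer for site $Site."
    Write-Host 'Caveat: the UAG DirectAccess client GPO rewrites these values at the next policy refresh;'
    Write-Host '        put the same Teredo server name in the GPO for the change to stick.'
}
```

The `netsh` change is what the script can do ad hoc; as Jordan notes, the durable form of the same change is the Teredo server value in the DirectAccess client GPO (the policy values live under `HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition`), pushed over the IP-HTTPS tunnel once clients have landed at the secondary site. Until the public A record is actually repointed, the script's warning is the expected output: the DNS swing is the manual step, and nothing on the client can substitute for it.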
  • Useful comments Jordan

    I've used the stretched VLAN solution and it works well, although I don't believe it is "officially" supported by MS at this time :(

    I think the best (albeit most expensive) option is to virtualise the public IP addresses used by DA clients completely using some form of global load balancing solution. This way the connectivity "just works" in the event of data centre failover and the DA client needs no changes or concept of doing anything different.



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 12, 2011 10:45 PM
  • Hi again,

    Yes, I knew that the IPHTTPS part would come up :)

    There are two reasons I have chosen this approach (at least initially).

    Basically my setup has the two sites on different continents where users travel between them.
    So they should primarily use the one closest to them, but with a failover if that one goes down for some reason.

    The other reason is K-I-S-S :)
    (Once one has gotten through setting up the IPHTTPS part it's rather simple to add the source subnets for Teredo and activate that for the users' primary site if wanted.)

    And like Jordan says, it works just fine..
    My testing right now is to determine what possible drawbacks may occur regarding the user experience (logon/logoff, fileaccess and so on). :)


    Friday, May 13, 2011 4:59 AM
  • thanks for all the responses guys. Great to see some movement in this area.

    From a personal point of view native IPv6 is a bit of an issue at present, so it looks like no resilience for me :(

    Stretched VLANs was the original design we had; the telco had to back out.

    As Microsoft do not officially support this, I will have to wait.

    Thanks Again,


    Friday, May 13, 2011 9:57 AM
  • Jason, if you (or someone else) wanted to read about the setup I mentioned above, I have finally gotten the time to finish it. :)
    You can find it at http://blog.nrpt.se/multi-site-redundancy-uag-directaccess/

    Best wishes,
    Jonas Blom


    Friday, May 27, 2011 3:37 PM
  • Hi Jonas,

    I had a look at your article. I wanted to know whether this can work with Teredo. What is the environment you used? A single domain across all locations or multiple domains? And if the client is on the internet, how does the client detect the closest location? I would like to get clarity as I am also working to get multisite UAG/DA to succeed. How does the manually created GPO take effect alongside the automated GPO created by the UAG management console?

    Sorry for the multiple questions. I'm eagerly waiting to get the response and happy to see that multisite UAG/DA is still possible.

    Thank you

    Thursday, July 26, 2012 3:24 AM
  • Glad to hear you liked it.

    Included the answers to the questions, along with your questions, in the comments to the article :)

    Best wishes,
    Jonas Blom

    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, July 26, 2012 6:21 PM