DirectAccess Scaling and High Availability


I was asked at today’s TechNet Unleashed event in Malvern, PA what the scalability and high availability options were with DirectAccess in Windows Server 2008 R2. I wasn’t certain, but thought that NLB was an option, so I said I would find out. Well, here are the results of my research. I found a detailed description on Configuring a network load balanced array for Forefront UAG DirectAccess. (Click here for more information.)

What’s Forefront UAG you ask?

Forefront Unified Access Gateway (UAG) provides remote access to applications, networks, and internal resources from diverse client endpoints through a single point of entry.

Forefront Unified Access Gateway (UAG) is a remote access solution that provides a gateway for managed and non-managed endpoints to access corporate applications and resources, as follows:

  • Remote access: Remote users can access internal applications and resources from a diverse range of endpoints and locations. Users can access Web and non-Web applications, gain full VPN access to corporate networks, and access internal file shares and structures. Forefront UAG can act as a consolidated gateway providing access to multiple internal applications via a single portal, or provide access to a single Web application.
  • Application intelligence: Broad application support is provided for a wide range of Microsoft and third-party applications. Customizable application optimizer modules are predefined for specific applications. Optimizers consist of predefined settings and values that provide optimum settings for accessing a specific application via a Forefront UAG site. Default values and settings are based on in-depth research into application behavior, browser-server interactions, and endpoint requirements.
  • Security and access control: Forefront UAG enhances security and increases corporate compliance with granular remote access control. Control mechanisms include policy-based access controls, user authentication, and authorization for portal applications.
  • Frontend and backend authentication: Forefront UAG allows you to preauthenticate clients for session and application access, before requests are passed to backend servers published via Forefront UAG. Forefront UAG also provides a single sign-on authentication experience by delegating credentials to backend applications that require authentication.

From the Configuring a network load balanced array for Forefront UAG DirectAccess page linked above:

This topic provides information about how to configure a Network Load Balancing (NLB) array for Forefront UAG DirectAccess.

Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2 with additional functionality that enables load balancing of Forefront UAG DirectAccess servers. Forefront UAG NLB provides load balancing for up to 8 Forefront UAG DirectAccess array members.

Forefront UAG enables load balancing of SSL based traffic in addition to Forefront UAG DirectAccess based traffic. In order to do load balancing for all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunneling for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible (for more information, see Connectivity). To enable IP-HTTPS traffic to be load balanced, you must allocate a wide enough IPv6 prefix to enable the Forefront UAG to assign a different IPv6 /64 prefix to each of the nodes. For example, 2 array members require a /63 prefix (which enables Forefront UAG to define a /64 address for each array member); 8 array members require a /61 prefix (which enables Forefront UAG to define a /64 address for each array member). This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess Configuration. For more information, see Configuring IPv6 prefix addresses.
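The prefix arithmetic above is easy to get wrong when planning an array, so here is a small Python helper I put together (an added example, not code from the TechNet article or from Forefront UAG) that works out the narrowest prefix that still leaves a distinct /64 per array member and then carves the per-node /64s out of a parent prefix. The parent prefix 2001:db8:1:8::/61 is a constructed documentation-range value, not one from the page.

```python
import ipaddress
import math


def required_prefix_length(array_members: int) -> int:
    """Narrowest prefix length that still yields one distinct /64 per node.

    Matches the TechNet figures: 2 members -> /63, 8 members -> /61.
    Forefront UAG NLB supports at most 8 DirectAccess array members.
    """
    if not 1 <= array_members <= 8:
        raise ValueError("Forefront UAG NLB supports 1 to 8 array members")
    # Each extra doubling of members needs one more bit taken from the /64.
    return 64 - math.ceil(math.log2(array_members))


def assign_node_prefixes(parent_prefix: str, array_members: int) -> list:
    """Validate the routable parent prefix and hand each node its own /64.

    Raises ValueError if the prefix is narrower than the array needs,
    which is the misconfiguration that would stop IP-HTTPS clients from
    being load balanced across all nodes.
    """
    # strict=True rejects a prefix with host bits set, e.g. 2001:db8:1:9::/61.
    parent = ipaddress.IPv6Network(parent_prefix, strict=True)
    needed = required_prefix_length(array_members)
    if parent.prefixlen > needed:
        raise ValueError(
            f"{parent} is too narrow: {array_members} array members need "
            f"a /{needed} or wider prefix"
        )
    per_node = list(parent.subnets(new_prefix=64))
    # Only as many /64s as there are nodes; the rest of a wider prefix is spare.
    return [str(subnet) for subnet in per_node[:array_members]]


if __name__ == "__main__":
    # Constructed planning run for an 8-node array (the UAG NLB maximum).
    for node, prefix in enumerate(assign_node_prefixes("2001:db8:1:8::/61", 8), 1):
        print(f"array member {node}: {prefix}")
```

Run it before filling in the prefix during the Forefront UAG DirectAccess Configuration; a ValueError tells you the prefix you were handed is too narrow for the planned array size.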