I have 2 DA servers, both with 2 NICs (1 in the DMZ and 1 on the internal network). The second server has had the DA role installed, but not configured. I want to configure load balancing in the following manner:
- External\DMZ NIC using NLB
- Internal NIC using a hardware load balancer
All of the GUI and PowerShell options I've seen want to use the same load balancing method for both the internal and external interface; what I don't know is how to configure load balancing to accommodate a mixed load balancing setup.
In addition, I'm looking at using manage out with limited ISATAP applying to a single server; this server will then be used to RDP, remote assist, etc. to clients. I'm planning on following the process listed here: https://www.packtpub.com/books/content/configuring-manage-out-directaccess-clients. The manage out server will be on the same VLAN as my DA servers, and clients connect to the DA servers via IP-HTTPS. What I would like to know is whether I need to open any additional ports between my manage out server and the DA clients. My understanding is that using limited ISATAP, the manage out server's IPv6 traffic is routed via the DA servers and encapsulated in IPv4 over the internet, so therefore no additional ports need to be open, other than say 3389 on the DA client?
Not possible by design. I strongly recommend you forget about NLB and switch to HLB. Kemp provides a good implementation guide: http://directaccess.richardhicks.com/2015/02/05/directaccess-deployment-guide-for-kemp-loadmaster-load-balancers/ and you can even manage Kemp from DirectAccess to manage availability of the service: http://danstoncloud.com/blogs/simplebydesign/archive/2015/05/25/monitoring-directaccess-with-kemp.aspx
Manage-out: Yes, you will need to open ports on the DirectAccess clients, as all network traffic will be rejected because it is not initiated by the DirectAccess client itself. Required protocols need to be declared and NAT-Traversal needs to be allowed. I've documented remote management with Windows Remote Assistance here: http://danstoncloud.com/blogs/simplebydesign/archive/2014/07/30/windows-remote-assistance-between-directaccess-clients-made-easy-and-simple.aspx
For RDP, it's the same approach, except that the DirectAccess client needs to register its AAAA IPv6 address in internal DNS to allow you to resolve it. It's not required in Windows Remote Assistance, as all IPs (v4+v6) are included in the invitation file.
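One way to declare the inbound RDP rule with NAT traversal allowed on a DirectAccess client, as an added example that is not the poster's own; the rule name and the manage-out server address are placeholders, and in production the rule would be pushed through the DirectAccess client GPO rather than created locally:

```powershell
# Added example (not from the thread): inbound RDP rule for a DirectAccess client that
# only accepts the manage-out server and allows edge traversal (NAT-T) so the
# IP-HTTPS-encapsulated inbound connection is not rejected. Run as administrator.
$ManageOutHost = '2001:db8::10'   # placeholder ISATAP/IPv6 address, replace with the real one

function New-DaManageOutRdpRule {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [string]$Name = 'DirectAccess Manage-Out RDP (example)'
    )
    # Drop any stale copy so the function can be re-run safely
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Scope to TCP/3389 from the single manage-out server only; EdgeTraversalPolicy Allow
    # is the "NAT-Traversal" requirement from the answer above
    New-NetFirewallRule -DisplayName $Name `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteAddress `
        -Profile Domain,Private,Public `
        -EdgeTraversalPolicy Allow
}

function Test-DaManageOutRdpRule {
    param([string]$Name = 'DirectAccess Manage-Out RDP (example)')
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    # Returns $true only if the rule is enabled, limited to 3389, edge traversal is
    # allowed, and the remote scope is not left open to any address
    ($rule.Enabled -eq 'True') -and
    ($rule.EdgeTraversalPolicy -eq 'Allow') -and
    ($port.LocalPort -eq '3389') -and
    ($addr.RemoteAddress -ne 'Any')
}

New-DaManageOutRdpRule -RemoteAddress $ManageOutHost | Out-Null
Test-DaManageOutRdpRule
```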
Hi
A single load balancer can act as both front-end and back-end. Since Windows Server 2012, public IPv4 addresses are no longer mandatory, so from a security guy's point of view, it's much more acceptable. Not perfect, but more acceptable.
Hi,
Do you know of any articles on how I can configure this? The DA servers have 2 NICs (1 in the DMZ and 1 in the internal network). The HLB is in the internal network. Using the method you suggested, I'm guessing there's no point in having dual-NIC DA servers?
2 NICs are almost mandatory, but it is possible to do it with a single network card. Have a look at Richard Hicks' blog post: http://directaccess.richardhicks.com/2015/07/13/directaccess-single-nic-load-balancing-with-kemp-loadmaster/
IMO, even if it's possible, it's not my recommended deployment scenario. Remember, an HLB appliance may have more than two network interfaces.