DirectAccess - Load Balancing Outage
Ok very quick question in terms of failover. I have two load balanced arrays for DirectAccess across 2 entry points. What would happen if one of the servers lost access to the internal network but still had access to the external network and was still able to allow clients to connect? I presume this DA box will still service clients and any connected clients will fail to communicate with the internal network. Is there any way to ensure that if the client is not communicating through the server it will try and reconnect somewhere else?
April 22nd, 2015 5:46am

Hi,

From an HLB point of view, DirectAccess gateways are operational unless it can detect a failure (no ICMP response message, HTTP return code not equal to 200). But if a failure occurs behind the DirectAccess gateways, it's much more complicated to detect. The only way is to check the probes configured for your DirectAccess clients (the ones used to validate user IPsec tunnel establishment). One other approach is to use the DirectAccess PowerShell cmdlets to generate a monitoring status file to be read by the HLB. If the content of the monitoring status file is not OK, the DirectAccess gateway cannot be considered operational.

April 22nd, 2015 1:13pm

Hi BenoitS, Always good to have you on a thread. You have responded to some of my previous posts very well.

We are planning on doing something funky with the F5s to add further probes to the group, like you said, outputting something from the DA servers etc. for them to check, or similar, that ensures the DA servers themselves have corp access. I just wanted to make sure that this would be the only way forward.

When you say "The only way is to check the probes configured for your DirectAccess clients"

You don't mean from the client end, do you? Obviously the corp probes within either NCA or DCA are just for visibility. As the client has no control over which server it would hit at an entry point, there would be no point in reconnecting to the same EP. I was wondering if the client would attempt the other entry point if the NCA/DCA probe failed. I totally doubt it, but wanted to ask.

Rgs

April 22nd, 2015 3:42pm

Hi,

By default F5 offers limited capabilities to validate that a DirectAccess gateway is really available. Your DirectAccess clients are using probes to test network connectivity (DCA/NCA). If clients can reach them (HTTP, HTTPS, PING), we consider that network connectivity is OK. From the HLB, you can test NLS availability. If it's OK, it proves that you can reach the internal network (the NLS should be as near to end users as possible). For DirectAccess, you can start with something like that.


 

Results should be stored in a text file on the DirectAccess gateway (there is also an IIS on it). F5 will be able to check the content of the file. If everything is OK, the gateway is operational. Otherwise, it's not and should be excluded from the endpoint list.

The script is just a POC and needs to be completed. Not sure it's helpful to have management servers in the results.
 

April 22nd, 2015 3:55pm
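The gateway-side status file described in the reply above, as an added example that is not BenoitS's script nor part of the DirectAccess product: it runs on the DA gateway, probes the NLS and a couple of internal hosts, optionally consults Get-RemoteAccessHealth if the RemoteAccess module is present, and writes an OK/FAIL summary into the IIS web root for the HLB to fetch. The NLS URL, internal host names and file path are placeholders you would replace with your own.

```powershell
# Added example: DirectAccess gateway corp-reachability self-check for an HLB probe.
# Placeholders (assumptions, not values from the thread):
$NlsUrl        = 'https://nls.corp.example/'                  # your NLS URL
$InternalHosts = @('dc01.corp.example', 'probe01.corp.example') # hosts behind the gateway
$StatusFile    = 'C:\inetpub\wwwroot\dastatus.txt'            # served by the gateway's IIS

$checks = @()

# 1. NLS reachable over HTTPS from the gateway: a 200 proves the internal path works.
try {
    $r = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
    $checks += [pscustomobject]@{ Name = 'NLS'; Ok = ($r.StatusCode -eq 200) }
} catch {
    $checks += [pscustomobject]@{ Name = 'NLS'; Ok = $false }
}

# 2. Internal hosts answer ICMP (needs DNS resolution and ICMP allowed inbound on them).
foreach ($h in $InternalHosts) {
    $ok = Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Name = "Host:$h"; Ok = [bool]$ok }
}

# 3. Optional: treat any component in Error state as a failure (assumes the
#    RemoteAccess module's HealthState values; skipped if the cmdlet is absent).
if (Get-Command Get-RemoteAccessHealth -ErrorAction SilentlyContinue) {
    $bad = Get-RemoteAccessHealth -ErrorAction SilentlyContinue |
           Where-Object { $_.HealthState -eq 'Error' }
    $checks += [pscustomobject]@{ Name = 'RemoteAccessHealth'; Ok = (-not $bad) }
}

$allOk  = (($checks | Where-Object { -not $_.Ok }) | Measure-Object).Count -eq 0
$status = if ($allOk) { 'OK' } else { 'FAIL' }

# First line is what the HLB receive-string matches on; the rest is for operators.
$body = @("STATUS=$status", "TIMESTAMP=$((Get-Date).ToString('o'))") +
        ($checks | ForEach-Object { "$($_.Name)=$(if ($_.Ok) { 'OK' } else { 'FAIL' })" })

# Write to a temp file and move it into place so the HLB never reads a half-written file.
$tmp = "$StatusFile.tmp"
Set-Content -Path $tmp -Value $body -Encoding ASCII
Move-Item -Path $tmp -Destination $StatusFile -Force
```

Schedule it every minute or so with Task Scheduler and point an F5 HTTP monitor at /dastatus.txt with a receive string of STATUS=OK; a stale file is also a failure, so consider having the monitor or a second check compare TIMESTAMP against the current time.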

Thanks for your help, you've given me some good things to think about. Till next time my friend
April 22nd, 2015 4:35pm

You're welcome. One day I will be publishing the full solution on my blog.
April 22nd, 2015 4:36pm

Really interesting question and very useful info. Thanks Benoits and Graham!
April 23rd, 2015 4:40am
