Hi,
From an HLB point of view, DirectAccess gateways are operational unless it can detect a failure (no ICMP response message, HTTP return code not equal to 200). But if a failure occurs after the DirectAccess gateways, it's much more complicated to detect. The only way is to check the probes configured for your DirectAccess clients (the ones used to validate user IPsec tunnel establishment). Another approach is to use the DirectAccess PowerShell cmdlets to generate a monitoring status file to be read by the HLB. If the content of the monitoring status file is not OK, the DirectAccess gateway cannot be considered operational.
Hi BenoitS, Always good to have you on a thread. You have responded to some of my previous posts very well.
We are planning on doing something funky with the F5s to add further probes to the group, like you said, outputting something from the DA servers etc. for them to check, or similar, that ensures the DA servers themselves have corp access. I just wanted to make sure that this would be the only way forward.
When you say "The only way is to check the probes configured for your DirectAccess clients", you don't mean from the client end, do you? Obviously the corp probes within either NCA or DCA are just for visibility. As the client has no control over which server it would hit at an entry point, there would be no point in reconnecting to the same EP. I was wondering if the client would attempt the other entry point if the NCA/DCA probe failed. I totally doubt it, but wanted to ask.
Rgs
Hi,
By default, F5 offers limited capabilities to validate that a DirectAccess gateway is really available. Your DirectAccess clients use probes to test network connectivity (DCA/NCA). If clients can reach them (HTTP, HTTPS, PING), we consider that network connectivity is OK. From the HLB, you can test NLS availability. If it's OK, it proves that you can reach the internal network (the NLS should be as near to end users as possible). For DirectAccess, you can start with something like that.
Results should be stored in a text file on the DirectAccess gateway (there is also an IIS on it). F5 will be able to check the content of the file. If everything is OK, the gateway is operational. Otherwise, it's not and should be excluded from the endpoint list.
The script is just a POC and needs to be completed. Not sure it's helpful to have management servers in the results.
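The approach described in the reply above (DirectAccess cmdlets writing a status file that the F5 reads over the gateway's own IIS), as an added example that is not the poster's script and not part of the original thread. It combines the Get-RemoteAccessHealth check with an NLS probe from the gateway, so a gateway that still answers on IP-HTTPS but has lost its path into the corp network is also marked down. The file path, the NLS URL, the STATUS=OK / STATUS=FAIL verdict strings, treating "Disabled" components as non-failures, and the list of ignored components are all assumptions, not settings from the thread.

```powershell
# Added example, not the script from the original post.
# Writes a status file for an external load balancer (F5) HTTP monitor,
# based on the DirectAccess health model plus an NLS probe from the gateway.
# Assumed (not in the thread): $StatusFile, $NlsUrl, the verdict strings,
# the ignored component names, and "Disabled" counting as healthy.

Import-Module RemoteAccess

$StatusFile   = 'C:\inetpub\wwwroot\dahealth\status.txt'  # assumed: folder served by the gateway's IIS
$NlsUrl       = 'https://nls.corp.example.com/'            # assumed: internal NLS, proves corp reachability
$HealthyState = @('OK', 'Disabled')                        # assumed: disabled components are not failures
$IgnoreParts  = @('Management Servers')                    # the poster doubts these belong in the result

$lines  = @()
$failed = $false

# 1. Ask the DirectAccess health model (same data the Remote Access console shows).
try {
    $health = Get-RemoteAccessHealth -ErrorAction Stop
    foreach ($h in $health) {
        if ($IgnoreParts -contains $h.Component) { continue }
        $lines += ('{0}={1}' -f $h.Component, $h.HealthState)
        if ($HealthyState -notcontains $h.HealthState) { $failed = $true }
    }
} catch {
    $lines  += ('Get-RemoteAccessHealth=ERROR {0}' -f $_.Exception.Message)
    $failed  = $true
}

# 2. Probe the NLS from the gateway itself. A failure here means the gateway
#    cannot reach the corp network even if its external side still answers.
try {
    $resp   = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
    $lines += ('NLS={0}' -f $resp.StatusCode)
    if ($resp.StatusCode -ne 200) { $failed = $true }
} catch {
    $lines  += ('NLS=ERROR {0}' -f $_.Exception.Message)
    $failed  = $true
}

# 3. Put the verdict on the first line so the F5 receive string can match it,
#    then the details. Write to a temp file and rename so the monitor never
#    reads a half-written file.
$verdict = if ($failed) { 'FAIL' } else { 'OK' }
$content = @("STATUS=$verdict", "TIMESTAMP=$((Get-Date).ToString('o'))") + $lines
$tmp     = "$StatusFile.tmp"
Set-Content -Path $tmp -Value $content -Encoding ASCII
Move-Item -Path $tmp -Destination $StatusFile -Force

exit ([int]$failed)
```

Run it as a scheduled task every minute or two under an account that may query Remote Access health, and point the F5 HTTP monitor at /dahealth/status.txt with a receive string of STATUS=OK (any other content, or no 200 response, takes the gateway out of the pool). One caveat: if the scheduled task stops, the last file stays in place and keeps reading OK, so the monitor should also fail if the TIMESTAMP line is older than a few task intervals, or the task's failure should remove the file.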