DirectAccess with external NLB wizard failing

Windows Server 2012 Direct Access with External NLB

Hi! (Yaniv Naor and Shuresh Chandra, please reply)

I'm trying to implement this at a customer site and I'm having a hard time finding documentation and solutions. The wizard is failing:

"Required IP addresses have not been provided. Specify at least 123.123.123.123 as InternetVirtualIPAddress."

Here is what I've done:

Windows 2012 Server DA1 installed with Remote Access Role and Direct Access is working fine (tested). Two network cards, one external and one Internal. Installed in Edge mode. Internal IP 10.10.10.10 External IP 123.123.123.120

Windows 2012 Server DA2 installed with Remote Access Role installed. Not configured. Internal IP 10.10.10.10 External IP 123.123.123.121

The IP address 123.123.123.123 is an available IP address given during the wizard when it asks for External DIP.

I have several questions:

1. Why is the wizard asking for External and Internal DIP when I am using an external NLB? The server should not bother with these settings since all virtual/dedicated IPs are handled by the External NLB.

2. I have to provide an external DIP during the wizard. It says that my current primary DIP (the one set on the external network card) will be used as the cluster VIP. Again referring to Q1. How am I going to get the wizard to leave these addresses alone? The Cluster VIP is already taken on the External NLB box with IP 123.123.123.200.

3. In my current configuration, what IPs should I input in the wizard to make this work?

I've read through the following workarounds which were necessary to make the wizard run at all:

http://gallery.technet.microsoft.com/scriptcenter/Workaround-for-DirectAccess-a8e7aa8b

Are there any ways to manually implement the external NLB through PowerShell?

Thank you for any help. It seems we are among the very first to implement this.

Emil Rakoczy

December 21st, 2012 3:23pm

I've found out some things by myself.

1. The wizard is asking for an internal Dedicated IP address because it will assume that the IP you have set on your EXTERNAL NIC will continue to be the address you will use for the cluster. In other words, the point of contact that you have already distributed to all your clients. Not a bad idea, but in my case a huge hassle. It will save you the trouble of recreating A records in the DNS if you've used a DNS name as a point of contact, or recreating certificates for your external IP etc.

Anyhow. I don't understand why the wizard has to be so wizardish. It's what I hated about wizards when they first showed up in Windows 95. They take away control during configuration. I want the wizard to ask me if I want to change the external/internal IPs of the current DA box, and instead tell me that I must remember to set an external IP on my NLB box. The way it is today is just not working.

2. Haven't found any ways here to override the wizard yet. And I don't understand what the internal VIP is going to do exactly. Are they going to cluster themselves internally? Confused.

3. I'm waiting with the configuration. The Workaround broke my solution.

How to correct a broken DA solution? Go into the Remote Access console. Select Remove Configuration. It deletes all GPOs etc. Run the setup wizard again to recreate a new configuration from scratch. Takes only 4-5 minutes and leaves the rest of the installation intact (roles, certificates etc).

I have contacted MS on this matter, awaiting an answer. Will keep you posted.

Emil

December 26th, 2012 5:56pm

Did you have any result? I've got the same error. I'm trying to use Windows load balancing on the internal and external NICs
February 8th, 2013 3:07pm

Nothing and nobody seems to care. :/ Had to drop putting up a second DA server.

Emil

February 8th, 2013 8:11pm

I found this but I can't get it to work

http://gallery.technet.microsoft.com/scriptcenter/Workaround-for-DirectAccess-8af8fb1c

Basically I think you need forced tunnelling on. I don't know if I enable it then disable it I may be able to get the config in?

What did MS come back to you with? Do you have support?

I'm going to log a call with them if I can't get it fixed

February 8th, 2013 8:57pm

It makes no sense to demand forced tunnelling in order to get NLB to work. Force tunnelling is just forcing all network traffic from the clients to go through the DA server. I.e. absolutely all traffic, even internet surfing.

Haven't heard anything from MS no, the support case supposedly was logged by the customer itself. Don't think it was done.

To me it just looks like an unfinished feature, and they didn't need to do anything because it's seldom used. Please do log a case at MS and tell me if you find out anything :)

Emil

February 8th, 2013 10:31pm

There have been some hotfixes for 2012 DA, one of which might be relevant to the issue described:

http://support.microsoft.com/kb/2748603

http://www.evrenbanger.com/2013/01/directaccess-hotfix-summary/

February 15th, 2013 5:20pm

Hi,

I have created a step-by-step video on Windows Server 2012 Direct Access in a cluster with Windows NLB and want to share it with all.

Windows Server 2012 Direct Access in a Cluster with Windows NLB Part 1

http://www.youtube.com/watch?v=8N8Uf_r7GPg

Windows Server 2012 Direct Access in a Cluster with Windows NLB Part 2

http://www.youtube.com/watch?v=xb8onRKZvqI

Hope this will help

February 18th, 2013 8:09am

Hello,

I had the same issue. First of all you need to copy the script for the NLB to a text file for editing.

Mentioned here: http://technet.microsoft.com/en-us/library/jj134175.aspx

But additionally, you need to add the second internet address as well, in the command line.

Then it worked fine for me

March 18th, 2013 10:11am

These were very helpful - thanks!
May 18th, 2014 4:23pm

I think I know the answer to your question. It's because the DirectAccess wizard thinks that you have to use "TEREDO" and on your server it can't find a second external IP address. So, you need to configure a second IP address on your external interface. For example: FirstExtIP - 123.123.123.120 and SecondExtIP - 123.123.123.121. After that you can continue configuring your server using this not very smart wizard.
July 30th, 2015 10:38am
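
A pre-flight check for the second-external-address point raised in the reply above, as an added PowerShell example that is not from any poster in this thread. It assumes the DirectAccess requirement that Teredo needs two consecutive public IPv4 addresses on the external adapter; the function name, the `External` adapter alias and the sample list (built from the thread's placeholder addresses) are assumptions.

```powershell
# Added example, not from the thread. Finds two consecutive public IPv4
# addresses in a list, which Teredo on a DirectAccess edge server needs.
function Find-ConsecutivePublicIPv4 {          # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Address)

    $public = foreach ($a in $Address) {
        $b = ([System.Net.IPAddress]::Parse($a)).GetAddressBytes()
        if ($b.Length -ne 4) { continue }      # ignore IPv6 entries

        # RFC 1918, loopback and link-local ranges do not count as public.
        $nonPublic = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
                     ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                     ($b[0] -eq 192 -and $b[1] -eq 168) -or
                     ($b[0] -eq 169 -and $b[1] -eq 254)
        if ($nonPublic) { continue }

        # Keep the text form plus a numeric form for sorting and comparison.
        [pscustomobject]@{
            Address = $a
            Value   = ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor
                      ([int64]$b[2] -shl 8) -bor [int64]$b[3]
        }
    }

    $sorted = @($public | Sort-Object Value)
    for ($i = 0; $i -lt $sorted.Count - 1; $i++) {
        if ($sorted[$i + 1].Value -eq $sorted[$i].Value + 1) {
            return [pscustomobject]@{
                First  = $sorted[$i].Address
                Second = $sorted[$i + 1].Address
            }
        }
    }
    return $null                               # no consecutive public pair
}

# Constructed sample using the thread's placeholder addresses.
$sample = '10.10.10.10', '123.123.123.120', '123.123.123.121'
$pair = Find-ConsecutivePublicIPv4 -Address $sample
if ($pair) {
    "Consecutive public pair: $($pair.First), $($pair.Second)"
} else {
    'No two consecutive public IPv4 addresses found.'
}

# On a live server (adapter alias 'External' is an assumption):
# Find-ConsecutivePublicIPv4 -Address (Get-NetIPAddress -InterfaceAlias 'External' -AddressFamily IPv4).IPAddress
```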

This topic is archived. No further replies will be accepted.
