Where to put ISATAP router in GSLB DA?

Hi,

We are planning an external load balanced 2012 DA array with Manage Out capability.  One external load balancer will be placed outside the DA Gateways (internet facing), the other inside (corpnet facing).  Our internal network is IPv4 with no plans to upgrade to IPv6.  My question relates to where to place the ISATAP router role.  The choice is: on one DA Gateway, on all the DA Gateways, or on a separate dedicated server?

Davies' Understanding IPv6 (3rd Ed) p.321 says:

"A Windows Server 2012-based ISATAP router can now use virtual IP addresses (VIPs). This allows you to configure ISATAP router to use Windows Network Load Balancing (NLB) in a cluster."

Does this mean we can make all DA Gateway servers ISATAP routers and add a VIP to the inner hardware load balancer and it will split ISATAP traffic to the multiple ISATAP routers?

Many thanks,

Calliper


  • Edited by Calliper Monday, January 20, 2014 12:50 PM
January 19th, 2014 10:07pm

Hi,

That's an interesting subject.

Yes, ISATAP can rely on NLB for high-availability scenarios, but I'm not sure you can co-locate the DA Gateway with ISATAP routers.

Moreover, the real challenge is how a client computer located on your LAN will be able to initiate IPv6 communication through the DirectAccess Gateway to which the targeted DirectAccess client is connected (NLB does not have this information). From an NLB point of view, all nodes can provide IPv6 connectivity as long as they are up and running, but which DirectAccess Gateway is the good endpoint? That's a tricky question.

My two cents: for those scenarios I have another answer. Why not initiate remote control from a DirectAccess client connected to the Internet? We just need to secure communication between both clients with additional IPv6 tunnels. From a support point of view, if the DirectAccess client used by the support team is able to operate over DirectAccess, the DirectAccess Gateway is probably not the root cause of the user's problems. That closes many troubleshooting hypotheses.

Hope my two cents can help.

January 20th, 2014 7:31pm

Hi,

Thanks for your response.  Yes this blog:

http://blogs.technet.com/b/mspfe/archive/2013/01/24/how-to-configure-directaccess-in-windows-server-2012-to-work-with-an-external-hardware-load-balancer.aspx

says "In this scenario, there are two options: place an external load balancer that supports ISATAP on the internal network and enable ISATAP on either DirectAccess servers"

So since we are using a load balancer on the internal network (as well as outside the DA servers), we should enable ISATAP on one ("either"), but not all DA servers?  Can someone confirm?

According to F5, a record of the DA Gateway a DA Client is connected to can be stored in a table on the inner load balancer device through the use of iRules.  Are you saying that instead of using Manage Out, your support teams use a DirectAccess Client themselves and initiate a connection (eg RDP) DA Client --> DA Client?

Many thanks.

January 21st, 2014 5:56pm

Hi,

Yes, that's another approach. The only point to consider is to create connection security rules to protect the protocols (Windows Remote Assistance, SCCM remote control, RDP). With this scenario you don't need to have ISATAP on your LAN.

January 24th, 2014 4:16am
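As an added illustration of the client-to-client approach described in the reply above (this is example code, not from the thread's participants or from Microsoft documentation), the following PowerShell creates Windows Firewall connection security rules that require IPsec for the management protocols named in the thread, and then allows inbound RDP only from authenticated, authorized support staff. The CA subject name, the `CORP\DA-Support` group, the rule names, and the port assignments (3389 for RDP and Remote Assistance, 2701 for SCCM remote control) are assumptions for this example; check them against your own environment.

```powershell
# Added example (not from the original thread): IPsec connection security rules
# so DirectAccess client -> DirectAccess client management traffic is protected
# end to end, independent of which DA Gateway either client is connected to.
# Run elevated on the DA client image or push via GPO-equivalent settings.

# --- Phase 1 (main mode): authenticate the computer with its certificate ---
# The issuing root CA subject below is an assumption; replace with your CA.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "CN=Corp-Root-CA" -AuthorityType Root
$p1Set = New-NetIPsecPhase1AuthSet `
    -DisplayName "DA Client Mgmt - Phase1 (machine cert)" -Proposal $p1Proposal

# --- Phase 2 (quick mode): additionally authenticate the logged-on user (Kerberos) ---
# This is what lets the firewall rule later restrict access to a support group.
$p2Proposal = New-NetIPsecAuthProposal -User -Kerberos
$p2Set = New-NetIPsecPhase2AuthSet `
    -DisplayName "DA Client Mgmt - Phase2 (user Kerberos)" -Proposal $p2Proposal

# --- Connection security rules: require IPsec inbound, request it outbound ---
# Ports are assumptions: RDP / Remote Assistance use 3389, SCCM remote control 2701.
$mgmtPorts = @{ "RDP and Remote Assistance" = 3389; "SCCM Remote Control" = 2701 }
foreach ($svc in $mgmtPorts.GetEnumerator()) {
    New-NetIPsecRule -DisplayName "DA Client Mgmt - $($svc.Key)" `
        -Protocol TCP -LocalPort $svc.Value `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $p1Set.Name -Phase2AuthSet $p2Set.Name `
        -Mode Transport -Profile Any -Enabled True
}

# --- Firewall rule: allow inbound RDP only if the IPsec peer is an authorized user ---
# Group name is an assumption; the SID is resolved at run time and expressed as SDDL.
$supportSid = (New-Object System.Security.Principal.NTAccount("CORP\DA-Support")).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$remoteUserSddl = "O:LSD:(A;;CC;;;$supportSid)"
New-NetFirewallRule -DisplayName "DA Client Mgmt - Allow RDP from support (IPsec)" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -RemoteUser $remoteUserSddl -Profile Any

# --- Verification: list the rules, then (after a test RDP session) the live SAs ---
Get-NetIPsecRule -DisplayName "DA Client Mgmt*" |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemotePort, EncapsulationMode
```

The main-mode and quick-mode SA listings are the check that the protection is actually in place: a support-to-user RDP session should show a quick-mode SA to the peer's IPv6 address on port 3389, and an unauthenticated connection attempt should be dropped by the inbound rule rather than falling back to cleartext.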
