Configuring external load balancing for a Forefront UAG DirectAccess array
Updated: February 1, 2011
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) supports external (non-Windows) network load balancers. This topic describes how to configure an array of Forefront UAG DirectAccess servers behind an external load balancer.
When configuring an external load balancer, the following elements must be configured:
The external load balancer.
The internal load balancer.
The perimeter network, Internet-facing side of each Forefront UAG DirectAccess server.
The perimeter network, intranet-facing side of each Forefront UAG DirectAccess server.
Configuring an external load balanced Forefront UAG DirectAccess server array
Before you begin, make sure that:
You have a working Forefront UAG array. For more information, see Implementing an array and load balancing design.
Forefront UAG DirectAccess is installed on the array manager. For more information, see Implementing a Forefront UAG DirectAccess deployment.
If the Forefront UAG DirectAccess server is currently configured as an ISATAP router and you want to continue using ISATAP, move the ISATAP router function to a separate computer.
Note
When an external ISATAP router is used, the Forefront UAG DirectAccess server must have a native IPv6 address on its internal-facing interface.
The external load balancer supports load balanced Forefront UAG DirectAccess. For a list of load balancing devices that support Forefront UAG DirectAccess, see Partners (https://go.microsoft.com/fwlink/?LinkId=166184).
You create the externally load balanced array of Forefront UAG DirectAccess servers by completing the following two procedures:
To configure DIPs and VIPs for an external load balanced Forefront UAG DirectAccess server array
To configure and apply the new configuration settings for an external load balanced Forefront UAG DirectAccess server array
The examples in the following sections are based on fictitious DIPs and VIPs, as shown in the following figure.
Note
A DIP (dedicated IP address) is the existing, per-node unique IP address; it is configured on each node by using Change adapter settings in the Windows Network and Sharing Center. DIPs must be configured on every member of the array. VIPs (virtual IP addresses) are configured on the external and internal load balancers, not on the array members.
To configure DIPs and VIPs for an external load balanced Forefront UAG DirectAccess server array
On the perimeter network Internet-facing side of each Forefront UAG DirectAccess server in the array, configure the following DIPs:
Two consecutive Internet-facing IPv4 DIPs (the DirectAccess Teredo server requires a pair of consecutive public IPv4 addresses); for example:
On DA1: 157.60.0.40, 157.60.0.41
On DA2: 157.60.0.50, 157.60.0.51
On DA3: 157.60.0.60, 157.60.0.61
On the perimeter network, internal-facing side of each Forefront UAG DirectAccess server in the array, configure the following DIPs:
An internal-facing IPv4 DIP; for example:
On DA1: 192.168.0.20
On DA2: 192.168.0.21
On DA3: 192.168.0.22
An internal-facing IPv6 DIP; for example:
On DA1: 2001:db8:1::20
On DA2: 2001:db8:1::21
On DA3: 2001:db8:1::22
On the external load balancer, configure two consecutive Internet-facing public IPv4 VIPs; for example: 192.0.2.30 and 192.0.2.31.
On the internal load balancer, configure a router VIP; for example: 2001:db8:2::30.
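The per-node DIP configuration above is typed by hand on every array member, which is where consecutive-address mistakes creep in. The following script is an added example and is not part of the Forefront UAG documentation: it derives the second public IPv4 DIP from the first, skips addresses that already exist on the node (the first DIP is normally the node's existing address), and then adds the missing ones with netsh, which is the correct tool on Windows Server 2008 R2 since the NetTCPIP PowerShell cmdlets did not yet exist there. The adapter names "External" and "Internal", the subnet masks and the /64 prefix length are assumptions; the addresses shown are DA1's from the example above, so change them for DA2 and DA3.

```powershell
# Added example (not from the Forefront UAG documentation). Run once on each
# array member with that member's own DIPs. Adapter names, masks and the IPv6
# prefix length are assumptions; addresses default to DA1's values from the text.
param(
    [string]$ExternalNic    = "External",
    [string]$InternalNic    = "Internal",
    [string]$FirstPublicDip = "157.60.0.40",   # second public DIP is derived: 157.60.0.41
    [string]$PublicMask     = "255.255.255.0",
    [string]$InternalV4Dip  = "192.168.0.20",
    [string]$InternalV4Mask = "255.255.255.0",
    [string]$InternalV6Dip  = "2001:db8:1::20",
    [int]$InternalV6Prefix  = 64
)

# Return the IPv4 address that immediately follows $Address, so the pair the
# Teredo server needs is guaranteed consecutive instead of typed twice by hand.
function Get-NextIPv4Address([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                              # network order -> little-endian
    $value = [BitConverter]::ToUInt32($bytes, 0) + 1
    if ($value -gt [uint32]::MaxValue) { throw "No successor for $Address" }
    $next = [BitConverter]::GetBytes([uint32]$value)
    [Array]::Reverse($next)
    return (New-Object System.Net.IPAddress (,$next)).ToString()
}

# True if "netsh interface <family> show addresses" already lists $Address on $Nic.
function Test-AddressPresent([string]$Family, [string]$Nic, [string]$Address) {
    $nicParam = if ($Family -eq "ipv4") { "name=$Nic" } else { "interface=$Nic" }
    $text = & netsh.exe interface $Family show addresses $nicParam | Out-String
    # Anchor on whitespace so 157.60.0.4 does not match 157.60.0.40.
    return ($text -match ("(^|\s)" + [regex]::Escape($Address) + "(\s|/|$)"))
}

# Add one DIP; $PrefixSuffix (e.g. "/64") is appended to the netsh address= value.
function Add-Dip([string]$Family, [string]$Nic, [string]$Address,
                 [string[]]$Extra = @(), [string]$PrefixSuffix = "") {
    if (Test-AddressPresent $Family $Nic $Address) {
        Write-Host "$Nic already has $Address; leaving it in place"
        return
    }
    $nicParam  = if ($Family -eq "ipv4") { "name=$Nic" } else { "interface=$Nic" }
    $netshArgs = @("interface", $Family, "add", "address", $nicParam,
                   "address=$Address$PrefixSuffix") + $Extra
    & netsh.exe @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($netshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
    Write-Host "Added $Address to $Nic"
}

$SecondPublicDip = Get-NextIPv4Address $FirstPublicDip

# Internet-facing side: the two consecutive public IPv4 DIPs.
Add-Dip ipv4 $ExternalNic $FirstPublicDip  @("mask=$PublicMask")
Add-Dip ipv4 $ExternalNic $SecondPublicDip @("mask=$PublicMask")

# Intranet-facing side: one IPv4 DIP and one native IPv6 DIP.
Add-Dip ipv4 $InternalNic $InternalV4Dip @("mask=$InternalV4Mask")
Add-Dip ipv6 $InternalNic $InternalV6Dip @() "/$InternalV6Prefix"

# Show the resulting addresses so they can be compared against the array plan.
netsh interface ipv4 show addresses name="$ExternalNic"
netsh interface ipv4 show addresses name="$InternalNic"
netsh interface ipv6 show addresses interface="$InternalNic"
```

Run it from an elevated PowerShell prompt on each node, for example `.\Set-DaDips.ps1 -FirstPublicDip 157.60.0.50 -InternalV4Dip 192.168.0.21 -InternalV6Dip 2001:db8:1::21` on DA2. The VIPs (192.0.2.30, 192.0.2.31 and 2001:db8:2::30) are deliberately not touched here; they belong on the load balancers, not on the array members.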
To configure and apply the new configuration settings for an external load balanced Forefront UAG DirectAccess server array
On the array manager, open the Forefront UAG Management console, and then click DirectAccess to start the Forefront UAG DirectAccess Configuration Wizard.
From the Forefront UAG DirectAccess Configuration Wizard, in the DirectAccess Server box, click Edit, and then on the Load Balancing page, click External Load Balancing. After you have successfully met all the requirements, the All prerequisites were met message appears. Click Next.
On the Connectivity page, make the following changes:
Enter a new First Internet-facing IPv4 address. This VIP is the first of the consecutive VIPs you configured on the external load balancer; for example 192.0.2.30. The second Internet-facing IPv4 address is automatically assigned.
Click Next three times, click Finish, click Generate Policies, and then click Apply Now or Export Script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.
From the Windows command prompt, run the command: gpupdate /force.
Note
Before activating the configuration in the Forefront UAG Management console, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:
- On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
- On the console, click Connection Security Rules.
- Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and show Yes in the Enabled column.
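The Group Policy refresh and the IPsec check above can be done from a single script instead of the console, which is useful when the same check has to be repeated on every array member. The following is an added example, not part of the Forefront UAG documentation: it runs gpupdate /force, parses the text that netsh advfirewall prints for each connection security rule, and refuses to report success unless at least one rule matching the name pattern exists and every matching rule is enabled. The pattern "DirectAccess" is an assumption about the rule names the wizard generates; adjust it to the names you see in Windows Firewall with Advanced Security.

```powershell
# Added example (not from the Forefront UAG documentation). Run on each array
# member after the policies have been applied and before activating the
# configuration. The rule-name pattern is an assumption.
param([string]$RulePattern = "DirectAccess")

# Step from the procedure: pull the freshly generated Group Policy.
gpupdate /force | Out-Null

# Turn netsh's one-block-per-rule text output into objects with Name and Enabled.
function Get-ConsecRule {
    $lines = & netsh.exe advfirewall consec show rule name=all
    # netsh exits non-zero when no rules match; treat that as "no rules found".
    if ($LASTEXITCODE -ne 0) { return }
    $rule = $null
    foreach ($line in $lines) {
        if ($line -match '^Rule Name:\s*(.+?)\s*$') {
            if ($rule) { $rule }                       # emit the previous block
            $rule = New-Object PSObject -Property @{ Name = $Matches[1]; Enabled = $false }
        } elseif ($rule -and $line -match '^Enabled:\s*(\S+)') {
            $rule.Enabled = ($Matches[1] -eq 'Yes')
        }
    }
    if ($rule) { $rule }                               # emit the last block
}

# @() keeps $daRules an array even when exactly one rule matches.
$daRules = @(Get-ConsecRule | Where-Object { $_.Name -like "*$RulePattern*" })

if ($daRules.Count -eq 0) {
    Write-Error "No connection security rules matching '$RulePattern'; do not activate yet."
    exit 1
}

$daRules | Format-Table Name, Enabled -AutoSize

$disabled = @($daRules | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Error ("Disabled rules: " + (($disabled | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}

Write-Host "All $($daRules.Count) rules matching '$RulePattern' are enabled; the IPsec configuration is in effect."
```

A non-zero exit code means the IPsec rules are not in effect on that node, so wait (or investigate Group Policy application) rather than clicking Activate in the Forefront UAG Management console.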
From the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
Wait for all of the array members to synchronize. You can confirm synchronization as follows:
On the taskbar, click Start, click All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Activation Monitor.
On the console, in the left pane, click each array member and confirm that in the right pane, the UAG DirectAccess configuration was activated successfully message appears for each array member.