Forefront Unified Access Gateway (UAG) supports the use of external network load balancer functionality. This topic provides information about how to configure an external Network Load Balancing (NLB) array for Forefront UAG DirectAccess servers.
When configuring an external load balancer, the following elements must be configured:
- The external load balancer.
- The internal load balancer.
- The perimeter network Internet-facing side of the Forefront UAG DirectAccess server.
- The perimeter network intranet-facing side of the Forefront UAG DirectAccess server.
Configuring an external load balanced Forefront UAG DirectAccess server array
Before you begin, make sure that:
- You have a working Forefront UAG array. For more information, see Implementing an array and load balancing design.
- Forefront UAG DirectAccess is installed on the array manager. For more information, see Implementing a Forefront UAG DirectAccess deployment.
- If the Forefront UAG DirectAccess server is currently configured as an ISATAP router and you want to continue using ISATAP, move the ISATAP router function to a separate computer.
  Note: When an external ISATAP router is configured, the Forefront UAG DirectAccess server must have a native IPv6 address on its internal-facing interface.
- The external load balancer supports load balanced Forefront UAG DirectAccess. For a list of load balancing devices that support Forefront UAG DirectAccess, see Partners (http://go.microsoft.com/fwlink/?LinkId=166184).
You complete the creation of an external Network Load Balancing (NLB) array for Forefront UAG DirectAccess servers by doing the following:
- Configuring DIPs and VIPs for an external load balanced Forefront UAG DirectAccess server array
- Reconfiguring and applying the new configuration settings for an external load balanced Forefront UAG DirectAccess server array
The examples in the following sections are based on fictitious DIPs and VIPs, as shown in the following figure.
Note: A DIP is the existing per-node unique IP address and is configured by using Change adapter settings in the Windows Network and Sharing Center. DIPs must be configured on all members of the array. VIPs are configured on the external and internal load balancers.
To configure DIPs and VIPs for an external load balanced Forefront UAG DirectAccess server array
- On the perimeter network Internet-facing side of each Forefront UAG DirectAccess server in the array, configure the following DIPs:
  - Two consecutive Internet-facing IPv4 DIPs; for example:
    - On DA1: 157.60.0.40, 157.60.0.41
    - On DA2: 157.60.0.50, 157.60.0.51
    - On DA3: 157.60.0.60, 157.60.0.61
- On the perimeter network internal-facing side of each Forefront UAG DirectAccess server in the array, configure the following DIPs:
  - An internal-facing IPv4 DIP; for example:
    - On DA1: 192.168.0.20
    - On DA2: 192.168.0.21
    - On DA3: 192.168.0.22
  - An internal-facing IPv6 DIP; for example:
    - On DA1: 2001:db8:1::20
    - On DA2: 2001:db8:1::21
    - On DA3: 2001:db8:1::22
- On the external load balancer, configure two consecutive Internet-facing public IPv4 VIPs; for example: 192.0.2.30 and 192.0.2.31.
- On the internal load balancer, configure a router VIP; for example: 2001:db8:2::30.
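As an added example (not part of the original page), the following Python script checks an address plan against the rules in the procedure above: two consecutive Internet-facing IPv4 DIPs per node, one internal-facing IPv4 and one IPv6 DIP per node, two consecutive IPv4 VIPs on the external load balancer and an IPv6 router VIP on the internal load balancer. The plan data is constructed from the fictitious addresses on this page; the check that no address is reused between nodes or between DIPs and VIPs is an added assumption.

```python
import ipaddress

# Constructed sample plan using the fictitious DIPs and VIPs from this page.
PLAN = {
    "external_vips": ["192.0.2.30", "192.0.2.31"],   # external load balancer
    "internal_router_vip": "2001:db8:2::30",         # internal load balancer
    "nodes": {
        "DA1": {"internet_dips": ["157.60.0.40", "157.60.0.41"],
                "internal_ipv4": "192.168.0.20", "internal_ipv6": "2001:db8:1::20"},
        "DA2": {"internet_dips": ["157.60.0.50", "157.60.0.51"],
                "internal_ipv4": "192.168.0.21", "internal_ipv6": "2001:db8:1::21"},
        "DA3": {"internet_dips": ["157.60.0.60", "157.60.0.61"],
                "internal_ipv4": "192.168.0.22", "internal_ipv6": "2001:db8:1::22"},
    },
}

def consecutive_ipv4(pair):
    """True when pair holds exactly two IPv4 addresses and the second is the first + 1."""
    if len(pair) != 2:
        return False
    a, b = (ipaddress.ip_address(x) for x in pair)
    return a.version == 4 and b.version == 4 and b == a + 1

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan satisfies the rules above."""
    problems = []
    if not consecutive_ipv4(plan["external_vips"]):
        problems.append("external load balancer: VIPs must be two consecutive IPv4 addresses")
    if ipaddress.ip_address(plan["internal_router_vip"]).version != 6:
        problems.append("internal load balancer: router VIP must be an IPv6 address")
    # Every address tagged with its owner, so duplicates and DIP/VIP collisions are caught
    # (added assumption: an address may appear only once in the whole plan).
    owners = {ipaddress.ip_address(v): "external VIP" for v in plan["external_vips"]}
    owners[ipaddress.ip_address(plan["internal_router_vip"])] = "router VIP"
    for name, node in plan["nodes"].items():
        if not consecutive_ipv4(node["internet_dips"]):
            problems.append(f"{name}: Internet-facing DIPs must be two consecutive IPv4 addresses")
        if ipaddress.ip_address(node["internal_ipv4"]).version != 4:
            problems.append(f"{name}: internal-facing IPv4 DIP is not an IPv4 address")
        if ipaddress.ip_address(node["internal_ipv6"]).version != 6:
            problems.append(f"{name}: internal-facing IPv6 DIP is not an IPv6 address")
        for raw in node["internet_dips"] + [node["internal_ipv4"], node["internal_ipv6"]]:
            addr = ipaddress.ip_address(raw)
            if addr in owners:
                problems.append(f"{name}: {raw} is already used by {owners[addr]}")
            owners[addr] = f"{name} DIP"
    return problems

if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan OK"]:
        print(line)
```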
To configure and apply the new configuration settings for an external load balanced Forefront UAG DirectAccess server array
- On the array manager, open the Forefront UAG Management console, and then click DirectAccess to start the Forefront UAG DirectAccess Configuration Wizard.
- From the Forefront UAG DirectAccess Configuration Wizard, in the DirectAccess Server box, click Edit, and then on the Load Balancing page, click External Load Balancing. After you have successfully met all the requirements, the All prerequisites were met message appears. Click Next.
- On the Connectivity page, make the following change:
  - Enter a new First Internet-facing IPv4 address. This VIP is the first of the consecutive VIPs you configured on the external load balancer; for example, 192.0.2.30. The second Internet-facing IPv4 address is automatically assigned.
- Click Next three times, click Finish, click Generate Policies, and then click Apply Now or Export Script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.
- From the Windows command prompt, run the command: gpupdate /force.
Note: Before activating the configuration in the Forefront UAG Management console, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:
  - On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
  - In the console, click Connection Security Rules.
  - Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and show Yes in the Enabled column.
- From the Forefront UAG Management console, click the Activate configuration icon, and then in the Activate Configuration dialog box, click Activate.
- Wait for all of the array members to synchronize. You can confirm synchronization as follows:
  - On the taskbar, click Start, click All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Activation Monitor.
  - In the console, in the left pane, click each array member and confirm that, in the right pane, the UAG DirectAccess configuration was activated successfully message appears for each array member.