To design a scalable DirectAccess infrastructure, you must analyze the elements of a Forefront UAG DirectAccess deployment, and develop an implementation plan that considers the following factors:
- Performance—Which types of resources are most used by each server role in your Forefront UAG DirectAccess deployment? How will you monitor performance?
- Roles—Do servers in your Forefront UAG DirectAccess deployment perform multiple functions? How does this affect performance?
- Availability—Do you require 100 percent availability for all server roles in your deployment?
- Access profile—When and where does your network experience peak activity? Is the activity consistent or does it change over time?
This topic provides information on:
- Capacity planning for Forefront UAG DirectAccess servers
- Capacity planning for network location servers
- Capacity planning for CRL distribution points
Capacity planning for Forefront UAG DirectAccess servers
You can perform capacity planning for Forefront UAG DirectAccess servers by:
- Increasing the number of concurrent authentications—The MaxConcurrentApi value limits how many authentication calls the Forefront UAG DirectAccess server can have in progress with a domain controller at one time. If it has not been configured previously, set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaxConcurrentApi (REG_DWORD) registry value on the Forefront UAG DirectAccess servers to 5, and then restart the Netlogon service. The value is read only when the service starts, so the restart is required for the change to take effect.
- Using a Forefront UAG DirectAccess array with load balancing—You can expand the capacity of a single Forefront UAG DirectAccess server deployment by creating a load-balanced Forefront UAG array that provides high availability and scalability. For more information, see Configuring NLB for a Forefront UAG DirectAccess array.
- Using an external load balancer—You can expand the capacity of a single Forefront UAG DirectAccess server deployment by creating a Forefront UAG array that is load balanced by an external load balancer, which likewise provides high availability and scalability. For more information, see Configuring external load balancing for a Forefront UAG DirectAccess array.
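The following PowerShell script is an added example and is not part of the original Forefront UAG documentation. It applies the MaxConcurrentApi change described in the first bullet above, restarts Netlogon, and verifies the result. It assumes an elevated PowerShell session on the Forefront UAG DirectAccess server; the Netlogon performance counter names used in the final step are an assumption about the Windows build (they are not present on every release) and are treated as optional.

```powershell
# Added example (not from the Forefront UAG documentation): raise MaxConcurrentApi
# on a Forefront UAG DirectAccess server, restart Netlogon, and verify the setting.
# Run in an elevated PowerShell session on the UAG server.
$path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name   = 'MaxConcurrentApi'
$target = 5   # value recommended on this page

$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    # Value absent: Netlogon has been running with its built-in default
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $target | Out-Null
    Write-Host "Created $name = $target (was not set)"
}
elseif ($current -lt $target) {
    Set-ItemProperty -Path $path -Name $name -Value $target
    Write-Host "Raised $name from $current to $target"
}
else {
    Write-Host "$name is already $current; leaving it alone"
}

# Netlogon reads the value only at service start
Restart-Service -Name Netlogon -Force

# Verify the stored value and that the service came back
$applied = (Get-ItemProperty -Path $path -Name $name).$name
$svc = Get-Service -Name Netlogon
if ($applied -eq $target -and $svc.Status -eq 'Running') {
    Write-Host "OK: $name=$applied, Netlogon $($svc.Status)"
}
else {
    Write-Warning "Check failed: $name=$applied, Netlogon $($svc.Status)"
}

# Optional: see whether authentication calls are queuing behind the limit.
# Assumption: the Netlogon performance object (Semaphore Waiters/Timeouts) is
# present on this build; it ships with newer Windows Server releases and is
# absent on some older ones, so failure here is reported, not fatal.
try {
    Get-Counter -Counter '\Netlogon(_Total)\Semaphore Waiters', '\Netlogon(_Total)\Semaphore Timeouts' -ErrorAction Stop |
        Select-Object -ExpandProperty CounterSamples |
        ForEach-Object { '{0}: {1}' -f $_.Path, $_.CookedValue }
}
catch {
    Write-Host 'Netlogon performance counters are not available on this server'
}
```

A non-zero and growing Semaphore Waiters value after the change means the server is still saturating its pass-through authentication channel. Note that the setting caps calls in flight from the machine on which it is set: a domain controller that in turn forwards authentications across a trust is bounded by its own MaxConcurrentApi value, so raise it there as well if that chain exists.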
Capacity planning for network location servers
The network location function for DirectAccess should be placed on an intranet Web server. You must plan the capacity of the network location server so that it can handle all of the DirectAccess clients on your intranet performing intranet detection. Clients use the network location server to decide whether they are inside or outside the intranet; if it cannot respond, clients on the intranet conclude that they are on the Internet and attempt to use DirectAccess, so its availability matters as much as its throughput. To provide capacity for an Internet Information Services (IIS) 7.0-based Web server, see the documentation for the Web Server (IIS) role (http://go.microsoft.com/fwlink/?LinkId=169495) on Windows Server 2008 R2 or Windows Server 2008 for recommendations on scaling IIS capacity.
Capacity planning for CRL distribution points
The certificate revocation list (CRL) distribution points on the Internet for the IP-HTTPS certificate, and on the intranet for the network location certificate, can be located on Web or file servers. You must plan for the capacity of CRL distribution points so that your Internet-connected and intranet-connected DirectAccess clients can perform certificate revocation checking for the IP-HTTPS connection and for network location detection. A client on the Internet must retrieve the CRL for the IP-HTTPS certificate before the DirectAccess tunnel exists, so that distribution point must be reachable from the Internet without DirectAccess; likewise, a client on the intranet that cannot retrieve the CRL for the network location certificate fails network location detection.
For an Internet Information Services (IIS)-based Web server or a Windows-based file server, see the documentation for the Web Server (IIS) role (http://go.microsoft.com/fwlink/?LinkId=169495) and the File Services role on Windows Server 2008 R2 or Windows Server 2008 for recommendations on scaling capacity.
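The following PowerShell script is an added example, not code from the Forefront UAG documentation, covering both the network location server and the CRL distribution point sections above. It performs the checks a DirectAccess client relies on: it connects over HTTPS to the network location server URL and to the IP-HTTPS listener, builds each server certificate's chain with online revocation checking forced, lists the CRL distribution points embedded in the certificate, and downloads each HTTP CRL while timing it. The two URLs are placeholders (assumptions) to replace with your own; the script reports reachability only from the machine on which it runs, so run it once from an intranet client and once from an Internet client.

```powershell
# Added example (not from the Forefront UAG documentation): exercise the HTTPS
# and CRL fetches a DirectAccess client performs and report what it sees.
# The host names below are placeholders; substitute your own NLS and IP-HTTPS URLs.
$urls = @(
    'https://nls.corp.example.com/',     # network location server (reachable from the intranet only)
    'https://da.example.com/IPHTTPS'     # IP-HTTPS listener on the UAG server (reachable from the Internet)
)

function Get-ServerCertificate {
    param([string]$Url)
    # Accept any certificate at the TLS layer so the handshake completes and the
    # certificate can be captured; real validation happens in Test-Revocation.
    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 10000
        try { $req.GetResponse().Close() }
        catch [System.Net.WebException] { }   # an HTTP error (e.g. 404 from the IP-HTTPS URL) is fine; only the handshake matters
        $raw = $req.ServicePoint.Certificate
        if ($null -eq $raw) { return $null }  # no certificate means the TLS handshake never completed
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
    }
    finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }
}

function Test-Revocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # force a CRL/OCSP fetch rather than a cached answer
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $valid = $chain.Build($Cert)
    # RevocationStatusUnknown / OfflineRevocation here means the CDP could not be reached from this host
    $status = $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    return @{ Valid = $valid; Status = $status }
}

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text with URL= entries
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($null -eq $ext) { return @() }
    return [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($url in $urls) {
    Write-Host "== $url"
    $cert = Get-ServerCertificate -Url $url
    if ($null -eq $cert) { Write-Host '  TLS handshake failed or host unreachable'; continue }
    Write-Host "  Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"

    $result = Test-Revocation -Cert $cert
    Write-Host "  Chain valid with online revocation checking: $($result.Valid)"
    $result.Status | ForEach-Object { Write-Host "    $_" }

    foreach ($cdp in Get-CrlDistributionPoints -Cert $cert) {
        if ($cdp -notmatch '^https?://') { Write-Host "  CDP $cdp (not HTTP, skipped)"; continue }
        try {
            $client = New-Object System.Net.WebClient
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $bytes = $client.DownloadData($cdp)
            $sw.Stop()
            # CRL size x client count x refresh frequency is the load the CDP must sustain
            Write-Host ('  CDP {0}: {1} bytes in {2} ms' -f $cdp, $bytes.Length, [int]$sw.ElapsedMilliseconds)
        }
        catch { Write-Host "  CDP $cdp unreachable: $($_.Exception.Message)" }
    }
}
```

A chain that builds with Valid = True and an empty status list is what a DirectAccess client needs to see; RevocationStatusUnknown or OfflineRevocation from the intranet for the network location certificate means intranet detection will fail, and the same result from the Internet for the IP-HTTPS certificate means the tunnel will not come up. The reported CRL size and fetch time, multiplied by the number of clients and the CRL publication interval, give the sizing input for the distribution point.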