This topic provides information about how to configure a Network Load Balancing (NLB) array for Forefront UAG DirectAccess servers.

Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2, with additional functionality that enables load balancing of Forefront UAG DirectAccess servers. Forefront UAG NLB provides load balancing for up to 8 Forefront UAG DirectAccess array members.

Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess based traffic. To load balance all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunneling for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible (for information about IP-HTTPS, see Connectivity). To enable load balancing of IP-HTTPS traffic, you must allocate an IPv6 prefix wide enough for Forefront UAG to assign a different IPv6 /64 prefix to each node. For example, 2 array members require a /63 prefix, and 8 array members require a /61 prefix; in both cases the allocation lets Forefront UAG define one /64 prefix per array member. This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess configuration. For more information, see Configuring IPv6 prefix addresses.

Note:
Manual configuration of an IP-HTTPS prefix is only required in scenarios in which ISATAP is not deployed on the Forefront UAG DirectAccess server. When ISATAP is deployed on the Forefront UAG DirectAccess server, IPv6 prefixes are automatically configured. For more information about scenarios, see Assigning IP addresses to the server interfaces. Scenarios 3 and 6 are the scenarios where IPv6 is not deployed on the internal network.
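The prefix sizing rule above (2 members need a /63, 8 need a /61, one /64 per node) can be planned and checked before touching the server. The following Python script is an added example, not part of the original article or of Forefront UAG; it generalizes the rule to any member count, splits an allocated prefix into per-node /64 blocks, and refuses allocations that are too narrow. The allocated prefix 2001:db8:1::/61, the member names, and the assumption that the internal IPv6 DIPs and VIP from the article (2001:db8::18, ::19, ::30) sit in 2001:db8::/64 are constructed for the example.

```python
import ipaddress

PER_NODE_PREFIX = 64  # Forefront UAG assigns one /64 to each array member


def required_prefix_length(member_count: int) -> int:
    """Return the longest prefix length that still yields one /64 per member.

    Example: 2 members -> 63, 8 members -> 61, 1 member -> 64, 3 members -> 62.
    (member_count - 1).bit_length() is the number of bits needed to number
    the members, which is exactly how many bits must be borrowed from /64.
    """
    if member_count < 1:
        raise ValueError("member_count must be at least 1")
    return PER_NODE_PREFIX - (member_count - 1).bit_length()


def assign_node_prefixes(allocated: str, member_names) -> dict:
    """Split the allocated IP-HTTPS prefix into one /64 per array member.

    Raises ValueError if the allocation is narrower than the member count
    requires, so the mistake is caught at planning time rather than when
    the DirectAccess configuration fails to activate.
    """
    net = ipaddress.IPv6Network(allocated, strict=True)
    needed = required_prefix_length(len(member_names))
    if net.prefixlen > needed:
        raise ValueError(
            f"{net} is too narrow for {len(member_names)} members; "
            f"allocate at least a /{needed}"
        )
    blocks = net.subnets(new_prefix=PER_NODE_PREFIX)  # ascending /64s
    return {name: next(blocks) for name in member_names}


def overlaps_internal_subnet(allocated: str, internal_subnet: str) -> bool:
    """The IP-HTTPS prefix must be routed *to* the array, so it must not be
    carved out of the subnet the array's internal DIPs/VIP already live in."""
    return ipaddress.IPv6Network(allocated).overlaps(
        ipaddress.IPv6Network(internal_subnet)
    )


if __name__ == "__main__":
    # Constructed planning input: an 8-node array on a /61.
    members = [f"uag{i}" for i in range(1, 9)]
    plan = assign_node_prefixes("2001:db8:1::/61", members)
    for name, block in plan.items():
        print(f"{name}: {block}")
    # Assumed internal subnet for 2001:db8::18/::19/::30 (not stated on the page).
    print("overlaps internal:", overlaps_internal_subnet("2001:db8:1::/61", "2001:db8::/64"))
```

The table the script prints is the per-node allocation you would expect Forefront UAG to hand out from that prefix; the ValueError path is the check worth running whenever the member count changes, because a /62 that was fine for four nodes silently stops being enough at five.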

You can migrate from a single-node Forefront UAG DirectAccess server to a Forefront UAG DirectAccess NLB array, without changing the Internet-facing and internal facing IPv4 addresses. This results in the following:

When configuring a Forefront UAG DirectAccess NLB array, you must configure the dedicated IP (DIP) addresses and static virtual IP (VIP) addresses on the array manager:

The following sections describe:

Examples of IP configuration in a single server deployment, and DIP and VIP address configuration in an array

These examples have fictitious DIP and VIP addresses, and are used in the following section that describes how to set up a Forefront UAG DirectAccess network load balanced array from a single server Forefront UAG DirectAccess deployment.

Single node and array

Creating a Forefront UAG DirectAccess network load balanced array from a single server Forefront UAG DirectAccess deployment

The following procedures describe how to set up a Forefront UAG DirectAccess network load balanced array from a single server Forefront UAG DirectAccess deployment.

Before you begin, make sure that:

  • You have a fully working single server Forefront UAG DirectAccess deployment.

  • The deployed Forefront UAG DirectAccess server was configured as a single server when configuring the Forefront UAG Getting Started Wizard.

  • You install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members, if you intend to use an ISATAP interface on the Forefront UAG DirectAccess server (as described in scenarios 3 and 6, in Assigning IP addresses to the server interfaces).

  • You import the certificate that is used for IP-HTTPS authentication to the computer personal store on any new array members.

Note:
DirectAccess clients may lose connectivity to the Forefront UAG DirectAccess server during the creation of the network load balanced array from a single server Forefront UAG DirectAccess deployment.
Note:
If you are running Forefront UAG in a virtual machine on a server that is running Hyper-V, and you want to configure NLB, on the properties of the virtual network adapter, select the Enable spoofing of MAC addresses check box. If you do not enable the setting, no warning is issued, but the behavior of the server after you configure NLB may be unpredictable. For more information, see How to Configure Network Adapters for a Virtual Machine (http://go.microsoft.com/fwlink/?LinkId=180395).

You complete the creation of a Forefront UAG DirectAccess network load balanced array from a Forefront UAG DirectAccess single server deployment by completing the following steps:

  1. Updating the ISATAP record in the DNS server to include future VIPs and DIPs

  2. Changing the single server IP configuration

  3. Changing the single server to an array manager

  4. Adding a node to the array

  5. Configuring NLB on the array manager

  6. Reconfiguring and applying the new configuration settings for Forefront UAG DirectAccess

  7. Starting NLB

  8. Adding a new member to a working NLB array

Updating the ISATAP record in the DNS server to include future VIPs and DIPs

  1. Change the ISATAP record in the DNS server to include the new VIPs and DIPs: 10.0.0.18, 10.0.0.19, and 10.0.0.30.

    Note:
    Skip this step if you have IPv6 deployed on your internal network.
  2. If you are using an ISATAP interface on the Forefront UAG DirectAccess server (as described in scenarios 3 and 6, in Assigning IP addresses to the server interfaces), make sure that you install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members.

Changing the single server IP configuration

  1. Change the current IP addresses on the Forefront UAG DirectAccess single server to DIPs, as follows:

    1. Current IPv4 address: 192.0.2.30 TO new DIP address: 192.0.2.18.

    2. Remove the 192.0.2.31 IPv4 address.

    3. Current IPv4 address: 10.0.0.30 TO new DIP address: 10.0.0.18.

    4. Current IPv6 address: 2001:db8::30 TO new DIP address: 2001:db8::18 (to be configured when IPv6 is deployed on your internal network).

Changing the single server to an array manager

  1. Make sure that the Internet-facing and internal network facing DIPs on the standalone Forefront UAG DirectAccess server are configured.

  2. In the Forefront UAG Management console, on the Admin menu, click Network Interfaces to start the Network Configuration Wizard.

  3. Configure the network settings, as follows:

    1. From the Define Network Adapters screen, specify to which networks the network adapters are connected by assigning them to the Internal and External networks.

    2. From the Define Internal Network IP Address Range screen, configure the internal network IP address range, if it is required, and complete the Network configuration Wizard.

  4. On the Admin menu, click Array Management to start the Array Management Wizard.

    Define your server topology, as follows:

    1. From the Configure Array settings screen, click Set this server as the array manager.

    2. From the Specify Array Credentials screen, enter the credentials required to access the array manager.

    3. From the Defining Managed Server Computers screen, add the Forefront UAG servers that will be configured as array members, and complete the wizard.

      Note:
      Managed server computers are identified by their internal facing IPv4 DIP. You should enter the internal facing IPv4 DIP for each server that will be a member of the array. If you add another server to the array, you must add it to the list of managed server computers.
  5. Close the Forefront UAG Management console on the array manager. Click Yes to save the changes before exiting.

Adding a node to the array

  1. Configure DIPs on the new node that is joining the array (if not previously configured). These include an Internet-facing static IPv4 address (DIP)—192.0.2.19, an internal network facing static IPv4 address (DIP)—10.0.0.19, and 2001:db8::19 (if you have IPv6 deployed on the internal network).

    Note:
    • Make sure that you have added the server to the managed server computers list on the array manager (see step 4c above).

    • Make sure that the certificate that is used for IP-HTTPS authentication has been imported to the computer personal store on the new node.

  2. Install Forefront UAG on the new node. The Getting Started Wizard starts. For more information, see Running the Getting Started Wizard.

  3. Configure the network settings, as follows:

    1. From the Define Network Adapters screen, specify to which networks the network adapters are connected by assigning them to the Internal and External networks.

    2. From the Define Internal Network IP Address Range screen, configure the internal network IP address range if it is required, and complete the Network configuration Wizard.

  4. Define your server topology, as follows:

    1. From the Select Configuration screen, click Array member, click Next two times, and then from the Configure Array Settings screen, click Add this server to an array.

    2. From the Select Server screen, enter the IP address or FQDN of the array manager, and the credentials required to access the array manager.

      Note:
      The credentials must be those of a user who belongs to a Forefront UAG group that has the correct permissions to add array members.
    3. Complete the wizard, make sure that the server successfully joined the array, and exit the Forefront UAG Management console (this is the default option).

      Note:
      After the Forefront UAG array is created, you must perform all Forefront UAG Management console configuration from the array manager.

Configuring NLB on the array manager

  1. On the array manager, open the Forefront UAG Management console, click the Admin menu, and then click Network Load Balancing.

    Warning:
    If the Forefront UAG Management console was open when the new node was joined to the array, restart the Forefront UAG Management console.
  2. Configure the following VIPs:

    Note:
    Forefront UAG DirectAccess supports NLB only in Unicast mode; multicast modes are not supported.
    • An Internet-facing IPv4 VIP—192.0.2.30.

    • An Internet-facing IPv4 VIP—192.0.2.31.

    • An internal network facing IPv4 VIP—10.0.0.30.

    • An internal network facing IPv6 VIP—2001:db8::30 (to be configured when IPv6 is deployed on your internal network).

Reconfiguring and applying the new configuration settings for Forefront UAG DirectAccess

  1. On the array manager, open the Forefront UAG Management console, and then click DirectAccess to start the Forefront UAG DirectAccess Configuration Wizard.

  2. From the Forefront UAG DirectAccess Configuration Wizard, in the DirectAccess Server box, click Edit, click Windows Network Load Balancing, and then click Next.

  3. On the Connectivity page, make the following changes:

    1. Assign a new First Internet-facing IPv4 address. The new IP address should be the first of the sequential Internet-facing IPv4 VIPs configured in NLB (192.0.2.30).

    2. If IPv6 is not deployed on your internal network, assign a new Internal IPv4 address. The new IPv4 address should be the internal network facing IPv4 VIP address configured in NLB: 10.0.0.30. If IPv6 is deployed on the internal network, assign an Internal IPv6 interface: 2001:db8::30.

  4. Click Next two times, and then click Finish.

  5. From the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

    Important:
    If you receive the error message "The UAG DirectAccess configuration cannot be activated. The selected internal IPv6 address cannot be found on this server", repeat the activation in step 5.
  6. Wait for all of the array members to synchronize. You can confirm synchronization, as follows:

    1. On the taskbar, click Start, click All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Activation Monitor.

    2. On the console, in the left pane, click each array member and confirm that the message "UAG DirectAccess configuration was activated successfully" appears in the right pane for each array member.

  7. On the taskbar, click Start, point to Administrative Tools, click Group Policy Management, open the Domain tree, click the domain in which Forefront UAG DirectAccess is deployed, and then click the UAG DirectAccess: DA server object. In Security Filtering, add the computer name of the new node, click OK, and then exit Group Policy Management.

    Note:
    Alternatively, you can click Generate Policies from the Forefront UAG DirectAccess Configuration Wizard, and reapply them. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.
  8. On the new node, from the Windows command prompt, run the command: gpupdate /force.

    Note:
    Before starting NLB on the new node, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:
    1. On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

    2. On the console, click Connection Security Rules.

    3. Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and show Yes in the Enabled column.

Starting NLB

  1. On the array manager, open the Forefront UAG Management console, and then, on the Admin menu, click Web Monitor.

  2. In the left pane, under Array Monitor node, click Current Status.

  3. In the Array Monitor – Current Status pane, select the nodes that will be part of the array, and then in the Action list, select Start, and then click Apply. When completed successfully, the Array Status for the node should be synched and converged. For more information, see Managing load balanced array members.

Adding a new member to a working NLB array

  1. If you are using an ISATAP interface on the Forefront UAG DirectAccess server, (as described in scenarios 3 and 6, in Assigning IP addresses to the server interfaces), make sure that you install the Windows NLB Hotfix (KB977342) (http://go.microsoft.com/fwlink/?LinkId=178582) on all Forefront UAG DirectAccess array members.

  2. Configure DIP addresses on the new node that is joining the array (if not previously configured). These include an Internet-facing static IPv4 DIP address, an internal network facing static IPv4 DIP address, and an internal network facing static IPv6 DIP address (to be configured when IPv6 is deployed on your internal network).

    Note:
    • Add the DIP address of the new node to the ISATAP record on the DNS server, if not previously added.

    • Make sure that you have added the server to the managed server computers list on the array manager (see step 4c in Changing the single server to an array manager).

    • Make sure that the certificate that is used for IP-HTTPS authentication has been imported to the computer personal store on the new node.

  3. Install Forefront UAG on the new node. The Getting Started Wizard starts. For more information, see Running the Getting Started Wizard.

  4. Configure the network settings, as follows:

    1. From the Define Network Adapters screen, specify to which networks the network adapters are connected by assigning them to the Internal and External networks.

    2. From the Define Internal Network IP Address Range screen, configure the internal network IP address range if it is required, and complete the Network configuration Wizard.

  5. Define your server topology, as follows:

    1. From the Select Configuration screen, click Array member, click Next two times, and then from the Configure Array Settings screen, click Add this server to an array.

    2. From the Select Server screen, enter the IP address or FQDN of the array manager, and the credentials required to access the array manager.

      Note:
      The credentials must be those of a user who belongs to a Forefront UAG group that has the correct permissions to add an array member.
    3. Complete the wizard, make sure that the server successfully joined the array, and exit the Forefront UAG Management console (this is the default option).

  6. On the array manager:

    Warning:
    If the Forefront UAG Management console was open when the new node was joined to the array, restart the Forefront UAG Management console.
    1. From the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

    2. Wait for all the array members to synchronize. You can confirm synchronization, as follows:

      1. On the taskbar, click Start, click All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Activation Monitor.

      2. On the console, in the left pane, click each array member and confirm that the message "UAG DirectAccess configuration was activated successfully" appears in the right pane for each array member.

  7. On the taskbar, click Start, point to Administrative Tools, click Group Policy Management, open the Domain tree, and then click the UAG DirectAccess server object. In Security Filtering, add the computer name of the new node, click OK, and then exit Group Policy Management.

    Note:
    Alternatively, you can click Generate Policies from the Forefront UAG DirectAccess Configuration Wizard, and reapply them.
  8. On the new array member, from the Windows command prompt, run the command: gpupdate /force.

  9. On the array manager, open the Forefront UAG Management console:

    1. On the Admin menu, click Web Monitor.

    2. In the left pane, under Array Monitor, click Current Status.

    3. In the Array Monitor – Current Status pane, select the new node that will be part of the array, and then in the Action list, select Start, and then click Apply. When completed successfully, the Array Status for the nodes should be synched and converged. For more information, see Managing load balanced array members.