Tuesday, 2 April 2013

Useful Guide: Troubleshooting DirectAccess Manage Out Connections

I’ve discussed the concept of ‘Manage Out’ for Forefront UAG DirectAccess and also more recently for Windows Server 2012 DirectAccess; both of which can be a cause of pain when implementing and supporting a DirectAccess solution using either platform. One of my MCS colleagues in NYC, Colin Brown has written an excellent troubleshooting guide which provides a shining beacon of light in the darkness of ‘Where do I even start??!!’

Enjoy and great work Colin, I wish I had written it! :)

You can find the guide hosted on Tom’s ‘Building Clouds’ blog here: Troubleshooting DirectAccess Manage Out Connections

9 comments:

  1. Were you able to set up a manage out connection using an external hardware load balancer? Or any idea how to do this?

  2. ISATAP is complicated and difficult with HLBs, therefore going native IPv6 is the better and more recommended way to go.

    Replies
    1. In the case of native IPv6, do we have to configure an IPv6 address on the HLB as the internal VIP? And then do we have to make sure manage out clients are sending their outgoing traffic through that IPv6 address (gateway), so the HLB can route to DA clients as per the session table?

    2. Yes, the following two articles are a good reference here: http://technet.microsoft.com/en-us/library/jj134166.aspx and http://technet.microsoft.com/en-us/library/ee690463.aspx

      The key requirement is finding load balancers that can support Native IPv6 and also share affinity such that outbound manage out connections can be routed to the appropriate DA server which is the IPsec tunnel endpoint for the DA client being managed. IP-HTTPS routing will generally be ok since each DA server has its own IPv6 prefix but doing routing for Teredo becomes much trickier since they share the same 2001::/32 prefix. In my experience, F5 is the main player that has this configuration in a documented form. These docs explain how to configure their load balancers on both the external and internal side of the DA servers to make this work properly by routing Teredo connections to the correct DA server. More info here: http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf and here: http://www.f5.com/pdf/white-papers/windows-server-direct-access-tb.pdf

      With other vendors, it is a case of having to try and determine what they can do to work with DA in the right way for your needs...this isn't always that easy I'm afraid :( You will need to check to see if they even support Teredo in the first place along with manage-out for Teredo. IP-HTTPS load balancing and manage-out should work (since it’s just TCP/443) with just about any load balancer but always check with the vendor to be sure. As DirectAccess becomes more popular with WS2012 I would hope my HLB vendors begin supporting and documenting integration guides.

      You can potentially achieve what you need with ISATAP but you still need to solve the above problems and you add the ISATAP complexities into the mix. You also need to ensure that the HLB vendor supports ISATAP as this isn't always the case. With a HLB, you will also need to move the ISATAP routing function to an external device (router that supports IPv6) or a different Windows host configured as an ISATAP router, and not use the ISATAP router functionality on the DA servers themselves.

      Overall, manage-out with HLBs is a non-trivial deployment and most likely to succeed if you go with F5 as they seem to have the best integration solution I believe...

      Hope this helps!

      Cheers

      JJ

  3. This comment has been removed by the author.

    Replies
    1. Nice - thank you. Looks like I am on the same track. I will reach out in case of any confusion. The old UAG F5 doc is really helpful.

    2. Cool - yeah, I thought the references would be handy as they are still conceptually useful.

  4. Hi - I've got a problem with my DA 2012 R2 Load Balanced cluster... Should each node get a different Client IPv6 prefix? Each node has an internal IPv6 address of fd11:1:1:246::/64. In the DA console when I create the first DA server I get the option for the network which is set to fd11:1:1::/48, the prefix to use for clients is fd11:1:1:1000::/59. When I add a second node I don't get the option to add a different prefix for that server?? If I use the Set-DAServer cmdlet to change the prefix it amends the GPO for all nodes, not just the second node. Any ideas??

    Thanks
    Ryan

  5. Hi - I'm having an issue with my 2012 R2 DA Load Balanced cluster... Each node is using the prefix for client IPv6 addresses.

    There is a dual stacked IPv6 network. When I ran this as a single DA server config everything worked fine, clients could access as required, whether that be using native IPv6 or NAT64, and manage out worked perfectly. When I added a second node it didn't get a new Client IPv6 Prefix and as such uses the same as the first node, this has subsequently broken everything.

    The next hop from the DA servers on the IPv6 network is to a router that is hooked up to the other IPv6 networks. The IPv4 network uses a different gateway.

    The internal side uses the IPv6 range fd11:1:1::/48, the prefix ID that was declared in the DA console was fd11:1:1:1000::/59. Each DA server has an IPv6 address in the fd11:1:1:246::/64 subnet.

    I've tried changing the second node's IPv6 client prefix with "Set-DAServer -ComputerName -ClientIPv6Prefix fd11:1:1:1020::/59" but this changes the entire Load Balanced cluster to use this via the GPO.

    You said that each DA server should have its own IPv6 client prefix? How can I change the client prefix on each of these servers but keep them load balanced?

    Any help is much appreciated!!

    Ryan

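The two threads above make the same point from opposite directions: JJ explains that manage-out return traffic can be steered by prefix for IP-HTTPS clients, because each DA server owns its own client IPv6 prefix, but not for Teredo clients, which all sit under the shared 2001::/32 and therefore need the load balancer's affinity/session table; Ryan then hits the failure case where two load-balanced nodes end up on the same client prefix. The script below is an added illustration written for this page, not code from the post, from Colin's guide, or from Microsoft. It models that routing decision with the standard library `ipaddress` module: the server names DA1/DA2 and the Teredo-range address are constructed, the fd11:1:1:1000::/59 and fd11:1:1:1020::/59 prefixes are the ones quoted in Ryan's comment, and the "ambiguous" outcome is what an internal router or HLB is left with when two nodes claim one prefix.

```python
"""Added example: which DirectAccess server should receive a manage-out packet?

Models the routing rule discussed in the comments: longest-prefix match over
each DA server's client IPv6 prefix works for IP-HTTPS clients, Teredo
clients (all under 2001::/32) cannot be told apart by prefix, and two nodes
sharing one prefix leave the router with an ambiguous choice.
"""
import ipaddress

# All Teredo client addresses fall under this prefix regardless of which DA
# server terminates the tunnel, so prefix routing alone cannot pick the node;
# an HLB needs its session/affinity table for these.
TEREDO = ipaddress.IPv6Network("2001::/32")


def build_table(servers):
    """servers: dict mapping DA server name -> client IPv6 prefix string.

    Returns a list of (network, [owner names]) sorted longest-prefix first,
    so the first match in route() is the most specific one. A prefix claimed
    by more than one node keeps every claimant, which route() reports as
    ambiguous instead of silently picking one.
    """
    owners = {}
    for name, prefix in servers.items():
        net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
        owners.setdefault(net, []).append(name)
    return sorted(owners.items(), key=lambda e: e[0].prefixlen, reverse=True)


def route(dst, table):
    """Return the DA server name for dst, 'affinity-table' for a Teredo
    client, 'ambiguous:<names>' for a shared prefix, or None if no route."""
    addr = ipaddress.IPv6Address(dst)
    if addr in TEREDO:
        return "affinity-table"
    for net, names in table:
        if addr in net:
            if len(names) == 1:
                return names[0]
            return "ambiguous:" + ",".join(sorted(names))
    return None


# Constructed sample: two load-balanced nodes with distinct /59 client prefixes.
SERVERS = {"DA1": "fd11:1:1:1000::/59", "DA2": "fd11:1:1:1020::/59"}
# Constructed sample reproducing the failure in the thread: both nodes on one prefix.
SHARED = {"DA1": "fd11:1:1:1000::/59", "DA2": "fd11:1:1:1000::/59"}

if __name__ == "__main__":
    table = build_table(SERVERS)
    for dst in ("fd11:1:1:1005::1", "fd11:1:1:1025::1", "2001:0:c000:201::1"):
        print(dst, "->", route(dst, table))
    print("shared prefix ->", route("fd11:1:1:1005::1", build_table(SHARED)))
```

Run as-is it prints DA1 and DA2 for the two IP-HTTPS-style addresses, `affinity-table` for the Teredo-range address, and `ambiguous:DA1,DA2` for the shared-prefix case, which is exactly the symptom Ryan describes: once both nodes advertise the same client prefix, nothing downstream of the DA servers can tell whose IPsec tunnel a given client belongs to.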