Forum Discussion

Josh_41258
Jan 24, 2013

DirectAccess 2012?

I'm wondering if anyone here has successfully deployed DirectAccess 2012 behind BIG-IP?

http://www.f5.com/pdf/white-papers/microsoft-direct-access-white-paper.pdf

We are trying to configure IP-HTTPS (no manage-out) simple load balancing with no success at all. The remote tunnel just fails to connect. When hitting the DA server directly, the connection is successful. All the load balancing consists of is an L4 virtual server which passes SSL straight through. Nothing else fancy.

Any ideas?

10 Replies

  • OK, so you've just got a single virtual server with a FastL4 profile configured and a pool of servers and not much else. It doesn't get much simpler. I don't think this is an issue with the F5; rather it's with the server routing. You need to ensure that the servers route back to the clients via the F5 when you're load balancing with the F5. Can you confirm that's the case?
  • OK, thanks. So, can you do a quick tcpdump on the server-side VLAN to confirm that a three way handshake is being completed at least?

    Also, can you post the VS configuration please? Suitably redacted of course.
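The capture check suggested in the reply above, written out as an added example that is not part of the original thread or of any F5 material: a small script that reads `tcpdump -nn` output taken on the BIG-IP server-side VLAN and reports, per client flow, whether the pool member's SYN-ACK ever came back through the F5. With a FastL4 virtual server and no SNAT, the pool member sees the client's real source address and replies to it directly; if the member's default gateway is not the BIG-IP, that SYN-ACK takes another path, the client receives it from the member's own IP instead of the VIP and drops it, and the capture on the F5 shows SYNs (and SYN retransmits) with no SYN-ACK. The VLAN name, sample capture lines, addresses, ports and timestamps below are all constructed for the example.

```python
"""Check, from a tcpdump taken on the BIG-IP server-side VLAN, whether each
client -> pool member TCP handshake completed through the F5.

Added example for this thread, not code from the original page or from F5.
The capture lines below are constructed in the format `tcpdump -nn` prints
for IPv4 TCP; all addresses, ports and timestamps are hypothetical.
"""
import re
from collections import defaultdict

# Typical command on the BIG-IP (assumption: the server-side VLAN is named "internal"):
#   tcpdump -nni internal 'tcp port 443'
# BIG-IP tcpdump appends " in/out slotX/tmmY lot N" to each line; the regex only
# anchors the prefix of the line, so that suffix is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: three clients hitting pool members behind a FastL4 VS.
# Flow 1 never gets a SYN-ACK back through this VLAN (return path bypasses the F5),
# flow 2 completes, flow 3 gets a SYN-ACK but the client's final ACK never shows up.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 203.0.113.10.51000 > 10.20.2.42.443: Flags [S], seq 100, win 64240, length 0
10:01:02.500000 IP 198.51.100.7.40000 > 10.20.2.43.443: Flags [S], seq 200, win 64240, length 0
10:01:02.510000 IP 10.20.2.43.443 > 198.51.100.7.40000: Flags [S.], seq 900, ack 201, win 65535, length 0
10:01:02.520000 IP 198.51.100.7.40000 > 10.20.2.43.443: Flags [.], ack 1, win 502, length 0
10:01:02.700000 IP 192.0.2.9.40001 > 10.20.2.44.443: Flags [S], seq 300, win 64240, length 0
10:01:02.710000 IP 10.20.2.44.443 > 192.0.2.9.40001: Flags [S.], seq 950, ack 301, win 65535, length 0
10:01:03.000001 IP 203.0.113.10.51000 > 10.20.2.42.443: Flags [S], seq 100, win 64240, length 0 out slot1/tmm0 lot 0
"""

HINTS = {
    "complete": "three-way handshake completed through the F5",
    "no-syn-ack": ("SYN reached the pool member but no SYN-ACK came back through this VLAN: "
                   "the member is most likely replying via another gateway (asymmetric "
                   "return path), or it silently dropped the SYN"),
    "no-final-ack": ("SYN-ACK went back towards the client but its ACK never returned: "
                     "look at the client-side path or firewall"),
    "reset-by-server": "pool member answered with RST: nothing listening on that port",
    "mid-stream": "no SYN seen; the capture started after the handshake",
}


def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, flags) for each line tcpdump printed as IPv4 TCP."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def handshake_report(text, service_port=443):
    """Classify each client->member flow by what the server-side capture shows.

    Returns {"client:port->member:port": state}; state is a key of HINTS.
    Flows are keyed from the client's side so both directions land on one entry.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False, "rst": False})
    for src, sport, dst, dport, flags in parse_tcpdump(text):
        if dport == service_port:                  # client -> pool member
            st = flows[(src, sport, dst, dport)]
            if "S" in flags:
                st["syn"] += 1                     # counts retransmits too
            elif "." in flags:                     # ACK, or PSH-ACK data after the handshake
                st["ack"] = True
        elif sport == service_port:                # pool member -> client
            st = flows[(dst, dport, src, sport)]
            if flags == "S.":
                st["synack"] = True
            elif "R" in flags:
                st["rst"] = True

    report = {}
    for (c, cp, s, sp), st in flows.items():
        if st["rst"]:
            state = "reset-by-server"
        elif st["synack"]:
            state = "complete" if st["ack"] else "no-final-ack"
        elif st["syn"]:
            state = "no-syn-ack"
        else:
            state = "mid-stream"
        report[f"{c}:{cp}->{s}:{sp}"] = state
    return report


if __name__ == "__main__":
    for flow, state in handshake_report(SAMPLE_CAPTURE).items():
        print(f"{flow:40} {state:15} {HINTS[state]}")
```

Run it against a real capture with `python3 triage.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`. If every flow to a pool member comes out as `no-syn-ack`, the F5 is doing its job and the members' return path is the problem: either point their default gateway at the BIG-IP self IP on that VLAN, or turn on SNAT on the virtual server so the members see the F5 as the source and reply to it.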
  • Hi, I am using the exact configuration. Unfortunately, the clients stop connecting when I enable ELB. The servers are pointing to the internal IP of the F5 as DG. Also, one thing that I am confused about is where to use the VIP which is created at the time of the DA ELB wizard. I have four servers with 10.20.4.41, 42, 43, 44, and when I run the load balancing wizard it promotes the .41 IP to the VIP and I have to use .45 as the DIP, but since the F5 only requires the self IP, where exactly do I use this IP? Also, I am trying to search for http://www.f5.com/pdf/white-papers/microsoft-direct-access-white-paper.pdf but it is not available anywhere. I am using the Performance L4 profile.

    • Martijn_65080
      Internal VIP does not need to be configured on the internal side on the F5. If you don't do manage-out, 6to4 will be used from client to internal resources if you have an IPv4 internal network. So client traffic will get NATted behind the DA servers' internal IPv4 addresses. If you use native v6 in your internal network then a VIP is also not required. If you choose a /59 IP-HTTPS client prefix in your config, all DA servers will get their own IPv6 subnet applied for IP-HTTPS clients. You can then use native routing for the IPv6 subnets to the DA servers. What scenario did you pick when running the wizard? Single interface behind edge device?

      Martijn

      Strange part about all this is that the load balancing wizard requires you to set DIP and VIP addresses. The only VIP I know of that is used is the internal IPv6 address. This address is used as the 6to4 DNS server address. You can find it in the local FW config on the servers, rule "Domain Name Server TCP and UDP in". This address will also be sent to the clients to do their DNS64 resolving.
  • I am using the Behind NAT Device with Two Interfaces scenario. The external interface is load balanced using the F5. The internal interface has no F5, so I am more concerned about the VIP that is created on the external interface of the F5.

    E.g. the DA servers' external network is 10.20.2.41, 10.20.2.41 and internal is 10.20.4.41, 10.20.4.42. After the wizard, the first server is 10.20.2.45, 10.20.2.42 on external with the VIP as 10.20.2.41, and internal is 10.20.4.45, 10.20.4.42 with the VIP as 10.20.4.41, which I am NOT really concerned about. My main concern is DirectAccess's external interface where the IP-HTTPS tunnel terminates. I am using the Performance L4 profile. You can follow the question here... I do not want to bother the main guy who started this thread. :)

    https://devcentral.f5.com/questions/iphttps-with-directaccess-not-working-with-f5

  • Josh, did you ever find a solution? I find myself in the same situation as you described above.

    • Josh_41258
      No, sorry. We didn't end up moving forward with DirectAccess.
    • Adel_N_114257
      Just in case anyone visits this response again: I found the PDF in question, but it has been renamed: http://www.f5.com/pdf/white-papers/windows-server-direct-access-tb.pdf. This link may also be useful: http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf