DirectAccess high availability with UAG 2010 : part 1

It’s my first post fully written in English, so i want to apologize at first. The goal of this series is to describe how to configure DirectAccess on a UAG farm, so a high availability scenario. Let’s start with the basics, that is to say the architecture and a little Visio of my DirectAccess Lab.


I won’t describe all components in this architecture except the Internet server that provides me DNS/DHCP and most important a fake “Public PKI infrastructure“. This server also provides me a NAT private network to simulate a home network. Others components are basic Windows 2008 servers that are reachable through their ISATAP interfaces.

High availability considerations

As a Teredo requirement, DirectAccess requires two public IPv4. These addresses must be in a row (A stupid Microsoft requirement, this is not a mandatory when reading RFC?). In a Network Microsoft Network Load Balancing scenario, this is also a requirement. These two IPv4 public addresses will be used as VIP NLB addresses for the external interface. An additional internal interface will also be configured with a VIP for the internal address.

For these reasons, a high availability DirectAccess scenario using UAG 2010 require :

  • Two public IPv4 addresses in a row for External NLB (for External VIP)
  • One public IPv4 address for each node joined to the External NLB
  • One private IPv4 address for each node joined to the internal NLB
  • One private IPV4 address for the Internal NLB VIP (Will be used for ISATAP)


UAG provides high availability for DirectAccess by tweaking the Network Load Balancing feature of Windows. For this reason, it is not possible to directly configure the Windows NLB feature. UAG rely on it’s array feature to provide scale-in and scale-out.


UAG array considerations

Deploying UAG in array require a common storage for configuration data. This service will be provided by the array manager that will be hosted on my first UAG server. Access to this array require a service account that must have administrator level privileges on all array nodes.


Web console consideration

Because the UAG web console rely on Java. Please to not forget to install a java Runtime Environment on all array members.


What next :


BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)


Simple, yes, Secure Maybe, by design for sure, Business compliant always!

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.