Load balancing Microsoft DirectAccess
About Microsoft DirectAccess
Microsoft DirectAccess is a feature of Windows that allows connectivity to an organization's network resources without the need for traditional Virtual Private Network (VPN) connections. With DirectAccess, client computers are always connected to your organization – there is no need for remote users to start and stop connections as is required with traditional VPN connections. From a user's perspective DirectAccess is a completely automatic VPN connection that simplifies accessing corporate LAN services from wherever they are located.
Key benefits of load balancing
Here are a few key benefits:
- Ensures the application is always available
- Provides a stable, optimal performance
- Ability to isolate servers, which reduces risk when performing upgrades/maintenance
Microsoft's Enterprise solutions are at the heart of businesses everywhere. Loadbalancer.org is officially certified for all of Microsoft's key applications. More details on the DirectAccess components, how it works, and the prerequisites for load balancing can be found in our deployment guide.
How to load balance Microsoft DirectAccess
DirectAccess is part of the Remote Access server role and is comprised of the following key components:
DirectAccess Server – This is the server that clients establish a tunnel with in order to access the corporate network. Client and server settings are configured via Group Policy to enable the IPsec tunnels to be established.
Network Location Server – The network location server is used to detect whether computers configured as DirectAccess clients are located in the corporate network. When clients are on the corporate network, DirectAccess is not used to reach internal resources. Instead, clients connect to these resources directly. If the client cannot reach the network location server, the client is considered to be outside the corporate network and a connection is established via the DirectAccess server.
Example deployment utilizing an HA pair to load balance the Direct Access Servers and the Network Location Servers.
| Client Transition Protocol | Comments |
| --- | --- |
| 6to4 | Uses protocol 41 to encapsulate IPv6 packets in IPv4 packets; does NOT work when the client or the server is behind a NAT device; both client and server must be assigned public IPv4 addresses |
| Teredo | Uses UDP on port 3544 to encapsulate IPv6 packets in IPv4 packets; supports a client behind a NAT device but not a server behind NAT; the server must be configured with 2 consecutive public IPv4 addresses |
| IP-HTTPS | Uses standard port and protocol; earlier clients/servers caused double encryption (IPsec & SSL/TLS); Windows 8 and later use null encryption to solve the double encryption |
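As an added example (not from the original page or from Loadbalancer.org), the following Python check applies the server-side prerequisites from the table above to a planned set of DirectAccess external addresses. Treating an RFC 1918 address as "behind NAT" and the sample addresses themselves are assumptions made for the example.

```python
import ipaddress

# Simplifying assumption for this example: an RFC 1918 address on the server's
# external interface means the server sits behind a NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_ipv4(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in RFC1918)


def has_consecutive_pair(addrs):
    """Teredo needs two consecutive public IPv4 addresses on the server."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    return any(b == a + 1 for a, b in zip(ints, ints[1:]))


def check_server_prerequisites(server_addrs, protocols):
    """Return {protocol: [problems]}; an empty list means prerequisites are met.

    server_addrs: external IPv4 addresses planned for the DirectAccess server.
    protocols:    subset of {"6to4", "Teredo", "IP-HTTPS"} to be offered.
    """
    public = [a for a in server_addrs if is_public_ipv4(a)]
    report = {}
    for proto in protocols:
        problems = []
        if proto == "6to4":
            if not public:
                problems.append("6to4 needs a public IPv4 address on the server (no NAT)")
        elif proto == "Teredo":
            if not public:
                problems.append("Teredo does not work with the server behind NAT")
            elif not has_consecutive_pair(public):
                problems.append("Teredo needs 2 consecutive public IPv4 addresses")
        elif proto == "IP-HTTPS":
            # Works on the standard HTTPS port through NAT; the only caveat in the
            # table is double encryption with pre-Windows 8 clients.
            pass
        else:
            problems.append("unknown transition protocol")
        report[proto] = problems
    return report


if __name__ == "__main__":
    # Constructed sample: two consecutive addresses from a documentation range.
    plan = ["198.51.100.10", "198.51.100.11"]
    for proto, problems in check_server_prerequisites(plan, ["6to4", "Teredo", "IP-HTTPS"]).items():
        print(f"{proto}: {'OK' if not problems else '; '.join(problems)}")
```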