Forum Discussion
DirectAccess 2012?
I'm wondering if anyone here has successfully deployed DirectAccess 2012 behind BIG-IP?
http://www.f5.com/pdf/white-papers/microsoft-direct-access-white-paper.pdf
We are trying to configure IP-HTTPS (no manage-out) simple load balancing with no success at all. The remote tunnel just fails to connect. When hitting the DA server directly, the connection is successful. All the load balancing consists of is an L4 virtual server which passes SSL straight through. Nothing else fancy.
Any ideas?
10 Replies
- What_Lies_Bene1
Cirrostratus
OK, so you've just got a single Virtual Server with a FastL4 profile configured and a Pool of servers and not much else. It doesn't get much simpler. I don't think this is an issue with the F5, rather it's with the server routing. You need to ensure that the servers route back to the clients via the F5 when you're load balancing with the F5. Can you confirm that's the case?
- Josh_41258
Nimbostratus
Yes, via Auto SNAT.
- What_Lies_Bene1
Cirrostratus
OK, thanks. So, can you do a quick tcpdump on the server-side VLAN to confirm that a three-way handshake is being completed at least?
Also, can you post the VS configuration please? Suitably redacted, of course.
- Amit_Bhatnagar_
Nimbostratus
Hi, I am using the exact configuration. Unfortunately, the clients stop connecting when I enable ELB. The servers are pointing to the internal IP of the F5 as DG. Also, one thing that I am confused about is where to use the VIP which is created at the time of the DA ELB wizard. I have four servers with 10.20.4.41, 42, 43, 44 and when I run the Load Balancing Wizard, it upgrades the 41 IP to a VIP and I have to use 45 as the DIP, but since the F5 only requires the self IP, where exactly do I use this IP? Also, I am trying to search for http://www.f5.com/pdf/white-papers/microsoft-direct-access-white-paper.pdf but it is not available anywhere. I am using the Performance L4 profile.
- Martijn
The internal VIP does not need to be configured on the internal side of the F5. If you don't do manage-out, 6to4 will be used from client to internal resources if you have an IPv4 internal network, so client traffic will get NATted behind the DA servers' internal IPv4 addresses. If you use native v6 in your internal network then a VIP is also not required. If you choose a /59 IP-HTTPS client prefix in your config, all DA servers will get their own IPv6 subnet applied for IP-HTTPS clients. You can then use native routing for the IPv6 subnets to the DA servers. What scenario did you pick when running the wizard? Single interface behind edge device?
The strange part about all this is that the load balancing wizard requires you to set DIP and VIP addresses. The only VIP I know of that is used is the internal IPv6 address. This address is used as the 6to4 DNS server address. You can find it in the local FW config on the servers, in the rule "Domain Name Server TCP and UDP in". This address will also be sent to the clients to do their DNS64 resolving.
- Amit_Bhatnagar_
Nimbostratus
I am using the Behind NAT Device with two Interfaces scenario. The external interface is load balanced using the F5. The internal interface has no F5, so I am more concerned about the VIP that is created on the external interface of the F5.
E.g. the DA servers' external network is 10.20.2.41, 10.20.2.41 and internal is 10.20.4.41, 10.20.4.42. After the wizard, the first server is 10.20.2.45, 10.20.2.42 on external with the VIP as 10.20.2.41, and internal is 10.20.4.45, 10.20.4.42 with the VIP as 10.20.4.41, which I am NOT really concerned about. My main concern is the DirectAccess external interface where the IP-HTTPS tunnel terminates. I am using the Performance L4 profile. You can follow the question here... I do not want to bother the main guy who started this thread. :)
https://devcentral.f5.com/questions/iphttps-with-directaccess-not-working-with-f5
- tolinrome_13817
Nimbostratus
Josh, did you ever find a solution? I find myself in the same situation as you described above.
- Josh_41258
Nimbostratus
No, sorry. We didn't end up moving forward with DirectAccess.
- tolinrome_13817
Nimbostratus
OK, thanks for the reply, all the best.
- Adel_N_114257
Nimbostratus
Just in case anyone visits this response again: I found the PDF in question, but it has been renamed: http://www.f5.com/pdf/white-papers/windows-server-direct-access-tb.pdf. This link may also be useful: http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf
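The check suggested earlier in the thread, a tcpdump on the server-side VLAN to confirm that the three-way handshake to the DA pool members completes, is easier to read if the capture is grouped per flow. The script below is an added example for this thread; it is not F5 or Microsoft code and nothing in the thread ships it. It parses the text output of `tcpdump -nn` (modern `Flags [S]` style), counts SYN / SYN-ACK / ACK per client-to-server flow, and also flags any server reply addressed to a real client address rather than a BIG-IP self IP, which is what you would see if Auto SNAT were not actually applied and the return path depended on the server's default gateway. The addresses (10.20.2.45 as the BIG-IP self IP on the server-side VLAN, 10.20.2.41/.42 as DA external interfaces, 203.0.113.7 as a client) and the capture text are constructed for illustration.

```python
"""Check a server-side `tcpdump -nn` text capture for completed TCP handshakes
toward the load-balanced DA pool members, and flag replies that are not
source-translated (added example for this thread, not F5 or Microsoft code).
"""
import re
from collections import defaultdict

# Assumed (hypothetical) topology: 10.20.2.45 is the BIG-IP self IP on the
# server-side VLAN, i.e. the address clients are translated to when SNAT
# automap ("Auto SNAT") is on; 10.20.2.41 and 10.20.2.42 are DA servers.
SNAT_ADDRESSES = {"10.20.2.45"}

# Constructed sample of `tcpdump -nn -i <server_vlan> tcp port 443` output.
# Flow 1: healthy handshake via the SNAT address.
# Flow 2: SYN retransmitted twice, member never answers.
# Flow 3: server answers a real client address, i.e. traffic was not SNATed.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.20.2.45.49152 > 10.20.2.41.443: Flags [S], seq 100, win 65535, length 0
12:00:01.000200 IP 10.20.2.41.443 > 10.20.2.45.49152: Flags [S.], seq 500, ack 101, win 8192, length 0
12:00:01.000300 IP 10.20.2.45.49152 > 10.20.2.41.443: Flags [.], ack 501, win 65535, length 0
12:00:02.000001 IP 10.20.2.45.49153 > 10.20.2.42.443: Flags [S], seq 200, win 65535, length 0
12:00:03.000001 IP 10.20.2.45.49153 > 10.20.2.42.443: Flags [S], seq 200, win 65535, length 0
12:00:04.000001 IP 203.0.113.7.50000 > 10.20.2.41.443: Flags [S], seq 300, win 65535, length 0
12:00:04.000200 IP 10.20.2.41.443 > 203.0.113.7.50000: Flags [S.], seq 600, ack 301, win 8192, length 0
"""

# Matches the "src.port > dst.port: Flags [..]" part of a tcpdump -nn line
# (works for IPv4 and IPv6 because the port is always after the last dot).
LINE_RE = re.compile(
    r" IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_flows(capture):
    """Group packets into (client_ip, client_port, server_ip, server_port)
    flows and count the handshake stages seen for each."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        sport, dport = int(sport), int(dport)
        if flags == "S":                       # client SYN: key is client -> server
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":                    # server SYN-ACK: reverse to client -> server
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif "." in flags and "R" not in flags:  # any non-RST ACK from the client side
            key = (src, sport, dst, dport)
            if key in flows and flows[key]["synack"]:
                flows[key]["ack"] += 1
    return dict(flows)


def classify(flows, snat_addresses):
    """Return a verdict per flow: complete, no-synack, no-final-ack, or not-snatted."""
    verdicts = {}
    for key, c in flows.items():
        client_ip = key[0]
        if c["synack"] and client_ip not in snat_addresses:
            # The member replied to the client's real address, so the reply
            # follows the server's default gateway. Unless that gateway is the
            # BIG-IP, the load balancer never sees it and the client hangs.
            verdicts[key] = "not-snatted"
        elif not c["synack"]:
            verdicts[key] = "no-synack"        # member silent: down, firewalled, wrong port
        elif not c["ack"]:
            verdicts[key] = "no-final-ack"     # SYN-ACK sent but never acknowledged
        else:
            verdicts[key] = "complete"
    return verdicts


def check_capture(capture, snat_addresses=SNAT_ADDRESSES):
    """Convenience wrapper: parse the capture and classify every flow."""
    return classify(parse_flows(capture), snat_addresses)


if __name__ == "__main__":
    for (cip, cport, sip, sport), verdict in check_capture(SAMPLE_CAPTURE).items():
        print(f"{cip}:{cport} -> {sip}:{sport}  {verdict}")
```

Run it against a real capture by feeding the tcpdump text to `check_capture` and putting your BIG-IP self IPs (floating and non-floating) on that VLAN into the SNAT set. A "no-synack" verdict with a rising SYN count points at the pool member (service down, host firewall, wrong port), while "not-snatted" means the virtual server is not translating the source as intended, so the servers' default gateway has to be the BIG-IP for return traffic to get back to the client.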