Forefront UAG 2010 also allows enterprise administrators to scale both the management and performance of DirectAccess. Whereas DirectAccess by itself requires administrators to configure each DirectAccess server individually, UAG allows administrators to define one UAG DirectAccess server as an array master. This effectively replaces the DirectAccess management snap-in with a UAG snap-in, through which a policy created on the master is automatically replicated to all member servers in the array. When I added a second UAG server to my network, I decided to use Windows' built-in Network Load Balancing technology. This required that I define virtual IP addresses (one on the intranet and two on the Internet) to represent the cluster. I had to create a certificate for the VIP, and ensure that the certificate was exported to the store on each UAG server in the array.

With two servers in my UAG array, from my remote client I initiated a connection to my Exchange server on the intranet. By looking at certificate information on the client, I was able to determine which UAG server in the array was handling the connection. I then paused that UAG server's virtual machine, simulating a server failure. After about a minute, the connection failed over to the second UAG server in the array, re-establishing the connection between the remote client and the Exchange server. The delay is due to a 60-second wait period before Windows will break an IPsec security association. This delay is put in place to avoid excessive IPsec negotiations with clients on lossy network connections, but in this case the wait period can mean a minute-long lack of remote connectivity that could lead to some support calls. Although the IPsec timeout is not configurable, Microsoft officials have said there are programmatic workarounds that can be done on the client end to break the connection. If this timeout becomes an issue for customers, they said, Microsoft will look into providing a fix to do that.
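The failover test above can be timed from the Windows 7 client rather than by eye. The following PowerShell script is an added example, not part of the review or of any Microsoft tooling: it polls an intranet host and lists the remote endpoints of the client's IPsec main mode SAs (which show which array member is carrying the session), then reports how long connectivity was lost. The host name is a placeholder, and the "Remote IP Address" field name in the netsh output is an assumption.

```powershell
# Added example: measure DirectAccess/UAG array failover from the client.
# Assumes netsh advfirewall monitor is available (Windows 7 / Server 2008 R2)
# and that $IntranetHost is a placeholder for the intranet Exchange server.
param(
    [string]$IntranetHost = "exchange.corp.example",  # placeholder name
    [int]$PollSeconds = 1,
    [int]$MaxSeconds = 300
)

function Get-MainModePeers {
    # Remote tunnel endpoints of the current IPsec main mode SAs. Each UAG
    # array member terminates its own SAs, so the peer address identifies the
    # server handling the session. Field name assumed from netsh output.
    netsh advfirewall monitor show mmsa | ForEach-Object {
        if ($_ -match '^\s*Remote IP Address:\s*(\S+)') { $Matches[1] }
    } | Sort-Object -Unique
}

$outageStart = $null
$elapsed = 0
while ($elapsed -lt $MaxSeconds) {
    $up = Test-Connection -ComputerName $IntranetHost -Count 1 -Quiet
    $peers = (Get-MainModePeers) -join ','
    $stamp = Get-Date -Format 'HH:mm:ss'
    if (-not $up -and -not $outageStart) {
        # First failed probe: record when the outage began and which
        # peer the client was still associated with.
        $outageStart = Get-Date
        Write-Host "$stamp outage began; SA peers: $peers"
    } elseif ($up -and $outageStart) {
        # Connectivity is back; the gap should be roughly the 60-second
        # SA wait plus renegotiation with the surviving array member.
        $down = [int]((Get-Date) - $outageStart).TotalSeconds
        Write-Host "$stamp restored after $down s; SA peers: $peers"
        $outageStart = $null
    } else {
        Write-Host "$stamp up=$up peers=$peers"
    }
    Start-Sleep -Seconds $PollSeconds
    $elapsed += $PollSeconds
}
```

Run it on the client before pausing the active UAG server's VM; a change in the listed peer address after the outage confirms that the session moved to the other array member.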
Network administrators who don't want to rely on Windows' built-in load balancing capabilities can instead turn to Microsoft partners for an external solution allowing them to balance traffic among multiple UAG gateways. In January, F5 Networks announced its Application Ready Solution for Microsoft Forefront UAG 2010, a set of configurations designed to get the F5 Big-IP Local Traffic Manager (Version 9.4 or higher) to balance UAG-supported protocols such as HTTPS (HTTP Secure), IPsec or Teredo.

How I tested

I installed most of the nodes that made up my test network on VMs within Hyper-V, installing separate instances of Windows Server 2008 R2 Enterprise for the domain controller (1GB RAM), the application/location server (1GB RAM), the Internet DNS server (1GB RAM) and both DirectAccess/Forefront UAG 2010 servers (2GB RAM each), plus a Windows Server 2003 Enterprise server running Exchange 2003 Service Pack 3 (2GB RAM). All of these systems were installed on a single Lenovo ThinkServer RD210 running Windows Server 2008 R2 Standard with the Hyper-V role enabled. The physical server was outfitted with a pair of Intel Xeon E5540 2.53GHz processors, 12GB of DDR3 (double data rate 3) 1333MHz RAM and four 146GB, 15K SAS drives in a RAID 10 configuration. I installed the 32-bit Windows 7 Enterprise client on a Dell XPS M1330 laptop with 3GB of RAM.
I also needed to patch each UAG server with KB977342, as ISATAP and 6to4 tunneling do not work properly on Windows Server 2008 R2 when Network Load Balancing is enabled.