Load Balancing
Forefront UAG 2010 also allows enterprise administrators to scale both the management and performance of DirectAccess. Whereas DirectAccess by itself requires administrators to individually configure each DirectAccess server, UAG allows administrators to define one UAG DirectAccess server as an array master. This effectively replaces the DirectAccess management snap-in with a UAG snap-in, through which a policy created on the master is automatically replicated to all member servers in the array.
When I added a second UAG server to my network, I decided to use Windows' built-in Network Load Balancing technology. This required that I define virtual IP addresses (one on the intranet and two on the Internet) to represent the cluster. I had to create a certificate for the VIP, and ensure that the certificate was exported to the store on each UAG server in the array.
I also needed to patch each UAG server with KB977342, as ISATAP and 6to4 tunneling do not work properly on Windows Server 2008 R2 when Network Load Balancing is enabled.
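As an added example (not from the article), the checks described above can be run against every array member before testing failover: the VIP certificate must be present with its private key on each node, the KB977342 hotfix must be installed, and each node should report the cluster VIPs. Hostnames and the VIP FQDN are assumed placeholders; the NetworkLoadBalancingClusters module ships with the Windows Server 2008 R2 NLB feature.

```powershell
# Added example, not the article's or Microsoft's code. Verifies on each UAG
# array member: VIP certificate present (with private key), KB977342 installed,
# and the NLB VIPs as seen from that node.
$ArrayMembers   = 'UAG1', 'UAG2'      # assumed array member hostnames
$VipFqdn        = 'da.example.com'    # assumed VIP name in the certificate subject
$RequiredHotfix = 'KB977342'          # the ISATAP/6to4-with-NLB fix from the article

$results = foreach ($server in $ArrayMembers) {
    Invoke-Command -ComputerName $server -ArgumentList $VipFqdn, $RequiredHotfix -ScriptBlock {
        param($vip, $kb)

        # The certificate for the VIP must be in the machine store, with a private
        # key, or the node will present the wrong certificate after failover.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($vip))" } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1

        # Hotfix that makes ISATAP/6to4 work with NLB on Server 2008 R2.
        $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

        # Cluster VIPs as configured on this node.
        Import-Module NetworkLoadBalancingClusters -ErrorAction SilentlyContinue
        $vips = Get-NlbClusterVip -ErrorAction SilentlyContinue |
            ForEach-Object { $_.IPAddress }

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            VipCertFound  = [bool]$cert
            CertExpires   = if ($cert) { $cert.NotAfter } else { $null }
            HotfixPresent = [bool]$hotfix
            NlbVips       = ($vips -join ', ')
        }
    }
}

$results | Format-Table Server, VipCertFound, CertExpires, HotfixPresent, NlbVips -AutoSize

# Any node reporting VipCertFound or HotfixPresent = False will not fail over
# cleanly; fix it before pausing a server to test the array.
```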
With two servers in my UAG array, from my remote client I initiated a connection to my Exchange server on the intranet. By looking at certificate information on the client, I was able to determine which UAG server in the array was parsing the connection. I then paused that UAG server's virtual machine, simulating a server failure.
After about a minute, the connection failed over to the second UAG server in the array, re-establishing the connection between the remote client and the Exchange server. The delay is due to a 60-second wait period before Windows will break an IPSec security association. This delay is put in place to avoid excessive IPSec negotiations with clients on lossy network connections, but in this case the wait period can mean a minute-long lack of remote connectivity that could lead to some support calls.
Although the IPSec timeout is not configurable, Microsoft officials have said there are programmatic workarounds on the client end to break the connection sooner. If this timeout becomes an issue for customers, they said, Microsoft will look into providing a fix.
Network administrators who don't want to rely on Windows' built-in load balancing capabilities can instead turn to Microsoft partners for an external solution that balances traffic among multiple UAG gateways. In January, F5 Networks announced its Application Ready Solution for Microsoft Forefront UAG 2010, a set of configurations designed to get the F5 BIG-IP Local Traffic Manager (Version 9.4 or higher) to balance UAG-supported protocols such as HTTPS (HTTP Secure), IPSec and Teredo.
How I tested
I installed most of the nodes that made up my test network on VMs within Hyper-V, installing separate instances of Windows Server 2008 R2 Enterprise for the domain controller (1GB RAM), the application/location server (1GB RAM), the Internet DNS server (1GB RAM) and both DirectAccess/Forefront UAG 2010 servers (2GB RAM each), plus a Windows Server 2003 Enterprise server running Exchange 2003 Service Pack 3 (2GB RAM).
All of these systems were installed on a single Lenovo ThinkServer RD210 running Windows Server 2008 R2 Standard with the Hyper-V role enabled. The physical server was outfitted with a pair of Intel Xeon E5540 2.53GHz processors, 12GB of DDR3 (double data rate 3) 1333MHz RAM and four 146GB, 15K SAS drives in a RAID 10 configuration.
I installed the 32-bit Windows 7 Enterprise client on a Dell XPS M1330 laptop with 3GB of RAM.