Setting up single-NIC DirectAccess servers with an External Load Balancer

After looking at common search engine referral terms, this time around we are going to cover how to set up your DirectAccess deployment using an external load balancer with a single NIC. With DirectAccess in Windows 2012, we provide two load balancing options. The first is the built-in Windows Network Load Balancing (NLB), which I’ll cover in a future posting. The second, and the focus this week, is an external load balancer, here with a single-NIC design.

As long as your load balancer can pass, at a minimum, TCP/443 traffic from the Internet to the DirectAccess server, we don’t have any specific external load balancer brand recommendations. Passing TCP/443 through a load balancer is very common, so this shouldn’t be tricky to configure on your brand of choice. Two key things to watch for: turn off any type of SSL offloading on the load balancer, and enable session affinity so that, once established, a client’s traffic stays with a specific DirectAccess server.

At this point you will want to make sure you have at least one DirectAccess node up and running. Check that your single DirectAccess server is working successfully with some test DirectAccess clients before adding another layer to the mix, namely your external load balancer. It’s also critical that you install all of the DirectAccess server hotfixes referenced at the bottom of my pre-setup checklist:

I guarantee you will hit errors that prevent you from setting up DirectAccess successfully without these hotfixes installed, so be sure to download and install everything on the list before moving on to the next steps. If you are unsure whether they are installed, you can run the following PowerShell cmdlet on your DirectAccess servers to verify:


Next you want to make sure you have your IP-HTTPS certificate exported and installed on the second DirectAccess server you plan to add into the array.  When you import the certificate on your new second node, double check that the certificate you import contains the private key as shown below.  If the private key is not installed, this certificate cannot be used for the IP-HTTPS listener :

Private Key!


It’s also a good idea to make sure the certificate path looks clean as well.  Click on the certificate path tab and make sure it shows a status of “OK” on the second node.

Certificate Path
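The two checks described above (private key present, certificate path OK) can also be scripted on the second node. This is an added example, not part of the original post; the function name `Test-IpHttpsCertificate` and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the original post). The function name and the
# thumbprint placeholder are assumptions; run it on the node being added.
function Test-IpHttpsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Skip revocation lookups on a lab network with no CRL/OCSP access.
        [switch]$SkipRevocation
    )

    # Thumbprints pasted from the certificate dialog often carry spaces
    # or an invisible leading character; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        throw "No certificate $clean in Cert:\LocalMachine\My"
    }

    # Build the chain in machine context ($true = useMachineContext).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    if ($SkipRevocation) {
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
    }
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        HasPrivateKey   = $cert.HasPrivateKey
        ChainOk         = $chainOk
        ChainStatus     = if ($problems.Count -gt 0) { $problems -join ', ' } else { 'OK' }
        # Both must be true before this node is added to the array.
        ReadyForIpHttps = ($cert.HasPrivateKey -and $chainOk)
    }
}

# Placeholder thumbprint: replace with the value from your own certificate.
# Test-IpHttpsCertificate -Thumbprint '<THUMBPRINT-OF-IP-HTTPS-CERT>'
```

A `HasPrivateKey` value of `False` means the certificate was imported without its key (for example from a `.cer` file) and needs to be re-exported from the first node with the private key included.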


Now the second node is ready to go, and it’s time to switch back to your first node to continue setting up DirectAccess with an external load balancer. At this point I’ll assume you have your single DirectAccess server set up and you are ready to add an external load balancer into the mix. Start by opening up the configuration screen and clicking on “Enable Load Balancing” as shown below:

Enable ELB


Next we get a wizard that’s going to walk us through setting up load balancing:

Load Balancing


Go ahead and select “Use an external load balancer” and click next :



Now we get to a very confusing screen asking for IPv4 and IPv6 addresses.  With the single NIC configuration, we have to enter in both an IPv4 and IPv6 address.  So what are these dedicated IP addresses used for?  During the setup of the first node into the external load balancing, we have to enter in a new IPv4 address that will become the new IPv4 address of the first node.  A really common mistake is to enter in the current IPv4 and IPv6 addresses of the server into this field like this :



You will notice the wizard will throw an error if you try to hit next, and you will be blocked from continuing:

ELB Error


So you have to enter another unused IPv4 address from the same subnet as the original IPv4 address.  In this case, my server already has the IPv4 address of, I’ll enter in another free IPv4 address in this address space.  This will become the new permanent IPv4 address of the DA server.  It’s important you update your load balancer to this new IPv4 address.

The next question I frequently get asked is: what about the IPv6 address? Even if you don’t have IPv6 at all on your network, the wizard will refuse to let you continue until you enter some type of IPv6 address. If you don’t have an IPv6 native network space on your internal network (very uncommon), then you can enter a fictitious IPv6 address like the exact one I have shown below, fd00::1:

Good ELB


After you hit next, you will be presented with a screen that shows you a summary and allows you to commit the change.  Go ahead and select “commit” :



Now you would expect this operation to succeed but alas, you get a pretty stern error message as shown below :

ELB Error


Don’t hit the close button. Instead, right-click on the text labeled “The parameter is incorrect” and select “Copy script”.

Copy Script


At this point you can cancel out of the load balancing wizard, open Notepad on the server and paste the script results. You are going to see a PowerShell cmdlet called Set-RemoteAccessLoadBalancer referenced with a bunch of switches. In order to get this working, you need to remove all of the IPv6 addresses that appear in this script output. For example, I removed the following items highlighted in yellow from my script:

Old PS


After my cleanup, there are no more IPv6 addresses in the PowerShell script:

New PS
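To confirm that no IPv6 address was missed during the cleanup, the pasted text can be scanned before it is run. This is an added example, not from the original post: `Find-IPv6Literal` is a hypothetical helper, and the sample command line is constructed (documentation addresses, assumed parameter layout), so the script copied from your wizard will differ.

```powershell
# Added example (not from the original post). Find-IPv6Literal is a
# hypothetical helper; it only reports, it does not rewrite the script.
function Find-IPv6Literal {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    # Match every single- or double-quoted string in the pasted text.
    $pattern = '([''"])(.*?)\1'
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $value = $m.Groups[2].Value

        # Addresses may carry a prefix length or subnet mask after '/'.
        $addressPart = ($value -split '/')[0]

        $ip = $null
        $parsed = [System.Net.IPAddress]::TryParse($addressPart, [ref]$ip)
        if ($parsed -and $ip.AddressFamily -eq 'InterNetworkV6') {
            [pscustomobject]@{
                Literal = $value      # the quoted value as it appears
                Offset  = $m.Index    # character position in the text
            }
        }
    }
}

# Constructed sample in the general shape of a copied wizard script.
# Addresses are documentation values, not values from the post.
$sample = @'
Set-RemoteAccessLoadBalancer -InternetDedicatedIPAddress @('192.0.2.11/255.255.255.0','fd00::1/64') -ComputerName 'da1.example.test'
'@

$found = @(Find-IPv6Literal -ScriptText $sample)
if ($found.Count -gt 0) {
    Write-Warning "IPv6 literals still present:"
    $found | Format-Table -AutoSize
} else {
    Write-Output "No IPv6 literals found."
}
```

An empty result on your edited script means every quoted address left in it parses as IPv4.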


Take this script, paste it into an elevated PowerShell session and run it. You should get an output like this:

ELB Done


Now if you go into the Remote Access console, you will see the configuration change to reflect you have a load balanced cluster with a single node listed :

ELB DA Console


Now the final step is to add a second server into the array.  This is done on the configuration screen from the first node.  Be sure you have highlighted the “Load Balanced Cluster” on the left pane.  On the right side of the screen you can select “Add or Remove Servers” which will bring up another wizard to add the second node.  Select “Add Server” :

Add Server


Next, enter the other machine you would like to add as a second node. Be sure the second node has the Remote Access role installed, along with all the DirectAccess hotfixes mentioned at the top of this article. Also be sure you have properly imported the IP-HTTPS certificate with the private key installed. The good part about adding additional nodes is that they will not change their IPv4 address, and you can commit the changes without any PowerShell script workarounds.

Add Node


Once the second node is added, you can go to the dashboard and now see both servers and the overall cluster status :

ELB Cluster Status


At this point we have a working two-node, externally load balanced DirectAccess configuration. Be sure to add both of the servers to your load balancer for TCP/443 traffic from the Internet and you should be all set! I’m working on some additional articles to cover setting up two-NIC DirectAccess servers with an external load balancer and how to set up NLB in the near future. Stay tuned!


Categories: Install Tips

7 Comments on “Setting up single-NIC DirectAccess servers with an External Load Balancer”

  1. Stephen Roper
    November 1, 2013 at 10:38 #

    Tom.. Great write up your instructions were right on. You are however missing the last two screen shots when adding the second node. Selecting the Certificate screen, we found out it’s important to not only Bind the 3rd party URL certificate in IIS but also import the certificate into the machine store.

  2. October 28, 2014 at 15:19 #

    Tom: Do you have a document for a two-NIC DirectAccess External Load Balancer? My DA server (W2012 R2) has a NIC in the DMZ and one in the internal network. Would the above single-NIC process work for me?


    • November 4, 2014 at 09:23 #

      Hi Ken,

      With Windows 2012 R2, it’s actually even easier since you do not need to worry about any of the errors at the bottom of my article. Just be aware both the internal and external NIC IP will have to change when you enable External Load Balancing. Please let me know if you have any more questions!


      – Tom

  3. Greyson
    March 28, 2015 at 08:19 #

    Hi Tom! Thank you for the clear and informative write-up. How do you recommend handling a situation where the external Load Balancer VIP will be on a different subnet than the server’s original IP? I’ve seen many customer environments that have dedicated load balancing VLANs, and never create VIPs on the server VLAN.


    • April 2, 2015 at 23:20 #

      Hi Greyson,

      When using an external load balancer, it does not need to be on the same subnet as your DirectAccess servers. Even the VIP address configured on the external load balancer does not even need to be on the same subnet as the DirectAccess servers. Let me know if you have any more questions!


  4. Greg
    April 16, 2015 at 03:44 #

    Hi Tom,

    Thanks for a great blog post. I have a question regarding the load balancer side of this setup. Currently we have a single DA server and have a NAT rule directing traffic from the external IP to the internal IP of the DA server. We’d like to implement load balancing through a Netscaler. If we were to run this load balancing wizard and the current server IP becomes the VIP of the cluster, does this mean we have to assign that IP as the VIP of the Netscaler (so the NAT rule stays as it is) and add the IPs of the 2 DA servers to the Netscaler?


    • April 22, 2015 at 22:43 #

      Hi Greg,

      Thanks for reading! So when you enable load balancing on the existing DirectAccess server, when you walk through the wizard it will ask you for a DIP (Dedicated IP Address). You can pick any other IPv4 free address in the same subnet. The IPv4 address of your DirectAccess server will change to this new DIP address. The original IPv4 address actually does not become a VIP address and is removed from the IP configuration. Your load balancer does not need to have this VIP address configured and can even live on a different subnet if desired.

      Let me know if you have any more questions!


