Direct Access Issues after enabling Load Balancing

Recently I have been working on a Direct Access configuration in Load Balanced setup, and I wish to share my experience.

The setup consists of NetScaler and two Windows Server 2012 R2.

As any normal Direct Access installation, you will start by configuring the first Direct Access Server, and that did work just fine. The issues started when Load Balancing was enabled in Direct Access.

When Load Balancing is enabled in Direct Access, the wizard tells that you need to provide a new DIP for the Internal and External interface, as the current configured IP addresses are going to be used for VIP’s – That means the current configured IP addresses are being “moved” to the Netscaler.
When the wizard completes, the Remote session towards the server will end as the Direct Access server are being reconfigured with new IP addresses.

Reconnecting to the new IP address, and the LB Wizards tells “All Good” 🙂
Wuhuu – Enabling of Load Balancing Direct Access wasn’t that hard. 😉

NetScaler configuration was done, and it all showed up as “green” inside NetScaler.

Then it was time to test with some client, even if there was only one Direct Access server configured.

Testing started and from a client side it was all working.
DCA on Windows 7 said “Corporate Connectivity is working” and Windows 10 said “Connected”
– All good.

Looked in Direct Access Console – Remote Client Status.
Hmm, no client was connected and no client had ever been reported…
Strange – Both DA Clients are showing as connected.

Back to the client, and trying to access internal resources.
– No Access !!

TroubleShooting Time:
Started with all known Direct Access troubleshooting tips, but noone worked..
Starting to suspect the server….

I then decided to add the second Direct Access Server to the Load Balanced Cluster.
The second DA Server was added, and both servers showed up av “All Functional” in Direct Access Console.

Back to the client again.
Same status on both clients, but this time one of the clients showed up in Direct Access Console.
– Did that client work ?

Back to the client, and trying ta access internal resources.
– It works 🙂

Reconnected the Direct Access clients several times, and as long as they ended up on the second server it worked.

Additional troubleshooting:

  • Changed the Netscaler config, so just the second server was enabled
    • Direct Access clients worked every time
  • Changed the Netscaler config, so just the first server was enabled
    • Direct Access cleints did not work.
  • Changed the Netscaler config, so both servers was enabled
    • Direct Access clients worked as long as they was assigned to the second server.

Then I decided to remove the first server from the Direct Access Load Balanced Cluster, and reinstall the server.
After the server was reinstalled and added into the Direct Access Load Balanced cluster, both Direct Access Servers stared to work……


Looks like there are some issues with the Direct Access routines when enabling Load Balancing.
It seems like there are something that isn’t completed when the server changes it’s IP Addresses.

My solution was:

  • Establish Direct Access on one server
  • Enable Load Balancing
  • Add second server to Load Balancing
  • Remove first server from Load Balancing
    • Reinstall server
  • Add the server back to Load Balancing

Maybe this is fixed in Windows Server 2016, but I don’t know..