Configuring an External Load Balanced UAG DirectAccess Array for an IPv4 Only Network

The article Configuring external load balancing for a Forefront UAG DirectAccess array at https://technet.microsoft.com/en-us/library/ee690463.aspx describes how you would configure a UAG DirectAccess array when using external load balancers. In the example provided on that page, you will see that both internal and external load balancers are required to complete the solution. However, the requirement for internal and external load balancers only exists when you have an IPv6 capable network.

Another scenario you might want to consider is the IPv4 only network located behind the UAG DirectAccess array. In this scenario, you only need an external load balancer. In the IPv4 only network behind the UAG DirectAccess array scenario, the internal load balancer can be removed.

Figure 1 depicts the topology for external load balancing when a UAG DirectAccess array is positioned in front of an IPv4 only network.

clip_image001

Figure 1

You need to configure your external load balancer to load balance incoming connections for TCP port 443 (to support IP-HTTPS), and UDP port 3544 (to support Teredo. 6to4 will not work in an external load balancing scenario.

You also need to configure UAG to use IPv6 addresses on its internal network interfaces, as external load balancing requires this. Since IPv6 is not deployed on your IPv4 only network, you should use a 6to4 based address space and give an address from that address space to each of the UAG array members internal interfaces, as shown in Figure 1.

Suppose WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z, which is the public IPv4 address you use in the external load balancer, you would use the 2002:WWXX:YYZZ:8000::/49 address space for generating addresses to the UAG machines (e.g. if the array has three servers they can get the following IPv6 addresses 2002:WWXX:YYZZ:8000::1, 2002:WWXX:YYZZ:8000::2, 2002:WWXX:YYZZ:8000::3)

Once you run to UAG wizard you would be prompted to enter the IPv6 prefixes of you organization, you should use:

  • 2002:WWXX:YYZZ:8000::/49 as the organizational prefix
  • 2002:WWXX:YYZZ:8000::/64 as the ISATAP prefix
  • 2002:WWXX:YYZZ:8001::/96 as the NAT64/DNS64 prefix
  • 2002:WWXX:YYZZ:8100::/56 as the IP-HTTPS prefix

You can use the Windows Calculator to perform the conversions if you are not familiar with Hex notation.

For example, for the IPv4 address:

192.0.2.31

W = 192

X= 0

Y= 2

Z= 30

Converting to Hex format WWXX:YYZZ:

192 = C0

0 = 0

2 = 2

31 = 1F

Put them together, and you get:

C000:021F

Which can be used to determine the organization prefix:

2002:WWXX:YYZZ:8000::/49

which is in our example:

2002:C000:021F:8000::/49

To use the Windows calculator:

1. Open the Windows Calculator from the Start menu.

2. Click the View menu, and click Programmer.

3. Select the Dec option and enter the value for W, X, Y or Z clip_image002

4. Select the Hex option. The display shows the conversion between decimal to Hex notation clip_image003

Authors:

Ben Bernstein, Senior Program Manager

Tom Shinder, Technical Writer

Comments

  • Anonymous
    October 18, 2010
    Thanks for this, but I noticed a typo, "192.0.2.31 W = 192 X= 0 Y= 2 Z= 30" Should Z=30? or 31? and does it matter which IP on the external LB is used (1st IP or the 2nd Sequential IP)

  • Anonymous
    July 17, 2012
    The comment has been removed