Forefront UAG DirectAccess load balancing

Updated: February 1, 2010

Applies To: Unified Access Gateway

Forefront UAG integrates the NLB functionality provided by Windows Server 2008 R2 and extends it so that Forefront UAG DirectAccess servers can be load balanced. Forefront UAG NLB provides load balancing for up to 8 Forefront UAG DirectAccess array members.

When using NLB with a Forefront UAG array, each array member runs a separate copy of Forefront UAG DirectAccess, and NLB distributes incoming client requests across the hosts in the array. In a Forefront UAG NLB array, all computers in the array are addressed by the same set of array (virtual) IP addresses, and Forefront UAG NLB also maintains a set of unique, dedicated IP addresses for each array member. For load-balanced applications, when an array member fails or goes offline, its load is automatically redistributed among the array members that are still operating.

Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess traffic. DirectAccess traffic is IPv6 carried inside IPv4 transition tunnels, so to load balance all of it Forefront UAG NLB must be able to look inside the IPv4 tunnel of each transition technology. Because IP-HTTPS traffic is encrypted, the content of its IPv4 tunnel cannot be examined (for information on IP-HTTPS, see Connectivity). To enable load balancing of IP-HTTPS traffic, you must instead allocate an IP-HTTPS IPv6 prefix wide enough for Forefront UAG to assign a different /64 prefix to each array member, so that traffic for an IP-HTTPS client can be matched to a member by prefix rather than by inspecting the tunnel. Each bit taken from the /64 boundary doubles the number of /64s available: 2 array members require a /63 prefix (two /64s), 3 or 4 members require a /62, and 5 to 8 members require a /61 prefix (eight /64s, one for each of the maximum 8 array members). The prefix must also be aligned to its own boundary (a /61 must start on a multiple of eight /64s) so that it can be advertised as a single route. This prefix must be routable in the organization network to the Forefront UAG DirectAccess array's virtual IPv6 address.
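As an added worked example (not part of the original Forefront UAG documentation and not Forefront UAG code), the following Python script applies the prefix-sizing rule above: it computes the narrowest IP-HTTPS prefix that still yields one /64 per array member for any array size from 1 to 8, checks that an allocated prefix is wide enough and aligned, and carves it into per-member /64 prefixes. The 2001:db8:1:10::/61 prefix and the UAG1 to UAG8 member names are constructed placeholders, and the sequential member-to-prefix assignment is an assumption for illustration; the page does not document the order Forefront UAG itself uses.

```python
import ipaddress
from typing import Dict, List

# Forefront UAG NLB supports at most 8 DirectAccess array members.
MAX_ARRAY_MEMBERS = 8


def required_prefix_length(member_count: int, per_member_prefix: int = 64) -> int:
    """Narrowest prefix length that still holds one /64 per array member.

    A /N prefix contains 2**(64 - N) /64s, so we need the smallest k with
    2**k >= member_count and return 64 - k. (member_count - 1).bit_length()
    gives that k with integer arithmetic: 2 -> /63, 3 or 4 -> /62, 5..8 -> /61.
    """
    if not 1 <= member_count <= MAX_ARRAY_MEMBERS:
        raise ValueError(f"array size must be 1..{MAX_ARRAY_MEMBERS}, got {member_count}")
    return per_member_prefix - (member_count - 1).bit_length()


def prefix_is_wide_enough(prefix: str, member_count: int) -> bool:
    """True if `prefix` can be split into at least `member_count` /64 prefixes.

    strict=True makes ipaddress reject a prefix whose host bits are set, for
    example 2001:db8:1:11::/61, which is not aligned to a /61 boundary and
    could not be advertised as a single route toward the array's virtual IP.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    return net.prefixlen <= required_prefix_length(member_count)


def plan_ip_https_prefixes(prefix: str, member_names: List[str]) -> Dict[str, str]:
    """Assign one /64 out of `prefix` to each array member, in list order.

    The assignment order is an assumption for illustration only; the order
    Forefront UAG itself uses is not documented on this page.
    """
    if not prefix_is_wide_enough(prefix, len(member_names)):
        needed = required_prefix_length(len(member_names))
        raise ValueError(
            f"{prefix} is too narrow for {len(member_names)} members; "
            f"allocate a /{needed} or wider"
        )
    subnets = ipaddress.IPv6Network(prefix, strict=True).subnets(new_prefix=64)
    return {name: str(next(subnets)) for name in member_names}


if __name__ == "__main__":
    # Constructed example: an 8-member array using a /61 carved from the
    # 2001:db8::/32 documentation range (the page's "8 members need a /61" case).
    members = [f"UAG{i}" for i in range(1, 9)]
    for name, per_member in plan_ip_https_prefixes("2001:db8:1:10::/61", members).items():
        print(f"{name}: {per_member}")
    # A /63 serves two members but not three.
    print(prefix_is_wide_enough("2001:db8:1:10::/63", 2))  # True
    print(prefix_is_wide_enough("2001:db8:1:10::/63", 3))  # False
```

Whatever size you end up with, it is the aggregate prefix (the /61 in this example), not the individual /64s, that the page says must be routable in the organization network to the array's virtual IPv6 address; one route for the aggregate covers every member's /64.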