Thursday, 21 August 2014

Direct Access: Move NLS to remote web server


Previously we implemented DirectAccess in five easy steps using a single server. In production, additional configuration is required to implement a best-practice solution.

The Network Location Server is a key component of DirectAccess. Its purpose is to detect whether computers configured as DirectAccess clients are located in the corporate network. When clients are in the corporate network, DirectAccess is not used to reach internal resources. Instead, clients connect to internal resources directly.

The network location server is simply a website with an HTTPS server certificate. It should be located on a remote web server, not on the DirectAccess server itself (which holds the Remote Access role). It is also good practice to have multiple NLS servers in a highly available configuration.

This blog post demonstrates how to move the NLS configuration to a remote web server.

First you need a web server. Install IIS as normal.

Next you will need an SSL certificate. Note that you can use a self-signed certificate when the NLS is co-located with the DirectAccess server; however, you can't on a remote web server.

In my example I used my Internal CA and requested a certificate using the Web Server template (using the Certificates Snap-In).

The request shows that further information is required before it can be submitted.

The Common Name is the FQDN of the web server (e.g. nlsweb.contoso.local).

The Web Server certificate has now been installed.

Add an HTTPS binding to the site and configure it to use the new certificate.

Now, back at the DirectAccess server, open the Remote Access Management console.

Edit the Infrastructure Servers section (Step 3).

Enter the URL of the remote server (in the format https://nlsweb.contoso.local) and click Validate. You will not be able to continue if the URL is incorrect and validation fails.

Apply the new settings.

Close the wizard.

Now test your configuration. DirectAccess clients should still be able to connect as normal.
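The same procedure as a PowerShell script, added here as an example and not part of the original post. It assumes the NLS host name nlsweb.contoso.local, an enterprise CA that publishes the default Web Server template (template name WebServer), IIS's "Default Web Site", and the standard PKI, WebAdministration and RemoteAccess cmdlets; the three sections run on the NLS web server, the DirectAccess server and a client respectively.

```powershell
# --- Section 1: on the new NLS web server ---
$nlsFqdn = 'nlsweb.contoso.local'   # assumed NLS host name

# Install IIS.
Install-WindowsFeature Web-Server -IncludeManagementTools

# Request a certificate from the internal CA with the Web Server template.
# The CN and DNS SAN must match the FQDN clients will use for the NLS URL.
$enrol = Get-Certificate -Template WebServer -SubjectName "CN=$nlsFqdn" `
    -DnsName $nlsFqdn -CertStoreLocation Cert:\LocalMachine\My
$cert = $enrol.Certificate

# Add an HTTPS binding and attach the new certificate to it.
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert

# --- Section 2: on the DirectAccess server ---
$nlsFqdn = 'nlsweb.contoso.local'

# Point the Remote Access configuration at the remote NLS; this is the
# scripted equivalent of editing Step 3 (Infrastructure Servers) in the console.
Set-DANetworkLocationServer -Url "https://$nlsFqdn"

# --- Section 3: on a domain-joined DirectAccess client inside the network ---
$nlsFqdn = 'nlsweb.contoso.local'

# The NLS must answer over HTTPS with a certificate the client trusts. If the
# chain or name check fails, clients assume they are outside the network and
# try to use DirectAccess for internal resources.
function Test-Nls {
    param([string]$Url = "https://$nlsFqdn")
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = ($resp.StatusCode -eq 200); Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Error = $_.Exception.Message }
    }
}

Test-Nls
Get-DAConnectionStatus   # expect Status = ConnectedLocally while inside the corporate network
```

If Test-Nls reports Reachable = False with a certificate error, check the CA chain on the client and the CN/SAN on the NLS certificate before touching the DirectAccess configuration.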


  1. I'm looking for some documentation/arguments as to why you need to avoid installing NLS on your DA servers. You don't happen to have any links/arguments?


    1. It mentions it in the official documentation

  2. Hi Gerry,
    You're saying that a Self-Signed cert is not working on a remote NLS: "However you can't on a remote web server.". If the Clients have the Cert installed in trusted root it should actually work, or not?