Application Experience for Remote Workers using Always On VPN
Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access solution. Always On VPN provides seamless, transparent, always-on remote access, and uses traditional client-based VPN protocols like IKEv2 and SSTP. Information on the features of Always On VPN and the benefits to enterprise IT organizations looking for a better remote access solution is available here.
Eliminating single points of failure in the Always On VPN architecture means you can ensure the highest level of availability for the remote access solution. VPN servers can be made highly available using the Kemp LoadMaster load balancer. LoadMaster can be configured to accept inbound VPN connections and intelligently distribute them to all configured VPN servers. Traffic can be distributed in round-robin, or optionally based on the number of connections or by a percentage as defined by the administrator.
LoadMaster delivers site availability for geographic scalability and disaster recovery (DR) scenarios. Global server load balancing (GSLB) technology is available within the LoadMaster GEO solution to provide a comprehensive load balancing solution.
Major advantages of LoadMaster for Always On VPN include:
- Load balancing for RADIUS servers
- Redundancy and failover with LoadMaster GEO
- Geographic load balancing with LoadMaster GEO
Kemp has released a Load Balancing Deployment Guide for Windows 10 Always On VPN written by Richard Hicks, an MCP, MCSE, MCTS, and MCITP Enterprise Administrator. Richard is a Southern California-based network and information security consultant specializing in Microsoft technologies, and helps enterprises implement and support edge security and remote access solutions.
The Load Balancing Deployment Guide for Windows 10 Always On VPN provides step-by-step advice on configuring the Kemp LoadMaster load balancer to provide important scalability and eliminate critical points of failure in Always On VPN deployments.
The guide starts with a short introduction to Always On VPN, including the necessary prerequisites. It links to a template containing recommended settings for this workload, which simplifies the installation and creation of Virtual Services. Before setting up Virtual Services, it is advisable to follow the steps outlined in the section on LoadMaster Global Settings to enable Subnet Originating Requests and Check Persist globally.
Get all the information you need to create:
- IKEv2 UDP 500 and IKEv2 UDP 4500 Virtual Services using a template, recommended API settings, and steps to configure Port Following.
- SSTP Passthrough and SSTP Offloaded Virtual Services, with steps to configure TLS Offloading on the RRAS Server.
- NPS UDP 1812 and NPS UDP 1813 Virtual Services, with recommended API settings, and steps to configure Port Following. See advice and steps for configuring NPS server certificates as well as NPS server RADIUS configuration.
The reference section links to excellent Always On VPN resources such as:
- Information on LoadMaster GEO, which allows for multi data center High Availability (HA). When a primary site is down, GEO diverts traffic to the disaster recovery site. GEO also ensures clients connect to their fastest performing and geographically closest data center.
- Microsoft’s own resources on Always On VPN, where you can learn about deploying Remote Access as a single tenant VPN RAS Gateway for point-to-site VPN connections, using a number of scenarios, for remote client computers that are running Windows 10.
- The Microsoft Windows 10 Always On VPN Deployment Guide.
- Richard Hicks's Enterprise Mobility and Security Infrastructure Blog, with tons of great advice on Always On VPN, DirectAccess, NetMotion Mobility, Firewall and Edge Security, and PKI.
Watch Richard Hicks present Windows 10 Always On VPN load balancing strategies here.