Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access solution. Always On VPN works in much the same way as DirectAccess, providing seamless, transparent, and always-on remote access. Under the covers it uses traditional client-based VPN protocols like the Internet Key Exchange version 2 (IKEv2) and Secure Sockets Tunneling Protocol (SSTP).
Always On VPN Deployment Guide
Eliminating single points of failure in the Always On VPN architecture is crucial to ensuring the highest level of availability for the remote access solution, hence the need for a load balancer. VPN servers can be made highly available using the Kemp LoadMaster load balancer. The LoadMaster can be configured to accept inbound VPN connections and intelligently distribute them to all configured real servers. Traffic can be distributed round-robin, or optionally by the number of current connections or by a percentage defined by the administrator.
Always On VPN uses user certificates for authentication. The authentication protocol of choice is the Protected Extensible Authentication Protocol (Protected EAP, or PEAP), sometimes referred to as EAP-TLS. To leverage EAP, client connection requests are authenticated by a RADIUS server, commonly the Windows Server Network Policy Server (NPS). To provide redundancy for the authentication infrastructure, multiple RADIUS/NPS servers can be deployed and load balanced by the Kemp LoadMaster, ensuring high availability and enabling flexible scalability.
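To make the distribution methods described above concrete (round-robin, by current connection count, and by an administrator-defined percentage), and to show how the health check is what actually removes a failed node as a single point of failure, here is an added Python simulation of one virtual service fronting a pool of real servers. This is example code written for this page, not Kemp's LoadMaster implementation: the class and method names, the health-check dictionary and the 10.0.0.x addresses are assumptions. The same pool logic applies whether the real servers are the Always On VPN servers or the NPS/RADIUS servers behind them.

```python
"""Simulation of load-balancer distribution of inbound connections across a
pool of real servers (VPN servers or NPS/RADIUS servers).

Added example for this page; scheduling names and the health-check model are
assumptions, not Kemp's implementation."""
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    address: str
    weight: int = 1          # administrator-defined share for the weighted method
    healthy: bool = True     # outcome of the most recent health check
    connections: int = 0     # VPN (or RADIUS) sessions currently assigned


class VirtualService:
    """One VIP (for example UDP 500/4500 for IKEv2, TCP 443 for SSTP, or
    UDP 1812 for RADIUS) fronting a pool of real servers."""

    METHODS = ("round_robin", "least_connection", "weighted")

    def __init__(self, name, servers, method="round_robin"):
        if method not in self.METHODS:
            raise ValueError(f"unknown scheduling method: {method}")
        self.name = name
        self.servers = list(servers)
        self.method = method
        self._rr_index = 0

    def available(self):
        # Only servers that passed their health check may receive traffic;
        # a node that fails its check simply drops out of the rotation.
        return [s for s in self.servers if s.healthy]

    def apply_health_checks(self, results):
        """results maps server name -> True/False from the health monitor."""
        for server in self.servers:
            if server.name in results:
                server.healthy = results[server.name]

    def select(self):
        pool = self.available()
        if not pool:
            raise RuntimeError(f"{self.name}: no healthy real servers behind the VIP")
        if self.method == "round_robin":
            server = pool[self._rr_index % len(pool)]
            self._rr_index += 1
        elif self.method == "least_connection":
            server = min(pool, key=lambda s: s.connections)
        else:  # weighted: keep each server's share of sessions close to its weight
            server = min(pool, key=lambda s: s.connections / s.weight)
        return server

    def accept(self):
        """A new inbound connection reaches the VIP: pick a server and pin it."""
        server = self.select()
        server.connections += 1
        return server

    def release(self, server):
        """The session ended; free the slot on that real server."""
        server.connections = max(0, server.connections - 1)


def distribute(method, weights, count, failed=()):
    """Push `count` connections through a constructed pool (one server per
    weight) and return the per-server tally; `failed` names servers whose
    health check reports them down."""
    servers = [RealServer(f"vpn{i}", f"10.0.0.{i}", weight=w)
               for i, w in enumerate(weights, start=1)]
    vs = VirtualService("AlwaysOnVPN", servers, method)
    vs.apply_health_checks({name: False for name in failed})
    for _ in range(count):
        vs.accept()
    return {s.name: s.connections for s in servers}


if __name__ == "__main__":
    print(distribute("round_robin", (1, 1, 1), 9))                   # 3 / 3 / 3
    print(distribute("round_robin", (1, 1, 1), 9, failed=("vpn2",)))  # 5 / 0 / 4
    print(distribute("weighted", (7, 3), 10))                         # 7 / 3
```

The weighted method here is a deterministic approximation of a percentage split: each new connection goes to the healthy server whose connections-per-weight ratio is lowest, so a 70/30 weighting yields seven and three sessions out of ten. Whatever the method, a server that fails its health check receives nothing until the check succeeds again.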
Unlike DirectAccess, Always On VPN does not natively include support for redundancy or failover. To address this shortcoming, the Kemp LoadMaster GEO can be configured to improve availability for VPN servers located in different datacenters. The administrator can configure GEO to route all VPN connection requests to the primary datacenter and send requests to the secondary datacenter in the event the primary site is unavailable.
The Kemp LoadMaster GEO can also be used to provide geographic load balancing for Always On VPN. GEO can be configured to use proximity and location-based scheduling to intelligently route VPN connection requests to the nearest VPN server based on the client’s current location. This ensures that clients connect to the optimal VPN server available.
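The two GEO behaviours described in the preceding paragraphs, primary/secondary failover and proximity-based routing, both reduce to the same decision: given the set of datacenter VIPs that currently pass their health check and (optionally) where the client is, which address should the DNS answer for the VPN hostname contain? The following added Python example models that decision. It is written for this page and is not Kemp's GEO configuration or code; the site names, the 203.0.113.x addresses (documentation range), the coordinates, the policy names and the use of great-circle distance as the proximity metric are all constructed assumptions. The client's coordinates are assumed to come from a GeoIP lookup of the resolver's source address.

```python
"""Simulation of GSLB (GEO) answers for an Always On VPN hostname.

Added example for this page; sites, policy names and the distance metric
are constructed assumptions, not Kemp's GEO implementation."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Site:
    name: str
    vip: str            # address of that datacenter's VPN virtual service
    lat: float
    lon: float
    healthy: bool = True  # result of GEO's health check against the VIP


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), the proximity metric assumed here."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class GeoResolver:
    POLICIES = ("failover", "proximity")

    def __init__(self, hostname, sites, policy="failover"):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown GEO policy: {policy}")
        self.hostname = hostname
        self.sites = list(sites)  # for "failover" the order is primary, secondary, ...
        self.policy = policy

    def healthy_sites(self):
        # A datacenter whose VIP fails the health check is never handed out,
        # which is what turns a site outage into a transparent failover.
        return [s for s in self.sites if s.healthy]

    def resolve(self, client_lat=None, client_lon=None):
        """Return the VIP to place in the DNS answer, or None if every site is down."""
        candidates = self.healthy_sites()
        if not candidates:
            return None
        if self.policy == "failover" or client_lat is None or client_lon is None:
            # Failover: first healthy site in priority order. Proximity without a
            # usable client location also falls back to the configured order.
            return candidates[0].vip
        nearest = min(candidates,
                      key=lambda s: distance_km(client_lat, client_lon, s.lat, s.lon))
        return nearest.vip


def answer(policy, down=(), client=None):
    """Build a constructed three-site deployment, mark `down` sites as failing
    their health check, and return the DNS answer for the given client."""
    sites = [
        Site("dc-east", "203.0.113.10", 40.7, -74.0),   # primary
        Site("dc-west", "203.0.113.20", 37.8, -122.4),  # secondary
        Site("dc-eu", "203.0.113.30", 52.5, 13.4),      # tertiary
    ]
    for s in sites:
        if s.name in down:
            s.healthy = False
    geo = GeoResolver("vpn.example.com", sites, policy)
    if client is None:
        return geo.resolve()
    return geo.resolve(*client)


if __name__ == "__main__":
    print(answer("failover"))                               # primary
    print(answer("failover", down=("dc-east",)))            # secondary
    print(answer("proximity", client=(51.5, -0.1)))         # London -> dc-eu
    print(answer("proximity", down=("dc-eu",), client=(51.5, -0.1)))  # -> dc-east
```

Note that both policies share the health gate: proximity routing sends a London client to the EU site while it is up, and to the next-nearest healthy site (the east-coast datacenter) when it is not, rather than to an address that will not answer.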