Load Balancing Windows 10 Always On VPN

Introduction

Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access solution. Always On VPN works in much the same way as DirectAccess, providing seamless, transparent, and always-on remote access. Under the covers it uses traditional client-based VPN protocols such as Internet Key Exchange version 2 (IKEv2) and the Secure Socket Tunneling Protocol (SSTP).

Always On VPN Features and Benefits

Always On VPN provides many advantages over DirectAccess. Always On VPN includes support for granular traffic filtering, allowing administrators to restrict access to internal resources. It supports both IPv4 and IPv6 and can be implemented using third-party VPN servers. Clients can be Windows 10 Professional or Enterprise, and can be joined to an Active Directory domain, Azure Active Directory, or not joined to a domain at all. When clients are joined to Azure Active Directory, features such as conditional access can be used. Windows Information Protection and Windows Hello for Business can also be integrated with Windows 10 Always On VPN.

Always-on-VPN deployment diagram

Load Balancing for VPN Servers

Eliminating single points of failure in the Always On VPN architecture is crucial to ensuring the highest level of availability for the remote access solution. VPN servers can be made highly available using the KEMP LoadMaster load balancer. The LoadMaster can be configured to accept inbound VPN connections and intelligently distribute them to all configured real servers. Traffic can be distributed round-robin, by the number of active connections, or by percentage weights defined by the administrator.

Load Balancing for RADIUS Servers

Always On VPN makes use of user certificates for authentication. The authentication protocol of choice is the Protected Extensible Authentication Protocol (Protected EAP, or PEAP), sometimes referred to as EAP-TLS. To leverage EAP, client connection requests are authenticated using a RADIUS server, commonly the Windows Server Network Policy Server (NPS). To provide redundancy for the authentication infrastructure, multiple RADIUS/NPS servers can be deployed and load-balanced by the KEMP LoadMaster to ensure high availability and to enable flexible scalability.

Redundancy and Failover

Unlike DirectAccess, Always On VPN does not natively include support for redundancy or failover. To address this shortcoming, the KEMP LoadMaster GEO can be configured to improve availability for VPN servers located in different datacenters. The administrator can configure GEO to route all VPN connection requests to the primary datacenter and send requests to the secondary datacenter in the event the primary site is unavailable.
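The distribution methods described under Load Balancing for VPN Servers (round-robin, active connections, administrator-defined percentages) and the primary/secondary datacenter failover described here, as an added illustrative model that is not KEMP's or Microsoft's code. Server names, weights and the "primary"/"secondary" site labels are constructed for the example; the health flag stands in for whatever health check the load balancer performs.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class RealServer:
    """One VPN (or RADIUS) real server behind the load balancer. Constructed model."""
    name: str
    site: str               # "primary" or "secondary" datacenter
    weight: int = 1         # share for the percentage-based method
    healthy: bool = True    # result of the last health check
    connections: int = 0    # live sessions currently assigned


class VpnScheduler:
    """Picks a real server for each new connection request."""

    def __init__(self, servers, method="round-robin"):
        self.servers = servers
        self.method = method
        self._rr = 0

    def _pool(self):
        # Only servers passing health checks are eligible. Prefer the primary
        # site; the secondary site is used only when the primary has no
        # healthy server left (the active/standby behaviour described above).
        up = [s for s in self.servers if s.healthy]
        primary = [s for s in up if s.site == "primary"]
        return primary or up

    def pick(self):
        pool = self._pool()
        if not pool:
            raise RuntimeError("no healthy VPN server in any site")
        if self.method == "round-robin":
            chosen = pool[self._rr % len(pool)]
            self._rr += 1
        elif self.method == "least-connections":
            chosen = min(pool, key=lambda s: s.connections)
        elif self.method == "weighted":
            # Deterministic weighted choice (integer arithmetic): the server whose
            # assigned share lags furthest behind its configured weight goes next.
            total = sum(s.weight for s in pool)
            nth = sum(s.connections for s in pool) + 1
            chosen = max(pool, key=lambda s: s.weight * nth - s.connections * total)
        else:
            raise ValueError(f"unknown method: {self.method}")
        chosen.connections += 1
        return chosen.name


def distribute(scheduler, requests):
    """Feed `requests` new connections through the scheduler; return per-server counts."""
    return dict(Counter(scheduler.pick() for _ in range(requests)))
```

Because VPN sessions are long-lived, a real load balancer decrements the connection count only when the tunnel is torn down, which is why least-connections usually spreads IKEv2/SSTP sessions more evenly than plain round-robin.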

Geographic Load Balancing

The KEMP LoadMaster GEO can also be used to provide geographic load balancing for Always On VPN. GEO can be configured to use proximity and location-based scheduling to intelligently route VPN connection requests to the nearest VPN server based on the client’s current location. This ensures that clients connect to the best VPN server available.