High Availability for Always On VPN

  • Question

  • Hi, so I am looking at options to make a (currently) single Windows 2019 RRAS virtual server, Highly Available by adding a second.

    We've been running an Always On VPN setup for over a year now (after migrating from Direct Access) and it works perfectly, but it's now becoming a more critical service, so we need to be able to make it HA, as well as be able to split the load with another server.

    The VPN server is configured with the Remote Access role installed and the role is configured as VPN Only (Not Direct Access), and users connect using IKEv2 using a mix of user-based certificates and others (Win 10 Ent. users) with device-based certificates.
    It has 2 NICs, one with an external IP and one with an internal IP.  The NPS server is separate and all clients have a certificate from an internal CA.

    I know with Direct Access, there is the option within the Remote Access Management Console to make an NLB Cluster, but this option does not exist for VPN only deployments.

    I've tried building a second, identically configured server and installing the NLB feature on both, and configuring with Unicast etc. that way but I get mixed results - mainly errors such as 'Invalid Payload received'.  Occasionally clients can connect, but not always.

    The second server also works stand-alone if I point clients at that; it's only when they are clustered together with NLB that I get issues.

    Is there a better way of achieving this?  Hardware load balancers are, unfortunately, not possible.

    Many thanks.

    Tuesday, March 10, 2020 1:23 PM

Answers

  • Although NLB is supported and should work for load balancing VPN connections, I typically avoid it. I've found that often NLB causes more problems than it solves. ;)

    Best practice is to use a load balancing appliance. They are available in virtual form factor from many vendors, and some are even free. I've deployed Always On VPN in load-balanced configurations numerous times and from experience I can tell you it will be much better with a dedicated and purpose built load balancer.


    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    Tuesday, March 10, 2020 11:25 PM

All replies

  • Hi,


    About the High Availability for Always on VPN, please refer the following link:


    https://kemptechnologies.com/microsoft-load-balancing/always-on-vpn/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information


    Hope this can help you, if you have anything unclear, please let me know.

    Have a nice day!

    Ellen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 11, 2020 3:18 AM
  • Here's some additional information about using the Kemp LoadMaster load balancer with Always On VPN.

    https://directaccess.richardhicks.com/2019/05/13/always-on-vpn-load-balancing-deployment-guide-for-kemp-load-balancers/


    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    Wednesday, March 11, 2020 3:24 AM
  • Thanks so much Richard for your Answer,

    I'm actually confused by the documentation for Always On VPN, related to ELB.

    For an Always On VPN Cluster it says that if I'm using an External Load Balancing (ELB) product like Kemp, FortiGate, etc..., I don't need to install NLB, that's ok.

    We have an RRAS Server configured as Jonathan Springham said: "The VPN server is configured with the Remote Access role installed and the role is configured as VPN Only (Not Direct Access)".

    In https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/cluster/configure/step-3-configure-a-load-balanced-cluster#BKMK_NLB, Step 2 specifies "In the Remote Access Management console, in the left pane, click Configuration, and then in the Tasks pane, click Enable Load Balancing.", but unfortunately this option isn't available unless you have DirectAccess and VPN enabled.

    Is there an option that allows configuring this "Enable Load Balancing" without enabling DirectAccess?

    Thanks so much in advance.

    • Edited by JRLOPS Tuesday, April 7, 2020 6:54 PM
    Tuesday, April 7, 2020 6:02 PM
    Unlike DirectAccess, RRAS VPN servers are completely unaware of each other. To enable load balancing in DirectAccess you had to use the Remote Access Management console. When enabling load balancing for RRAS and Always On VPN you don't have to do anything in the management console. You simply prepare another separate server and then configure your load balancer to use it.


    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    • Proposed as answer by JRLOPS Tuesday, April 7, 2020 6:58 PM
    • Unproposed as answer by JRLOPS Tuesday, April 7, 2020 8:38 PM
    Tuesday, April 7, 2020 6:10 PM
    Sorry Richard, I don't get it yet. Indeed, I didn't describe the actual situation well. So sorry about that.

    We want to configure an RRAS Always On VPN Server Cluster with External Load Balancing (ELB).

    So we're proceeding according to https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/cluster/configure/configure-a-remote-access-cluster.

    We skip the step to install NLB feature because we'll use ELB.

    In Step 3 Configure a Load-Balanced Cluster -> 3.2 Enable load balancing, we want to configure ELB, but Microsoft says "In the Remote Access Management console, in the left pane, click Configuration, and then in the Tasks pane, click Enable Load Balancing." Then "Depending on what you chose in planning steps: External load balancer: On the Load Balancing Method page, click Use an external load balancer, and then click Next.".

    Turns out that to allow the option Enable Load Balancing, DirectAccess needs to be enabled, but we don't want to do it, because we're only using VPN access.

    So my first question is: how can I create a cluster and add a node to the cluster without enabling DirectAccess?

    Additionally, according to what you said "When enabling load balancing for RRAS and Always On VPN you don't have to do anything in the management console. You simply prepare another separate server and then configure your load balancer to use it.", I understood that there's no option for FailOver High Availability or Clustering Always On VPN over RRAS, but instead two or more stand-alone RRAS Servers configured independently and exposed to an External Load Balancer; that's how HA is achieved, am I right?

    Finally, because an HA FailOver Cluster is not an option, do we need to mimic or replicate the configuration of one node to the other ELB Cluster RRAS Servers?

    I really appreciate your time and effort to help us. Thanks so much again.


    • Edited by JRLOPS Tuesday, April 7, 2020 9:49 PM
    Tuesday, April 7, 2020 9:19 PM
  • I think the confusion here is that you are using the Remote Access Management console (ramgmtui.exe) to configure RRAS. That's not recommended. You should be using the Routing and Remote Access management console (rrasmgmt.msc) to configure RRAS for Always On VPN. To build a load-balanced cluster of RRAS servers you'll configure each separately using rrasmgmt.msc. You'll then configure your external load balancer to route incoming requests between the two.

    To configure the VPN server you can right-click the server in the Routing and Remote Access console and choose "Configure and Enable Routing and Remote Access", or you can simply run the following PowerShell command.

    Install-RemoteAccess -VpnType VPN -Legacy -Passthru

    Once that's done you can complete the configuration using rrasmgmt.msc.


    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    Tuesday, April 7, 2020 9:58 PM
  • Thanks Richard,

    Yes, I enabled Always On VPN just like you and documentation said, using rrasmgmt.msc -> RRAS Server -> Properties -> Security -> Authentication Provider: RADIUS Authentication: NPS Server.


    According to Always On VPN load balancing cluster, I think there's not a cluster indeed as Microsoft mentions "Deploy Remote Access in a Cluster", because I don't have a unique IP that encapsulates the cluster, and when we make changes to a configuration it doesn't replicate to other nodes. Instead I'll have two or more stand-alone RRAS Servers with Always On VPN enabled that each have a Virtual IP, and then we're going to include those in a Load-Balancer, and if a change occurs we'd have to configure each of them separately according to the configuration of the original, and that's how we can get HA. Am I right?

    • Edited by JRLOPS Tuesday, April 7, 2020 11:32 PM
    Tuesday, April 7, 2020 11:31 PM
    That's correct. Where DirectAccess was built with the concept of clustering included, and had some awareness that it was indeed clustered, RRAS VPN does not. Each VPN server is completely standalone and has no idea the other exists. You configure them independently but with common settings like authentication, routing, etc. so clients can access either server and have the same experience. The only setting that will be unique per server is the IP address pool. Other than that, if you make changes to one (for example changing the authentication method) then you have to make that change on all other servers in the cluster individually.

    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    • Proposed as answer by JRLOPS Wednesday, April 8, 2020 12:13 AM
    Tuesday, April 7, 2020 11:47 PM
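    Putting the two points above together (VPN-only install via PowerShell, then the same shared settings on every node with only the address pool differing), here is an added PowerShell example; it is not code from the thread or from Richard M. Hicks Consulting. The NPS host, node names, pool range and RADIUS secret are assumed placeholders, and the drift check at the end assumes WinRM access to the first node.

```powershell
# Added example; not code from the thread or from Richard M. Hicks Consulting.
# Brings a second VPN-only RRAS node to the same shape as the first, then checks
# the two nodes for configuration drift. All names and addresses below are
# assumed/constructed: nps01, vpn01, the pool range and the shared secret.
param(
    [string]   $NpsServer    = 'nps01.corp.example',            # assumed NPS host
    [string]   $RadiusSecret = 'REPLACE-WITH-REAL-SECRET',      # placeholder
    [string[]] $PoolRange    = @('10.10.20.1', '10.10.20.254'), # UNIQUE per node
    [string]   $PeerNode     = 'vpn01.corp.example'             # the existing node
)

Import-Module RemoteAccess

# 1. VPN-only install (no DirectAccess), the same command given in the thread.
if ((Get-RemoteAccess -ErrorAction SilentlyContinue).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn -Legacy -PassThru | Out-Null
}

# 2. Settings that must be COMMON to every node so a client gets the same
#    outcome whichever node the external load balancer picks.
Set-VpnAuthType -Type ExternalRadius -RadiusServer $NpsServer -SharedSecret $RadiusSecret
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -PassThru | Out-Null
Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 128 -PassThru | Out-Null
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption -PassThru | Out-Null

# 3. The ONE setting that must differ per node: the client address pool.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $PoolRange

Restart-Service RemoteAccess

# 4. Drift check: RRAS nodes know nothing about each other, so compare the
#    shared settings against the peer and warn on any difference.
function Get-SharedVpnSettings {
    [pscustomobject]@{
        AuthType  = (Get-VpnAuthType).Type
        Protocols = ((Get-VpnAuthProtocol).UserAuthProtocolAccepted | Sort-Object) -join ','
        IpsecEnc  = (Get-VpnServerIPsecConfiguration).EncryptionType
    }
}
$local = Get-SharedVpnSettings
$peer  = Invoke-Command -ComputerName $PeerNode -ScriptBlock ${function:Get-SharedVpnSettings}
foreach ($p in $local.PSObject.Properties.Name) {
    if ("$($local.$p)" -ne "$($peer.$p)") {
        Write-Warning "Drift on '$p': local='$($local.$p)' peer='$($peer.$p)'"
    }
}
```

    Re-run step 4 from any node after every change to catch a setting that was updated on one node but forgotten on another.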
  • Thank you so much Richard, now it's clear to me, and I think for anyone who is looking around for this same question.

    Appreciate so much your time and help.

    In summary, for anyone who's looking and reading over the internet confused about Always On VPN HA, we can conclude the following about Always On VPN FailOver Cluster and HA:

    1. Actually there's no FailOver Cluster solution for Always On VPN. Yes, it has HA, but as a stand-alone RRAS VPN Server architecture, either by external load balancing (ELB) or NLB.

    Thanks so much again.

    Wednesday, April 8, 2020 1:21 AM