OnPrem Always On VPN for BYOD and Capacity planning

  • Question

  • Hi,

    We are planning to implement Always On VPN for Windows 10 clients, for both corporate and users' personal Windows 10 devices. I would request your support on the points below.

    1. Since personal Windows 10 devices/laptops are not domain joined and not managed by corporate, what should be the VPN authentication method and how do we ensure BYOD is meeting compliance? Can we use IKEv2 with a user certificate for BYOD if a device certificate is not feasible?
    2. How to plan for sizing the VPN and NPS servers? I could not find any matrix to calculate CPU, memory and load-balancing capacity to size the servers with respect to the number of clients. How can we plan for scalability?

    I would appreciate your support on these, since there is very limited info and few resources we can find today.

    Regards
    Mahesh

    Tuesday, May 26, 2020 6:50 AM

Answers

  • Hi,

    >> Since personal Windows 10 devices/laptops are not domain joined and not managed by corporate, what should be the VPN authentication method and how do we ensure BYOD is meeting compliance? Can we use IKEv2 with a user certificate for BYOD if a device certificate is not feasible?

    Use a user certificate for EAP-TLS or PEAP-TLS. In such a case, we always use IKEv2 with a user certificate for BYOD. You need to manually import the certificate to non-domain devices.

    You can refer to the discussion in the following article:

    Always On VPN Certificate Requirements for IKEv2

    >> How to plan for sizing the VPN and NPS servers? I could not find any matrix to calculate CPU, memory and load-balancing capacity to size the servers with respect to the number of clients. How can we plan for scalability?

    There is no documentation yet regarding hardware capacity planning for RRAS servers running VPN roles according to the number of VPN clients, nor for NPS.

    However, you could refer to the following initial hardware recommendations for RRAS server running VPN roles:

    1. 4-8 cores (the more the better, as IPsec can be pretty CPU heavy)

    2. 8+ GB RAM (depends on whether or not you want to use inbox accounting, which usually leverages the WID)

    3. 80+ GB hard disk; inbox accounting stores the database in %windir%\DirectAccess\db. Both the mdf and ldf files can get rather large. There is no easy way to change the path to another disk. Limit the stored data to 3-6 months max

    4. Once inbox accounting has been enabled, run this PowerShell script; otherwise CPU and memory usage will be very high

    5. Properly configure RSS

    6. Network adapter power management

    7. Use the “High Performance” Windows power profile

    8. Avoid force tunneling, as this will add load and increase network traffic

    You can also follow the DirectAccess Capacity Planning:

    DirectAccess Capacity Planning

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by A.Mahesh Friday, June 26, 2020 11:23 AM
    Wednesday, May 27, 2020 3:02 AM
    Moderator
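As an added example, not code from the thread, from Microsoft or from any participant: a read-only PowerShell check that an RRAS Always On VPN server meets the starting-point recommendations in the answer above (core and RAM counts, inbox accounting database size under %windir%\DirectAccess\db, RSS on each adapter, adapter power management, and the High Performance power plan). The 20 GB database threshold and the variable names are assumptions; the power-plan GUID is the built-in Windows High Performance scheme.

```powershell
# Added example (not from the thread): read-only checks of an RRAS/Always On VPN
# server against the hardware and tuning points listed in the answer above.
# Run in an elevated PowerShell on the RRAS server. Nothing here changes settings.

$findings = @()

# 1) CPU and memory against the "4-8 cores / 8+ GB RAM" starting point
$cpu   = Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfLogicalProcessors -Sum
$memGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
if ($cpu.Sum -lt 4) { $findings += "Only $($cpu.Sum) logical CPUs; IPsec is CPU heavy, 4-8 cores recommended." }
if ($memGB -lt 8)   { $findings += "Only $memGB GB RAM; 8+ GB recommended, more if inbox accounting (WID) is on." }

# 2) Inbox accounting database growth in %windir%\DirectAccess\db (mdf + ldf)
$dbPath = Join-Path $env:windir 'DirectAccess\db'
if (Test-Path $dbPath) {
    $dbBytes = (Get-ChildItem $dbPath -Include *.mdf, *.ldf -Recurse -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
    $dbGB = [math]::Round($dbBytes / 1GB, 2)
    # 20 GB is an assumed local threshold, not a Microsoft figure; tune it to your disk.
    if ($dbGB -gt 20) { $findings += "Inbox accounting DB is $dbGB GB; purge data older than 3-6 months." }
}

# 3) RSS enabled, and 4) OS not allowed to power down the NIC, on every physical adapter that is up
foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
    $rss = Get-NetAdapterRss -Name $nic.Name -ErrorAction SilentlyContinue
    if (-not $rss -or -not $rss.Enabled) { $findings += "RSS is not enabled on adapter '$($nic.Name)'." }

    $pm = Get-NetAdapterPowerManagement -Name $nic.Name -ErrorAction SilentlyContinue
    if ($pm -and $pm.AllowComputerToTurnOffDevice -eq 'Enabled') {
        $findings += "Adapter '$($nic.Name)' allows the OS to turn it off; disable NIC power management."
    }
}

# 5) Windows power plan should be High Performance (GUID of the built-in scheme)
$highPerfGuid = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
$active = (powercfg /getactivescheme) -join ' '
if ($active -notmatch $highPerfGuid) { $findings += "Active power plan is not High Performance: $active" }

if ($findings.Count -eq 0) { Write-Output 'All checks passed.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

The checks are deliberately read-only so the script can be run repeatedly (for example from a scheduled task) as a drift detector; fixing a finding is a separate, reviewed change on the server. Force tunneling (item 8) is a property of the client VPN profile rather than of the server, so it is not covered here.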

All replies

  • Hi Candy,

    Thanks for your response. Even though I had seen this article earlier, your response made me read and think again... thanks for that.

    If we select a user certificate for BYOD, how can we install the user certificate in the "Current User/Personal" store? Is it possible to push this user certificate through Intune if the BYOD devices are registered devices (not Azure AD joined)?


    Regards:Mahesh

    Wednesday, May 27, 2020 8:49 AM
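Continuing the manual-import point in the accepted answer and the "Current User/Personal" store question just above, as an added PowerShell example that is not from any participant in the thread: it imports a user certificate into Cert:\CurrentUser\My on a non-domain Windows 10 client and then verifies the properties an IKEv2 user tunnel with EAP-TLS depends on (private key present, Client Authentication EKU, not about to expire, expected issuer, chain builds to a trusted root). The PFX path, the issuer name and the 30-day expiry margin are placeholders and assumptions, not values from the thread.

```powershell
# Added example (not from the thread): import a user certificate into the
# Current User\Personal store on a non-domain (BYOD) Windows 10 client and
# verify it is usable for IKEv2 user-tunnel authentication with EAP-TLS.
# The path, password prompt and CA name below are placeholders.

$pfxPath  = 'C:\Temp\user-vpn.pfx'                              # placeholder: exported user cert + private key
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code the password
$issuerCn = 'CN=Contoso Issuing CA'                             # placeholder: your enterprise CA subject

# 1) Import into the user's Personal store (Cert:\CurrentUser\My), not LocalMachine,
#    because the user tunnel authenticates the user, not the device.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPass

# 2) Verify the properties an EAP-TLS user certificate needs.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $clientAuthOid)

$problems = @()
if (-not $cert.HasPrivateKey)                  { $problems += 'no private key (export the PFX with the key)' }
if (-not $hasClientAuth)                       { $problems += 'missing Client Authentication EKU' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }   # 30 days is an assumed margin
if ($cert.Issuer -notlike "*$issuerCn*")       { $problems += "issuer is '$($cert.Issuer)', expected '$issuerCn'" }

# 3) The chain must build to a root the client trusts; on BYOD the enterprise root CA
#    usually has to be imported as well (Cert:\CurrentUser\Root or Cert:\LocalMachine\Root).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += ('chain does not build: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is ready for EAP-TLS."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

The same verification section can be run on its own against a certificate that an MDM pushed, by replacing the import with `Get-ChildItem Cert:\CurrentUser\My` filtered on the expected subject, which is a quick way to confirm on a registered BYOD device that the certificate actually landed in the user store rather than the machine store.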