Always on VPN Failover Cluster

  • Question

  • Hello Everyone,

    I can't find anything related to setting up an Always On VPN failover cluster!

    I'd like to use my FortiGate as a load balancing hardware so that my AOV clients can switch to the second RRAS server if the connection to the first is interrupted.

    Pretty simple setup really, but I can't make it work...

    I have 2 RRAS servers set up as AOV servers. I can connect to each one individually, but the switch has to be manual: I have to disconnect the client manually and reconnect it so that I switch to the second server. Disconnecting the network card doesn't even disconnect the AOV connection; it just stays connected to nothing, basically.

    Anyone have any ideas on how to set this up?

    thanks!


    Hitch Bardawil

    Monday, July 9, 2018 14:33

All replies

  • Hi,

    Thanks for your question.

    Please check whether my understanding of this issue is correct. You have set up two RRASs for VPN failover, and need to perform connecting to each VPN manually within a switch.

    1) May I know now can you connect VPN when changing to another?  

    2) Would the switch configure VLAN in your environment and if the VPN servers in different VLAN?

    3) The VPN servers only have a NIC card behind NAT Router or 2 NICs as the Routers at the same time?

    4) Please any other network device functions between VPN servers and the switch in your environment like Radius server.

    Furthermore, regarding the deployment of VPN failover, we could check the following overview which provides an introduction to the configuration steps required to deploy Remote Access servers in a load-balanced cluster. Please refer to the following article to check the configuration of VPN server cluster.  

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/cluster/configure/configure-a-remote-access-cluster

    Step 1: Deploy an Always on VPN server with Advanced options.

    Step 2: Prepare cluster servers.

    Step 3: Configure a load-balanced cluster.

    Step 4: Verify the cluster.

    Here’s another blog that discusses configuring an NLB-based cluster of VPN servers, for your reference.

    https://blogs.technet.microsoft.com/rrasblog/2009/07/02/how-to-configure-network-load-balancing-nlb-based-cluster-of-vpn-servers/

    Hope the above information can help you. If I have misunderstood your situation, please don’t hesitate to let me know.

    Highly appreciate your effort and time.

    Have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, July 10, 2018 03:08
  • Hello Michael,

    Thanks for your answer!

    Check out this small sketch that will answer some of your questions.

    1) May I know now can you connect VPN when changing to another?  

    Currently I have to cut off the internet connection and reconnect to switch from RRAS 1 to RRAS 2, but the idea is to have AOV switch automatically (which it is not doing).

    2) Would the switch configure VLAN in your environment and if the VPN servers in different VLAN?

    Both RRAS servers are in the same VLAN.

    3) The VPN servers only have a NIC card behind NAT Router or 2 NICs as the Routers at the same time?

    The sketch answers that.

    4) Please any other network device functions between VPN servers and the switch in your environment like Radius server.

    RADIUS or NPS server in the LAN, but that's independent.

    Thanks!


    Hitch Bardawil

    Tuesday, July 10, 2018 12:38
  • Also about the articles,

    Come on Microsoft, half the articles are still about Direct Access...

    All that is related to load balancing is about Direct Access...

    Cheers


    Hitch Bardawil

    Tuesday, July 10, 2018 14:25
  • Hi,

    Thanks for your reply. 

    We can first deploy the two VPN servers and test that clients are working. Then we deploy NLB on both servers, create the NLB cluster and add the two nodes, as in the following article:

    How to configure Network Load Balancing (NLB) based cluster of VPN Servers

    Reference link:

    https://itdvds.com/Training/DeployingServer2016HighlyAvailableVPN.aspx

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. 

    Network Load Balancing

    Hope this helps.

    Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael 


    Wednesday, July 11, 2018 09:48
  • Btw, does the Fail-Over Cluster role support RAS? Or is it just NLB which supports it?

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Friday, July 13, 2018 07:03
  • Hi,

    How are things going?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael


    Saturday, July 21, 2018 03:43
  • Hello Michael,

    Thanks for asking!

    Unfortunately none of those articles refer to setting up failover with an external load balancer.

    Clients can connect to one server or the other, but no way until now to fail over to the second RRAS server automatically...


    Hitch Bardawil

    Wednesday, July 25, 2018 12:03
  • Hi Hitch,

    Did you get anything resolved? I'm looking at a similar setup to yourself but using an F5 instead.

    Microsoft documentation is unhelpful, and refers to DA in every post. It mentions clustering and being able to select "Enable Load balancing" within the Remote Access console, but that option does not exist in my setup.

    https://docs.microsoft.com/en-gb/windows-server/remote/remote-access/ras/cluster/plan/step-2-plan-cluster-servers

    Have you had much luck?

    Thursday, August 16, 2018 14:13
  • Hey Tim,

    Nothing new here!

    How about on your side?


    Hitch Bardawil

    Monday, September 17, 2018 10:08
  • There are a bunch of deployments for IIS running on 3rd-party HA like F5. I believe the LB must be monitoring some Win Server's service. In IIS, it would be the www service; in VPN, it would be the RAS service. The LB must recognize when the service is up or down.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    • Proposed as answer by scerazy Tuesday, March 5, 2019 15:48
    Monday, September 17, 2018 13:48
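
The reply above says an external load balancer has to monitor the RAS service to know whether a node is up. One way to run that check from a monitoring host, added here as an example (not code from any poster or from Microsoft): the node names and the TCP 443 SSTP listener are assumptions, and `RemoteAccess` is the Windows service name for RRAS.

```powershell
# Added example: health check for two RRAS nodes behind an external load balancer.
# Assumptions (not from the thread): placeholder host names, SSTP listening on TCP 443.
function Test-RrasNode {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,        # assumed SSTP listener; IKEv2 is UDP and cannot be probed with a TCP connect
        [int]$TimeoutMs = 2000
    )
    $result = [ordered]@{ Node = $ComputerName; Service = 'Unknown'; PortOpen = $false; Healthy = $false }

    # 1. Is the Routing and Remote Access service running on the node?
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'" `
                               -ComputerName $ComputerName -ErrorAction Stop
        if ($svc) { $result.Service = $svc.State }
    } catch {
        $result.Service = 'Unreachable'
    }

    # 2. Does the node accept a TCP connection on the VPN port within the timeout?
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        $result.PortOpen = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        $result.PortOpen = $false   # refused or unreachable
    } finally {
        $client.Dispose()
    }

    # A node is only a valid target when both checks pass.
    $result.Healthy = ($result.Service -eq 'Running') -and $result.PortOpen
    [pscustomobject]$result
}

$nodes  = 'rras1.example.internal', 'rras2.example.internal'   # placeholder names
$status = $nodes | ForEach-Object { Test-RrasNode -ComputerName $_ }
$status | Format-Table -AutoSize

$active = $status | Where-Object Healthy | Select-Object -First 1
if ($active) { "Send new connections to $($active.Node)" }
else         { Write-Warning 'No healthy RRAS node available' }
```

A stopped service with the port still reachable, or a running service with the port blocked, both mark the node unhealthy, which is the condition a load balancer monitor needs in order to stop sending new connections to it.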
  • Anything more? MS makes all this technology half-a**ed. It is there, but always something missing in the end. And we have to just use the bits that are there, even if it feels unfinished.
    Tuesday, March 5, 2019 15:50
  • Nope, still nothing on my side. My support engineer told me to wait till March 2019 for an updated version, so I'm waiting :)

    Hitch Bardawil

    Wednesday, March 6, 2019 10:06
  • Wait for WHAT update?

    Thursday, March 7, 2019 19:26
  • Are we any further with it?

    One can do it with Kemp Load Balancing, and also now there is a page on MS Docs

    Deploy Remote Access in a Cluster

    but it does not mention Server 2019.

    Seb

    Thursday, May 30, 2019 07:56
  • Hey Guys,

    This is nuts; many months later, the documentation still refers to Direct Access....

    I had a support guy who told me that some bugs would be resolved by April/May 2019, but I cannot see anything new...

    Has anyone deployed this solution to production?


    Hitch Bardawil

    Wednesday, July 3, 2019 09:28
  • What solution are you asking about?

    I see no solution (that supports 2019 & does NOT involve hardware: For the External Load Balancer scenario, dedicated hardware is required (i.e. F5 BigIP) )

    Seb

    Saturday, October 5, 2019 15:10