Always On VPN and Network Policy Server (NPS) Load Balancing

Always On VPN and Network Policy Server (NPS) Load BalancingLoad balancing Windows Server Network Policy Servers (NPS) is straightforward in most deployment scenarios. Most VPN servers, including Windows Server Routing and Remote Access Service (RRAS) servers allow the administrator to configure multiple NPS servers for redundancy and scalability. In addition, most solutions support weighted distribution, allowing administrators to distribute requests evenly between multiple NPS servers (round robin load balancing) or to distribute them in order of priority (active/passive failover).

The Case for NPS Load Balancing

Placing NPS servers behind a dedicated network load balancing appliance is not typically required. However, there are some deployment scenarios where doing so can provide important advantages.

Deployment Flexibility

Having NPS servers fronted by a network load balancer allows the administrator to configure a single, virtual IP address and hostname for the NPS service. This provides deployment flexibility by allowing administrators to add or remove NPS servers without having to reconfigure VPN servers, network firewalls, or VPN clients. This can be beneficial when deploying Windows updates, migrating NPS servers to different subnets, adding more NPS servers to increase capacity, or performing rolling upgrades of NPS servers.

Traffic Shaping

Dedicated network load balancers allow for more granular control and of NPS traffic. For example, NPS routing decisions can be based on real server availability, ensuring that authentication requests are never sent to an NPS server that is offline or unavailable for any reason. In addition, NPS traffic can be distributed based on server load, ensuring the most efficient use of NPS resources. Finally, most load balancers also support fixed or weighted distribution, enabling active/passive failover scenarios if required.

Traffic Visibility

Using a network load balancer for NPS also provides better visibility for NPS authentication traffic. Most load balancers feature robust graphical displays of network utilization for the virtual server/service as well as backend servers. This information can be used to ensure enough capacity is provided and to monitor and plan for additional resources when network traffic increases.

Configuration

Before placing NPS servers behind a network load balancer, the NPS server certificate must be specially prepared to support this unique deployment scenario. Specifically, the NPS server certificate must be configured with the Subject name of the cluster, and the Subject Alternative Name field must include both the cluster name and the individual server’s hostname.

Always On VPN and Network Policy Server (NPS) Load Balancing

Always On VPN and Network Policy Server (NPS) Load Balancing

Create Certificate Template

Perform the following steps to create a certificate template in AD CS to support NPS load balancing.

  1. Open the Certificate Templates management console (certtmpl.msc) on the certification authority (CA) server or a management workstation with remote administration tool installed.
  2. Right-click the RAS and IAS Servers default certificate template and choose Duplicate.
  3. Select the Compatibility tab.
    1. Select Windows Server 2008 or a later version from the Certification Authority drop-down list.
    2. Select Windows Vista/Server 2008 or a later version from the Certificate recipient drop-down list.
  4. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    2. Choose an appropriate Validity period and Renewal period.
    3. Do NOT select the option to Publish certificate in Active Directory.
  5. Select the Cryptography tab.
    1. Chose Key Storage Provider from the Provider Category drop-down list.
    2. Enter 2048 in the Minimum key size field.
    3. Select SHA256 from the Request hash drop-down list.
  6. Select the Subject Name tab.
    1. Select the option to Supply in the request.
  7. Select the Security tab.
    1. Highlight RAS and IAS Servers and click Remove.
    2. Click Add.
    3. Enter the security group name containing all NPS servers.
    4. Check the Read and Enroll boxes in the Allow column in the Permissions for [group name] field.
  8. Click Ok.

Perform the steps below to publish the new certificate template in AD CS.

  1. Open the Certification Authority management console (certsrv.msc) on the certification authority (CA) server or a management workstation with remote administration tool installed.
  2. Expand Certification Authority (hostname).
  3. Right-click Certificate Templates and choose New and Certificate Template to Issue.
  4. Select the certificate template created previously.
  5. Click Ok.

Request Certificate on NPS Server

Perform the following steps to request a certificate for the NPS server.

  1. Open the Certificates management console (certlm.msc) on the NPS server.
  2. Expand the Personal folder.
  3. Right-click Certificates and choose All Tasks and Request New Certificate.
  4. Click Next.
  5. Click Next.
  6. Select the NPS server certificate template and click More information is required to enroll for this certificate link.
  7. Select the Subject tab.
    1.  Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the cluster fully-qualified hostname (FQDN) in the Value field.
    3. Click Add.
    4. Select DNS from the Type drop-down list in the Alternative name section.
    5. Enter the cluster FQDN in the Value field.
    6. Click Add.
    7. Enter the NPS server’s FQDN in the Value field.
    8. Click Add.
      Always On VPN and Network Policy Server (NPS) Load Balancing
  8. Select the General tab.
    1. Enter a descriptive name in the Friendly name field.
  9. Click Ok.
  10. Click Enroll.

Load Balancer Configuration

Configure the load balancer to load balance UDP ports 1812 (authentication) and 1813 (accounting). Optionally, to ensure that authentication and accounting requests go to the same NPS server, enable source IP persistence according to the vendor’s guidance. For the KEMP LoadMaster load balancer, the feature is called “port following”. On the F5 BIG-IP it is called a “persistence profile”, and on the Citrix NetScaler it is called a “persistency group”.

Additional Information

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Always On VPN Hands-On Training Classes in U.S. and Europe

15 Comments
by Richard M. Hicks on January 28, 2019  •  Permalink
Posted in ADC, Always On VPN, AOVPN, application delivery controller, authentication, certificates, Enterprise, enterprise mobility, F5, High Availability, Kemp, Load Balancing, LoadMaster, Mobility, Netscaler, network policy server, NPS, PKI, Remote Access, routing and remote access service, RRAS, Security, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 28, 2019

https://directaccess.richardhicks.com/2019/01/28/always-on-vpn-and-network-policy-server-nps-load-balancing/

Previous Post
Next Post
Leave a comment

15 Comments

  1. Justin

     /  September 28, 2019

    Thank you for another great post Richard, How will this be setup in Azure as I’m battling to get this working with Azure internal LB.

    Reply

    • Richard M. Hicks

       /  October 7, 2019

      I’ve not used the Azure load balancer to load balance NPS myserlf. It may not support some of the advanced features required to ensure proper operation though. I’ll have to test this sometime and see if that’s the case.

      Reply

  2. trotterd

     /  April 21, 2020

    Hi Richard, I hope you are well.

    I am testing this setup for a new deployment. One thing I think I am seeing is the traffic hitting the NPS servers is the IP Addresses of the F5 as if its being NATed and not the source IP Addresses of the RRAS-VPN servers. This would possibly mean I need to create RADIUS clients on the NPS servers of the F5 load balances NAT addresses and have a common shared secret. Or could a setting on the F5 be configured to route the traffic from RRAS?

    Thanks in advance

    Dave

    Reply

    • Richard M. Hicks

       /  April 22, 2020

      The best way to resolve this is to configure the F5 not to perform NAT. That will allow the NPS server to see the VPN servers original IP address. If you can’t do that though you’ll have to configure the IP address of the F5 as the RADIUS client on the NPS server. I don’t necessarily think that’s bad, it’s just non-standard. 🙂

      Reply

      • trotterd

         /  April 23, 2020

        Hi Richard, thanks for the swift reply and advice.

        I spoke to our comms guy who manages the F5 and he advised that he couldn’t configure it to not perform NAT unless we had dual network cards in the NPS servers and configured them in a DMZ style network. He advised that if we didn’t configure the dual NICs and tried to disable NAT, this would result in Asymmetric routing.

        So we have decided to remove the F5 from load balancing the NPS connection and go with multiple NPS configuration on each RAS server and alternate the scoring across them. I feel we need this more for resilience rather than load.

        Thanks again,

        Dave

      • Richard M. Hicks

         /  April 23, 2020

        Indeed making this change (removing NAT from the F5) can introduce routing issues. As I mentioned in the post you will likely have to change the VPN server’s default gateway to use the load balancer. If you only have a single network interface this is more of a challenge than it is with two interfaces.

  3. Peter

     /  January 26, 2022

    Hello! Question on the NPS load balancing in relation to the VPN Server.

    Do you then put the CN of the new VIP of the NPS, nps.domain.net, in the VPN -> Properties -> Security -> RADIUS Authentication -> Configure -> Add ? When I remove the Real NPS servers and just have the nps.domain.net, I get errors. To make it work I have to put both NPS servers in there with 30 Initial Score.

    Reply

    • Richard M. Hicks

       /  January 27, 2022

      If you have your NPS servers behind a load balancer virtual IP address, then you can use the cluster name in the RRAS configuration. Just make sure it is able to resolve correctly. If you are getting an error, you might need to configure the load balancer as a RADIUS client on your RADIUS server. The RADIUS server is probably seeing the source IP address of the authentication request as the load balancer, not the VPN server.

      Reply
  1. Always On VPN and Windows Server 2019 NPS Bug | Richard M. Hicks Consulting, Inc.
  2. Always On VPN and Azure MFA ESTS Token Error | Richard M. Hicks Consulting, Inc.
  3. Always On VPN with Azure Gateway | Richard M. Hicks Consulting, Inc.
  4. Troubleshooting Always On VPN Error Code 864 | Richard M. Hicks Consulting, Inc.
  5. Always On VPN Error Code 858 | Richard M. Hicks Consulting, Inc.
  6. Always On VPN Continue Connecting Prompt | Richard M. Hicks Consulting, Inc.
  7. Always On VPN and NPS AD Registration | Richard M. Hicks Consulting, Inc.

Leave a Reply to PeterCancel reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading