I’m pleased to announce that Kemp has released its Load Balancing Deployment Guide for Windows 10 Always On VPN. Authored by yours truly, this guide provides detailed, prescriptive guidance for configuring the Kemp LoadMaster load balancer to provide important scalability and eliminate critical points of failure in Always On VPN deployments.
Configuration Guidance
Included in the guide are configuration steps for load balancing IKEv2 and SSTP VPN servers with Kemp LoadMaster. Crucial details for IKEv2 load balancing as well as SSL offload for SSTP are covered in depth. In addition, the guide includes information about load balancing important supporting infrastructure services such as the Network Policy Server (NPS). Finally, guidance is included for enabling active/passive or active/active load balancing as well as geographic load balancing for multisite Always On VPN deployments.
Download
You can download the Windows 10 Always On VPN load balancing deployment guide for Kemp LoadMaster load balancers here.
Additional Information
Windows 10 Always On VPN Load Balancing Deployment Guide for Kemp LoadMaster Load Balancers
Windows 10 Always On VPN IKEv2 Load Balancing with the Kemp LoadMaster Load Balancer
Romain
/ February 4, 2021
Hey Richard,
Thanks for all the information on your blog, it’s really THE bible! 🙂
If we deploy two servers load balanced by a Kemp or a Windows NLB (active/passive), what should the static route be to reach the VPN clients from the LAN?
Should we have two static routes with two different VPN client subnets?
Richard M. Hicks
/ February 5, 2021
Yes, each VPN server should be configured with its own distinct subnet for VPN client IP address assignment. You’ll then configure routes in your core network for each of those subnets and route them back to the VPN server that owns them.
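A quick way to sanity-check the design described in this answer (one distinct client pool per VPN server, and a core route for each pool whose next hop is the server that owns it) is to model it with Python’s ipaddress module. This is an added example, not part of the original post or the guide; the server names, LAN addresses, client pools and core routes below are constructed.

```python
import ipaddress

# Constructed example: two RRAS servers, each owning one distinct client pool.
VPN_SERVERS = {
    "VPN1": {"lan_ip": "10.0.10.11", "client_pool": "172.16.1.0/24"},
    "VPN2": {"lan_ip": "10.0.10.12", "client_pool": "172.16.2.0/24"},
}

# Constructed core routing table: (destination prefix, next hop).
# Each client pool must route back to the LAN address of the server that owns it.
CORE_ROUTES = [
    ("172.16.1.0/24", "10.0.10.11"),
    ("172.16.2.0/24", "10.0.10.12"),
]


def validate_design(servers, routes):
    """Return a list of problems; an empty list means pools and routes are consistent."""
    problems = []
    pools = {name: ipaddress.ip_network(cfg["client_pool"]) for name, cfg in servers.items()}

    # 1. Pools must not overlap: a shared or overlapping pool makes the return path ambiguous.
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                problems.append(f"pool overlap: {a} {pools[a]} and {b} {pools[b]}")

    # 2. Every pool needs a core route whose next hop is the owning server's LAN address.
    route_map = {ipaddress.ip_network(dst): ipaddress.ip_address(nh) for dst, nh in routes}
    for name, cfg in servers.items():
        expected_nh = ipaddress.ip_address(cfg["lan_ip"])
        actual_nh = route_map.get(pools[name])
        if actual_nh is None:
            problems.append(f"missing route for {name} pool {pools[name]}")
        elif actual_nh != expected_nh:
            problems.append(f"route for {pools[name]} points at {actual_nh}, expected {expected_nh} ({name})")
    return problems


def owning_server(client_ip, servers):
    """Return the name of the VPN server whose pool contains client_ip, or '' if none does."""
    addr = ipaddress.ip_address(client_ip)
    for name, cfg in servers.items():
        if addr in ipaddress.ip_network(cfg["client_pool"]):
            return name
    return ""


if __name__ == "__main__":
    print(validate_design(VPN_SERVERS, CORE_ROUTES) or "design OK")
    print(owning_server("172.16.2.57", VPN_SERVERS))
```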
KpR
/ February 8, 2021
Great! Thanks a lot Richard! 🙂
Abi
/ May 29, 2021
Hi Richard,
Many thanks for the great resource on Always On VPN.
I am struggling with Kemp LoadMaster for the IKEv2 user tunnel.
I have the following setup in summary:
1. Kemp VLM (KLM) with two NICs – one in the RS subnet and the other in the DMZ subnet. The VS IP is also in the DMZ subnet, NATed by the firewall to the outside world.
2. Two RRAS servers with a single NIC as RS. GW set to the KLM IP in their subnet. NPS is functioning fine. So KLM is inline between the RS and the firewall. Two-armed.
I can get AOVPN working with load balancing fine. Two separate connections do end up on two RS.
The only problem is that if one RS is taken down, its connected clients will not reconnect to the other active RS.
Windows 10 Enterprise clients also show the AOVPN connected despite the RS being offline. I suspect KLM is not taking the client connection down after the RS is taken down. I guess if clients knew this they could re-initiate the connection and end up on the active RS. If I reboot KLM the clients seem to reconnect to the active RS shortly after.
I can also manually reconnect the user tunnel from the client side. But it would be better if this link-down detection took place and reconnection happened automatically. Windows 10 clients are on the latest patch.
I have ticked “Drop connections on RS failure” and “Drop connections on drain end” in the KLM global settings. All has been set up per your guide.
Any tips and ideas would be greatly appreciated.
Kind regards
Abi
Richard M. Hicks
/ June 4, 2021
Which VPN protocol are you using? SSTP or IKEv2?