Always On VPN Load Balancing Deployment Guide for Kemp Load Balancers

I’m pleased to announce that Kemp has released their Load Balancing Deployment Guide for Windows 10 Always On VPN. Authored by yours truly, this guide provides detailed, prescriptive guidance for configuring the Kemp LoadMaster load balancer to provide important scalability and eliminate critical points of failure in Always On VPN deployments.

Configuration Guidance

Included in the guide are configuration steps for load balancing VPN servers running IKEv2 and SSTP with the Kemp LoadMaster. Crucial details for IKEv2 load balancing as well as SSL offload for SSTP are covered in depth. In addition, the guide includes information about load balancing important supporting infrastructure services such as the Network Policy Server (NPS). Finally, guidance is included for enabling active/passive or active/active load balancing as well as geographic load balancing for multisite Always On VPN deployments.


You can download the Windows 10 Always On VPN load balancing deployment guide for Kemp LoadMaster load balancers here.

Additional Information

Windows 10 Always On VPN Load Balancing Deployment Guide for Kemp LoadMaster Load Balancers

Windows 10 Always On VPN IKEv2 Load Balancing with the Kemp LoadMaster Load Balancer





  1. Romain

     /  February 4, 2021

    Hey Richard,
    Thanks for all the information on your blog, it’s really THE bible! 🙂
    If we deployed two servers load balanced with a Kemp or a Windows NLB (active/passive), what should be the static route to reach the VPN clients from the LAN?
    Should we have two static routes with two different VPN client subnets?

    • Yes, each VPN server should be configured with its own distinct subnet for VPN client IP address assignment. You’ll then configure routes in your core network for each of those subnets and route them back to the VPN server that owns them.

  2. Abi

     /  May 29, 2021

    Hi Richard,

    Many thanks for the great resource on Always on VPN.

    I am struggling with Kemp LoadMaster for IKEv2 User tunnel.

    Have the following setup in summary:

    1. Kemp VLM (KLM) with two NICs – one in RS subnet and other in DMZ subnet. VS IP is also in DMZ subnet NATed by the firewall to the outside world.

    2. Two RRAS servers with single NIC as RS. GW set to KLM IP in their subnet. NPS is functioning fine. So KLM is inline between RS and the Firewall. Two armed.

    I can get AOVPN working with load balancing fine. Two separate connections do end up in two RS.

    Only problem is if one RS is taken down, its connected clients would not reconnect to the other active RS.
    Windows 10 enterprise clients also show the AVPN connected despite the RS being offline. I suspect KLM is not taking the client connection down after the RS is taken down. I guess if clients knew this they could re-initiate the connection and end up in the active RS. If I reboot KLM the clients seem to reconnect again to the active RS shortly after.

    I can also manually reconnect the user tunnel from client side. But it would be better if this link down detection took place and reconnection happened automatically. Windows 10 clients are on the latest patch.

    I have ticked, Drop connections on RS failure and Drop connections on drain end in the KLM global settings. All been setup per your guide.

    Any tips and ideas would be greatly appreciated.

    Kind regards

  1. Always On VPN Load Balancing with Kemp in Azure | Richard M. Hicks Consulting, Inc.
  2. Always On VPN IKEv2 Load Balancing Issue with Kemp LoadMaster | Richard M. Hicks Consulting, Inc.
