Join me this Thursday, April 9 at 10:00AM EDT for a Remote Access Q&A session hosted by Kemp Technologies. During this free live webinar, I’ll be answering all your questions as they relate to enterprise mobility, remote access, scalability and performance, security, and much more. Topics are not limited to Kemp products at all, so feel free to join and ask me anything you like! Register now and submit your questions!
All posts in category Load Balancing
Remote Access Questions and Answers Webinar Hosted by Kemp
Posted by Richard M. Hicks on April 7, 2020
https://directaccess.richardhicks.com/2020/04/07/remote-access-qa-webinar-hosted-by-kemp/
Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC
The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice when the highest level of security is required for Always On VPN connections. It uses IPsec and features configurable security parameters that allow administrators to adjust policies to meet their specific security requirements. IKEv2 is not without some important limitations, but organizations may insist on the use of IKEv2 to provide the greatest protection possible for remote connected clients. Due to complexities of the IKEv2 transport, special configuration on the Citrix ADC (formerly NetScaler) is required when load balancing this workload.
Special Note: In December 2019 a serious security vulnerability was discovered on the Citrix ADC that gives an unauthenticated attacker the ability to arbitrarily execute code on the appliance. As of this writing a fix is not available (due end of January 2020) but a temporary workaround can be found here.
Load Balancing IKEv2
When an Always On VPN client establishes a connection using IKEv2, communication begins on UDP port 500, but switches to UDP port 4500 if Network Address Translation (NAT) is detected in the communication path between the client and the server. Because UDP is connectionless, custom configuration is required to ensure that VPN clients maintain connectivity to the same backend VPN server during this transition.
Initial Configuration
Load balancing IKEv2 using the Citrix ADC is similar to other workloads. Below are specific settings and parameters required to load balance IKEv2 using the Citrix ADC.
Note: This article is not a comprehensive configuration guide for the Citrix ADC. It assumes the administrator is familiar with basic load balancing concepts and has experience configuring the Citrix ADC.
Service Settings
The load balancing services for IKEv2 VPN will use UDP ports 500 and 4500. Create the service group and assign group members for UDP 500 as follows.
Repeat the steps above to create the service group for UDP port 4500.
Virtual Server Settings
Two virtual servers are required, one for UDP port 500 and one for UDP port 4500. Ensure that the service group using UDP port 500 is bound to the virtual server using the same port.
Repeat the steps above to create the virtual service for UDP port 4500.
Service Monitoring
Since IKEv2 uses the UDP protocol, the only option for service monitoring is to use PING, which is configured by default. Ensure that the firewall on the VPN server allows inbound ICMPv4 and ICMPv6 Echo Request. The default PING monitor on the Citrix ADC will ping the resource every 5 seconds. If a different interval is required, the administrator can edit the PING monitor and bind that to the service or service group as necessary.
Persistency Group
A Persistency Group on the Citrix ADC will be configured to ensure that IKEv2 VPN client requests from the same client are always routed to the same backend server. Follow the steps below to create a Persistency Group and assign it to both IKEv2 virtual servers created previously.
- In the Citrix ADC management console expand Traffic Management > Load Balancing > Persistency Groups.
- Click Add.
- Enter a descriptive name for the Persistency Group.
- Select SOURCEIP from the Persistence drop-down list.
- Next to the Virtual Server Name section click the Add button.
- Add both previously configured IKEv2 virtual servers for UDP 500 and 4500.
- Click Create.
Use Client IP
To ensure reliable connectivity for IKEv2 VPN connections it is necessary for the VPN server to see the client’s original source IP address. Follow the steps below to configure the Service Group to forward the client’s IP address to the VPN server.
- In the Citrix ADC management console expand System, click Settings, and then click Configure Modes.
- Select Use Subnet IP.
- Click Ok.
- Expand Traffic Management, click Load Balancing, and then click Service Groups.
- Select the IKEv2 UDP 500 Service Group.
- Click Edit in the Settings section.
- Select Use Client IP.
- Repeat these steps on the IKEv2 UDP 4500 Service Group.
Note: Making the above changes will require configuring the VPN server to use the Citrix ADC as its default gateway.
Additional Information
Windows 10 Always On VPN IKEv2 Load Balancing and NAT
Windows 10 Always On VPN SSTP Load Balancing with Citrix NetScaler ADC
Windows 10 Always On VPN IKEv2 Features and Limitations
Windows 10 AlWAYS On VPN and IKEv2 Fragmentation
Posted by Richard M. Hicks on January 20, 2020
https://directaccess.richardhicks.com/2020/01/20/always-on-vpn-ikev2-load-balancing-with-citrix-netscaler-adc/
Always On VPN SSTP Load Balancing with Citrix NetScaler ADC
One of the many advantages of using Windows Server Routing and Remote Access Service (RRAS) as the VPN server to support Windows 10 Always On VPN connections is that it includes support for the Secure Socket Tunneling Protocol (SSTP). SSTP is a TLS-based VPN protocol that is easy to configure and deploy and is very firewall friendly. This ensures consistent and reliable connectivity even behind restrictive firewalls. The Citrix ADC (formerly NetScaler) is a popular platform for load balancing Always On VPN connections. In this article I’ll describe how to configure load balancing on the Citrix ADC for RRAS VPN connections using the SSTP VPN protocol.
Special Note: In December 2019 a serious security vulnerability was discovered on the Citrix ADC that gives an unauthenticated attacker the ability to arbitrarily execute code on the appliance. As of this writing a fix is not available (due end of January 2020) but a temporary workaround can be found here.
Load Balancing SSTP
Previously I’ve written about some of the use cases and benefits of SSTP load balancing as well as the options for offloading TLS for SSTP VPN connections. Load balancing SSTP eliminates single points of failure and enables support for multiple RRAS VPN servers to increase scalability. It is generally recommended that the Citrix ADC be configured to pass through encrypted SSTP VPN connections. However, TLS offloading can be configured to improve performance and reduce resource utilization on VPN servers, if required.
Configuration
Load balancing SSTP on the Citrix ADC is straightforward and not unlike load balancing a common HTTPS web server. Below are specific settings and parameters required to load balance SSTP using the Citrix ADC.
Note: This article is not a comprehensive configuration guide for the Citrix ADC. It assumes the administrator is familiar with basic load balancing concepts and has experience configuring the Citrix ADC.
Service Settings
The load balancing service for SSTP VPN should be configured to use TCP port 443 and the SSL_BRIDGE protocol. If TLS offload is required, TCP port 80 and the HTTP protocol can be configured. Additional configuration is required on the RRAS server when TLS offload is enabled, however. Detailed information for configuring RRAS and SSTP for TLS offload can be found here.
Virtual Server Settings
The virtual server is configured to use TCP port 443. It is recommended to use SSLSESSION persistence.
The LEASTCONNECTION load balancing method is the recommend option for load balancing method.
Service Monitoring
Using the default TCP monitor (tcp-default) is not recommended for monitoring SSTP, as a simple TCP port check does not accurately reflect the health of the SSTP service running on the RRAS server. To more precisely monitor the SSTP service status, a new custom monitor must be created and bound to the load balancing services. Follow the steps below to configure a custom SSTP VPN monitor on the Citrix ADC.
- Open the Citrix ADC management console and expand Traffic Management.
- Select Monitors.
- Click Add.
- Enter a descriptive name in the Name field.
- Select HTTP form the Type drop-down list and click Select.
- Adjust the Interval and Response Time-out values according to your requirements.
- Enter 401 in the Response Codes field and click the “+” button.
- In the Response Codes field click the “x” next to 200.
- In the HTTP Request field enter HEAD /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/.
- Check the box next to Secure (not required if TLS offload is enabled).
- Select ns_default_ssl_profile_backend from the SSL profile drop-down list (not required if TLS offload is enabled).
- Click Create.
Once complete, bind the new service monitor to the load balancing services or service groups accordingly.
TLS Offload
It is generally recommended that TLS offload not be enabled for SSTP VPN. However, if TLS offload is desired, it is configured in much the same way as a common HTTPS web server. Specific guidance for enabling TLS offload on the Citrix ADC can be found here. Details for configuring RRAS and SSTP to support TLS offload can be found here.
Certificates
When enabling TLS offload for SSTP VPN connections it is recommended that the public SSL certificate be installed on the RRAS server, even though TLS processing will be handled on the Citrix ADC and HTTP will be used between the Citrix ADC and the RRAS server. If installing the public SSL certificate on the RRAS server is not an option, additional configuration will be required. Specifically, TLS offload for SSTP must be configured using the Enable-SSTPOffload.ps1 PowerShell script, which can be found here.
Once the script has been downloaded, open an elevated PowerShell command window and enter the following command.
.\Enable-SSTPOffload.ps1 -CertificateHash [SHA256 Certificate Hash of Public SSL Certificate] -Restart
Example:
.\Enable-SSTPOffload.ps1 -CertificateHash ‘C3AB8FF13720E8AD9047DD39466B3C8974E592C2FA383D4A3960714CAEF0C4F2’ -Restart
Re-Encryption
When offloading TLS for SSTP VPN connections, all traffic between the Citrix ADC and the RRAS server will be sent in the clear using HTTP. In some instances, TLS offload is required only for traffic inspection, not performance gain. In this scenario the Citrix ADC will be configured to terminate and then re-encrypt connections to the RRAS server. When terminating TLS on the Citrix ADC and re-encrypting connections to the RRAS server is required, the same certificate must be used on both the Citrix ADC and the RRAS server. Using different certificates on the RRAS server and the load balancer is not supported.
Additional Information
Windows 10 Always On VPN Load Balancing and SSL Offload
SSL Offload Configuration for Citrix ADC (NetScaler)
Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster
Windows 10 Always On VPN SSTP Load Balancing with F5 BIG-IP
Windows 10 Always On VPN Connects then Disconnects
Windows 10 Always On VPN SSL Certificate Requirements for SSTP
Posted by Richard M. Hicks on January 13, 2020
https://directaccess.richardhicks.com/2020/01/13/always-on-vpn-sstp-load-balancing-with-citrix-netscaler-adc/