When deploying Microsoft enterprise mobility solutions such as Windows 10 Always On VPN and DirectAccess, more than one server may be required to meet capacity requirements or provide local and/or geographic redundancy.
NLB
Windows Server features an integrated load balancer called Network Load Balancing (NLB). It is an inexpensive way to create a cluster of servers to provide local redundancy. NLB is integrated with DirectAccess and must be configured using the Remote Access Management console. For Always On VPN, it must be configured directly using the Network Load Balancing Manager.
Drawbacks
NLB has some serious drawbacks and limitations and should typically be avoided for most enterprise deployments. NLB is broadcast-based and generates a tremendous amount of noise on the network. Heartbeat messages are broadcast to the subnet every second. As more nodes are added to the cluster, the broadcast traffic grows exponentially. Microsoft suggests a limit of 8 nodes per NLB cluster, but practically speaking, NLB clusters should be limited to no more than 4 nodes.
In addition, NLB lacks the visibility and granular control of network traffic often required by network administrators. Further, troubleshooting NLB is prohibitively difficult. There are also challenges getting NLB to work correctly in virtual environments, making NLB difficult to support.
F5 BIG-IP
A dedicated load balancing appliance such as the F5 BIG-IP is recommended whenever local redundancy or additional capacity is required for DirectAccess and Always On VPN deployments. Physical appliances provide better performance, but virtual appliances work well in most scenarios too.
F5 BIG-IP Resources
The following is a list of resources for configuring the F5 BIG-IP for Always On VPN and DirectAccess.
- Always On VPN SSTP Load Balancing with F5 BIG-IP
- Always On VPN IKEv2 Load Balancing with F5 BIG-IP
- DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP
- DirectAccess Network Location Server (NLS) on F5 BIG-IP
- DirectAccess IP-HTTPS SSL/TLS Offload for Windows 7 Clients using F5 BIG-IP