Eliminating single points of failure is crucial to ensuring the highest levels of availability for any remote access solution. For Windows 10 Always On VPN deployments, the Windows Server 2016 Routing and Remote Access Service (RRAS) and Network Policy Server (NPS) servers can be load balanced to provide redundancy and high availability within a single datacenter. Additional RRAS and NPS servers can be deployed in another datacenter or in Azure to provide geographic redundancy if one datacenter is unavailable, or to provide access to VPN servers based on the location of the client.
Multisite Always On VPN
Unlike DirectAccess, Windows 10 Always On VPN does not natively include support for multisite. However, enabling multisite geographic redundancy can be implemented using Azure Traffic Manager.
Azure Traffic Manager
Traffic Manager is part of Microsoft’s Azure public cloud solution. It provides Global Server Load Balancing (GSLB) functionality by resolving DNS queries for the VPN public hostname to an IP address of the most optimal VPN server.
Advantages and Disadvantages
Using Azure Traffic manager has some benefits, but it is not with some drawbacks.
Advantages – Azure Traffic Manager is easy to configure and use. It requires no proprietary hardware to procure, manage, and support.
Disadvantages – Azure Traffic Manager offers only limited health check options. Today, only HTTP, HTTP, and TCP protocols can be used to perform endpoint health checks. There is no option to use UDP or PING, making monitoring for IKEv2 a challenge.
Note: This scenario assumes that RRAS with Secure Socket Tunneling Protocol (SSTP) or another third-party TLS-based VPN server is in use. If IKEv2 is to be supported exclusively, it will still be necessary to publish an HTTP or HTTPS-based service for Azure Traffic Manager to monitor site availability.
Traffic Routing Methods
Azure Traffic Manager provide four different methods for routing traffic.
Priority – Select this option to provide active/passive failover. A primary VPN server is defined to which all traffic is routed. If the primary server is unavailable, traffic will be routed to another backup server.
Weighted – Select this option to provide active/active failover. Traffic is routed to all VPN servers equally, or unequally if desired. The administrator defines the percentage of traffic routed to each server.
Performance – Select this option to route traffic to the VPN server with the lowest latency. This ensures VPN clients connect to the server that responds the quickest.
Geographic – Select this option to route traffic to a VPN server based on the VPN client’s physical location.
Multivalue – Select this option when endpoints must use IPv4 or IPv6 addresses.
Subnet – Select this option to map DNS responses to the client’s source IP address.
Configure Azure Traffic Manager
Open the Azure management portal and follow the steps below to configure Azure Traffic Manager for multisite Windows 10 Always On VPN.
Create a Traffic Manager Resource
- Click Create a resource.
- Click Networking.
- Click Traffic Manager profile.
Create a Traffic Manager Profile
- Enter a unique name for the Traffic Manager profile.
- Select an appropriate routing method (described above).
- Select a subscription.
- Create or select a resource group.
- Select a resource group location.
- Click Create.
Important Note: The name of the Traffic Manager profile cannot be used by VPN clients to connect to the VPN server, since a TLS certificate cannot be obtained for the trafficmanager.net domain. Instead, create a CNAME DNS record that points to the Traffic Manager FQDN and ensure that name matches the subject or a Subject Alternative Name (SAN) entry on the VPN server’s TLS and/or IKEv2 certificates.
Endpoint Monitoring
Open the newly created Traffic Manager profile and perform the following tasks to enable endpoint monitoring.
- Click Configuration.
- Select HTTPS from the Protocol drop-down list.
- Enter 443 in the Port field.
- Enter /sra_%7BBA195980-CD49-458b-9E23-C84EE0ADCD75%7D/ in the Path field.
- Enter 401-401 in the Expected Status Code Ranges field.
- Update any additional settings, such as DNS TTL, probing interval, tolerated number of failures, and probe timeout, as required.
- Click Save.
Endpoint Configuration
Follow the steps below to add VPN endpoints to the Traffic Manager profile.
- Click Endpoints.
- Click Add.
- Select External Endpoint from the Type drop-down list.
- Enter a descriptive name for the endpoint.
- Enter the Fully Qualified Domain Name (FQDN) or the IP address of the first VPN server.
- Select a geography from the Location drop-down list.
- Click OK.
- Repeat the steps above for any additional datacenters where VPN servers are deployed.
Summary
Implementing multisite by placing VPN servers is multiple physical locations will ensure that VPN connections can be established successfully even when an entire datacenter is offline. In addition, active/active scenarios can be implemented, where VPN client connections can be routed to the most optimal datacenter based on a variety of parameters, including current server load or the client’s current location.
DirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.
DirectAccess clients are automatically connected to the corporate network any time they have a working Internet connection. Having consistent corporate network connectivity means they receive Active Directory group policy updates on a regular basis, just as on-premises systems do. Importantly, they check in with internal management systems such as System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) servers, enabling them to receive updates in a timely manner. Thus, DirectAccess clients are better managed, allowing administrators to more effectively maintain the configuration state and security posture for all their managed systems, including those that are predominantly field-based. This is especially crucial considering the prevalence WannaCry, Cryptolocker, and a variety of other types of ransomware.
When manage out is configured with DirectAccess, hosts on the internal network can initiate connections outbound to remote connected DirectAccess clients. SCCM Remote Control and Remote Desktop Connection (RDC) are commonly used to remotely connect to systems for troubleshooting and support. With DirectAccess manage out enabled, these and other popular administrative tools such as VNC, Windows Remote Assistance, and PowerShell remoting can also be used to manage remote DirectAccess clients in the field. In addition, enabling manage out allows for the proactive installation of agents and other software on remote clients, such as the SCCM and System Center Operation Manager (SCOM) agents, third-party management agents, antivirus and antimalware software, and more. A user does not have to be logged on to their machine for manage out to work.
