Always On VPN administrators troubleshooting connectivity issues may find the Internal network interface in the Routing and Remote Access management console (rrasmgmt.msc) administrative status indicates ‘Unknown’. They will also notice the Operational Status shows Non-operational.
Internal Interface
For clarification, the ‘Internal’ network interface in the Routing and Remote Access management console, as shown above, is not a physical network adapter on the server. Instead, it is a virtual network interface used only for incoming VPN connections.
Non-Operational
The Internal virtual network interface will not be created until the VPN server accepts its first VPN connection. Because of this, the Internal interface will have an operational status of non-operational until the first client attempts to connect. When this occurs, RRAS creates the interface, then assigns it the first IP address from the static IPv4 address pool. Alternatively, if DHCP is configured, it will assign the first IP address returned by the DHCP server.
Interface Names
While discussing network interfaces, I typically recommend renaming them in Windows to identify their function, especially when using two NIC configurations. However, be careful not to name the server’s internal network adapter ‘Internal’, as this can be confusing in the future. In my example above, I use the name ‘LAN’ to identify the internal adapter to distinguish it from the server’s ‘Internal’ virtual interface.
I’m pleased to announce that I’ll be delivering two technical training sessions at this year’s TechMentor Redmond event. This event takes place on the Microsoft campus in Redmond, WA August 5-9, 2019. I’ll be presenting two sessions on Thursday, August 8. They are:
During this session you will learn essential techniques for optimizing packet analysis using Wireshark. Topics will include filter and display tips, workspace oganization, using shortcuts for common tools, and configuring Wireshark profiles. I’ll also touch upon some advanced techniques such as graphing and geography database integration.
During this session you will gain a full understanding of Always On VPN including and how it compares with its predecessor, DirectAccess. I’ll share detailed information about this new technology, and how it best fits in to your organizations mobility strategy. Always On VPN has some important advantages over DirectAccess, and some challenging drawbacks. I’ll explain everything good, bad, and even the ugly.
Don’t miss out on this fantastic event. Register now to take advantage of early bird savings, which end June 7. Hope to see you there!
Load balancing Windows Server Network Policy Servers (NPS) is straightforward in most deployment scenarios. Most VPN servers, including Windows Server Routing and Remote Access Service (RRAS) servers allow the administrator to configure multiple NPS servers for redundancy and scalability. In addition, most solutions support weighted distribution, allowing administrators to distribute requests evenly between multiple NPS servers (round robin load balancing) or to distribute them in order of priority (active/passive failover).
The Case for NPS Load Balancing
Placing NPS servers behind a dedicated network load balancing appliance is not typically required. However, there are some deployment scenarios where doing so can provide important advantages.
Deployment Flexibility
Having NPS servers fronted by a network load balancer allows the administrator to configure a single, virtual IP address and hostname for the NPS service. This provides deployment flexibility by allowing administrators to add or remove NPS servers without having to reconfigure VPN servers, network firewalls, or VPN clients. This can be beneficial when deploying Windows updates, migrating NPS servers to different subnets, adding more NPS servers to increase capacity, or performing rolling upgrades of NPS servers.
Traffic Shaping
Dedicated network load balancers allow for more granular control and of NPS traffic. For example, NPS routing decisions can be based on real server availability, ensuring that authentication requests are never sent to an NPS server that is offline or unavailable for any reason. In addition, NPS traffic can be distributed based on server load, ensuring the most efficient use of NPS resources. Finally, most load balancers also support fixed or weighted distribution, enabling active/passive failover scenarios if required.
Traffic Visibility
Using a network load balancer for NPS also provides better visibility for NPS authentication traffic. Most load balancers feature robust graphical displays of network utilization for the virtual server/service as well as backend servers. This information can be used to ensure enough capacity is provided and to monitor and plan for additional resources when network traffic increases.
Configuration
Before placing NPS servers behind a network load balancer, the NPS server certificate must be specially prepared to support this unique deployment scenario. Specifically, the NPS server certificate must be configured with the Subject name of the cluster, and the Subject Alternative Name field must include both the cluster name and the individual server’s hostname.
Create Certificate Template
Perform the following steps to create a certificate template in AD CS to support NPS load balancing.
Open the Certificate Templates management console (certtmpl.msc) on the certification authority (CA) server or a management workstation with remote administration tool installed.
Right-click the RAS and IAS Servers default certificate template and choose Duplicate.
Select the Compatibility tab.
Select Windows Server 2008 or a later version from the Certification Authority drop-down list.
Select Windows Vista/Server 2008 or a later version from the Certificate recipient drop-down list.
Select the General tab.
Enter a descriptive name in the Template display name field.
Choose an appropriate Validity period and Renewal period.
Do NOTselect the option to Publish certificate in Active Directory.
Select the Cryptography tab.
Chose Key Storage Provider from the Provider Category drop-down list.
Enter 2048 in the Minimum key size field.
Select SHA256 from the Request hash drop-down list.
Select the Subject Name tab.
Select the option to Supply in the request.
Select the Security tab.
Highlight RAS and IAS Servers and click Remove.
Click Add.
Enter the security group name containing all NPS servers.
Check the Read and Enroll boxes in the Allow column in the Permissions for [group name] field.
Click Ok.
Perform the steps below to publish the new certificate template in AD CS.
Open the Certification Authority management console (certsrv.msc) on the certification authority (CA) server or a management workstation with remote administration tool installed.
Expand Certification Authority (hostname).
Right-click Certificate Templates and choose New and Certificate Template to Issue.
Select the certificate template created previously.
Click Ok.
Request Certificate on NPS Server
Perform the following steps to request a certificate for the NPS server.
Open the Certificates management console (certlm.msc) on the NPS server.
Expand the Personal folder.
Right-click Certificates and choose All Tasks and Request New Certificate.
Click Next.
Click Next.
Select the NPS server certificate template and click More information is required to enroll for this certificate link.
Select the Subject tab.
Select Common name from the Type drop-down list in the Subject name section.
Enter the cluster fully-qualified hostname (FQDN) in the Value field.
Click Add.
Select DNS from the Type drop-down list in the Alternative name section.
Enter the cluster FQDN in the Value field.
Click Add.
Enter the NPS server’s FQDN in the Value field.
Click Add.
Select the General tab.
Enter a descriptive name in the Friendly name field.
Click Ok.
Click Enroll.
Load Balancer Configuration
Configure the load balancer to load balance UDP ports 1812 (authentication) and 1813 (accounting). Optionally, to ensure that authentication and accounting requests go to the same NPS server, enable source IP persistence according to the vendor’s guidance. For the KEMP LoadMaster load balancer, the feature is called “port following”. On the F5 BIG-IP it is called a “persistence profile”, and on the Citrix NetScaler it is called a “persistency group”.
I’m pleased to announce that I’ll be delivering two technical training sessions at this year’s TechMentor Redmond event. This event takes place on the Microsoft campus in Redmond, WA August 5-9, 2019. I’ll be presenting two sessions on Thursday, August 8. They are:
Load balancing Windows Server Network Policy Servers (NPS) is straightforward in most deployment scenarios. Most VPN servers, including Windows Server Routing and Remote Access Service (RRAS) servers allow the administrator to configure multiple NPS servers for redundancy and scalability. In addition, most solutions support weighted distribution, allowing administrators to distribute requests evenly between multiple NPS servers (round robin load balancing) or to distribute them in order of priority (active/passive failover).
