Load Balancing SSTP VPN with KEMP LoadMaster
5 likes2,445 views
The document discusses load balancing SSTP VPN using the Kemp LoadMaster, highlighting the benefits of the Routing and Remote Access Services (RRAS) feature in Windows Server 2016. It emphasizes the advantages of the SSTP protocol, including its scalability, firewall friendliness, and ease of implementation, while advising against the use of obsolete protocols like L2TP/IPsec and PPTP. The document also outlines steps for configuring load balancing and TLS offloading to enhance performance and resource utilization.
Load Balancing SSTP VPN with KEMP LoadMaster
- 1. Load Balancing SSTP VPN Using the KEMP LoadMaster Load Balancer
- 2. RICHARD HICKS Richard M. Hicks Consulting Founder and Principal Consultant Microsoft Most Valuable Professional (MVP) • Cloud and Datacenter • Enterprise Security 20+ Year Industry Veteran Enterprise Mobility and Security Infrastructure Expert
- 3. WINDOWS ROUTING AND REMOTE ACCESS SERVICES
- 4. WINDOWS RRAS Routing and Remote Access Services (RRAS) Feature of the Windows Server 2016 operating system Mature, robust, and stable First introduced in Windows 2000 Support for modern VPN protocols
- 5. RRAS BENEFITS Easy to deploy As a feature of the Windows Server 2016 operating system, RRAS is easy to install and configure. Cost effective RRAS and Windows 10 VPN does not require any additional per-user licensing to implement. Flexible deployment RRAS can be deployed on existing physical or virtual infrastructure. Easy to manage RRAS requires no specialized knowledge and can be implemented and supported using existing Windows administrator skill sets.
- 7. PROTOCOL SUPPORT Internet Key Exchange version 2 (IKEv2) + Secure Sockets Tunneling Protocol (SSTP) + Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) + Point-to-Point Tunneling Protocol
- 8. IKEV2 Industry standard VPN protocol in wide use. Broad client support. Uses UDP for transport (ports 500 and 4500). Commonly blocked by edge firewalls. Difficult to scale out.
- 10. L2TP/IPSEC AND PPTP Requires client-side certificates for highest assurance. Can use pre- shared keys (not recommended) Difficult to implement and support. Numerous known security vulnerabilities. L2TP/IPsec PPTP L2TP/IPsec and PPTP are legacy VPN protocols and are considered obsolete. Their use should be avoided at all costs.
- 11. WHY SSTP?
- 12. FIREWALL FRIENDLY SSTP uses Transport Layer Security (TLS). Operates on standard HTTPS port 443. Commonly available. Easy to implement and support.
- 13. HIGHLY SCALABLE Easy to load balance. Includes native support for full TLS termination and offload. All encryption/decryption can be performed on dedicated appliance. • Improves performance • Reduces server resource utilization • Increases concurrent user support per server
- 15. VIRTUAL SERVICE Define Virtual IP Address (VIP) Specify TCP port 443 Enter a Service Name Choose persistence options
- 16. REAL SERVERS Provide IP address of first VPN server Specify TCP port 443 Define the weight and connection limit (optional) Repeat steps above for each additional VPN server
- 17. TLS OFFLOADING - GEO Modify existing SSTP virtual service Enable SSL Acceleration Choose an SSL certificate Select a cipher set
- 18. TLS OFFLOADING - RRAS Edit the properties of the RRAS server Open the Security tab Select the option to use HTTP Restart the RRAS service
- 19. TRY LOADMASTER AND ALWAYS-ON-VPN Always-on-VPN Free trial Try in Azure