Loadbalancer Guide
LoadBalancer
Load Balancer Enterprise ADC1 (Primary)
    Physical management IP      192.168.1.6 (eth0)
    Eth1 (DMZ adapter)          10.0.0.101/24
    SSTP_VIP                    192.168.1.222
    NPS_VIP                     192.168.0.238
    IKEv2_VIP (virtual)         10.0.0.103
    IKEv2 physical address      10.0.0.101/24 (eth1)
Load Balancer Enterprise ADC2 (Secondary)
    Physical management IP      192.168.0.180 (eth0)
    Eth1 (DMZ adapter)          10.0.0.102/24
    SSTP_VIP                    192.168.1.222
    NPS_VIP                     192.168.0.238
    IKEv2_VIP (virtual)         10.0.0.103
    IKEv2 physical address      10.0.0.102/24 (eth1)
Sophos Firewall
NAT rule
    MAO-RAS01 DMZ EXT to LoadBalancer (Any)
WAN to DMZ rules
    MAO-RAS01 DMZ EXT - NAT 52
    IKE (Key Exchange) to MAO-RAS01 DMZ EXT
    IKE (Traversal) to MAO-RAS01 DMZ EXT
    ESP (IPSec) to MAO-RAS01 DMZ EXT
Traffic from the WAN is sent to the load balancer's IKEv2_VIP 10.0.0.103 in the DMZ (ADC1 when it is active) and routed internally via the appliance's LAN adapter, 192.168.1.6. That adapter is used to pass traffic to the RAS and NPS servers on the LAN. When a client connects, the load balancer decides which RAS server receives the connection according to the current load on each.
To view who is connected to the VPN and how many users there are, use Routing and Remote Access on MAO-RAS01 or MAO-RAS02.
Selecting an entry there shows the user's current IP address, assigned from the pool of the RAS server they are connected to, and a user can be disconnected from here if required.
MAO-RAS01 has a static address pool of 192.168.80.2 to 192.168.81.253 and is configured for a maximum of 500 IP addresses
MAO-RAS02 has a static address pool of 192.168.82.2 to 192.168.83.253 and is configured for a maximum of 500 IP addresses
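The same information can be collected from both RAS servers at once and checked against the address pools documented above. The following script is an added example for this guide, not part of the original document; it uses the Get-RemoteAccessConnectionStatistics cmdlet from the RemoteAccess module that is installed with the Remote Access role. It assumes it is run from a host that has that module and rights on both servers, and that the pool ranges below still match the RRAS configuration.

```powershell
# Get-AovpnSessions.ps1 (added example, not from the original guide)
# Lists current VPN sessions on MAO-RAS01 and MAO-RAS02 and flags any assigned
# client address that falls outside that server's documented static pool.

# Static pools as documented in this guide for each RAS server
$Pools = @{
    'MAO-RAS01' = @{ Start = '192.168.80.2'; End = '192.168.81.253' }
    'MAO-RAS02' = @{ Start = '192.168.82.2'; End = '192.168.83.253' }
}

function ConvertTo-UInt32Ip {
    # Convert a dotted IPv4 string to a number so that ranges can be compared
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInPool {
    param([string]$Ip, [string]$Start, [string]$End)
    $n = ConvertTo-UInt32Ip $Ip
    return ($n -ge (ConvertTo-UInt32Ip $Start)) -and ($n -le (ConvertTo-UInt32Ip $End))
}

function Get-AovpnSessions {
    $sessions = foreach ($server in $Pools.Keys) {
        $pool = $Pools[$server]
        try {
            $conns = Get-RemoteAccessConnectionStatistics -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "$server unreachable or RRAS not responding: $($_.Exception.Message)"
            continue
        }
        foreach ($c in $conns) {
            # ClientIPAddress may be returned as an array; take the first IPv4 entry
            $assigned = @($c.ClientIPAddress) |
                        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } |
                        Select-Object -First 1
            $inPool = if ($assigned) { Test-IpInPool $assigned $pool.Start $pool.End } else { $false }
            [pscustomobject]@{
                Server      = $server
                UserName    = $c.UserName
                ClientWanIp = $c.ClientExternalAddress
                AssignedIp  = $assigned
                TunnelType  = $c.TunnelType
                InPool      = $inPool
            }
        }
    }
    return $sessions
}

$all = Get-AovpnSessions
$all | Sort-Object Server, UserName | Format-Table -AutoSize

# Per-server headcount, then anything assigned outside the documented pool
$all | Group-Object Server | ForEach-Object {
    "{0}: {1} connected user(s)" -f $_.Name, $_.Count
}
$all | Where-Object { -not $_.InPool } | ForEach-Object {
    Write-Warning ("{0} on {1} has {2}, outside that server's documented pool" -f `
        $_.UserName, $_.Server, $_.AssignedIp)
}
```

An address reported outside the expected pool usually means the RRAS static pool was changed without this guide being updated, or the session is on a server other than the one the pool belongs to; either way it is worth checking before relying on the ranges in L28-style firewall or NPS rules.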
On the LoadBalancer, Reports – Layer 4 Current Connections shows the IPVS connection entries to the IKEv2_VIP 10.0.0.103 on ports 500 and 4500, from each client's WAN IP address to whichever RAS server it is connected to: MAO-RAS01 (192.168.0.50) or MAO-RAS02 (192.168.0.92).
Both MAO-RAS01 and MAO-RAS02 have an extra network interface, a loopback adapter, which is used to avoid the ARP problem that arises when connection requests are resolved by ARP: the servers are configured to accept packets whose destination is the IKEv2_VIP address 10.0.0.103.
Both MAO-NPS01 and MAO-NPS have the same extra loopback adapter for the same reason: the servers are configured to accept packets whose destination is the NPS_VIP address 192.168.0.238.
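If a RAS or NPS server silently stops receiving balanced traffic, the loopback adapter configuration is the first thing to verify. The following script is an added example for this guide, not part of the original document or of the loadbalancer.org appliance. Run it locally on the server. It assumes two things the guide does not state: that the loopback adapter is named 'loopback' in Windows (override with -LoopbackName), and that the appliance uses Layer 4 Direct Routing, in which case Windows also needs the weak host model enabled on the interfaces involved; confirm that requirement against the loadbalancer.org deployment guide listed under References.

```powershell
# Test-VipLoopback.ps1 (added example, not from the original guide)
# Confirms that this server can accept packets addressed to the VIP it serves.
[CmdletBinding()]
param(
    # IKEv2_VIP for the RAS servers; pass -Vip 192.168.0.238 (NPS_VIP) on the NPS servers
    [string]$Vip = '10.0.0.103',
    # Assumed name of the loopback adapter in Windows
    [string]$LoopbackName = 'loopback'
)

function Test-VipLoopback {
    param([string]$Vip, [string]$LoopbackName)

    $r = [ordered]@{
        Computer           = $env:COMPUTERNAME
        Vip                = $Vip
        LoopbackPresent    = $false
        VipOnLoopback      = $false
        VipPrefixIs32      = $false
        VipOnOtherAdapters = @()
        LoopbackWeakHostOk = $false
        LanWeakHostRxOk    = $false
        Problems           = @()
    }

    $lo = Get-NetAdapter -Name $LoopbackName -ErrorAction SilentlyContinue
    if (-not $lo) {
        $r.Problems += "No adapter named '$LoopbackName'"
        return [pscustomobject]$r
    }
    $r.LoopbackPresent = $true

    $vipAddr = Get-NetIPAddress -InterfaceIndex $lo.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
               Where-Object IPAddress -eq $Vip
    if ($vipAddr) {
        $r.VipOnLoopback = $true
        # A /32 prefix stops Windows treating the VIP's whole subnet as on-link via the loopback
        $r.VipPrefixIs32 = ($vipAddr.PrefixLength -eq 32)
        if (-not $r.VipPrefixIs32) {
            $r.Problems += "VIP on '$LoopbackName' has /$($vipAddr.PrefixLength), expected /32"
        }
    } else {
        $r.Problems += "VIP $Vip is not bound to '$LoopbackName'"
    }

    # The VIP must exist only on the loopback; a copy on a real NIC would be advertised by ARP
    $r.VipOnOtherAdapters = @(
        Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $Vip -and $_.InterfaceIndex -ne $lo.ifIndex } |
            Select-Object -ExpandProperty InterfaceAlias
    )
    if ($r.VipOnOtherAdapters.Count -gt 0) {
        $r.Problems += "VIP also bound on: $($r.VipOnOtherAdapters -join ', ')"
    }

    # Weak host model (assumed Direct Routing requirement): the loopback needs receive and
    # send enabled, every other connected IPv4 interface needs receive enabled
    $loIf = Get-NetIPInterface -InterfaceIndex $lo.ifIndex -AddressFamily IPv4
    $r.LoopbackWeakHostOk = ($loIf.WeakHostReceive -eq 'Enabled' -and $loIf.WeakHostSend -eq 'Enabled')
    if (-not $r.LoopbackWeakHostOk) {
        $r.Problems += "'$LoopbackName' needs WeakHostReceive and WeakHostSend enabled"
    }

    $lanIfs = Get-NetIPInterface -AddressFamily IPv4 |
              Where-Object { $_.ConnectionState -eq 'Connected' -and
                             $_.InterfaceIndex -ne $lo.ifIndex -and
                             $_.InterfaceAlias -notlike 'Loopback*' }
    $bad = @($lanIfs | Where-Object { $_.WeakHostReceive -ne 'Enabled' } |
             Select-Object -ExpandProperty InterfaceAlias)
    $r.LanWeakHostRxOk = ($bad.Count -eq 0)
    if ($bad.Count -gt 0) { $r.Problems += "WeakHostReceive disabled on: $($bad -join ', ')" }

    return [pscustomobject]$r
}

$result = Test-VipLoopback -Vip $Vip -LoopbackName $LoopbackName
$result | Format-List
if ($result.Problems.Count -gt 0) { exit 1 } else { exit 0 }
```

The script exits non-zero when anything is wrong, so it can be run after patching or adapter changes on each RAS and NPS server before the server is put back into the pool on the appliance.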
Both load balancers are configured as a cluster: one is the active appliance and the other passive, so if one fails the other takes over its tasks. A Host Affinity Rule in VMware vSphere ensures they run on separate hosts, so a single host failure cannot take both down.
VM-Cluster – VM/Host Rules – Load Balancers host Affinity
The RAS servers are configured as an HA cluster that the NPS servers are aware of in case of a single RAS server failure.
Screenshot of Network Policy Server on an NPS Server
The NPS servers are registered in Active Directory so that both RAS servers know of them and can use either one if an NPS server fails.
Backups
On both appliances, Maintenance – Backup & Restore offers an option to back up the configuration. Enter the backup encryption password, then click Backup. The file is downloaded to your laptop; the current backups are stored in the loadbalancer folder within the helpdesk folder.
Licensing
To apply a new license, navigate to Local Configuration – License Key, choose the file, then select Install License Key. If more than one license file exists, repeat the same steps for each. The license keys must be installed on both the primary and the secondary appliance.
References
Load balancing Microsoft Always-On VPN (loadbalancer.org): https://www.loadbalancer.org/applications/load-balancing-microsoft-always-on-vpn/
Tutorial - Set up infrastructure for Always On VPN (Microsoft Learn)
Step 2 - Prepare Cluster Servers (Microsoft Learn)
Free Trial (loadbalancer.org)
Load Balancing Microsoft Always On VPN deployment guide (loadbalancer.org)