How to configure Network Load Balancing (NLB) based cluster of VPN Servers
Hello All, in this blog, I will discuss how to configure a "Network Load Balancing Cluster" of vpn servers to ensure high availability and scalability of vpn service.
For information about "Network Load Balancing (NLB)" feature in "Windows Server 2008 R2" please refer the following link: https://technet.microsoft.com/en-us/library/cc725691.aspx
How network load balancing cluster enhances scalability of vpn server?
To create a NLB VPN cluster each host runs Remote Access (VPN) Service & NLB Service. NLB allows all of the computers in the cluster to be addressed by the same cluster IP address. NLB distributes incoming client requests across the vpn servers in the cluster. The load weight to be handled by each vpn server can be configured as necessary. You can also add a vpn server dynamically to the cluster to handle increased load. In addition, NLB can direct all traffic to a designated single vpn server, which is called the default host.
How network load balancing cluster ensures high availability of vpn server?
When a vpn server fails or goes offline, active connection to the failed or offline server are lost. But new connection request is automatically redistributed among the vpn servers that are still operating. However, if you bring a host down intentionally, you can use "drainstop" command to service all active connection prior to bringing the computer offline. Drainstop allows the host to continue surviving active connections but disables all new traffic to that host.
How to configure a NLB cluster?
To configure the Network Load Balancing (NLB) cluster, you must configure three types of the parameters:
- Host parameters, which are specific to each host in a NLB cluster.
- Cluster parameters, which apply to an NLB cluster as a whole.
- Port rules, which control how the cluster functions. By default, a port rule equally balances all TCP/IP traffic across all servers.
In the following section we will describe step by step guide to deploy an nlb cluster of vpn servers for test lab.
Verification step to make sure vpn server is configured properly before installing nlb:
1. Assign satic ip to vpn-server1 (say 201.0.0.1), vpn-server2 (say 201.0.0.2) [Note: NLB does not support DHCP. NLB disables DHCP on each interface that it configures, so the IP addresses must be static]
2. Ensure client is able to make vpn connection to both the servers for different tunnel types (PPTP, L2TP, SSTP or IKEv2).
Install & Configure NLB in vpn-servers:
3. Install NLB in vpn-server1 & vpn-server2.
4. Create a new cluster using the NLB manager [Open nlbmgr.msc (in Administrative tools)] of vpn-server1 according the steps mentioned below. Add host to the cluster, choose priority of the host & assign cluster IP (say 201.0.0.11).
a) Add new host to the cluster:
Give host name or ip address and select the interface of the host for configuring cluster.
b) Host parameter configuration:
c) Configuring the cluster parameter
Select cluster operation mode as unicast to specify that a unicast media access control (MAC) address should be used for cluster operation. In this mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. Unicast is the default setting for Cluster operation mode.
d) Configuring Port Rules:
· Select Affinity Single or Network to ensure that all network traffic from a particular client is directed to the same host.
· Select Filtering mode to Multiple hosts or Single host considering the following:
o The Multiple hosts parameter specifies that multiple hosts in the cluster will handle network traffic for the associated port rule. This filtering mode provides scaled performance and fault tolerance by distributing the network load among multiple hosts. You can specify that the load be equally distributed among the hosts or that each host will handle a specified load weight.
o The Single host parameter specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for handling network traffic.
5. Add vpn-server2 to the nlb cluster using nlb manager of the vpn-server1. (you can also do this step using the nlb manager of the vpn-server2 after "connecting to existing cluster" with cluster ip 201.0.0.11)
a) Add new host to the cluster
b) Host parameter configuration
c) Configuring Port Rules
d) Configuring load weight for the host
6. Ensure both the server got same MAC Address for that interface & Cluster IP. [Note: NLB automatically instructs the driver that belongs to the cluster adapter to override the adapter's unique, built-in network address and to change its MAC address to the cluster's MAC address. This is the address used on all cluster hosts.]
Verification after configuring nlb cluster for vpn server:
7. Make Connection from the client using Cluster IP. Connection should succeed & it should be connected to high priority server (vpn-sever1 in this case).
8. Give nlb drainstop on vpn-server1.
9. Drainstop allows the host to continue surviving active connections but disables all new traffic to that host. All new connections should go to vpn-server2.
10. Give nlb drainstop on the vpn-server2.
11. Now all new connections should fail since both the servers are in "drainstop" mode.
12. Give nlb start.
13. Client should be able to connect to vpn-server1.
With Regards,
Anupam Chakraborty (SDET, Windows Networking)