1
00:00:02,040 --> 00:00:05,310
Implementing high availability for NPS is pretty straightforward.

2
00:00:05,310 --> 00:00:05,770
Essentially,

3
00:00:05,770 --> 00:00:09,300
what's involved is deploying additional Windows servers joined to the

4
00:00:09,300 --> 00:00:13,100
domain and then installing the NPS role and making sure any

5
00:00:13,100 --> 00:00:16,160
certificates are in place to support authentication.

6
00:00:16,160 --> 00:00:20,430
Next, we'll export the NPS policy from an existing NPS server.

7
00:00:20,430 --> 00:00:23,090
So we have a functioning NPS server in our environment,

8
00:00:23,090 --> 00:00:28,020
we'll grab the policy from there, and you can export the policy using the UI,

9
00:00:28,020 --> 00:00:30,850
you can do that right in the NPS Management console, or

10
00:00:30,850 --> 00:00:32,150
you can use PowerShell if you like.

11
00:00:32,150 --> 00:00:32,770
Next,

12
00:00:32,770 --> 00:00:35,130
we'll go and take this policy over to our

13
00:00:35,130 --> 00:00:37,920
newly-provisioned NPS server and we'll import it,

14
00:00:37,920 --> 00:00:40,530
and again, you can use the UI to do that or,

15
00:00:40,530 --> 00:00:42,510
once again, you can use PowerShell.

16
00:00:42,510 --> 00:00:46,680
Next, we'll need to update the server configuration on the VPN server.

17
00:00:46,680 --> 00:00:49,540
Specifically, we need to tell the VPN server

18
00:00:49,540 --> 00:00:52,540
we have a new NPS server that supports authentication

19
00:00:52,540 --> 00:00:56,230
requests, and so we will add the server's FQDN,

20
00:00:56,230 --> 00:00:58,560
its shared secret, and so forth.

21
00:00:58,560 --> 00:00:59,760
Once that's done,

22
00:00:59,760 --> 00:01:03,240
we can also fine-tune the policy to determine how our

23
00:01:03,240 --> 00:01:05,710
authentication requests are routed.
24
00:01:05,710 --> 00:01:11,310
So it's recommended that an NPS server be local to the VPN

25
00:01:11,310 --> 00:01:13,860
server to support prompt authentication requests.

26
00:01:13,860 --> 00:01:16,580
We want high throughput, low latency between them.

27
00:01:16,580 --> 00:01:20,790
However, you might have a failover NPS server in a remote data center,

28
00:01:20,790 --> 00:01:26,490
and so you might prefer the locally connected NPS server until it's unavailable

29
00:01:26,490 --> 00:01:30,320
and then fail over to a remote VPN server in that scenario,

30
00:01:30,320 --> 00:01:33,710
and the idea there is that it's obviously better to have

31
00:01:33,710 --> 00:01:36,190
slow authentication than no authentication.

32
00:01:36,190 --> 00:01:39,390
Finally, we need to update the client configuration as well.

33
00:01:39,390 --> 00:01:42,830
We need to tell the VPN client that there are additional NPS

34
00:01:42,830 --> 00:01:45,320
servers that are authorized for authentication.

35
00:01:45,320 --> 00:01:48,440
Recall that when we set up our EAP configuration initially,

36
00:01:48,440 --> 00:01:53,120
we actually put the host name of the NPS server in the EAP configuration.

37
00:01:53,120 --> 00:01:57,240
This is the only NPS server that it's allowed to talk to in this scenario.

38
00:01:57,240 --> 00:01:59,010
It would fail if we added another one.

39
00:01:59,010 --> 00:02:00,100
So here,

40
00:02:00,100 --> 00:02:03,060
we simply need to update the client configuration to let it

41
00:02:03,060 --> 00:02:10,000
know that there are additional authorized NPS servers that are available to support authentication.
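The four steps the narration walks through (export the policy, import it on the new server, register the new server on the VPN server with a preference order, and widen the client's EAP server list), as an added PowerShell example that is not code from the course. The host names nps1/nps2/vpn1.corp.example.com, the export path, the RADIUS port and score values, and the PEAP XML fragment are assumptions; the fragment is constructed and trimmed to the elements the client-side function touches. The NPS, RemoteAccess and VpnClient modules are assumed to be present on the hosts named in the comments.

```powershell
# Added example for the NPS high-availability steps above; not code from the course.
# Assumed names: nps1 = existing NPS, nps2 = new NPS, vpn1 = RRAS VPN server,
# all in corp.example.com. Run each section on the host named in its comment.

# ---- 1. On nps1: export the full NPS configuration (NPS module) -------------------
# The export contains the RADIUS shared secrets in clear text: write it only to a
# location restricted to administrators and delete it once it has been imported.
$exportPath = 'C:\Temp\nps-config.xml'
Export-NpsConfiguration -Path $exportPath

# ---- 2. On nps2 (domain-joined, NPS role installed, server certificate enrolled) --
# Import replaces nps2's entire NPS configuration with the exported one, including
# the RADIUS clients (so vpn1 is already registered) and the network policies.
Import-NpsConfiguration -Path $exportPath
Remove-Item -Path $exportPath -Force

# ---- 3. On vpn1 (RRAS, RemoteAccess module): register nps2 as a RADIUS server -----
# Score (1-30) is the initial preference: RRAS sends requests to the server with the
# highest score and falls back to lower-scored servers only when it stops answering,
# so the local NPS keeps the higher score and the remote one becomes the fallback.
$secure = Read-Host -Prompt 'Shared secret for nps2' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password   # never hard-code it
Add-RemoteAccessRadius -ServerName 'nps2.corp.example.com' -SharedSecret $secret `
    -Purpose Authentication -Port 1812 -Score 20 -Timeout 5
Set-RemoteAccessRadius -ServerName 'nps1.corp.example.com' -Purpose Authentication -Score 30
Get-RemoteAccessRadius -Purpose Authentication |
    Format-Table ServerName, Score, Timeout, Port

# ---- 4. Client: allow nps2 in the EAP server validation list ----------------------
# ServerNames is a semicolon-separated list; a server whose certificate name is not
# in it is rejected even when the certificate chains to the trusted root CA.
function Add-EapServerName {
    param(
        [Parameter(Mandatory)][string]$EapConfigXml,
        [Parameter(Mandatory)][string[]]$ServerName
    )
    $xml   = [xml]$EapConfigXml
    # Same element path for PEAP (type 25) and EAP-TLS (type 13) profiles.
    $node  = $xml.EapHostConfig.Config.Eap.EapType.ServerValidation
    $names = @($node.ServerNames -split ';' | Where-Object { $_ -ne '' })
    foreach ($n in $ServerName) {
        if ($names -notcontains $n) { $names += $n }   # de-duplicate, keep order
    }
    $node.ServerNames = ($names -join ';')
    return $xml.OuterXml
}

# Constructed PEAP fragment using the namespaces Windows uses for EAP type 25;
# in production the same edit goes into the ProfileXML your MDM pushes to clients.
$peap = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>nps1.corp.example.com</ServerNames>
        </ServerValidation>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

$updated = Add-EapServerName -EapConfigXml $peap -ServerName 'nps2.corp.example.com'
([xml]$updated).EapHostConfig.Config.Eap.EapType.ServerValidation.ServerNames

# On a test client with a manually created connection, apply it with:
# Set-VpnConnection -Name 'Always On VPN' -EapConfigXmlStream ([xml]$updated)
```

Two checks worth doing after step 2: the imported network policies carry the PEAP or EAP-TLS certificate selection from nps1, so open each policy's EAP settings on nps2 and confirm its own server certificate is selected; and confirm the new server's certificate subject or SAN matches the name you add to ServerNames in step 4, because the client validates that name, not the RADIUS address the VPN server uses. The score set in step 3 is only the starting preference; RRAS adjusts it at run time based on which server is responding, which is what gives the "local until it's unavailable, then remote" behaviour described above.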