[00:00:02] Next, we'll explore enabling high availability for our VPN infrastructure. The process is pretty much similar to the NPS server high availability, in that we're going to deploy additional VPN servers, and then once we've done that, we will export the VPN configuration from our functioning first or primary server, and we'll import that on the remaining servers. We'll need to perform some additional configuration, though, because importing and exporting the configuration doesn't bring all of the settings over, so there are some optimizations that we do and some fine-tuning of some of the security settings that don't come over in that export. So we'll do that as well. And then finally, we will enable load balancing.

[00:00:41] Administrators have options when it comes to load balancing VPN servers. You can use NLB, or the Network Load Balancing service. This is a part of Windows; it's a role or a feature built into Windows Server. Or you could use an external load balancer, which is really the preferred method. NLB is nice because, again, it is included in Windows, there is no additional cost to use it, and no additional software or hardware you have to install or configure or deploy.
[00:01:07] The challenge with NLB is it does provide limited functionality. It doesn't have quite the visibility and control that you do with an external load balancer, and also, there is a fundamental flaw, I think, in NLB, which is that it's broadcast-based, so each node in the cluster will actually perform a broadcast heartbeat message every second. So that's a lot of noise on the wire, and of course, that increases exponentially when you have multiple nodes in the cluster, so it kind of has an upward limit to it of about 8 nodes, functionally speaking. I think you can get more, but once you get past about 8 nodes in an NLB cluster, you get to that point of diminishing returns. The broadcast traffic just becomes so overwhelming that you don't get a lot of advantage to going past that.

[00:01:53] Now, an external load balancer, of course, these are available from a variety of third parties, and they do come with an additional cost. I mean, there are some free versions, and maybe that would suffice in really small deployments, but most often, if you need any sort of, you know, measurable throughput and performance, you're probably going to have to end up paying for something.
[00:02:13] They are available in physical or virtual appliance platforms. I've deployed virtual appliances countless times. They work fantastic. External load balancers do provide advanced functionality. You do have more fine-grained control over session persistence and load balancing algorithms and things like that. And typically, they operate at Layer 3 through 7, so they're not broadcast-based, and so you get much better performance and so forth with an external load balancer. And it's for that reason that I wholeheartedly recommend that if you're going to use a load balancer for your VPN infrastructure, you use an external load balancer, because that's going to be the best administrative experience, and it's also going to provide you the best performance.