
Load Balancing SSTP VPN with KEMP LoadMaster



Microsoft MVP Richard Hicks walks us through Load Balancing SSTP VPN and the advantages it brings to network security:

1. SSTP uses TLS
2. Operates on standard HTTPS port 443
3. Commonly available
4. Easy to implement and support

Highly scalable:
1. Easy to load balance
2. Native support for TLS (SSL) termination/offload
3. All encryption/decryption can be performed on a dedicated appliance

L2TP/IPsec and PPTP are legacy VPN protocols and are obsolete. They should be avoided at all costs.

Published in: Internet


  1. Load Balancing SSTP VPN Using the KEMP LoadMaster Load Balancer
  2. RICHARD HICKS: Richard M. Hicks Consulting, Founder and Principal Consultant. Microsoft Most Valuable Professional (MVP): Cloud and Datacenter, Enterprise Security. 20+ Year Industry Veteran. Enterprise Mobility and Security Infrastructure Expert.
  4. WINDOWS RRAS: Routing and Remote Access Services (RRAS). Feature of the Windows Server 2016 operating system. Mature, robust, stable. First introduced in Windows 2000. Support for modern VPN protocols.
  5. RRAS BENEFITS:
     • Easy to deploy: As a feature of the Windows Server 2016 operating system, RRAS is easy to install and configure.
     • Cost effective: RRAS and Windows 10 VPN do not require any additional per-user licensing to implement.
     • Flexible deployment: RRAS can be deployed on existing physical or virtual infrastructure.
     • Easy to manage: RRAS requires no specialized knowledge and can be implemented and supported using existing Windows administrator skill sets.
  6. PROTOCOL
  7. PROTOCOL SUPPORT:
     • Internet Key Exchange version 2 (IKEv2)
     • Secure Socket Tunneling Protocol (SSTP)
     • Layer Two Tunneling Protocol over IPsec (L2TP/IPsec)
     • Point-to-Point Tunneling Protocol
  8. IKEV2: Industry standard VPN protocol in wide use. Broad client support. Uses UDP for transport (ports 500 and 4500). Commonly blocked by edge firewalls. Difficult to scale out.
  9. SSTP: Microsoft proprietary VPN protocol. Supported since Windows Vista. Uses TCP for transport (port 443). Firewall friendly protocol that provides ubiquitous access. Easily scalable.
  10. L2TP/IPSEC AND PPTP: Requires client-side certificates for highest assurance. Can use pre-shared keys (not recommended). Difficult to implement and support. Numerous known security vulnerabilities. L2TP/IPsec and PPTP are legacy VPN protocols and are considered obsolete. Their use should be avoided at all costs.
  11. WHY SSTP?
  12. FIREWALL FRIENDLY: SSTP uses Transport Layer Security (TLS). Operates on standard HTTPS port 443. Commonly available. Easy to implement and support.
  13. HIGHLY SCALABLE: Easy to load balance. Includes native support for full TLS termination and offload. All encryption/decryption can be performed on dedicated appliance.
     • Improves performance
     • Reduces server resource utilization
     • Increases concurrent user support per server
  15. VIRTUAL SERVICE:
     • Define Virtual IP Address (VIP)
     • Specify TCP port 443
     • Enter a Service Name
     • Choose persistence options
  16. REAL SERVERS:
     • Provide IP address of first VPN server
     • Specify TCP port 443
     • Define the weight and connection limit (optional)
     • Repeat steps above for each additional VPN server
  17. TLS OFFLOADING - GEO:
     • Modify existing SSTP virtual service
     • Enable SSL Acceleration
     • Choose an SSL certificate
     • Select a cipher set
  18. TLS OFFLOADING - RRAS:
     • Edit the properties of the RRAS server
     • Open the Security tab
     • Select the option to use HTTP
     • Restart the RRAS service
  19. TRY LOADMASTER AND ALWAYS-ON-VPN: Always-on-VPN. Free trial. Try in Azure.