Load Balancing SSTP VPN Using the KEMP LoadMaster Load Balancer
RICHARD HICKS
Richard M. Hicks Consulting
Founder and Principal Consultant
Microsoft Most Valuable Professional (MVP)
• Cloud and Datacenter
• Enterprise Security
20+ Year Industry Veteran
Enterprise Mobility and Security Infrastructure Expert
WINDOWS ROUTING AND REMOTE ACCESS SERVICES
WINDOWS RRAS
Routing and Remote Access Services (RRAS)
Feature of the Windows Server 2016 operating system
Mature, robust, and stable
First introduced in Windows 2000
Support for modern VPN protocols
RRAS BENEFITS
Easy to deploy
As a feature of the Windows Server
2016 operating system, RRAS is easy
to install and configure.
Cost effective
RRAS and Windows 10 VPN do not require any additional
per-user licensing to implement.
Flexible deployment
RRAS can be deployed on existing physical or virtual
infrastructure.
Easy to manage
RRAS requires no specialized
knowledge and can be implemented
and supported using existing
Windows administrator skill sets.
PROTOCOL SUPPORT
Internet Key Exchange version 2 (IKEv2)
Secure Sockets Tunneling Protocol (SSTP)
Layer Two Tunneling Protocol over IPsec (L2TP/IPsec)
Point-to-Point Tunneling Protocol
IKEV2
Industry standard VPN protocol in wide use.
Broad client support.
Uses UDP for transport (ports 500 and 4500).
Commonly blocked by edge firewalls.
Difficult to scale out.
SSTP
Microsoft proprietary VPN protocol.
Supported since Windows Vista.
Uses TCP for transport (port 443).
Firewall friendly protocol that provides ubiquitous access.
Easily scalable.
L2TP/IPSEC AND PPTP
Requires client-side certificates for highest assurance.
Can use pre-shared keys (not recommended).
Difficult to implement and support.
Numerous known security vulnerabilities.
L2TP/IPsec and PPTP are legacy VPN protocols and are
considered obsolete. Their use should be avoided at all costs.
WHY SSTP?
FIREWALL FRIENDLY
SSTP uses Transport Layer Security (TLS).
Operates on standard HTTPS port 443.
Commonly available.
Easy to implement and support.
HIGHLY SCALABLE
Easy to load balance.
Includes native support for full TLS termination and offload.
All encryption/decryption can be performed on a dedicated appliance.
• Improves performance
• Reduces server resource utilization
• Increases concurrent user support per server
LOAD BALANCING SSTP
VIRTUAL SERVICE
Define Virtual IP Address (VIP)
Specify TCP port 443
Enter a Service Name
Choose persistence options
REAL SERVERS
Provide IP address of first VPN server
Specify TCP port 443
Define the weight and connection limit (optional)
Repeat steps above for each additional VPN server
TLS OFFLOADING - GEO
Modify existing SSTP virtual service
Enable SSL Acceleration
Choose an SSL certificate
Select a cipher set
TLS OFFLOADING - RRAS
Edit the properties of the RRAS server
Open the Security tab
Select the option to use HTTP
Restart the RRAS service
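Added example (not part of the original slides or of KEMP's documentation): once SSL Acceleration, the certificate and the cipher set are in place on the virtual service, this Python check completes a TLS handshake against the VIP as a validating client and flags a legacy protocol, a weak cipher or a certificate close to expiry. The host name vpn.example.net, the weak-cipher markers and the 30-day threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Substrings of cipher names treated as weak here (an assumption, adjust to policy).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


def probe(host, port=443, timeout=5.0):
    """Handshake with the VIP as a validating client; return what was negotiated."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": tls.getpeercert()["notAfter"],
            }


def assess(result, now=None, min_days=30):
    """Return findings for one probe result; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if result["version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("legacy protocol: " + result["version"])
    if any(m in result["cipher"].upper() for m in WEAK_MARKERS):
        findings.append("weak cipher: " + result["cipher"])
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(result["not_after"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:
        findings.append("certificate expires in %d days" % days_left)
    return findings


if __name__ == "__main__":
    vip = "vpn.example.net"  # placeholder VIP host name (assumption)
    try:
        problems = assess(probe(vip))
    except ssl.SSLCertVerificationError as exc:
        problems = ["certificate rejected: " + exc.verify_message]
    except OSError as exc:
        problems = ["connection failed: %s" % exc]
    for line in problems or ["OK: modern protocol, cipher and certificate"]:
        print(line)
```

The handshake reports only the best option the client and the VIP agree on, so it confirms what a current client gets rather than listing every cipher the selected cipher set still accepts.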