KEMP for Celestix SecureAccess VPN

Introduction

Celestix SecureAccess is a comprehensive remote access solution designed not only to simplify the deployment of Windows-based remote access technologies, but also enhance the manageability and features that are not found in standard Microsoft DirectAccess and Microsoft Always On VPN. Organizations that deploy Celestix SecureAccess for their remote access needs will find a solution that provides the best and most secure remote access experience by taking advantage of the unique capabilities of each supported client platform.

Always On VPN Deployment Guide

Load Balancing for VPN Servers

Eliminating single points of failure in the Always On VPN architecture is crucial to ensuring the highest level of availability for the remote access solution. VPN servers can be made highly availably using the Kemp LoadMaster load balancer. The LoadMaster can be configured to accept inbound VPN connections and intelligently distribute them to all configured real servers. Traffic can be distributed in round-robin, or optionally based on the number of connections or by a percentage as defined by the administrator.

Load Balancing for RADIUS Servers

Always On VPN makes use of user certificates for authentication. The authentication protocol of choice is the Protected Extensible Authentication Protocol (Protected EAP, or PEAP), sometimes referred to as EAP-TLS. To leverage EAP, client connection requests are authenticated using a RADIUS server, commonly the Windows Server Network Policy Server (NPS). To provide redundancy for the authentication infrastructure, multiple RADIUS/NPS servers can be deployed and load-balanced by the Kemp LoadMaster to ensure high availability and to enable flexible scalability.

Redundancy and Failover

Unlike DirectAccess, Always On VPN does not natively include support for redundancy or failover. To address this shortcoming, the Kemp LoadMaster GEO can be configured to improve availability for VPN servers located in different datacenters. The administrator can configure GEO to route all VPN connection requests to the primary datacenter and send requests to the secondary datacenter in the event the primary site is unavailable.

Geographic Load Balancing

The Kemp LoadMaster GEO can also be used to provide geographic load balancing for Always On VPN. GEO can be configured to use proximity and location-based scheduling to intelligently route VPN connection requests to the nearest VPN server based on the client’s current location. This ensures that clients will connect to the most optimal VPN server available.