10.8 Setting Up a Large Scale Remote Access VPN Service
If you expect a large number of simultaneous connections to your VPN
Server based remote access VPN system like the one described in section
「10.4 Setting Up a Generic Remote Access VPN」, you can use the clustering capability of PacketiX VPN Server 2.0
Enterprise Edition to perform load balancing across multiple VPN
Servers. This allows you to decrease the load on each VPN Server and
increase overall throughput. It also allows you to automatically
introduce fault-tolerance into your network design.
10.8.1 VPN Server's Processing Limit
A single VPN Server can theoretically handle up to 4,096 sessions at
once. So, a VPN Server being used for a remote access VPN could handle
approximately 4,000 VPN Client connections simultaneously.
However, the problem in reality is not software limitations but
hardware limitations such as limited memory capacity or CPU processing
speed. That being said, if 4,000 VPN sessions were handled by a single
VPN Server there would be issues such as significant transmission speed
loss or insufficient memory on the VPN Server resulting in memory swap
access that would drastically limit the usability of the VPN as a whole.
In the future it is predicted that hardware will advance to a point
where it will be able to handle such a load. Unfortunately, that
technology is not yet available to us. So, in order to handle these high
number of connections we have to design software in such a way so that
it can decrease the load on the hardware.
When a large corporation's IT department wants to provide a remote
access VPN service to all of its employees, they have to try and predict
how many connections might possibly be made to the server at the same
time. For example, if your VPN server machine is a Pentium 4 2.8 GHz
with 1 GB of RAM we recommend having one server for every 200 to 500
sessions. (Keep in mind that the actual number of VPN Servers required
can vary greatly according to network traffic and other factors.)
10.8.2 Increase Network Scalability By Using Clustering
By using the clustering capability built in to PacketiX VPN Server
2.0 Enterprise Edition you create a cluster of servers to handle a large
number of remote access VPN connections.
By increasing the number of computers in the cluster you can achieve
a system that can handle even more than 4,096 simultaneous sessions at
once.
This section will give an example layout of this type of remote
access VPN service and inform you of important points to keep in mind
when designing a cluster network. Please refer to section 「3.9 Clustering」 for more
detailed information about the clustering capability.
10.8.3 Using Static Virtual HUBs
You can create one or more Virtual HUBs within the cluster. When
dealing with clusters, there are two types of Virtual HUBs: static
Virtual HUBs and dynamic Virtual HUBs.
The best one to use for a remote access VPN is the static Virtual
HUB. (See section 「3.9.7 Static Virtual HUBs」.)
10.8.4 Network Layout
This section will explain the following type of network layout as an
example.
Fig. 10-8-1 Network Layout |
The network example above assumes that there is an existing company
LAN to which the VPN Clients make a remote VPN connection to.
In this case there are many VPN Clients that need to connect to the
VPN Server. To handle the load, you can install multiple VPN Servers and
initiate clustering between them.
In the example above, three VPN Servers are being operated as a
cluster. When VPN Clients connect to the cluster they will be
re-directed to the VPN Server with the lowest load as calculated by the
cluster controller. VPN Clients will not know which static Virtual HUB
instance they are connected to. However, all Virtual HUBs are connected
via a local bridge to the remote access VPN's destination network
segment, so the user will be able to communicate over the remote network
without having to know which VPN Server they were assigned to via the
load balancing algorithm.
In this example there are three VPN Servers installed for a predicted
total of 300 VPN Clients. However, determining how many VPN Servers to
install is not only based on the number of VPN Clients, but can change
dramatically based on the VPN Server computer's hardware, or the
bandwidth available from the backbone it is connected to. The method we
recommend of finding the optimal number of VPN Servers is to first set
up a small test VPN of two VPN Servers using clustering. Test to see how
many sessions can be active at once before performance starts being
affected. From there you can tell about how many sessions a single VPN
Server can handle in your network environment, and you can add more VPN
Servers as needed. By using this method you can eliminate any wasted
costs and build the smallest, most efficient VPN to suit your needs.
| This network example assumes that the
remote LAN is made up of a single layer 2 segment. However, in
most situations where clustering is needed such as in a large
corporation, the internal network is most likely separated into
multiple segments with IP routing taking place between them.
Therefore, when setting up a remote access VPN for this type of
network you will need to install a static Virtual HUB on each of
the remote networks. Then, you must also connect each VPN Server
with each Ethernet segment containing a Virtual HUB with a local
bridge connection. |
10.8.5 Calculating the Number of Required Licenses
Let's calculate how many licenses will be needed for this network
layout. You will need three VPN Server product licenses to receive
incoming connections from VPN Clients. This time you are using
clustering so you will need the Enterprise Edition.
Finally, you have 300 VPN Clients connecting to the VPN Server at the
same time, so you will need connection licenses for 300 clients.
Connection licenses will be managed by the entire cluster, therefore you
only need to register them to the cluster controller.
The bridge connection required to connect each VPN Server's Virtual
HUB to the existing LAN will be handled by the VPN Servers so a bridge
connection license is not required.
Thus, the required product licenses and connection licenses are as
shown below.
- VPN Server 2.0 Enterprise Edition License x 3
- VPN Server 2.0 Client Connect License (100 Clients) x 3
Please refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for more information about the
licensing system.
10.8.6 Installing and Configuring the Cluster Controller
When installing multiple VPN Servers as a cluster you must first
install the first VPN Server as the cluster controller. If the VPN
Server machines you have prepared have different hardware
specifications, you should pick the one with the most memory and the
most powerful hardware to be the cluster controller.
Please refer to section 「3.9.2 Cluster Controllers」 for more information on setting up a
VPN Server as a cluster controller.
10.8.7 Installing and Configuring the Cluster Member Servers
Each VPN Server installed after the first will connect to the cluster
controller as a cluster member server. Please refer to section 「3.9.3 Cluster Member Servers」
for more information on setting up a VPN Server as a cluster member
server.
10.8.8 Creating Static Virtual HUBs
Once you have all your VPN Servers installed connect to the cluster
controller and create a single Virtual HUB. Set the type of the Virtual
HUB to static. As explained previously, if the network you wish to
connect to remotely has multiple segments, create a Virtual HUB for each
segment.
Note that the Virtual HUB that exists on a fresh install of VPN
Server named "DEFAULT" is a dynamic Virtual HUB. (You can change it to a
static Virtual HUB and use it if you would like.)
10.8.9 Making a Local Bridge between the Existing LAN and the
Virtual HUBs
When a static Virtual HUB is created on the cluster controller an
instance of that static Virtual HUB will automatically be made on all
VPN Servers in the cluster. (See section 「3.9.7 Static Virtual HUBs」.)
Next, make a direct administrative connection to each VPN Server and
set up a local bridge connection between that Virtual HUB and the
physical LAN you wish to connect to remotely. (For more information on
creating local bridge connections, see section 「3.6 Local Bridges」.) As explained
previously, if the network you wish to connect to remotely has multiple
segments, you must make local bridge connections between each static
Virtual HUB and their respective physical LAN. (You will need multiple
network adapters for this.)
Refer to section 「10.4.7 Configuring the Local Bridge」 for things to note when making local bridge
connections.
Once the local bridges are configured that cluster is ready to go as
a remote access VPN system. VPN Clients can make a VPN connection to the
cluster controller via the Internet, at which point the controller will
automatically redirect the connection to the VPN Server with the lowest
current load. That VPN Server will then process that client's
connection. The user never has to know about this process, and can
connect just as they always would.
In addition, if an operating cluster member has a hardware failure or
is taken down for maintenance, any VPN sessions being handled by the VPN
Server on that member will automatically be assigned to a different VPN
Server with no interruption of service. Even if something like this
happens, the VPN Server administrator does not have to lift a finger.
10.8.10 Managing VPN Sessions on a Clustered VPN
Once you have finished setting up your clustered environment, there is
usually no need to make an administrative connection to the cluster
member servers. Administrative operations such as downloading log files,
changing logging preferences, adding/removing/editing currently
connected users, configuring external authentication servers, or
configuring trusted authentication certificates can all be done on the
cluster controller. The controller will then update all VPN Servers on
the cluster to maintain consistency automatically.
|