10.9 Setting Up a Large Scale Virtual HUB Hosting Service
Corporations or Internet service providers (ISPs) can use their high
speed backbone network and their large number of servers to create a
large scale Virtual HUB hosting service for their employees or clients
with PacketiX VPN Server 2.0. This section will give more information
about this type of Virtual HUB hosting service, and how to set one up.
10.9.1 The Necessity of a Virtual HUB Hosting Service
What is a Virtual HUB Hosting Service?
By installing VPN Server on a powerful server computer on a very high
speed connection and creating multiple Virtual HUBs on that VPN Server
you can provide usage rights to these Virtual HUBs to your clients or
employees. This is the type of Virtual HUB hosting service described
This type of Virtual HUB hosting service is also called a hosting VPN
or an ASP VPN.
The idea behind a Virtual HUB hosting service is to set up a
clustered VPN Server system, and then create a large number of Virtual
HUBs on those VPN Servers. Then you would give administrative rights to
whoever will be using or managing that Virtual HUB. This takes care of
administration as well as allowing the users of that Virtual HUB to make
a VPN connection to that VPN Server and communicate with each other.
Fig. 10-9-1 Concept of a Virtual HUB Hosting Service
Usefulness of a Virtual HUB Hosting Service in the Corporate
By utilizing a Virtual HUB hosting service it is possible for the IT
department of a large corporation to set up many different types of VPNs
using only the Virtual HUBs it provides. For example, if a Virtual HUB
hosting service was not used, the IT department would manage a VPN
Server system in the company's server room or data center, and create as
many Virtual HUBs as necessary for their network. They would then have
to give administrator privileges to a person in charge of each
department in the company for those Virtual HUBs. Those in charge would
next have to install VPN Server and manage a VPN server computer. As you
can imagine, this can be a very difficult process.
Fig. 10-9-2 Virtual HUB Hosting Service in the Corporate
Usefulness of a Virtual HUB Hosting Service for an ISP
Internet service providers (ISPs) can utilize their high speed
backbone connection to the Internet and provide a VPN hosting service to
their clients. An ISP could set up a VPN Server system in their data
center and create a special Virtual HUB for each client who signs up for
the Virtual HUB hosting service. By then giving administrator rights to
the client for that Virtual HUB they will be able to freely add users
and manage sessions. They can then connect to that Virtual HUB via the
Internet from multiple locations and be able to use all the
functionality of PacketiX VPN 2.0.
This type of service is extremely useful for users at companies or
homes that do not have a global IP address, or do not have a static
global IP address and would like to rent a Virtual HUB on a stable VPN
For example, if a small business wants to set up a remote access VPN
system, but has a dynamic global IP address (an IP address that changes
every time a connection to the Internet is made), they are unable to
install a stable VPN Server within the company. (It is possible to
install a VPN Server on this type of network using the DDNS service as
explained in section 「10.10.4 Adjusting Settings For Broadband Routers or Other Networking
Hardware」, but this method is not recommended when
stability is crucial.) There are also cases of small companies that have
a static global IP address, but do not have the technical knowledge
required for the daily management of a VPN Server. For these types of
companies, a Virtual HUB hosting services provided by their ISP is a
viable option. By making a permanent cascade connection from a VPN
Bridge installed within the company to the Virtual HUB provided by the
ISP, a company can provide a remote access VPN service as described in
section 「10.4 Setting Up a Generic Remote Access VPN」 to their employees without running their own VPN Server.
An illustration of this type of network is shown in the figure below.
Employees wanting to use the remote access VPN connect to the Virtual
HUB on the VPN Server provided by the ISP. Data is then routed through
this Virtual HUB and to the VPN Bridge connected to the company network
by a local bridge, granting remote access to the network.
Fig. 10-9-3 Virtual HUB Hosting Service Provided by an ISP
Also, using this type of service allows you to join two LANs without
a static global IP address through the Virtual HUB hosting service
provided by the ISP. Basically, you will be able to create a LAN-to-LAN
VPN as described in section 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 without having to install a VPN
Server on your company network.
Fig. 10-9-4 A LAN-to-LAN VPN Utilizing an ISP Provided
Virtual HUB Hosting Service
How to Provide a Virtual HUB Hosting Service
A corporation or ISP does not need any special certification or
permission from SoftEther to provide a large scale Virtual HUB hosting
service to their clients. By purchasing however many VPN Server 2.0
product licenses and connection licenses you need, you can set up a
Virtual HUB hosting services in a short time very easily.
10.9.2 Increase Network Scalability By Using Clustering
Naturally, when running a large scale Virtual HUB hosting service the
number of Virtual HUBs on your VPN Servers will likely be very large, as
well as the number of VPN sessions connected to those hubs via VPN
Client or VPN Bridge.
Therefore, you will need to use the clustering capabilities of
PacketiX VPN Server 2.0 Enterprise Edition or PacketiX VPN Server 2.0
Carrier Edition as explained in section 「10.8 Setting Up a Large Scale Remote Access VPN Service」. Using clustering will
enable you to create a large number of dynamic Virtual HUBs without
taking a performance hit. It will also allow you to handle a high number
of VPN sessions at once by balancing the load across multiple VPN
Servers. Furthermore, if one of your VPN Servers malfunctions or needs
to be taken down for maintenance, the fault-tolerance capability of the
cluster controller will automatically move any VPN sessions connected to
that VPN server to another, properly working VPN Server. With this in
mind, it is possible to set up a large scale Virtual HUB hosting service
that runs 24 hours a day, 365 days a year with no downtime.
|However, keep in mind that the
suggestions written here are for a large scale Virtual HUB
hosting service. If you are planning to set up a small scale
Virtual HUB hosting service (approximately 100 Virtual HUBs or
less and no more than 200 simultaneous sessions active) then you
may not need to use clustering. In this case you can use
PacketiX VPN Server 2.0 Standard Edition instead of the E or
Carrier Edition. If you decide not to use clustering at first,
but later decide that a single VPN Server is not enough to
handle any more Virtual HUBs or simultaneous sessions, you can
easily upgrade to the Enterprise Edition or the Carrier Edition
and use clustering by adding more VPN Servers to your network.
10.9.3 Using Dynamic Virtual HUBs
You can create one or more Virtual HUBs within the cluster. When
dealing with clusters, there are two types of Virtual HUBs: static
Virtual HUBs and dynamic Virtual HUBs.
The best one to use for a Virtual HUB hosting service is the dynamic
Virtual HUB. (See section 「3.9.8 Dynamic Virtual HUBs」.)
10.9.4 Network Layout
This section will explain the network layout as shown in the figure
Fig. 10-9-5 Network Layout
In this example there are five server computers installed in a data
center which make up the VPN Server cluster. For this example, assume
that all server machines have a static global IP address.
If you were to set up a five server cluster such as one in the
example above only to find that the load on each VPN Server is too high,
you can simply add more VPN Servers to increase the throughput of the
cluster and to decrease the overall load on each machine.
10.9.5 Calculating the Number of Required Licenses
Required Product Licenses
You will have to estimate the number of incoming VPN connections to
our VPN Server cluster when setting up a Virtual HUB hosting service.
First you will need to acquire enough product licenses to install
This network layout example would require VPN Server 2.0
Enterprise Edition License x 5.
A service provider or other communications company could also use the
VPN Server 2.0 Carrier Edition License. See section 「1.3.7 PacketiX VPN Server 2.0 Academic Edition 」 for more
Required Connection Licenses
The number of client and bridge connection licenses required by your
VPN Server cluster will be determined by the number of client mode VPN
sessions and bridge/routing mode VPN sessions that will be connected to
the cluster at the same time. You should always prepare enough
connection licenses to handle a slightly higher number of connections
than you expect will actually be connected to your cluster, just to be
If you are using the VPN Server 2.0 Carrier Edition License then
there is no need to purchase or register connection licenses beforehand.
See section 「1.3.7 PacketiX VPN Server 2.0 Academic Edition 」 for more details.
10.9.6 Installing and Configuring the Cluster Controller
When installing multiple VPN Servers as a cluster you must first
install the first VPN Server as the cluster controller. If the VPN
Server machines you have prepared have different hardware
specifications, you should pick the one with the most memory and the
most powerful hardware to be the cluster controller.
Please refer to section 「3.9.2 Cluster Controllers」 for more information on setting up a
VPN Server as a cluster controller.
10.9.7 Installing and Configuring the Cluster Member Servers
Each VPN Server installed after the first will connect to the cluster
controller as a cluster member server. Please refer to section 「3.9.3 Cluster Member Servers」
for more information on setting up a VPN Server as a cluster member
10.9.8 Creating Dynamic Virtual HUBs
When you make Virtual HUBs for a Virtual HUB hosting service you
should always make them as dynamic Virtual HUBs. For example, you may
need to make new Virtual HUBs for your company or, as an ISP, when new
clients sign up for your Virtual HUB hosting service.
10.9.9 Assigning Virtual HUB Administrator Rights
When you make a new Virtual HUB you will have to give administrator
rights to the user that will actually be managing that Virtual HUB. In a
corporation, administrator rights would be given to the person who
requested the Virtual HUB from the IT department. For an ISP, they would
be given to the client who has requested the Virtual HUB hosting
Handing off administrator rights is as easy as telling the user the
administrator password for the Virtual HUB, or registering a password
the user requests when you first create the Virtual HUB. Please refer to
section 「3.3.4 Administration Authority」 for more information on giving out administrator rights.
Once the user has their password they can use it to log in to the
cluster controller via their own VPN server management tool or vpncmd
and freely manage their Virtual HUB. They will have access to all the
features a Virtual HUB administrator has such as adding new
users/groups, configuring access lists, log file settings, and more. You
can also restrict access to these operations as you see fit. Please
refer to section 「10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB
Management Options」 for more details.
10.9.10 Managing VPN Sessions on a Clustered VPN
Once you have finished setting up your clustered environment, there is
usually no need to make an administrative connection directly to the
cluster member servers. Administrative operations such as downloading
log files, changing logging preferences, adding/removing/editing
currently connected users, configuring external authentication servers,
or configuring trusted authentication certificates can all be done on
the cluster controller. The controller will then update all VPN Servers
on the cluster to maintain consistency automatically.
Each Virtual HUB's administrator is only able to make an
administrative connection to the cluster controller. Remember, you can
only make a direct administrative connection to the cluster controller,
not the other cluster member servers.
10.9.11 Automating the Creation and Management of a Large Quantity
of Virtual HUBs or Users
Using vpncmd for Management Automation
You may need to automatically create a Virtual HUB for a user after
they have signed up for your Virtual HUB hosting service through a form
on your website or another method. This is especially true for ISPs. You
can automate this process of creating new dynamic Virtual HUBs for your
By using an automatic managing system that could, for example,
automatically delete a Virtual HUB from the cluster if a user cancels
their service, or automatically restrict access to a Virtual HUB that a
user has not made a payment on in time, you can make managing your
system very easy.
You can use the PacketiX VPN command line management interface
(vpncmd) to develop a system such as this. vpncmd can call scripts such
as CGI or ASP/ASP.NET in the background with parameters given through a
command line. Error codes or output files returned by those scripts can
be retrieved by vpncmd.
Refer to section 「Chapter 6 Command Line Management Utility Manual」 for more information about vpncmd. An ISP can
use vpncmd to call its own internal automated system to automate the
control of its VPN Servers or Virtual HUBs when providing a Virtual HUB
Using a .NET Library for Automated Management
The type of VPN Server or Virtual HUB management possible with vpncmd
can be executed within a program via function calls. (See section
#1.3.22# for more information.) The first version of this library is
provided as a DLL file which can be called through the Microsoft .NET
By using this library an ISP can issue commands and see the results
of those commands faster and more reliably than by using vpncmd.
Using the Framework Kit for ISPs
In the future, SoftEther plans to release a framework kit for ISPs
made up of scripts (ASP.NET) and databases that will automate the
configuration of a Virtual HUB hosting service that can automatically
handle online sign-up requests, cancellations, and temporary stoppage of
service due to payment issues. At the time of the writing of this manual
(December, 2005) the date that this service will become available is
still yet to be decided. ISPs will be able to use this framework kit and
customize it to work with their existing front-end or back-end systems.
This framework kit will consist of Microsoft .NET Framework 2.0 sample
programs and databases and will likely come packaged with PacketiX VPN
Server 2.0 Carrier Edition. Please refer to section 「1.3.7 PacketiX VPN Server 2.0 Academic Edition 」 for more
information about PacketiX VPN Server 2.0 Carrier Edition.
- When more detailed information about the
framework kit for ISPs is available, it will be available at
10.9.12 User's Usage Status and Billing
By connecting to the VPN Server with overall administrator rights you
can manage or view the traffic volume of each Virtual HUB on the entire
system. An ISP will need to use this to bill each user (Virtual HUB)
appropriately according to the traffic volume of that individual user.
You can get this information by retrieving the statistical data
automatically created and managed by the VPN Server and each Virtual
HUB. Also, this information is stored in the vpn_server.config
configuration file generated by the cluster controller. By retrieving
the data stored in this file you can measure the traffic volume for each
user and bill them accordingly. Please refer to section 「3.3.10 Administration of Statistical Information」 for
more information on the statistical data generated by VPN Server and the
Virtual HUBs. You could also make a simple program that process and
records this information to automatically calculate billing for you.
10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB
The overall VPN Server administrator (the ISP or company IT
department's administrator) can limit the administrative functions
available to each Virtual HUB's administrator (a client or employee).
This feature is referred to as the Virtual HUB management options and
is a standard feature of VPN Server. Please refer to section 「3.5.12 Virtual HUB Administration Options」
for a list of items you can configure.
By configuring the Virtual HUB management options you could, for
example, limit the maximum number of allowed simultaneous VPN sessions
on a certain Virtual HUB despite the number originally set by the
Virtual HUB. You can also set the maximum number of users or groups that
can be created on a Virtual HUB. ISPs can use this functionality to
provide different pricing plans to their customers. By providing several
plans that differ in terms of maximum users, connection speed, and
usable features you can provide flexible options to meet the individual
needs of each customer.