Configuring VPN Load Balancing
About VPN Load Balancing
VPN load balancing in threat defense allows you group two or more devices logically and distribute remote access VPN sessions among the devices equally. VPN load balancing shares Secure Client VPN sessions among the devices in a load balancing group.
VPN load balancing is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of two or more threat defense devices. One device acts as the director, and the other devices are member devices. Devices in a group do not need to be of the exact same type, or have identical software versions or configurations. Any threat defense device that supports remote access VPN can participate in a load balancing group. Threat Defense supports VPN load balancing with Secure Client SAML authentication.
All active devices in a VPN load-balancing group carry session loads. VPN load balancing directs traffic to the least-loaded device in the group, distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Components of VPN Load Balancing
Following are the components of VPN load balancing:
-
Load-balancing group—A virtual group of two or more threat defense devices to share the VPN sessions.
A VPN load-balancing group can consist of threat defense devices of the same release or of mixed releases; but the device must support remote access VPN configuration.
See Configure Group Settings for VPN Load Balancing and Configure Additional Settings for Load Balancing.
-
Director—One device from the group acts a director. It distributes the load among other members in the group and participate is serving the VPN sessions.
The director monitors all devices in the group, keeps track of how loaded each device is, and distributes the session load accordingly. The role of director is not tied to a physical device; it can shift among devices. For example, if the current director fails, one of the member devices in the group takes over that role and immediately becomes the new director.
-
Members—Devices other than the director in a group are called members. They participate in load balancing and share the remote access VPN connections.
Prerequisites for VPN Load Balancing
-
Certificates—threat defense’s certificate must contain the IP addresses or FQDN of the director and members to which the connection is redirected. Or else, the certificate will be deemed untrusted. The certificate must use Subject Alternate Name (SAN) or wildcard certificate
-
Group URL—Add the group URL for VPN load-balancing group IP address to the connection profiles. Specify a group URL to eliminate the need for the user to select a group at login.
-
IP Address Pool—Choose unique IP address pool for member devices, and override the IP pool in management center for each of the member devices.
-
Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.
Guidelines and Limitations for VPN Load Balancing
-
VPN load balancing is disabled by default. You must explicitly enable VPN load balancing.
-
Only the threat defense devices that are co-located can be added to a load-balancing group.
-
A load-balancing group must have a minimum of two threat defense devices.
-
Devices in threat defense high availability can participate in a load-balancing group.
-
Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.
-
When a member or a director device goes down, remote access VPN connections that are served by that device will be dropped. You must initiate the VPN connection again.
-
Identity certificate on each device must have Subject Alternate Name (SAN) or wildcard.