A lot of IT people these days are faced with an emergency requirement to massively scale up existing Remote Access VPNs (RAVPN) or create entirely new ones from scratch. This can be daunting in itself especially if hardware is not readily available and pressure from the business is felt throughout the IT department
Quick deployment with virtual form factor
The good news is that this can actually be accomplished quite elegant and swiftly. Of course we would often prefer our well known crypto accelerated hardware units, but in situations of stress virtual form factors proves to be most handy as these can be delivered and deployed within minutes or hours and not days or weeks.
Note specifically the numbers for maximum AnyConnect clients and AES throughput as these are the relevant numbers for a RAVPN concentrator. Multiples units can be stacked in order to scale even further, but more on this later.
Deploying the VMware template itself is fairly easy.. just download the VMware VI image, fill out the UI wizard, deploy and you are done.
Wait! Why not FTD?
Well, we need a VPN headend, and a dedicated solution for this is much more clean and optimal performance wise. For security concern the RAVPN solution could be placed on a DMZ leg of an FTD and also further hardened with Umbrella and DUO integrations For now let us focus solely on the VPN role. You could also put it on FTD if so desired.
Setting up a load-balanced VPN cluster
There are multiple ways we can scale an AnyConnect VPN cluster.
- DNS load-balancing
- VPN load-balancing
- AnyConnect profile with server selection
In this post I will use option 2 and create a VPN load-balancing cluster. Some of the nice properties from this deployment is listed in en configuration guide (below). Note that it is quite flexible with regards to types of devices in the cluster.
Load balancing is a mechanism for equitably distributing remote-access VPN traffic among the devices in a virtual cluster. …
These devices do not need to be of the exact same type, or have identical software versions or configurations….
All active devices in a virtual cluster carry session loads. Load balancing directs traffic to the least-loaded device in the cluster…ASA configuration guide
Configuring the AnyConnect Client
Deploy two ASAv50 (support 20.000 VPN users) is fairly easy. Just find some suited iron to run them on (look at the reference tabel above) and deploy the ASA VI image.
As of the time of writing I was made aware of this video blog which went over the configuration details. As such I will save the Internet of redundant information 🙂
VPN head ends can be easily spun up in a cost effective way by leveraging Virtual appliances. Its is one of the pieces in the arsenal which should not be overlooked as they offer great flexibility and cost effectiveness.
Going with ‘only’ ASA is somewhat old school as there are a lot fewer security mechanisms, however it is a simple and easy way to get into good shap ewith a high-capacity pure-play VPN concentrator.