How to deploy a Secure Socket Tunneling Protocol (SSTP)-based VPN server that uses Network Load Balancing (NLB) in Windows Server 2008

This article describes how to deploy a Secure Socket Tunneling Protocol (SSTP)-based virtual private network (VPN) server that uses Network Load Balancing (NLB) in Windows Server 2008.

SSTP is a new kind of VPN tunnel that is available in the Routing and Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This functionality allows for a VPN connection to be more easily established through a firewall or through a network address translation (NAT) device. Also, this behavior allows for a VPN connection to be established through an HTTP proxy device.

Large organizations frequently have multiple VPN servers that perform load balancing of the VPN connections. In the scenario in the "More Information" section, the VPN server, such as a computer that is running Routing and Remote Access, will be enabled for NLB. This article describes how to deploy SSTP-based VPN servers that use NLB.

Consider the following scenario. Two servers that are running Routing and Remote Access are located in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Both servers are enabled for NLB. Additionally, both servers have the same virtual IP addresses, 1.2.3.4. Finally, the public IP address has a DNS name of server.contoso.com. In this scenario, use the following guidelines to deploy SSTP-based VPN servers that use NLB in Windows Server 2008:

• Enable NLB on each server that is running Routing and Remote Access.
• Install the same computer certificate on each server that is running Routing and Remote Access. This certificate should have the same subject name (CN) as the host name through which the VPN clients connect. The same certificate is used so that the SSL negotiation is successful. If the client will be connecting to the public IP address of the NAT router, the subject name is the virtual IP address of each server that is running Routing and Remote Access, such as 1.2.3.4. If the client will be connecting by using the host name, the subject name is the DNS name of the public IP address, such as server.contoso.com.
• Install the server that is running Routing and Remote Access by using Server Manager on all servers that are running Routing and Remote Access.
• Configure the server that is running Routing and Remote Access by using the Routing and Remote Access configuration wizard.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: