SSTP Support for NLB

I’ve written about SSTP in articles on the Web site. If you haven’t run into SSTP, its the Windows Server 2008 SSL VPN protocol that provides you full network connectivity using an SSL connection. SSTP also supports Web proxies, so that you can reach your company network through virtually any firewall or Web proxy that allows outbound SSL connections on TCP port 443.

Most companies with VPN servers need them to be highly available. In order to create a highly available VPN server configuration, you can use the Windows Server 2008 Network Load Balancing protocol. NLB enables you to bind a virtual IP address to each member of the NLB array, so that connections are automatically load balanced among all members of the array. In addition, if a member of the array becomes unavailable, connections will disconnect and automatically reconnect to a member of the array that is online.

In order to get this to work, you want to do the following:

  • Create a DNS entry that resolves the virtual IP address on the external interfaces of the array members
  • Enable NLB on members of the NLB array
  • Use the same computer certificate on each member of the array. The certificate must have the same common name as the name used in the request, which is the DNS name that the clients used to connect to the NLB array

That’ it! Have fun with SSTP — one of the most valuable features included with Windows Server 2008.



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top