Addressing the need for multiple Microsoft Tunnel Gateway servers

This week will focus on addressing the need for multiple Microsoft Tunnel Gateway servers. A single server is easy to setup, and easy to discuss and to describe, but that just a starting point. Often there is a need for multiple Microsoft Tunnel Gateway servers. That could be for providing high availabilty, for supporting the right amount of users and even for providing access to resources on different remote locations. So, it can be multiple servers on the same location and multiple servers on different locations. This post will go through the main scenarios for multiple servers and will focus on the main configurations that should be in place to support and configure those scenarios. No detailed configurations this time. Only descriptions of the main scenarios and the configurations that are different to support those scenarios.

Important: Keep in mind that Microsoft Tunnel is only available for iOS/iPadOS devices and Android devices.

Multiple Microsoft Tunnel Gateway servers at the same location

Multiple Microsoft Tunnel Gateway servers at the same location are often introduced for scaling and availability reasons. This could (and maybe should) be applicable to every organization using Microsoft Tunnel and making important business apps available for mobile devices. When looking at multiple servers at the same location that could have some impact on the basic configurations of Microsoft Tunnel. This section will look at the overview of that scenario and the main configurations.

Server architecture overview

The Microsoft Tunnel architecture of this scenario requires at least a load balancer to spread the load over the different Microsoft Tunnel Gateway servers that are available at the location. That also means that there is a single public IP address and/or DNS name for accessing Microsoft Tunnel. Figure 1 provides a simplified overview of a single-site architecture with multiple Microsoft Tunnel Gateway servers.

Server configuration

The Server configuration is used for creating a single configuration template that can be easily applied to multiple Microsoft Tunnel Gateway servers. That configuration template defines the IP address ranges, DNS servers, and split-tunneling rules that should be applied to mobile devices connecting to Microsoft Tunnel. For multiple servers in the same location, it’s important that the applied Server configuration is the same for all servers. That will make sure that whichever server is provided via the load balancer, can access the same important apps.

Site

A Site is a logical group of Microsoft Tunnel Gateway servers. That can be used for grouping multiple servers in he same location and will make sure that the same Server configuration is applied to every server in that same Site. It also makes sure that the external access and the update behavior is configured for all the different servers. Multiple Microsoft Tunnel Gateway servers, in the same Site, also require the same configuration. That will make sure that the Site is externally available and can provide access to the important apps that are available on that location.

Note: Keep in mind that theoratically a single location can contain multiple Sites. That could be useful for creating separate Microsoft Tunnel environments for different parts of the organization, or for specific apps.

VPN profile

The VPN profile is used for applying the VPN configuration of Microsoft Tunnel, to the different mobile devices (iOS/ Android). That configuration can be used to configure the Site that the mobile devices should be using, including the behavior of the VPN. With multiple Microsoft Tunnel Gateway servers in a single Site, only a single VPN profile is used for applying that configuration.

Server installation

The Microsoft Tunnel Gateway installation of multiple servers, in the same single Site of the environment, doesn’t require anything special to keep in mind. There are no additional and/or special choices to be made during the installation.

Multiple Microsoft Tunnel Gateway servers at different locations

Multiple Microsoft Tunnel Gateway servers at different locations are often introduced for providing access to resources at different remote locations. That could be useful when an organization has more locations with different resources. When looking at multiple servers at different remote locations that could have some impact on the basic configurations of Microsoft Tunnel. This section will look at the overview of that scenario and the main configurations.

Server architecture overview

The Microsoft Tunnel architecture of this scenario requires at least a Microsoft Tunnel Gateway server at the different remote locations. When availability and scalability are also important, this scenario can be combined with the first scenario. That also means that there is a public IP address and/or DNS name for accessing Microsoft Tunnel on each remote location. Figure 2 provides a simplified overview of a multi-site architecture with multiple Microsoft Tunnel Gateway servers at the different locations. That provides the same high availability experience for both locations.

Server configuration

As mentioned before, the Server configuration is used for creating a single configuration template that can be easily applied to multiple Microsoft Tunnel Gateway servers. That configuration template defines the IP address ranges, DNS servers, and split-tunneling rules that should be applied to mobile devices connecting to Microsoft Tunnel. For multiple servers in different locations, it can be important that there are different Server configurations available for the servers of different locations. Figure 3 provides an overview of a Server configuration and highlights the configuration settings that are most likely to be different for servers on another location. Those settings will make sure that whichever server is provided via the load balancer, on a specific location, can access the same important apps that are available on that location.

Site

As mentioned before, a Site is a logical group of Microsoft Tunnel Gateway servers. That can be used for grouping multiple servers in he same location and will make sure that the same Server configuration is applied to every server in that same Site. It also makes sure that the external access and the update behavior is configured for all the different servers at the same Site. For multiple Microsoft Tunnel Gateway servers, in different Sites, the external access will be different and often different Server configurations are required. Figure 4 provides an overview of a Site configuration and highlights the configuration settings that will be different for another location. Those settings will make sure that the different Sites are externally available and can provide access to the important apps that are available on that location.

VPN profile

As mentioned before, the VPN profile is used for applying the VPN configuration of Microsoft Tunnel, to the different mobile devices (iOS/ Android). That configuration can be used to configure the Site that the mobile devices should be using, including the behavior of the VPN. With multiple Microsoft Tunnel Gateway servers in different Sites, multiple VPN profiles are used for applying that configuration. Figure 5 provides an overview of a VPN profile and highlights the configuration setting that will be different for connecting to a specific location. That setting makes sure that there can be a differentiation between the mobile devices that can access the resources that are available via a specific location.

Server installation

The Microsoft Tunnel Gateway installation of multiple servers, in different Sites in the environment, requires an additional step to keep in mind during the installation process. When going through the installation script, after authenticating as an administrator with Microsoft Intune, the installation script will ask for the Site for the server to join. It provides an overview of the different Site IDs and Names to pick from (as shown below in Figure 6). Enter the Site ID to of the Site for the server to join, to continue the installation. The rest of the installation process is the same as for single Site environments.


Discover more from All about Microsoft Intune

Subscribe to get the latest posts sent to your email.

7 thoughts on “Addressing the need for multiple Microsoft Tunnel Gateway servers”

  1. Can you recommend a load balancer solution for Microsoft Tunnel Gateway servers? I’ve recently tried AWS Load balancer but no luck for now, on the ms tunnel log I see errors like:

    7/3/2022 2:41:19 AM Warning GnuTLS error (at worker-vpn.c:861): A packet with illegal or unsupported version was received.
    7/3/2022 2:41:21 AM Warning GnuTLS error (at worker-vpn.c:861): The TLS connection was non-properly terminated.
    7/3/2022 2:41:23 AM Warning GnuTLS error (at worker-vpn.c:861): No supported cipher suites have been found.

    Reply
    • Have you considered Azure Traffic Manager? You could use HTTPS endpoints from MST to monitor for availability. Multiple routing methods available in this solution also; weighted (active/active), priority (active/passive) etc…

      Reply
  2. We do run F5 Big IP in LTM Mode.
    You need to make sure UDP and TCP 443 is balanced.
    Session handling as source ip.
    Azure Load Balancer will also do fine.
    if you run Azure check global DNS Balancing Option.
    With this you just need one VPN profile.

    Reply
    • Hello Armin, can you share any information on your F5 configuration with Microsoft Tunnel?

      We are having problems getting F5 to work with Tunnel. I’m asking on behalf of our F5 admin and I’m not super F5 smart. As near as I can tell we are using nPath and not putting the F5 inline. Traffic comes into the F5 then to tunnel. Return traffic does not go to the F5 and goes directly from the tunnel to the client.

      Looking to see how you setup LTM from a high level. Thanks!

      Reply

Leave a Reply to Andy Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.