Setting up a cluster for MaaS360 VPN

Follow these steps to set up a VPN cluster when the number of inbound VPN connections exceeds the number of connections that a single instance of the MaaS360® VPN server can handle.

About this task

The MaaS360 VPN does not load balance traffic between nodes in a cluster. Use a front end load balancer to balance traffic between multiple members of the cluster.

Use one of the following options to load balance traffic between multiple members in a cluster by balancing the external URL assigned for the VPN between round robin DNS and a load balancer:
  • Use round robin DNS to alternate traffic between various endpoints. Round robin DNS cannot compensate for a node that is offline or unavailable.
  • Use a load balancer to handle traffic that is distributed between endpoints. Use a persistence profile that locks traffic between each device endpoint to a single server during a session. Consult with your network administrator for the best method to use with this option.

Procedure

  1. Follow the steps in Installing MaaS360 VPN and configuring the MaaS360 VPN TAP Adapter on Windows Server 2016+ to configure the first node of the cluster.
  2. Download the cluster certificate (p12 format) and save the certificate to use on the other servers.
    Important: Do not lose this certificate.
  3. Install the MaaS360 VPN Cloud Extender® software on additional servers in the cluster. Follow the steps in Installing MaaS360 VPN and configuring the MaaS360 VPN TAP Adapter on Windows Server 2016+ to install the MaaS360 VPN TAP Adapter.
  4. In the Configuration mode section, select Join an existing VPN cluster.
    Join an existing VPN cluster
  5. In the VPN Certificate section, import the VPN identity certificate that you exported (p12 format) from the original Cloud Extender in the cluster to join this server to the cluster.
    VPN certificate
    Note: You can download the VPN identity certificate by clicking Download VPN Certificate at the top of the MaaS360 VPN configuration screens in the Cloud Extender Configuration Tool.
    Download VPN Certificate button
  6. To assign user IP addresses, you must provide the private address of the interface on the server (with the port) and the subnet. To avoid confusion, use a different user IP subnet for each Cloud Extender in the cluster.
  7. Save the configuration.
  8. Repeat steps 2 - 6 for the other servers in the cluster.
    You do not need to change user policies in the IBM® MaaS360 Portal to support clusters. All members of a cluster use the same name. The distribution of traffic between those members is handled by a front end load balancer, not by MaaS360.