High Availability for NPS extension servers

  • Question

  • It would be great to see additional details on High Availability for the NPS extension. Since it is getting popular, many customers have this question in mind before they take it to production. Options like using a load balancer in front of the NPS servers, or any other recommendations with the traffic flow, will be helpful.

    As per the article:

    "The NPS extension automatically handles redundancy, so you don't need a special configuration. You can create as many Azure MFA-enabled NPS servers as you need. If you do install multiple servers, you should use a different client certificate for each one of them. Creating a cert for each server means that you can update each cert individually, and not worry about downtime across all your servers. VPN servers route authentication requests, so they need to be aware of the new Azure MFA-enabled NPS server."

    However, in this case, we need to configure a new RADIUS server address with the VPN, along with the secret, in order to keep it working when the other NPS extension server is down (a manual process). What is the recommendation for automatic fail-over? Should we use an LB, Traffic Manager or something else, since most VPN solutions will let you define only one IP as the primary RADIUS server and others as secondary? If we need multiple NPS servers to be available to serve requests at the same time as the primary NPS servers (to handle load and redundancy), what solution is recommended?


    Tuesday, August 28, 2018 2:49 PM

All replies

  • You need to have multiple NPS servers if you want to provide high availability; at least two servers must be created and configured for the high-availability purpose. Check out this link for the whole configuration: http://blog.mycloudit.com/best-practices-for-azure-multi-factor-authentication-in-mycloudit-deployments

    To achieve high availability with your Azure MFA Server deployment, you need to deploy multiple MFA servers. This section provides information on a load-balanced design to achieve your high-availability targets in your Azure MFA Server deployment. See this link:

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy-ha

    Cheers!!

    SAM..

    • Proposed as answer by samyyysam Tuesday, August 28, 2018 8:27 PM
    Tuesday, August 28, 2018 8:27 PM
  • @anuj_rana, checking in to see if the above suggestions helped or you need further assistance on this issue. If that answers your query, do click "Mark as Answer" and up-vote the same.

    Tuesday, September 4, 2018 5:59 AM
  • @samyyysam - The Azure MFA Server != the NPS extension.

    To provide the various cross-referenced sources here for everyone's benefit:

    As per #12273, details / a recommendation are still required here for how to properly achieve high availability with a load balancer or Traffic Manager with multiple NPS servers running the MFA extension. Specifically, how can a proper health probe be configured for the RADIUS servers (other than a ping to the server itself) which would reply with a static return code to signal that the server and service are both up and available? Even creating a test account here is not feasible, as something would need to respond to the mobile app notification on the other end of the test. I'd strongly prefer not to have to write / use yet another component that checks the state of the service on the server, monitors for failed requests, etc. and then serves a response on a separate port that could be used for a health probe...


    Mark A. Ziesemer

    Thursday, September 27, 2018 2:27 AM
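The health-probe question in the last reply is the part a practitioner actually has to solve. The following is an added example, not code from the thread, from Microsoft or from the NPS extension: a minimal RADIUS Status-Server probe (RFC 5997) in Python, with Message-Authenticator (HMAC-MD5, RFC 3579) on the request and full authenticator validation on the reply, plus a server-side reply builder so the exchange can be exercised offline. Status-Server is the protocol-level liveness check designed for exactly this purpose (it is not an Access-Request, so it does not start an authentication and cannot trigger an MFA push); whether NPS, with or without the MFA extension, answers Status-Server at all is an assumption that has to be verified in a lab before building a load-balancer probe on it. Hostname, port and shared secret in the `__main__` block are placeholders.

```python
"""RADIUS Status-Server (RFC 5997) liveness probe with authenticator checks.

Added example, not from the forum thread or the NPS extension. Assumption to
verify in a lab: that the probed RADIUS server answers Status-Server at all.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12              # RFC 5997 request code
ACCESS_ACCEPT = 2               # expected reply on the authentication port
ACCOUNTING_RESPONSE = 5         # expected reply on the accounting port
ATTR_MESSAGE_AUTHENTICATOR = 80 # RFC 3579 attribute type
HEADER_LEN = 20                 # code(1) + id(1) + length(2) + authenticator(16)


def build_status_server(secret: bytes, identifier: int, request_authenticator: bytes) -> bytes:
    """Build a Status-Server request; Message-Authenticator is mandatory per RFC 5997.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet with the 16-byte Message-Authenticator value zeroed.
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attr = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, HEADER_LEN + len(attr))
    packet = header + request_authenticator + attr
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return header + request_authenticator + attr[:2] + mac


def verify_response(response: bytes, request: bytes, secret: bytes,
                    expected_code: int = ACCESS_ACCEPT) -> bool:
    """Validate code, identifier, Response Authenticator and Message-Authenticator.

    Response Authenticator = MD5(code|id|length|RequestAuth|attributes|secret).
    A Message-Authenticator in a reply is HMAC-MD5 over the reply with the
    *request* authenticator in the authenticator field and the MAC zeroed.
    """
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != expected_code or ident != request[1] or length != len(response):
        return False
    req_auth = request[4:20]
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    pos = 0
    while pos + 2 <= len(attrs):            # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False                     # malformed attribute length
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = response[:4] + req_auth + attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[pos + 2:pos + 18]):
                return False
        pos += alen
    return True


def build_response(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    """Server side, used here only for offline testing: reply to a Status-Server request."""
    ident, req_auth = request[1], request[4:20]
    attr = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr))
    mac = hmac.new(secret, head + req_auth + attr, hashlib.md5).digest()
    attrs = attr[:2] + mac
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def probe(host: str, port: int, secret: bytes, timeout: float = 2.0) -> bool:
    """Send one Status-Server request over UDP and return True only on a valid reply."""
    request = build_status_server(secret, os.urandom(1)[0], os.urandom(16))
    # 1813 is the standard accounting port; anything else is treated as authentication.
    expected = ACCOUNTING_RESPONSE if port == 1813 else ACCESS_ACCEPT
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(data, request, secret, expected)


if __name__ == "__main__":
    # Placeholder host and secret; replace with a real NPS server and RADIUS client secret.
    print("NPS up:", probe("nps1.example.internal", 1812, b"change-me"))
```

A load balancer that can only do TCP or HTTP probes still cannot run this directly; the practical use is as a sidecar health endpoint or a scheduled check that flips a marker the load balancer does understand, which is the extra component the last reply was hoping to avoid. Keep the probe's secret to a dedicated RADIUS client entry so a leaked probe secret does not also cover the VPN concentrator.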