10.9 Build a Large Scale Virtual Hub Hosting Service

    Corporations or Internet service providers (ISPs) can use their high speed backbone network and their large number of servers to create a large scale Virtual Hub hosting service for their employees or clients with SoftEther VPN Server. This section will give more information about this type of Virtual Hub hosting service, and how to set one up.


    10.9.1 The Necessity of a Virtual Hub Hosting Service

    What is a Virtual Hub Hosting Service?

    By installing VPN Server on a powerful server computer on a very high speed connection and creating multiple Virtual Hubs on that VPN Server you can provide usage rights to these Virtual Hubs to your clients or employees. This is the type of Virtual Hub hosting service described here.

    This type of Virtual Hub hosting service is also called a hosting VPN or an ASP VPN.

    The idea behind a Virtual Hub hosting service is to set up a clustered VPN Server system, and then create a large number of Virtual Hubs on those VPN Servers. Then you would give administrative rights to whoever will be using or managing that Virtual Hub. This takes care of administration as well as allowing the users of that Virtual Hub to make a VPN connection to that VPN Server and communicate with each other.


    Concept of a Virtual Hub Hosting Service.

    Usefulness of a Virtual Hub Hosting Service in the Corporate Environment

    By utilizing a Virtual Hub hosting service it is possible for the IT department of a large corporation to set up many different types of VPNs using only the Virtual Hubs it provides. For example, if a Virtual Hub hosting service was not used, the IT department would manage a VPN Server system in the company's server room or data center, and create as many Virtual Hubs as necessary for their network. They would then have to give administrator privileges to a person in charge of each department in the company for those Virtual Hubs. Those in charge would next have to install VPN Server and manage a VPN server computer. As you can imagine, this can be a very difficult process.


    Virtual Hub Hosting Service in the Corporate Environment.

    Usefulness of a Virtual Hub Hosting Service for an ISP

    Internet service providers (ISPs) can utilize their high speed backbone connection to the Internet and provide a VPN hosting service to their clients. An ISP could set up a VPN Server system in their data center and create a special Virtual Hub for each client who signs up for the Virtual Hub hosting service. By then giving administrator rights to the client for that Virtual Hub they will be able to freely add users and manage sessions. They can then connect to that Virtual Hub via the Internet from multiple locations and be able to use all the functionality of SoftEther VPN.

    This type of service is extremely useful for users at companies or homes that do not have a global IP address, or do not have a static global IP address and would like to rent a Virtual Hub on a stable VPN Server.

    For example, if a small business wants to set up a remote access VPN system, but has a dynamic global IP address (an IP address that changes every time a connection to the Internet is made), they are unable to install a stable VPN Server within the company. (It is possible to install a VPN Server on this type of network using the DDNS service as explained in section 10.10.4 Adjusting Settings For Broadband Routers or Other Networking Hardware, but this method is not recommended when stability is crucial.) There are also cases of small companies that have a static global IP address, but do not have the technical knowledge required for the daily management of a VPN Server. For these types of companies, a Virtual Hub hosting services provided by their ISP is a viable option. By making a permanent cascade connection from a VPN Bridge installed within the company to the Virtual Hub provided by the ISP, a company can provide a remote access VPN service as described in section 10.4 Build a Generic Remote Access VPN to their employees without running their own VPN Server. An illustration of this type of network is shown in the figure below. Employees wanting to use the remote access VPN connect to the Virtual Hub on the VPN Server provided by the ISP. Data is then routed through this Virtual Hub and to the VPN Bridge connected to the company network by a local bridge, granting remote access to the network.


    Virtual Hub Hosting Service Provided by an ISP.


    Also, using this type of service allows you to join two LANs without a static global IP address through the Virtual Hub hosting service provided by the ISP. Basically, you will be able to create a LAN-to-LAN VPN as described in section 10.5 Build a LAN-to-LAN VPN (Using L2 Bridge) without having to install a VPN Server on your company network.


    A LAN-to-LAN VPN Utilizing an ISP Provided Virtual Hub Hosting Service.

    How to Provide a Virtual Hub Hosting Service

    A corporation or ISP does not need any special certification or permission from SoftEther to provide a large scale Virtual Hub hosting service to their clients.

    10.9.2 Increase Network Scalability By Using Clustering

    Naturally, when running a large scale Virtual Hub hosting service the number of Virtual Hubs on your VPN Servers will likely be very large, as well as the number of VPN sessions connected to those hubs via VPN Client or VPN Bridge.

    Therefore, you will need to use the clustering capabilities as explained in section 10.8 Build a Large Scale Remote Access VPN Service. Using clustering will enable you to create a large number of dynamic Virtual Hubs without taking a performance hit. It will also allow you to handle a high number of VPN sessions at once by balancing the load across multiple VPN Servers. Furthermore, if one of your VPN Servers malfunctions or needs to be taken down for maintenance, the fault-tolerance capability of the cluster controller will automatically move any VPN sessions connected to that VPN server to another, properly working VPN Server. With this in mind, it is possible to set up a large scale Virtual Hub hosting service that runs 24 hours a day, 365 days a year with no downtime.

    10.9.3 Using Dynamic Virtual Hubs

    You can create one or more Virtual Hubs within the cluster. When dealing with clusters, there are two types of Virtual Hubs: static Virtual Hubs and dynamic Virtual Hubs.

    The best one to use for a Virtual Hub hosting service is the dynamic Virtual Hub. (See section 3.9.8 Dynamic Virtual Hubs.)

    10.9.4 Network Layout

    This section will explain the network layout as shown in the figure below.


    Network Layout.


    In this example there are five server computers installed in a data center which make up the VPN Server cluster. For this example, assume that all server machines have a static global IP address.

    If you were to set up a five server cluster such as one in the example above only to find that the load on each VPN Server is too high, you can simply add more VPN Servers to increase the throughput of the cluster and to decrease the overall load on each machine.


    10.9.5 Installing and Configuring the Cluster Controller

    When installing multiple VPN Servers as a cluster you must first install the first VPN Server as the cluster controller. If the VPN Server machines you have prepared have different hardware specifications, you should pick the one with the most memory and the most powerful hardware to be the cluster controller.

    Please refer to section 3.9.2 Cluster Controllers for more information on setting up a VPN Server as a cluster controller.

    10.9.6 Installing and Configuring the Cluster Member Servers

    Each VPN Server installed after the first will connect to the cluster controller as a cluster member server. Please refer to section 3.9.3 Cluster Member Servers for more information on setting up a VPN Server as a cluster member server.

    10.9.7 Creating Dynamic Virtual Hubs

    When you make Virtual Hubs for a Virtual Hub hosting service you should always make them as dynamic Virtual Hubs. For example, you may need to make new Virtual Hubs for your company or, as an ISP, when new clients sign up for your Virtual Hub hosting service.


    10.9.8 Assigning Virtual Hub Administrator Rights

    When you make a new Virtual Hub you will have to give administrator rights to the user that will actually be managing that Virtual Hub. In a corporation, administrator rights would be given to the person who requested the Virtual Hub from the IT department. For an ISP, they would be given to the client who has requested the Virtual Hub hosting service.

    Handing off administrator rights is as easy as telling the user the administrator password for the Virtual Hub, or registering a password the user requests when you first create the Virtual Hub. Please refer to section 3.3 VPN Server Administration for more information on giving out administrator rights.

    Once the user has their password they can use it to log in to the cluster controller via their own VPN server management tool or vpncmd and freely manage their Virtual Hub. They will have access to all the features a Virtual Hub administrator has such as adding new users/groups, configuring access lists, log file settings, and more. You can also restrict access to these operations as you see fit. Please refer to section 10.9.11 for more details.


    10.9.9 Managing VPN Sessions on a Clustered VPN

    Once you have finished setting up your clustered environment, there is usually no need to make an administrative connection directly to the cluster member servers. Administrative operations such as downloading log files, changing logging preferences, adding/removing/editing currently connected users, configuring external authentication servers, or configuring trusted authentication certificates can all be done on the cluster controller. The controller will then update all VPN Servers on the cluster to maintain consistency automatically.

    Each Virtual Hub's administrator is only able to make an administrative connection to the cluster controller. Remember, you can only make a direct administrative connection to the cluster controller, not the other cluster member servers.


    10.9.10 Automating the Creation and Management of a Large Quantity of Virtual Hubs or Users

    Using vpncmd for Management Automation

    You may need to automatically create a Virtual Hub for a user after they have signed up for your Virtual Hub hosting service through a form on your website or another method. This is especially true for ISPs. You can automate this process of creating new dynamic Virtual Hubs for your clients.

    By using an automatic managing system that could, for example, automatically delete a Virtual Hub from the cluster if a user cancels their service, or automatically restrict access to a Virtual Hub that a user has not made a payment on in time, you can make managing your system very easy.

    You can use the SoftEther VPN command line management interface (vpncmd) to develop a system such as this. vpncmd can call scripts such as CGI or ASP/ASP.NET in the background with parameters given through a command line. Error codes or output files returned by those scripts can be retrieved by vpncmd.

    Refer to section 6. Command Line Management Utility Manual for more information about vpncmd. An ISP can use vpncmd to call its own internal automated system to automate the control of its VPN Servers or Virtual Hubs when providing a Virtual Hub hosting service.

    10.9.11 User's Usage Status and Billing

    By connecting to the VPN Server with overall administrator rights you can manage or view the traffic volume of each Virtual Hub on the entire system. An ISP will need to use this to bill each user (Virtual Hub) appropriately according to the traffic volume of that individual user. You can get this information by retrieving the statistical data automatically created and managed by the VPN Server and each Virtual Hub. Also, this information is stored in the vpn_server.config configuration file generated by the cluster controller. By retrieving the data stored in this file you can measure the traffic volume for each user and bill them accordingly. Please refer to section 3.3.10 Administration of Statistical Information for more information on the statistical data generated by VPN Server and the Virtual Hubs. You could also make a simple program that process and records this information to automatically calculate billing for you.

    10.9.12 Limiting Administrator Rights by Configuring the Virtual Hub Management Options

    The overall VPN Server administrator (the ISP or company IT department's administrator) can limit the administrative functions available to each Virtual Hub's administrator (a client or employee).

    This feature is referred to as the Virtual Hub management options and is a standard feature of VPN Server. Please refer to section 3.5.12 Virtual Hub Administration Options for a list of items you can configure.

    By configuring the Virtual Hub management options you could, for example, limit the maximum number of allowed simultaneous VPN sessions on a certain Virtual Hub despite the number originally set by the Virtual Hub. You can also set the maximum number of users or groups that can be created on a Virtual Hub. ISPs can use this functionality to provide different pricing plans to their customers. By providing several plans that differ in terms of maximum users, connection speed, and usable features you can provide flexible options to meet the individual needs of each customer.