All posts in category PowerShell

Always On VPN SSTP and 47-Day TLS Certificates

The Secure Socket Tunneling Protocol (SSTP) VPN protocol uses Transport Layer Security (TLS) encryption and HTTP transport over TCP port 443. SSTP is easy to configure and firewall-friendly, making it an excellent choice for the Always On VPN user tunnel. Security best practices dictate using a TLS certificate issued by a public Certification Authority (CA). Today, the maximum lifetime of a public TLS certificate is 398 days (approximately 1 year). Always On VPN administrators using SSTP are familiar with the process of renewing their SSTP certificate annually. However, that’s about to change.

47 Days

In April of this year, the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI), adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. This means Always On VPN administrators using public TLS certificates must eventually update their TLS certificates monthly.

Automation

Of course, no administrator in their right mind would want to renew SSTP certificates every month. Automating this process will be crucial to ensuring reliability and reducing management overhead. I’ll provide more details later in this post.

Why Is This Happening?

The industry has been trending toward shorter certificate lifetimes for a while now. In the old days, you could purchase a certificate valid for 5 years or more. Today, a one-year certificate is all you can get. Let’s Encrypt, a public CA that issues certificates for free, issues only 90-day lifetime certificates.

Advantages

The advantage of using short-lived certificates for public TLS certificates is that they improve security and provide agility for future changes. Public TLS certificates become less secure and trustworthy over time. The longer a certificate is valid, the less trustworthy it becomes and the longer the opportunity for an attacker to leverage a certificate for which the private key has been compromised.

Why 47 Days?

A 47-day maximum certificate lifetime allows administrators to rotate their certificates monthly (a maximum of 31 days plus some margin to resolve issues).

Not So Fast

The good news for Always On VPN administrators using SSTP with public TLS certificates is that they won’t have to worry about this immediately. The reduction in maximum certificate lifetime to 47 days takes place gradually over a few years.

  • Today, the maximum public TLS certificate lifetime is 398 days
  • On March 15, 2026, the maximum public TLS certificate lifetime will be reduced to 200 days
  • On March 15, 2027, the maximum public TLS certificate lifetime will be reduced to 100 days
  • On March 15, 2029, the maximum public TLS certificate lifetime will be reduced to 47 days

Let’s Encrypt

Over the years, I’ve deployed Always On VPN with SSTP for several customers using Let’s Encrypt TLS certificates. Let’s Encrypt is a pubic CA that issues certificates with a maximum lifetime of 90 days, so automating this task is essential. Let’s Encrypt supports ACME, a standard protocol for automating the issuance and renewal of TLS certificates, which makes automating TLS certificate installation and renewal a breeze.

Sample Script

I’ve published a sample PowerShell script demonstrating how to automate the enrollment process for Let’s Encrypt TLS certificates. It leverages the Posh-ACME PowerShell module and my AOVPNTools module to enroll and automatically install a TLS certificate for SSTP. This script will also work for DirectAccess. You can find the sample script here.

Note: My sample script demonstrates using the Cloudflare DNS plugin for Posh-ACME. Posh-ACME has plugins for many public DNS providers, which can be found here. Feel free to customize my script to meet your specific needs.

Act Now

Always On VPN administrators are advised to consider solutions to automate TLS certificate enrollment and renewal as soon as possible. If your public CA of choice doesn’t support some form of certificate automation like ACME, it’s time to find another provider.

Summary

Starting in March 2026, the maximum lifetime for public TLS certificates will be reduced gradually, reaching just 47 days by March 2029. Automation will no longer be optional for Always On VPN administrators using SSTP—it will be essential. Tools like the Posh-ACME PowerShell module provide a reliable solution to streamline certificate management and ensure uninterrupted connectivity. Now is the time to prepare for this industry shift by implementing automated certificate renewal solutions. If you’d like professional assistance with this task or simply want to learn more about your options, drop me a note via the contact page, and I’ll respond with more information.

Additional Information

TLS Certificate Lifetimes Will Officially Reduce to 47 Days – DigiCert

Posh-ACME PowerShell Module

Posh-ACME Documentation

Always On VPN Tools (AOVPNTools) PowerShell Module

1 Comment
by Richard M. Hicks on April 22, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, Certificate Authority, Certificate Services, certificates, Cryptography, Deployment, encapsulation, Encryption, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PKI, PowerShell, Professional Services, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, SSL, SSL and TLS, TLS, TLS 1.3, Transport Layer Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 22, 2025

https://directaccess.richardhicks.com/2025/04/22/always-on-vpn-sstp-and-47-day-tls-certificates/

Always On VPN Troubleshooting with Windows Packet Monitor PktMon.exe

When troubleshooting Always On VPN, taking a network packet capture or network trace is sometimes required to identify the root cause of a problem. After all, Packets Don’t Lie™. There are numerous ways to capture packets. Many administrators will install Wireshark for this purpose. However, Windows has a native packet capture tool called PktMon.exe that offers many advantages over Wireshark.

Wireshark

Many Always On VPN administrators will be familiar with Wireshark. Wireshark is a popular open-source network protocol analyzer that enables the capture and analysis of network traffic for troubleshooting. A packet capture driver must first be installed to capture network traffic with Wireshark. Typically, administrators will install Npcap, which is part of the default installation of Wireshark. Installing a capture driver poses a potential problem, as the administrator must install software on the target device before capturing traffic. Installing software may not always be feasible or possible. Fortunately, there’s an alternative.

PktMon.exe

The Windows Packet Monitor (PktMon.exe) is a built-in command-line tool first introduced in Windows 10 1809 and Windows Server 2019. It is designed to capture network traffic on Windows servers and client systems. This native lightweight tool is ideal for collecting network traces for offline analysis.

Capture All Interfaces

The most common scenario for PktMon.exe is to capture data for offline analysis. Use the following command to capture all network traffic on all active network interfaces.

PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp nics –flags 0x10

The command breaks down as follows:

–capture – captures network traffic

–file – the path of the file to save the data to

–pkt-size 0 – captures the full packet (not truncated)

–comp nics – captures traffic on all active network interfaces

–flags 0x10 – captures the raw packet

After reproducing the issue, you can stop the trace by running the following command.

PktMon.exe stop

Capture Specific Interface

Administrators may wish to capture traffic on a specific network interface instead of all active network interfaces. In this example, I have a multi-homed VPN server and want to capture traffic on only the DMZ interface. To do this, use PktMon.exe to enumerate all interfaces using the following command.

PktMon.exe list

Note: The output of PktMon.exe filter list does not include information that easily maps to existing network interfaces. I suggest also running the Get-NetAdapter PowerShell command to view detailed information about network interfaces. You can use this information to select the correct Network ID for PktMon.exe filtering.

Next, change the value of –comp nics in the command referenced above to –comp <Network ID>. Here’s an example.

PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp 62 –flags 0x10

Filtering

It’s also possible to use PktMon.exe to capture network traffic selectively. Filtering allows you to narrow the capture to relevant traffic, making analysis easier and faster. Add a filter, then start a trace to restrict data capture to traffic that matches the defined filters. You can add one or more filters to apply to the capture. Here are a few examples.

Protocols and Ports

Let’s say you are troubleshooting a device tunnel connection and want to see only IKEv2 traffic. The following filter will restrict the network capture to only the IKEv2-related protocols and ports.

PktMon.exe filter add IKEv2 -t UDP -p 500
PktMon.exe filter add IKEv2 -t UDP -p 4500

IP Address

The following filter will capture data that includes the specified IP address in the source or destination address field.

PktMon.exe filter add VPN1 -i 172.21.12.50

You can also specify IP address subnets using their CIDR notation.

PktMon.exe filter add Subnet1 -i 172.16.0.0/16

View and Clear Filters

You can view configured filters using the following command.

PktMon.exe filter list

You can remove configured filters using the following command. Use with caution, as this removes ALL filters!

PktMon.exe filter remove

Reference

You’ll find a complete list of PktMon.exe filters here.

Analysis

PktMon.exe outputs captured data in ETL format. Administrators can convert captured data to the standard PCAP format by running the following command.

PktMon.exe etl2pcap <path of trace file>

This command converts the file from ETL to PCAPNG format. Administrators can then open the capture in Wireshark for further detailed analysis.

Display Only

PktMon.exe can be configured to display network traffic in the console for quick troubleshooting. Console traffic display can be helpful for those scenarios where a quick check to validate traffic is reaching a particular destination is required. Here’s an example.

PktMon.exe start –capture –pkt-size 0 –comp nics –flags 0x10 -m real-time

Note: In the example above, I applied a traffic filter to limit the capture to only SSTP traffic (TCP 443).

Limitations

One crucial limitation of PktMon.exe is that it doesn’t support persistent network captures that survive a reboot. Persistent captures can be helpful when troubleshooting a device tunnel connection or slow logons. In this scenario, you must use netsh.exe.

netsh.exe trace start capture=yes tracefile=c:\tracefile.etl persistent=yes

<reboot>

netsh.exe trace stop

Although PktMon.exe supports the ‘etl2pcap’ switch, it does NOT work for converting .etl files generated with netsh.exe. To convert captures created with netsh.exe, use the open-source etl2pcapng tool.

Learn More

PktMon.exe has many different uses. This post barely scratches the surface of what PktMon.exe can do. PktMon.exe comes with robust help, accessible by adding the ‘help’ switch to commands. Here are some examples.

PktMon.exe start help
PktMon.exe filter add help

Be sure to view the online help to explore various options for capturing and logging to meet your specific needs.

Summary

PktMon.exe is a native command-line utility in Windows that provides a lightweight solution for capturing network traffic, making it particularly useful for Always On VPN troubleshooting. Key functionalities include full-packet captures, selective filtering by protocol, port, or IP address, and conversion of ETL files to PCAPNG format for analysis in tools like Wireshark. Real-time traffic displays are also supported for quick diagnostics. While effective for many scenarios, PktMon.exe lacks support for persistent captures across reboots, for which netsh.exe is recommended. The techniques outlined above offer administrators a practical, software-free approach to deep packet inspection for troubleshooting Always On VPN issues.

Have you used PktMon.exe for network troubleshooting? Feel free to share tips and tricks in the comments section below!

Additional Information

Getting Started with Windows Packet Monitor (PktMon.exe)

PktMon.exe Filter Reference

Open-source Etl2pcap for netsh.exe captures

Leave a comment
by Richard M. Hicks on March 31, 2025  •  Permalink
Posted in Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, nmap, Open Source, Operational Support, PowerShell, Remote Access, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 31, 2025

https://directaccess.richardhicks.com/2025/03/31/always-on-vpn-troubleshooting-with-windows-packet-monitor-pktmon-exe/

Configure Entra Conditional Access for Always On VPN

Recently, I wrote about Microsoft Always On VPN and Entra Conditional Access and how conditional access improves your organization’s security posture by making policy-based access decisions based on various signals such as user identity, location, device compliance, platform, sign-in risk, and more. In this post, I’ll provide step-by-step instructions for integrating Entra Conditional Access with existing Always On VPN deployments.

Requirements

To use Microsoft Entra Conditional Access with Always On VPN you must have Entra ID P1 at a minimum. To use advanced features such as risk-based policy assessment, you must have Entra ID P2. In addition, all endpoints must be under Intune management; either native Entra ID joined, or hybrid Entra ID joined.

Enable VPN Support

To begin, open the Microsoft Entra admin center (https://entra.microsoft.com/), navigate to Identity > Protection > Conditional Access, and perform the following steps.

  1. Click VPN Connectivity.
  2. Click New certificate.
  3. From the Select duration drop-down list, choose an appropriate certificate validity period.
  4. Click Create.

Once complete, click Download certificate and copy the certificate file to a domain-joined system on-premises.

Publish Certificate

Next, administrators must publish the Entra VPN root certificate in Active Directory to support domain authentication. Open an elevated PowerShell or command window and run the following commands.

certutil.exe -dspublish -f <path to certificate file> RootCA

certutil.exe -dspublish -f <path to certificate file> NtAuthCA

Note: You must be a domain administrator to perform this task.

Conditional Access Policy

Navigate to Identity > Protection > Conditional Access and click Policies, then perform the following steps to create a conditional access policy for VPN access.

  1. Click New Policy.
  2. Enter a descriptive name for the new policy.
  3. Click the link in the Target resources section.
  4. From the Select what this policy applies to drop-down list, select Resources (formerly cloud apps).
  5. In the Include section, choose Select resources.
  6. Click the link in the Select section.
  7. Enter VPN in the search field.
  8. Check the box next to VPN Server.
  9. Click Select.
  10. Click the link in the Grant section.
  11. Select Grant access.
  12. Check the box next to Require device to be marked as compliant.
  13. Click Select.
  14. On the Enable policy slider, select On.
  15. Click Create.

NPS

Changes to Network Policy Server (NPS) policy and configuration are required to support Always On VPN with Entra Conditional Access.

NPS Policy

To update the Always On VPN network policy to support Entra Conditional Access, open the NPS management console (nps.msc), expand Policies, then select Network Policies and perform the following steps.

  1. Right-click on the Always On VPN policy and choose Properties.
  2. Select the Settings tab.
  3. Select Vendor Specific in the RADIUS Attributes section.
  4. Click Add.
  5. Select the Allowed-Certificate-OID attribute.
  6. Click Add.
  7. Click Add.
  8. Enter 1.3.6.1.4.1.311.87 in the Attribute value field.
  9. Click Ok.
  10. Click Ok.
  11. Click Close.
  12. Click Ok.

Important Note: This change will block new Always On VPN user tunnel connections until you update the client configuration. When integrating an existing Always On VPN implementation with Entra Conditional Access, consider creating a new NPS policy and corresponding security group to migrate users to conditional access seamlessly.

NPS Configuration

By default, NPS will perform revocation checks for certificates used for domain authentication. However, Entra Conditional Access uses short-lived certificates (one-hour lifetime) that do not include CRL Distribution Point (CDP) information. Therefore, administrators must change the NPS server configuration to disable revocation checking for certificates lacking this information.

To do this, open the registry editor (regedit.exe) and create a new registry key with the following settings.

Key: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: IgnoreNoRevocationCheck
Type: DWORD
Value: 1

You can also run the following PowerShell command to implement this change.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, the server must be rebooted for the change to take effect.

Client Configuration

After making all required changes to the supporting infrastructure, you must also update the  Always On VPN client configuration to leverage Entra Conditional Access. Changes to client configuration vary depending on the method used to deploy and manage Always On VPN client configuration settings.

Intune

When using Microsoft Intune and the native VPN policy type to deploy and manage Always On VPN client configuration settings, perform the following steps to update the VPN configuration to include Entra Conditional Access support.

  1. Open the Microsoft Intune admin center (https://intune.microsoft.com/) and navigate to Devices > Configuration.
  2. Click on the Always On VPN policy.
  3. Click Edit next to Configuration settings.
  4. Expand the Conditional Access section.
  5. Click Enable next to Conditional access for this VPN connection.
  6. Click Enable next to Single sign-on (SSO) with alternate certificate.
  7. Enter Client Authentication in the Name field.
  8. Enter 1.3.6.1.5.5.7.3.2 in the Object Identifier field.
  9. Enter the organization’s root certification authority (CA) certificate thumbprint in the Issuer hash field.

XML

When using a custom XML configuration file for Always On VPN client configuration settings deployed using Intune or PowerShell, edit the XML file, remove the existing <TLSExtensions></TLSExtensions> section, and replace it with the following.

In addition, add the following code between the <VPNProfile></VPNProfile> tags after <TrustedNetworkDetection>.

Note: You will find a sample XML configuration file you can copy and paste from on GitHub here.

DPC

When using Always On VPN Dynamic Profile Configurator (DPC) for managing Always On VPN client configuration settings, open the DPC group policy and navigate to Computer Configuration > Policies > Administrative Templates > DPC Client > User Tunnel Settings > Advanced and perform the following steps.

  1. Double-click Optional – Device Compliance Settings.
  2. Select Enabled.
  3. Enter 1.3.6.1.5.5.7.3.2 in the Certificate EKU OID field.
  4. Enter the organization’s root certification authority (CA) certificate thumbprint in the Certificate Issuer Hash field.
  5. Click Ok.

Not using DPC? You’re missing out! Learn more about Always On VPN DPC here.

Video

I’ve published a demonstration video for enabling Microsoft Entra ID Conditional Access with Always On VPN on YouTube. You can find the video here.

Summary

Following the guidance in this post to integrate Entra Conditional Access with Always On VPN can significantly improve your organization’s security posture. In the example above, the conditional access policy is a basic one. Yet, it dramatically reduces the attack surface for your remote access infrastructure by ensuring only compliant devices can establish a VPN connection.

Administrators can use advanced conditional access policy settings to strengthen the VPN’s security further by performing additional checks, such as requiring strong, phishing-resistant credentials and requesting multifactor authentication (MFA) for risky sign-ins.

Additional Information

Always On VPN and Entra Conditional Access

Drawback of Multifactor Authentication

Understanding Enterprise Public Key Infrastructure (PKI)

Digital Certificates for Strong Authentication

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Open Source

Leave a comment
by Richard M. Hicks on February 17, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MF, Azure MFA, Azure VPN, cloud, Cloud Service, Compliance, Conditional Access, Deployment, Device Management, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, GitHub, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, InTune, MDM, MFA, Microsoft, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, network policy server, NPS, Operational Support, PowerShell, public cloud, Remote Access, routing and remote access service, RRAS, Security, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 17, 2025

https://directaccess.richardhicks.com/2025/02/17/configure-entra-conditional-access-for-always-on-vpn/

« Older Posts