Once Windows 10 Always On VPN has been deployed in production, it may be necessary at some point for administrators to deny access to individual users or computers. Commonly this occurs when an employee is terminated or leaves the company, or if a device is lost, stolen, or otherwise compromised. Typically, this means that user accounts and computer accounts in Active Directory are disabled, and any issued certificates are revoked. However, additional steps may be required to disconnect current VPN sessions or prevent future remote connections.
Certificate Revocation
When certificates are used for authentication, for example when a device tunnel is deployed, or a user tunnel is configured to use Extensible Authentication Protocol (EAP) with user certificate authentication, immediately revoking issued user and device certificates and publishing a new Certificate Revocation List (CRL) is recommended. However, this will not instantly prevent VPN access because revocation information is cached on the VPN and NPS servers, as well as any online responders. The process of flushing certificate revocation caches is challenging and time consuming as well.
Blocking Users
To immediately prevent users from accessing the VPN, a security group must be created in Active Directory that contains the users that will be denied access. In addition, a Network Policy must be created on the Network Policy Server (NPS) that denies access to users belonging to this security group.
NPS Configuration
Once the security group has been created, open the NPS management console (nps.msc) and perform the following steps.
- Expand Policies.
- Right-click Network Policies and choose New.
- Enter a descriptive name for the policy in the Policy name field.
- Select Remote Access Server (VPN-Dial up) from the Type of network access server drop-down list.
- Click Next.
- Click Add.
- Select User Groups.
- Click Add.
- Click Add Groups.
- Select the security group created for denied users.
- Click OK twice.
- Click Next.
- Select Access denied.
- Click Next four times and click Finish.
Once complete, move the deny access policy so that it is before the policy that allows VPN access.
Device Tunnel Considerations
Since device tunnel connections don’t use the NPS for authentication, blocking devices from establishing Always On VPN connections requires a different technique. Once again, revoking the computer certificate and publishing a new CRL is recommended, but isn’t immediately effective. To address this challenge, it is recommended that the computer certificate issued to the client be retrieved from the issuing CA and placed in the local computer’s Untrusted Certificates store on each VPN server, as shown here.
Note: The certificate must be imported on each VPN server in the organization.
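One way to carry out the per-server import described above with PowerShell, as an added example that is not part of the original post. It assumes the device certificate has already been retrieved from the issuing CA and exported to a .cer file, that PowerShell remoting is enabled on the VPN servers, and that the file path and server names (all placeholders) are replaced with your own. The "Untrusted Certificates" store shown in the certificates console is the system store named Disallowed.

```powershell
# Added example (not the original post's code): place a blocked device's
# certificate in the LocalMachine "Untrusted Certificates" (Disallowed) store
# on every VPN server, then verify the import by thumbprint.
# Assumptions: .cer already exported from the CA; remoting enabled; names below
# are placeholders.
param(
    [string]$CertPath = 'C:\Temp\client1.corp.example.net.cer',                    # placeholder
    [string[]]$VpnServers = @('vpn1.corp.example.net', 'vpn2.corp.example.net')   # placeholders
)

$certBytes  = [System.IO.File]::ReadAllBytes($CertPath)
$thumbprint = ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)).Thumbprint

# Push the raw certificate bytes to each VPN server and add them to the
# Disallowed store; the store is opened read/write and always closed.
$results = Invoke-Command -ComputerName $VpnServers -ScriptBlock {
    $bytes = $using:certBytes
    $tp    = $using:thumbprint
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        'Disallowed',
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.Open('ReadWrite')
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $store.Add($cert)   # no-op if the certificate is already present
    } finally {
        $store.Close()
    }
    # Verification: the certificate must now be visible under the store by thumbprint.
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Thumbprint = $tp
        Blocked    = (Test-Path -Path "Cert:\LocalMachine\Disallowed\$tp")
    }
}

$results | Format-Table Server, Thumbprint, Blocked -AutoSize
if ($results | Where-Object { -not $_.Blocked }) {
    throw 'Certificate import failed on one or more VPN servers.'
}
```

Running this from an administrative workstation covers every server in the list in one pass, which addresses the note that the certificate must be imported on each VPN server; the final check fails loudly if any server was missed.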
Terminating Connections
Once the guidance above is put into place, any user or device that is denied access will be unable to connect to the VPN. However, if a user or device is currently connected when these changes are implemented, additional steps must be taken to proactively terminate their existing session. When using Windows Server Routing and Remote Access Service (RRAS) as the VPN server, user sessions can be proactively terminated using the RRAS management console or PowerShell.
GUI
To terminate an established Always On VPN connection, open the RRAS management console (rrasmgmt.msc), highlight Remote Access Clients, then right-click the client connection and choose Disconnect. Repeat the process for any additional connections established by the user or device.
PowerShell
Alternatively, Always On VPN connections can also be terminated programmatically using PowerShell. To identify currently connected users on a VPN server, open an elevated PowerShell command window and run the following command.
Get-RemoteAccessConnectionStatistics | Format-Table -AutoSize
Next, to disconnect a user tunnel, identify the User Principal Name (UPN) of the user to disconnect and include it in the following PowerShell command.
Disconnect-VpnUser -UserName "[email protected]"
To disconnect a device tunnel, identify the Fully-Qualified Domain Name (FQDN) of the device to disconnect and include it in the following PowerShell command.
Disconnect-VpnUser -UserName "client1.corp.example.net"
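The two commands above disconnect one session at a time. The following script, an added example that is not part of the original post, ties the Blocking Users and Terminating Connections sections together: it reads the "denied access" security group from Active Directory, compares the members against the sessions reported by Get-RemoteAccessConnectionStatistics, and disconnects every match with Disconnect-VpnUser. It goes slightly beyond the article by also accepting a maximum session age. Assumptions: it runs elevated on the RRAS server with the RemoteAccess and ActiveDirectory modules available, the group name is a placeholder, and the ConnectionDuration value is treated as seconds.

```powershell
# Added example (not the original post's code): disconnect active Always On VPN
# sessions belonging to members of the AD "denied access" group, and optionally
# any session older than -MaxAgeHours. Supports -WhatIf for a dry run.
# Assumptions: elevated session on the RRAS server; group name is a placeholder;
# ConnectionDuration is assumed to be reported in seconds.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DenyGroup   = 'VPN-Denied-Access',   # placeholder group name
    [int]$MaxAgeHours    = 0                      # 0 = never disconnect by age
)

Import-Module RemoteAccess
Import-Module ActiveDirectory

# Identities that must not hold a session. Users are matched by UPN (the form
# the article uses for user tunnels) and by DOMAIN\sAMAccountName; computers
# are matched by DNS host name (the form used for device tunnels).
$denied  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$netbios = (Get-ADDomain).NetBIOSName
foreach ($member in Get-ADGroupMember -Identity $DenyGroup -Recursive) {
    switch ($member.objectClass) {
        'user' {
            $u = Get-ADUser -Identity $member.distinguishedName -Properties UserPrincipalName
            if ($u.UserPrincipalName) { [void]$denied.Add($u.UserPrincipalName) }
            [void]$denied.Add("$netbios\$($u.SamAccountName)")
        }
        'computer' {
            $c = Get-ADComputer -Identity $member.distinguishedName -Properties DNSHostName
            if ($c.DNSHostName) { [void]$denied.Add($c.DNSHostName) }
        }
    }
}

$disconnected = @()
foreach ($conn in Get-RemoteAccessConnectionStatistics) {
    $name   = $conn.UserName
    $tooOld = ($MaxAgeHours -gt 0) -and ([double]$conn.ConnectionDuration -gt ($MaxAgeHours * 3600))
    $reason = if ($denied.Contains($name)) { 'member of deny group' }
              elseif ($tooOld)             { "session older than $MaxAgeHours h" }
              else                         { $null }
    if (-not $reason) { continue }

    # ShouldProcess honours -WhatIf/-Confirm so the list can be reviewed first.
    if ($PSCmdlet.ShouldProcess($name, "Disconnect VPN session ($reason)")) {
        Disconnect-VpnUser -UserName $name -ErrorAction Stop
        $disconnected += [pscustomobject]@{
            UserName = $name
            ClientIP = $conn.ClientIPAddress
            Reason   = $reason
        }
    }
}

$disconnected | Format-Table -AutoSize
```

Run it once with -WhatIf to see which sessions would be dropped, then without; scheduling it shortly after the deny group is updated closes the window between disabling an account and its existing tunnel being torn down.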
Matt / April 22, 2019
Looks like the disconnection of active connections via PowerShell only applies when using RRAS.
How would you do this if using a third party VPN server such as Cisco ASA with or without the AnyConnect app plugin?
Richard M. Hicks / April 22, 2019
That’s correct. Terminating VPN sessions on non-Microsoft VPN platforms varies depending on the manufacturer. You’ll need to consult the vendor for specific guidance.
Rick Goodman / April 25, 2019
Hi Richard. Thanks for your great posts, it’s helped me to work through deploying the Always On VPN which has been much needed for our organization. I do have a couple of issues I’m still facing. I’m using an IP address pool on the RRAS server and after setting the client VPN connection to “Register this device in DNS”, it does register, but it registers both the VPN IP address and their LAN IP address. Can this be prevented? I also see that in SCCM the client is always Inactive, yet I can ping the device by name from the SCCM server. Is there anything else I need to open up for that to work?
Richard M. Hicks / April 25, 2019
This DNS registration thing is a known issue. Microsoft is aware and addressing it. No ETA on a public fix though. I’ll be sure to post something when it is released. I’m not familiar at all with SCCM so I’m not sure what to tell you there. I can only suggest you ensure that any firewall rules required for SCCM to client communication are enabled on the client.
Paddy Berger / May 1, 2020
Hi Richard, is there PowerShell to remove all users rather than specify each user to disconnect? We want to run a script every morning so that it basically refreshes all sessions.
Paddy Berger / May 1, 2020
Update: I am able to restart user sessions from NPS, however not device sessions, hence if there is a script that can log off all sessions that would be better.
Richard M. Hicks / May 1, 2020
Device tunnel connections don’t use NPS, so that won’t work. See my previous comment for suggestions.
Richard M. Hicks / May 1, 2020
You could alter my script to remove the MaxAge parameter if you like. Or you could just restart the RemoteAccess service and that would disconnect everyone immediately.
Paddy Berger / May 5, 2020
Thanks Richard, ended up creating a PS script to disconnect sessions whose ConnectionDuration was greater than 8 hours. Added to a scheduled task and all working as expected.
Richard M. Hicks / May 5, 2020
Awesome! 🙂
Simon Quist Erichstrup / March 18, 2021
Yes, my thoughts exactly. Keep it simple 🙂
Those actively working and using their tunnel(s) shouldn’t notice much.
Of course there may be some apps made by self-taught “coders” who never test their stuff in multi-tier configurations with latencies and cut-offs.
But life is too short to deal with those 😉
Also for blocking specific users, I like the AD group approach and would actively deny that group from Always On VPN related GPOs (we have one ensuring User Cert roll-out and another with custom settings) as well as use it in NPS (as specified above).
David White / February 10, 2022
Hi Richard. When you say ‘…computer accounts in Active Directory are disabled, and any issued certificates are revoked’ – is the computer certificate automatically revoked? We disabled a computer account then re-enabled it a while later – the certificate was still valid, is that expected?
Thanks.
Richard M. Hicks / February 10, 2022
No. Disabling a computer account in Active Directory doesn’t automatically revoke the device certificate. The administrator will have to perform that task manually. And yes, the certificate is still valid for the device if you simply disabled/enabled the computer account.
Simon / March 29, 2023
Hi Richard, I refer to “NPS Configuration”.
I have in my organization an Always On VPN server in a different network for protection (DMZ). The server doesn’t have access to the domain. (Only the port for the RADIUS check is open.) Do you know a solution for how I can get the security group to the VPN server without adding the server to the domain?
Thanks.
Richard M. Hicks / March 29, 2023
You can’t, unfortunately. I’m curious, though, why would you need to add the VPN users security group to the VPN server? Typically you would only need to do that on the NPS server, which must be joined to your domain.