Awards
Consulting
Newsletter
Subscribe today!
Connect
- Facebook
- Twitter
- LinkedIn
- YouTube
- GitHub
- Tumblr
My Tweets
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- April 2021
- March 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
0x2af9 0x274c 0x800b0101 0x800b0109 0x80090326 2FA 6to4 691 809 812 853 864 892 1803 1809 2012 R2 13801 13806 13868 20227 A10 access access denied ACL Activation active/passive Active Directory Active Directory Certificate Services active directory domain services AD ADC AD CS AD DS administration administrator advertise default route always on Always On VPN Always On VPN. VPN Always On VPN book Always On VPN device tunnel Amazon amazon.com Amazon Web Services anniversary update AOVPN aovpn Always On VPN aovpn book appliance application deliver controller application delivery application delivery controller Application Filter application policy Apress Apress Media ARP assurance attack attack surface audit authentication authenticity automation autopilot availability award AWS Azure Azure AD Azure AD Join Azure Application Gateway Azure Conditional Access Azure infrastructure Azure Load Balancer Azure MFA Azure Traffic Manager Azure Virtual WAN Azure VPN Azure VPN Gateway backup Belgium best practice best practice analyzer best practices BIG-IP BIGIP biometric Bomgar book BPA bug business BYOD CA ccertificate CDN certificate certificate 6to4 certificate authentication certificate authority certificate expiration certificate revocation certificate revocation list certificates certificate selection certificate server certificate template Certification Authority CERT_E_EXPIRED Checkpoint Check Point CIDR cipher cipher suite cipher suites Cisco Cisco Umbrella Citrix Citrix ADC Citrix NetScaler class-based default route class-based routing client client authentication client authentication certificate client deployment client operating system client provisioning clients cloud Cloudflare cloud infrastructure cluster clustering cmdlet CNG code codeplex command line Compliance component event log conditional access conference ConfigMgr configuration configuration error configuration manager Configuration Service Provider connect connected standby connecting connection failure connection status connectivity connectivity assistant consulting consulting services content filter control cookbook Core corporate resource COVID-19 CPU CRL CRL check cryptographic key cryptographic next generation cryptographic service provider cryptography CSP CSR custom cryptography custom IPsec policies custom IPsec policy custom policy DA database datacenter DCA DCA 2.0 DDoS decommission deep-packet inspection deep dive default route Dell demo demonstration denial of service deny access deployment deployment flexibility deployment guide deprecated deprecated feature design development Device Management device tunnel DFS DFS-R DHCP diagnostic log Direct Access DirectAccess DirectAccess. remote access DirectAccess 2012 DirectAccess 2012 R2 DirectAccess alternative DirectAccess alternatives DirectAccess Book DirectAccess clients DirectAccess Connectivity Assistant DirectAccess Deprecated DirectAccess End of Life DirectAccess EOL DirectAccess troubleshooting disaster recovery disconnect distributed file service DMZ DNAT DNS DNS64 DNS registration DNS suffix document management domain domain controller DomainNameInformation DoS DoS Protection Mode DPI DR drinks DTE Dual NIC dynamic password EAP EAP-TLS EC EC2 ECC ECDHE ECDSA education EKU elastic compute cloud elastic IP ELB elliptical curve elliptic curve cryptography. cryptography encapsulation encryption end of life endpoint management endpoint manager enhanced key usage enterprise enterprise edition enterprise mobility Enterprise Networking Enterprise Networking Magazine enterprise VPN entry point EOL error error 0x800b0101 error 619 error 691 error 801 error 809 error 829 Error 853 error 864 error 13806 error 13868 error code error code 809 error code 853 error code 858 error message ERROR_IPSEC_IKE_AUTH_FAIL ERROR_IPSEC_IKE_NO_CERTIFICATE ESTS_TOKEN_ERROR Europe event event ID 6 event ID 1000 event ID 7024 Event ID 20227 event log event viewer exception exceptions Exchange 2013 Exchange OWA Exchange OWA 2010 exclusion route exclusions expired certificate explorer export extensible authentication protocol external load balancer F5 F5 BIG-IP F5 Local Traffic Manager F5 LTM failover failure fallback feature file explorer file replication service file share financial FIPS firewall fix Florida force tunnel force tunneling Forefront Forefront TMG Forefront TMG 2010 Forefront UAG Forefront UAG 2010 Forefront UAG 2010 SP3 Forefront UAG 2010 SP4 Forefront UAG SP3 Forefront Unified Access Gateway formatting Fortinet FQDN fragmentation FRS full NAT Fully Qualified Domain Name future GCM GEO geographic redundancy getting started wizard GitHub Global Protect GlobalProtect global server load balancer Global Server Load Balancing GoToMyPC government GPMC GPO graphical user interface group membership group policy group policy object group policy preferences GSLB GSW GUI guidance guide happy hour hardening hardware load balancer hardware security module hashing health check hibernate high availability hostname hotfix hotfix rollup HP HSM HTTP http.sys HTTPS Hybrid Azure AD Join hybrid cloud Hyper-V hypervisor IaaS ICMP ICMPv6 Ignite Ignite conference IIS IKE IKE authentication credentials are unacceptable ikeext IKE failed to find a valid machine certificate IKEv2 IKEv2 fragmentation iManage iManage Work implementation implementing import Important Links index infrastructure infrastructure as a service insider preview installation integration integrity Internet Internet Information Services Internet Key Exchange Internet Key Exchange version 2 Internet Key Exchange version 2 (IKEv2) interview intrasite automatic tunnel addressing protocol InTune Intune certificate connector Intune Proactive Remediation inutne IP IP-HTTPS ipad IPHTTPS IPsec IPsec SA IPv4 IPv6 IPv6 transition IPv6 transition protocol IPv6 transition technologies IPv6 transition technology IPv6 transition tunnel IPv6 translation Iron Networks iRule ISATAP issue issuing CA issuing certification authority IT/Devconnections Kemp Kemp Load Balancer Kemp Load Master Kemp LoadMaster Kemp LoadMaster Load Balancer Kemp Technologies kerberos Kerberos proxy key storage provider KMS KMS activation known issue k security KSP L2TP L2TP/IPsec L7 Las Vegas layer 7 learn learning LMOS load balancer load balancing LoadMaster LoadMaster Load Balancer local traffic manager Lockdown Lockdown mode log log collection log file logging Logjam LogMeIn LTM M365 MAK malware management management pack Manage Out managing maximum transmission unit MDM MDX media disconnected meeting MEM MEMCM MFA Microsoft Microsoft 365 Microsoft Always On VPN Microsoft Azure Microsoft DirectAccess Microsoft Endpoint Manager Microsoft Ignite Microsoft Ignite conference Microsoft Intune Microsoft Most Valuable Professional Microsoft MVP Microsoft Office Microsoft Outlook Microsoft Surface Microsoft Surface Pro Microsoft Surface Pro 4 Microsoft Surface RT Microsoft System Center Microsoft System Center 2012 Microsoft TechDays Belgium 2013 Microsoft TechEd Microsoft TechEd 2013 Microsoft TechEd Europe 2013 Microsoft TechEd North America 2013 Microsoft VPN Microsoft Windows minimal server interface minimize network connections missing route mitigation mobile mobile device Mobile Device Management Mobility monitor monitoring MSCHAPv2 MTU multi-factor authentication multi-SAN multi-SAN certificate multi-site multicast multifactor authentication multihome multihomed multinetworking multisite multisite DirectAccess MVP NAC name resolution name resolution policy table namespace namespace proxy NAP NAT NAT64 NCA ncasvc NCSI NDES NDES connector NetMotion NetMotion Mobility NetMotion Software Netscaler netsh netsh.exe network Network Access Control Network Access Protection network adapter network address translation network administration network connectivity assistant network connectivity status indicator Network Device Enrollment Service Networking network interface network load balancer network load balancing network location server network policy network policy server Network Policy Server. powerhsell network prefix network security group network virtual appliance network virtualization Nevada next generation firewall NGFW NIC NLB NLS nmap Notes Notes Novell November Update NPS NPS Extension for Azure MFA NRPT NSG NSlookup NTAuth NTAuth Store null cipher null cipher suites NULL encryption NVA OCSP ODJ OEM Office office 365 offline offline domain join offload offloading OID OMA OMA-DM OMA-URI one-time password one-time passwords online responder OpenDNS open source openssl operating system Operational Support operations Operations Manager Ops Manager Orlando OS OTP Outlook PAC PAC file packet capture Packt Publishing PAL Palo Alto Palo Alto Networks partnership path MTU PC PEAP perfmon performance performance IPv6 performance monitor perimeter perimeter network persistence persistence profile persistency group Petri PFE PKI plug-in Pluralsight podcast point-to-site point-to-site connection point-to-site VPN PointSharp PointSharp ID policy policy mismatch POODLE portal portproxy PowerShell PowerShell remoting PPTP pre-order preauthentication prefix preorder prerequisites preview privacy private key Proactive Remediation Proactive Remediations probe productivity professional professional services ProfileXML ProfileXML. Intune protected extensible authentication protocol protection protocol provisioning proxy proxy autoconfiguration proxy server proxy settings psexec public certificate public cloud public key cryptography public key infrastructure public resolver public sector publishing publish route Pulse Secure purpose-built VPN putty QA QoS Quad9 Quad9 DNS Qualys Qualys SSL Labs RA RADIUS ransomware RAS rascient RasClient RasClient 20226 rasclient error 858 rasdial rasman rasmans.dll rasphone RasSstp RDC RDP RDS real server real server check method RealStuff Recommended Reading Redmond redundancy redundnacy reference registry remediation Remote Access remote access IPv6 remote access service remote access VPN remote assistance remote desktop remote desktop connection remote desktop services remote management remote PowerShell remote server administration tools remove remtoe access reporting resolver retail retired revocation revocation check risk roadmap rollup root CA root certificate RootCertificateNameToAccept root certification authority round robin DNS route router routes route table routing Routing and Remote Access Routing and Remote Acc ess Service routing and remote access service routing table RRAS RSA RSAT RunAs Radio SA SAN Satya Nadella scalability SCCM SCCM remote control SCEP schannel school script scripting script package scripts SDX Secure Socket Tunneling Protocol security security advisory security association security group security update selective tunneling self-service password reset self-signed certificates Server Server 2012 Server 2012 Core Server 2012 DirectAccess Server 2012 R2 server authentication Server Core server operating system service account service group service pack session SharePoint SharePoint 2010 SharePoint 2013 signing Simple Certificate Enrollment Protocol simplified deployment single NIC single sign-on site-to-site to VPN site-to-site VPN SKU Skype Skype for Business sleep smart card smart card logon SMB SNAT software SonicWALL SP3 speaking split DNS split tunnel split tunneling SQL SQL server SSD SSH SSL SSL/TLS SSL certificate SSl certificates SSL inspection SSL offload SSL termination SSL VPN SSO SSPR SSTP SSTP. SSL standby strong authentication strongSwan strong user authentication subject alternative name subnet subnet mask subnetting subscription activation support supportability supporting Surface Surface Pro Surface Pro 4 Surface RT svchost.exe Switzerland Symantec sysinternals System Center System Center 2012 System Center Configuration Manager System Center Operations Manager System Center Operations Manager 2012 systeminfo systems management tablet TCP TeamViewer TechDays TechDays 2013 Belgium TechDays San Francisco 2013 TechDaysSF TechDaysSF2014 TechEd TechEd 2012 TechEd 2013 TechEd Europe TechEd Europe 2012 TechEd Europe 2013 TechEd North America TechEd North America 2012 TechEd North America 2013 TechMentor TechMentor 2019 TechMentor Conference TechNet Teredo termination testing Threshold 2 throughput Thunder TLS TLS certificate TLS inspection TLS offload TMG TMG 2010 TND TPM Traffic Filter Traffic Manager traffic routing training TrainSignal transition protocol transition technologies transition technology transition tunnel transport layer security Troopers16 troubleshoot troubleshooting trusted network detection Trusted Platform Module trusted root CA trusted root certification authority tunnel tunnel adapter tunnel adapter IP-HTTPS interface tunnel endpoint tunneling two factor authentication UAG UAG 2010 UAG 2010 SP4 UAG DirectAccess UAG SP3 UAG SP4 UDP UI ULA Umbrella Umbrella Roaming Client unattended mode unicast unicode Unified Remote Access uninstall unique local address unsupported configuration update updates upgrade UseRasCredentials user defined route user interface user tunnel user tunnel authentication utilities utilization v6v4tunnel validation video video training VIP virtual appliance virtual IP address virtualization virtual machine virtual network adapter virtual networking virtual private netowrking virtual private network virtual private networking virtual server Virtual WAN visibility Visual Studio Visual Studio Code VM VMware VNC VPN VPN gateway VPN profile VPN server VpnStrategy VPX VS VS Code vserver vulnerabilities vulnerability WAF wake from hibernate wake from sleep WAN WAP warning Washington web application proxy web filter webinar webprobehost web proxy web proxy server web publishing web server WFAS WHFB whitepaper WID Widows Win10 Windows Windows 7 Windows7 Windows 7 Enterprise Windows 7 SP1 Windows 7 Ultimate Windows 8 Windows 8 Enterprise Windows 8 Pro Windows 8 Professional Windows 8.1 Windows 8.x Windows 8.x/10 Windows 10 Windows10 Windows 10 1803 Windows 10 1809 Windows 10 1903 Windows 10 2004 Windows 10 Always On VPN Windows 10 anniversary update Windows 10 Enterprise Windows 10 November Update Windows 10 pro Windows 10 Professional Windows 10 Technical Preview Windows11 Windows 11 Windows 11 Enterprise Windows DirectAccess windows firewall Windows Firewall with Advanced Security Windows Hello Windows Hello for Business Windows Information Protection Windows Information Protection (WIP) Windows Internal Database Windows RRAS Windows Server Windows Server 1809 Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 R2 Windows Server 2008R2 Windows Server 2012 Windows Server 2012 Core Windows Server 2012 DirectAccess Windows Server 2012 R2 Windows Server 2015 TP5 Windows Server 2016 Windows Server 2016 Technical Preview Windows Server 2016 Technical Preview 5 Windows Server 2019 Windows Server 2022 Windows server core Windows Server Update Services Windows Servr 2012 R2 Windows Sever Windows Update winhttp WinPcap WinRM WinRM quickconfig WIP Wireshark workaround work folders workplace join WorkSite WSAETIMEDOUT WSAHOST_NOT_FOUND WSUS XenApp XML YouTube Zero Trust Zero Trust Network Access Zscaler ZTNA

All posts in category Encryption

Always On VPN and TLS 1.3

Secure Socket Tunneling Protocol (SSTP) is a Microsoft-proprietary VPN protocol with several advantages over Internet Key Exchange version 2 (IKEv2) for Always On VPN user tunnel connections. SSTP uses HTTP with Transport Layer Security (TLS) to encrypt communication between the Always On VPN client and the VPN gateway. SSTP is very firewall-friendly, with VPN connections operating on the commonly open TCP port 443, resulting in more consistent VPN availability. SSTP throughput is better compared to IKEv2 as well.

Learn more about TLS with Practical TLS, a comprehensive online video training course.

TLS and Windows Server

For versions of Windows Server before Windows Server 2022, the out-of-the-box security for TLS is not ideal. TLS is notoriously complex to configure, with myriad options for administrators to choose from. However, with the release of Windows Server 2022 and Windows 11, Microsoft has introduced support for the latest TLS specification, TLS 1.3, which eases much of this configuration pain.

TLS 1.3

TLS 1.3 provides significant advantages for Always On VPN SSTP user tunnel connections in security and performance.

Security

TLS 1.3 is greatly simplified and offers only five cipher suites, all considered secure by today’s standards. In addition, all TLS 1.3 ciphers support forward secrecy, ensuring the privacy of communication even in the event of a server private key compromise.

Performance

The TLS handshake in TLS 1.3 is streamlined and requires less back-and-forth (round trips) to establish a connection. TLS 1.3 speeds connection establishment for new Always On VPN user tunnel connections.

Caveat

Adding support for TLS 1.3 on the server-side is a compelling reason to consider upgrading existing Windows Server Routing and Remote Access Service (RRAS) servers to Windows Server 2022. However, TLS 1.3 support for SSTP also requires Windows 11 on the client-side. TLS 1.3 is not currently supported in Windows 10.

Summary

Realizing the performance benefits provided by TLS 1.3 will likely only occur in large environments supporting many thousands of concurrent connections per server. However, the security benefits apply to all deployments, regardless of size. Administrators should consider upgrading to Windows Server 2022 before proceeding with Windows 11 adoption.

Additional Information

Practical TLS: A Deep Dive into SSL and TLS Online Video Training Course

Always On VPN SSTP Security Configuration

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN TLS Certificate Requirements for SSTP

TLS Protocol Version Support in Windows

TLS Cipher Suites in Windows Server 2022

A Detailed Look at TLS 1.3

TLS Cipher Suite Reference

RFC8446 TLS 1.3

5 Comments

by Richard M. Hicks on January 3, 2022 • Permalink

Posted by Richard M. Hicks on January 3, 2022

https://directaccess.richardhicks.com/2022/01/03/always-on-vpn-and-tls-1-3/

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Security Configuration

When configuring the Windows Server Routing and Remote Access Service (RRAS) to support Secure Socket Tunneling Protocol (SSTP) for Always On VPN user tunnel connections, administrators must install a Transport Layer Security (TLS) certificate on the VPN server. The best practice is to use a certificate issued by a public Certification Authority (CA). In addition, administrators should use a TLS certificate using Elliptic Curve Digital Signature Algorithm (ECDSA) for optimal security and performance.

Let’s Encrypt

Obtaining a public TLS certificate is not inherently difficult, nor is it expensive. However, Let’s Encrypt is a nonprofit public CA issues TLS certificates entirely for free. Always On VPN supports Let’s Encrypt TLS certificates, and installing a Let’s Encrypt certificate on the Always On VPN RRAS server is quite simple.

Pros and Cons

Using Let’s Encrypt certificates for Always On VPN has several significant advantages over traditional public CAs.

Cost – Let’s Encrypt certificates are free! No cost whatsoever.
Speed – Enrolling for a Let’s Encrypt certificate takes just a few minutes.
Trusted – Let’s Encrypt certificates are trusted by default in Windows 10 and Windows 11.

Let’s Encrypt is not without some drawbacks, however.

Lifetime – Let’s Encrypt certificates are only valid for 90 days.
Administration – Certificates must be redeployed frequently (every 90 days).
Security – PFX files (which include private keys) are left on disk by default.

It is possible to mitigate some of these drawbacks, though. For example, deleting PFX files after import can improve security. Alternatively, using a Certificate Signing Request (CSR) eliminates PFX files completely.

Also, it is possible to fully automate the Let’s Encrypt certificate enrollment and RRAS configuration process, which eases the administrative burden. And rotating certificates every 90 days could be considered an advantage from a security perspective! Enrolling new certificates (and specifically certificates with unique keys) is advantageous in that respect.

Certificate Enrollment

There are several different ways to enroll for Let’s Encrypt certificates. The preferred method is using PowerShell, as it works on both Windows Server with Desktop Experience (GUI) and Windows Server Core. Using PowerShell, administrators can also fully automate the enrollment and assignment of the certificate in RRAS.

PowerShell Module

To enroll for Let’s Encrypt TLS certificates on the VPN server, install the Posh-ACME PowerShell module. On the RRAS server, open an elevated PowerShell window and run the following command.

Install-Module Posh-ACME

Certificate Request

After installing the Posh-ACME PowerShell module, select a Let’s Encrypt environment by running the following command. Use LE_PROD for the production Let’s Encrypt server or LE_STAGE for the staging environment (used for testing).

Set-PAServer LE_PROD

Next, request a new certificate using the following command.

New-PACertificate -Domain vpn.example.net -Contact ‘[email protected]’ -CertKeyLength ec-256 -AcceptTOS -Install

The administrator is prompted to create a TXT record in public DNS to prove ownership of the domain. Using the example above, create a DNS record called _acme-challenge.vpn in the example.net DNS zone.

Once complete, the TLS certificate is automatically installed in the local computer certificate store on the VPN server and can be assigned in the RRAS management console, as shown here.

Note: R3 is a Let’s Encrypt issuing certification authority.

DNS Plugin

The Posh-ACME PowerShell module supports DNS plugins that allow administrators to automate the creation of the DNS TXT record used to authorize certificate enrollment. DNS plugins for many public DNS providers are available. Some of the more popular DNS providers are listed here.

Microsoft Azure
Amazon Route53
Cloudflare
Akamai
GoDaddy
Infoblox
Windows Server

A list of all supported DNS plugins for Posh-ACME can be found here.

Certificate Binding

Administrators can use the following PowerShell example code to automate the process of binding the new TLS certificate to the SSTP listener in RRAS.

$Thumbprint = <TLS certificate thumbprint>
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My\$thumbprint
Set-RemoteAccess -SslCertificate $Cert
Restart-Service RemoteAccess -Passthru

Additional Information

Posh-ACME Tutorial

Windows 10 Always On VPN TLS Certificate Requirements for SSTP

Windows 10 Always On VPN SSTP Security Configuration

Always On VPN SSTP Security Configuration

When using Windows Server Routing and Remote Access Service (RRAS) to terminate Always On VPN client connections, administrators can leverage the Secure Socket Tunneling Protocol (SSTP) VPN protocol for client-based VPN connections. SSTP is a Microsoft proprietary VPN protocol that uses Transport Layer Security (TLS) to secure connections between the client and the VPN gateway. SSTP provides some crucial advantages over IKEv2 in terms of operational reliability. It uses the TCP port 443, the standard HTTPS port, which is universally available and ensures Always On VPN connectivity even behind highly restrictive firewalls.

TLS Certificate

When configuring SSTP, the first thing to consider is the certificate installed on the server. A certificate with an RSA key is most common, but for SSTP, provisioning a certificate with an ECDSA key is recommended for optimal security and performance. See the following two articles regarding SSTP certificate requirements and ECDSA Certificate Signing Request (CSR) creation.

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

TLS Configuration

Much like IKEv2, the default TLS security settings for SSTP are less than optimal. However, SSTP can provide excellent security with some additional configuration.

TLS Protocols

There are several deprecated TLS protocols enabled by default in Windows Server. These include SSLv3.0, TLS 1.0, and TLS 1.1. They should be disabled to improve security for TLS. To do this, open an elevated PowerShell window on the VPN server and run the following commands.

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

Cipher Suites

Many weak TLS cipher suites and enabled by default in Windows Server. To further enhance security and performance, they can be optimized using a tool such as IIS Crypto. For example, consider prioritizing cipher suites that use ECDHE and GCM with ECDSA to improve security. Also, remove ciphers that use AES-256 to enhance scalability and performance.

Note: AES-256 does not provide any additional practical security over AES-128. Details here.

PowerShell Script

I have published a PowerShell script on GitHub that performs security hardening and TLS cipher suite optimization to streamline the configuration TLS on Windows Server RRAS servers. You can download the script here.

Validation Testing

After running the script and restarting the server, visit the SSL Labs Server Test site to validate the configuration. You should receive an “A” rating, as shown here.

Note: An “A” rating is not achievable on Windows Server 2012 or Windows Server 2012 R2 when using an RSA TLS certificate. A TLS certificate using ECDSA is required to receive an “A” rating on these platforms.

Additional Information

Always On VPN SSL/TLS Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

Qualys SSL Labs Server Test Site

Always On VPN Protocol Recommendations for Windows Server RRAS

Microsoft SSTP Specification on MSDN

6 Comments

by Richard M. Hicks on June 21, 2021 • Permalink

Tagged Always On VPN, cryptography, ECDSA, Microsoft, Mobility, PowerShell, Remote Access, routing and remote access service, RRAS, RSA, Secure Socket Tunneling Protocol, security, SSL, SSTP, TLS, VPN, Windows, Windows 10, Windows Server

Posted by Richard M. Hicks on June 21, 2021

https://directaccess.richardhicks.com/2021/06/21/always-on-vpn-sstp-security-configuration/

Always On VPN IPsec Root Certificate Configuration Issue

When configuring a Windows Routing and Remote Access Service (RRAS) server to support Internet Key Exchange version 2 (IKEv2) VPN connections, it is essential for the administrator to define the root certification authority for which to accept IPsec security associations (SAs). Without defining this setting, the VPN server will accept a device certificate issued by any root certification authority defined in the Trusted Root Certification Authorities store. Details about configuring IKEv2 security and defining the root certification authority can be found here.

Multiple Root Certificates

Administrators may find that when they try to define a specific root certification authority, the setting may not be implemented as expected. This commonly occurs when there is more than one root certificate in the Trusted Root Certification Authorities store for the same PKI.

Certificate Selection

When running the PowerShell command Set-VpnAuthProtocol to define the root certification authority, PowerShell may ignore the administrator-defined certificate and choose a different one, as shown here. This will result in failed IPsec VPN connections from Windows 10 Always On VPN clients using IKEv2.

Certificate Publishing

This issue can occur when root certification authority certificates are published using Active Directory group policy. It appears that Windows prefers Active Directory group policy published certificates over those published directly in the Certification Authorities Container in Active Directory. To resolve this issue, remove any group policy objects that are publishing root certification authority certificates and ensure those root certificates are published in the Certification Authorities container in Active Directory.

PowerShell Script

A PowerShell script to configure this setting that can be found in my Always On VPN GitHub repository here. I have updated this script to validate the defined root certification authority certificate and warn the user if it does not match.

Additional Information

Set-Ikev2VpnRootCertificate.ps1 PowerShell script on GitHub

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN IKEv2 Features and Limitations

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Certificate Requirements

4 Comments

by Richard M. Hicks on October 19, 2020 • Permalink

Posted by Richard M. Hicks on October 19, 2020

https://directaccess.richardhicks.com/2020/10/19/always-on-vpn-ipsec-root-certificate-configuration-issue/

Always On VPN SSTP Certificate Binding Error

When configuring a Windows Server with the Routing and Remote Access Service (RRAS) role to support Windows 10 Always On VPN connections, the administrator may encounter the following error message when installing or updating the TLS certificate used for Secure Socket Tunneling Protocol (SSTP) connections.

“The thumbprint (cert hash) of the certificate used for Secure Socket Tunneling Protocol (SSTP) is different than the certificate bound to the Web listener (HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server applications to use the same certificate used by SSTP.”

IIS Binding

Most commonly this error can occur if an administrator mistakenly binds a TLS certificate directly in IIS. To resolve this problem, open the IIS management console (inetmgr.exe), navigate to the Default Web Site and click Bindings in the Actions section. Highlight the HTTPS binding and click Remove. Once complete, open an elevated command window and run the iisreset.exe command.

Netsh

In some instances, the administrator may find no certificate bindings in the IIS management console. However, a certificate binding may still be present. To confirm, open an elevated command window and run the following command.

netsh.exe http show sslcert

Remove existing certificate binding by running the following commands.

netsh.exe http delete sslcert ipport=0.0.0.0:443
netsh.exe http delete sslcert ipport=[::]:443

SSTP Configuration

When configuring SSTP in RRAS for Always On VPN, certificate assignment should always be performed using the Routing and Remote Access management console (rrasmgmt.msc). No changes are required to be made in the IIS management console for SSTP.

Additional Information

Windows 10 Always On VPN SSL Certificate Requirements for SSTP

Windows 10 Always On VPN SSTP Load Balancing with Citrix NetScaler ADC Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with F5 BIG-IP Load Balancer

9 Comments

by Richard M. Hicks on August 31, 2020 • Permalink

Posted by Richard M. Hicks on August 31, 2020

https://directaccess.richardhicks.com/2020/08/31/always-on-vpn-sstp-certificate-binding-error/

Always On VPN Split vs. Force Tunneling

During the planning phase of a Windows 10 Always On VPN implementation the administrator must decide between two tunneling options for VPN client traffic – split tunneling or force tunneling. When split tunneling is configured, only traffic for the on-premises network is routed over the VPN tunnel. Everything else is sent directly to the Internet. With force tunneling, all client traffic, including Internet traffic, is routed over the VPN tunnel. There’s been much discussion recently on this topic, and this article serves to outline the advantages and disadvantages for both tunneling methods.

Force Tunneling

Force tunneling is typically enabled to meet the following requirements.

Visibility and Control

By routing all the client’s Internet traffic over the VPN tunnel, administrators can inspect, filter, and log Internet traffic using existing on-premises security solutions such as web proxies, content filters, or Next Generation Firewalls (NGFW).

Privacy

Enabling force tunneling ensures privacy and protection of all Internet communication. By routing all Internet traffic over the VPN, administrators can be certain that all communication from the Always On VPN client is encrypted, even when clients access unencrypted web sites or use untrusted or insecure wireless networks.

Force Tunneling Drawbacks

While configuring force tunneling for Always On VPN has some advantages, it comes with some serious limitations as well.

Poor User Experience

User experience is often degraded when all Internet traffic is routed over the VPN. These suboptimal network paths increase latency, and VPN encapsulation and encryption overhead increase fragmentation, leading to reduced throughput. Most Internet traffic is already encrypted in some form, and encrypting traffic that is already encrypted makes the problem even worse. In addition, force tunneling short-circuits geographic-based Content Delivery Networks (CDNs) further reducing Internet performance. Further, location-based services are often broken which can lead to improper default language selection or inaccurate web search results.

Increased Resource Consumption

Additional resources may need to be provisioned to support force tunneling. With corporate and Internet traffic coming over the VPN, more CPU, memory, and network resources may be required. Deploying additional VPN servers and higher throughput load balancers to support the increase in network traffic may also be necessary. Force tunneling also places higher demands on Internet Service Provider (ISP) links to the corporate datacenter.

Split Tunneling

The alternative to force tunneling is “split tunneling”. With split tunneling configured, only traffic destined for the internal corporate network is routed over the VPN. All other traffic is sent directly to the Internet. Administrators define IP networks that should be routed over the VPN, and those networks are added to the routing table on the VPN client.

Security Enforcement

The challenge of providing visibility and control of Internet traffic with split tunneling enabled can be met using a variety of third-party security solutions. Microsoft Defender ATP recently introduced support for web content filtering. Also, there are numerous cloud-based security offerings from many vendors that allow administrators to monitor and control client-based Internet traffic. Zscaler and Cisco Umbrella are two popular solutions, and no doubt there are many more to choose from.

Recommendations

The general guidance I provide customers is to use split tunneling whenever possible, as it provides the best user experience and reduces demands on existing on-premises infrastructure. Enabling split or force tunneling is ultimately a design decision that must be made during the planning phase of an Always On VPN implementation project. Both configurations are supported, and they each have their merits.

In today’s world, with many applications accessible via public interfaces, force tunneling is an antiquated method for providing visibility and control for managed devices in the field. If required, investigate the use of Microsoft or other third-party solutions that enforce security policy in place without the requirement to backhaul client Internet traffic to the datacenter over VPN for inspection, logging, and filtering.

Additional Information

Whitepaper: Enhancing VPN Performance at Microsoft

Whitepaper: How Microsoft Is Keeping Its Remote Workforce Connected

Microsoft Defender ATP Web Content Filtering

18 Comments

by Richard M. Hicks on April 14, 2020 • Permalink

Posted by Richard M. Hicks on April 14, 2020

https://directaccess.richardhicks.com/2020/04/14/always-on-vpn-split-vs-force-tunneling/

Always On VPN Device Tunnel Only Deployment Considerations

Recently I wrote about Windows 10 Always On VPN device tunnel operation and best practices, explaining its common uses cases and requirements, as well as sharing some detailed information about authentication, deployment recommendations, and best practices. I’m commonly asked if deploying Always On VPN using the device tunnel exclusively, as opposed to using it to supplement the user tunnel, is supported or recommended. I’ll address those topics in detail here.

Device Tunnel Only?

To start, yes, it is possible to deploy Windows 10 Always On VPN using only the device tunnel. In this scenario the administrator will configure full access to the network instead of limited access to domain infrastructure services and management servers.

Is It Recommended?

Generally, no. Remember, the device tunnel was designed with a specific purpose in mind, that being to provide pre-logon network connectivity to support scenarios such as logging on without cached credentials. Typically, the device tunnel is best used for its intended purpose, which is providing supplemental functionality to the user tunnel.

Deployment Considerations

The choice to implement Always On VPN using only the device tunnel is an interesting one. There are some potential advantages to this deployment model, but it is not without some serious limitations. Below I’ve listed some of the advantages and disadvantages to deploying the device tunnel alone for Windows 10 Always On VPN.

Advantages

Using the device tunnel alone does have some compelling advantages over the standard two tunnel (device tunnel/user tunnel) deployment model. Consider the following.

Single VPN Connection – Deploying the device tunnel alone means a single VPN connection to configure, deploy, and manage on the client. This also results in less concurrent connections and, importantly, less IP addresses to allocate and provision.
Reduced Infrastructure – The device tunnel is authenticated using only the device certificate. This certificate check is performed directly on the Windows Server Routing and Remote Access Service (RRAS) VPN server, eliminating the requirement to deploy Network Policy Server (NPS) servers for authentication.
User Transparency – The device tunnel does not appear in the modern Windows UI. The user will not see this connection if they click on the network icon in the notification area. In addition, they will not see the device tunnel connection in the settings app under Network & Internet > VPN. This prevents casual users from playing with the connection settings, and potentially deleting the connection entirely. It’s not that they can’t delete the device tunnel however, it’s just not as obvious.
Simplified Deployment – Deploying the device tunnel is less complicated than deploying the user tunnel. The device tunnel is provisioned once to the device and available to all users. This eliminates the complexity of having to deploy the user tunnel in each individual user’s profile.

Disadvantages

While there are some advantages to using the device tunnel by itself, this configuration is not without some serious limitations. Consider the following.

IKEv2 Only – The device tunnel uses the IKEv2 VPN protocol exclusively. It does not support SSTP. While IKEv2 is an excellent protocol in terms of security, it is commonly blocked by firewalls. This will prevent some users from accessing the network remotely depending on their location.
Limited OS Support – The device tunnel is only supported on Windows 10 Enterprise edition clients, and those clients must be joined to a domain. Arguably the device tunnel wouldn’t be necessary if the client isn’t domain joined, but some organizations have widely deployed Windows 10 Professional, which would then preclude them from being able to use the device tunnel.
Machine Certificate Authentication Only – The device tunnel is authenticated using only the certificate issued to the device. This means anyone who logs on to the device will have full access to the internal network. This may or may not be desirable, depending on individual requirements.
No Mutual Authentication – When the device tunnel is authenticated, the server performs authentication of the client, but the client does not authenticate the server. The lack of mutual authentication increases the risk of a man-in-the-middle attack.
CRL Checks Not Enforced – By default, RRAS does not perform certificate revocation checking for device tunnel connections. This means simply revoking a certificate won’t prevent the device from connecting. You’ll have to import the client’s device certificate into the Untrusted Certificates certificate store on each VPN server. Fortunately, there is a fix available to address this limitation, but it involves some additional configuration. See Always On VPN Device Tunnel and Certificate Revocation for more details.
No Support for Azure Conditional Access – Azure Conditional Access requires EAP authentication. However, the device tunnel does not use EAP but instead uses a simple device certificate check to authenticate the device.
No Support for Multifactor Authentication – As the device tunnel is authenticated by the RRAS VPN server directly and authentication requests are not sent to the NPS server, it is not possible to integrate MFA with the device tunnel.
Limited Connection Visibility – Since the device tunnel is designed for the device and not the user it does not appear in the list of active network connections in the Windows UI. There is no user-friendly connection status indicator, although the connection can be viewed using the classic network control panel applet (ncpa.cpl).

Summary

The choice to deploy Windows 10 Always On VPN using the device tunnel alone, or in conjunction with the user tunnel, is a design choice that administrators must make based on their individual requirements. Using the device tunnel alone is supported and works but has some serious drawbacks and limitations. The best experience will be found using the device tunnel as it was intended, as an optional component to provide pre-logon connectivity for an existing Always On VPN user tunnel.

Additional Information

Windows 10 Always On VPN Device Tunnel with Azure VPN Gateway

Windows 10 Always On VPN Device Tunnel and Certificate Revocation

Windows 10 Always On VPN Device Tunnel Configuration with Microsoft Intune

Windows 10 Always On VPN Device Tunnel Does Not Connect Automatically

Windows 10 Always On VPN Device Tunnel Missing in Windows 10 UI

Deleting a Windows 10 Always On VPN Device Tunnel

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN IKEv2 Features and Limitations

64 Comments

by Richard M. Hicks on April 6, 2020 • Permalink

Posted by Richard M. Hicks on April 6, 2020

https://directaccess.richardhicks.com/2020/04/06/always-on-vpn-device-tunnel-only-deployment-considerations/

Always On VPN Device Tunnel with Azure VPN Gateway

Always On VPN is infrastructure independent, which allows for many different deployment scenarios including on-premises and cloud-based. In Microsoft Azure, the Azure VPN gateway can be configured to support Windows 10 Always On VPN client connections in some scenarios. Recently I wrote about using the Azure VPN gateway for Always On VPN user tunnels. In this post I’ll describe how to configure the Azure VPN gateway to support an Always On VPN device tunnel.

Limitations

There are a few crucial limitations that come with using the Azure VPN gateway for Always On VPN. Importantly, the Azure VPN gateway can support either user tunnels or device tunnels, not both at the same time. In addition, Azure supports only a single VPN gateway per VNet, so deploying an additional VPN gateway in the same VNet to support Always On VPN user tunnels is not an option.

Root CA Certificate

The Always On VPN device tunnel is authenticated using a machine certificate issued to domain-joined Windows 10 Enterprise edition clients by the organization’s internal Certification Authority (CA). The CA’s root certificate must be uploaded to Azure for the VPN gateway to authorize device tunnel connections. The root CA certificate can be exported using the Certification Authority management console (certsrv.msc) or via the command line.

Export Certificate – GUI

Follow the steps below to export a root CA certificate using the Certification Authority management console.

1. On the root CA server, open the Certification Authority management console.
2. Right-click the CA and choose Properties.
3. Select the CA server’s certificate and choose View Certificate.
4. Select the Details tab and click Copy to File.
5. Click Next.
6. Choose Base-64 encoded X.509 (.CER).

7. Click Next.
8. Enter a location to save the file to.
9. Click Next, Finish, and Ok.

Export Certificate – Command Line

Follow the steps below to export a root CA certificate using the command line.

1. On the root CA server, open an elevated command window (not a PowerShell window).
2. Enter certutil.exe -ca.cert root_certificate.cer.
3. Enter certutil.exe -encode root.cer root_certificate_base64.cer.

Copy Public Key

1. Open the saved root certificate file using Notepad.
2. Copy the file contents between the BEGIN CERTIFICATE and END CERTIFICATE tags, as shown here. Use caution and don’t copy the carriage return at the end of the string.

Point-to-Site Configuration

The Azure VPN gateway must be deployed as a Route-Based gateway to support point-to-site VPN connections. Detailed requirements for the gateway can be found here. Once the VPN gateway has been provisioned, follow the steps below to enable point-to-site configuration for Always On VPN device tunnels.

1. In the navigation pane of the Azure VPN gateway settings click Point-to-site configuration.
2. Click the Configure now link and specify an IPv4 address pool to be assigned to VPN clients. This IP address pool must be unique in the organization and must not overlap with an IP address ranges defined in the Azure virtual network.
3. From the Tunnel type drop-down list select IKEv2.
4. In the Root certificates section enter a descriptive name for the certificate in the Name field.
5. Copy and paste the Base64 encoded public key copied previously into the Public certificate data field.
6. Click Save to save the configuration.

VPN Client Configuration

To support the Always On VPN device tunnel, the client must have a certificate issued by the internal CA with the Client Authentication Enhanced Key Usage (EKU). Detailed guidance for deploying a Windows 10 Always On VPN device tunnel can be found here.

Download VPN Configuration

1. Click Point-to-site configuration.
2. Click Download VPN client.
3. Click Save.
4. Open the downloaded zip file and extract the VpnSettings.xml file from the Generic folder.
5. Copy the FQDN in the VpnServer element in VpnSettings.xml. This is the FQDN that will be used in the template VPN connection and later in ProfileXML.

Create a Test VPN Connection

It is recommended to create a test VPN connection to perform validation testing of the Azure VPN gateway before provisioning an Always On VPN device tunnel broadly. On a domain-joined Windows 10 enterprise client, create a new VPN connection using IKEv2 with machine certificate authentication. Use the VPN server FQDN copied from the VpnSettings.xml file previously.

Create an Always On VPN Connection

Once the VPN has been validated using the test profile created previously, an Always On VPN profile can be created and deployed using Intune, SCCM, or PowerShell. The following articles can be used for reference.

Deploy Always On VPN device tunnel using PowerShell

Deploy Always On VPN device tunnel using Intune

IKEv2 Security Configuration

The default IKEv2 security parameters used by the Azure VPN gateway are better than Windows Server, but the administrator will notice that a weak Diffie-Hellman (DH) key (Group 2 – 1024 bit) is used during IPsec phase 1 negotiation.

Use the following PowerShell commands to update the default IKEv2 security parameters to recommended baseline defaults, including 2048-bit keys (DH group 14) and AES-128 for improved performance.

Connect-AzAccount
Select-AzSubscription -SubscriptionName [Azure Subscription Name]

$Gateway = [Gateway Name]
$ResourceGroup = [Resource Group Name]

$IPsecPolicy = New-AzVpnClientIpsecParameter -IpsecEncryption AES128 -IpsecIntegrity SHA256 -SALifeTime 28800 -SADataSize 102400000 -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $IPsecPolicy

Note: Be sure to update the cryptography settings on the test VPN connection and in ProfileXML for Always On VPN connections to match the new VPN gateway settings. Failing to do so will result in an IPsec policy mismatch error.

Additional Information

Windows 10 Always On VPN User Tunnel with Azure VPN Gateway

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN IKEv2 Features and Limitations

28 Comments

by Richard M. Hicks on January 6, 2020 • Permalink

Posted by Richard M. Hicks on January 6, 2020

https://directaccess.richardhicks.com/2020/01/06/always-on-vpn-device-tunnel-with-azure-vpn-gateway/

Always On VPN Error Code 858

When configuring Windows 10 Always On VPN using Extensible Authentication Protocol (EAP), the administrator may encounter a scenario in which the client connection fails. The event log will include an event ID 20227 from the RasClient source that includes the following error message.

“The user [domain\username] dialed a connection named [connection name] which has failed. The error code returned on failure is 858.”

RasClient Error 858

RasClient error code 858 translates to ERROR_EAP_SERVER_CERT_EXPIRED. Intuitively, this indicates that the Server Authentication certificate installed on the Network Policy Server (NPS) has expired. To resolve this issue, renew the certificate on the NPS server.

Additional Information

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

Windows 10 Always On VPN and Windows Server 2019 NPS Bug

Windows 10 Always On VPN Error Code 864

Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.

Setup Wizard Ended Prematurely

When installing the Microsoft Intune Connector, the administrator may encounter a scenario where the setup wizard fails with the following error message.

“Microsoft Intune Connector Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.”

Cryptographic Service Provider

This error can occur if the NDES server certificate template is configured to use the Key Storage Provider cryptography service provider (CSP). When configuring the certificate template for the NDES server, the Legacy Cryptography Service Provider must be used, as shown here.

Additional Information

Deploying Windows 10 Always On VPN with Intune using Custom ProfileXML

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Deploying Windows 10 Always On VPN with Microsoft Intune

8 Comments

by Richard M. Hicks on November 11, 2019 • Permalink

Posted by Richard M. Hicks on November 11, 2019

https://directaccess.richardhicks.com/2019/11/11/microsoft-intune-ndes-connector-setup-wizard-ended-prematurely/

Awards

Consulting

Newsletter

Connect

RSS Feed

Archives

Categories

Tag Cloud

All posts in category Encryption

TLS and Windows Server

TLS 1.3

Security

Performance

Caveat

Summary

Additional Information

Share this:

Like this:

Let’s Encrypt

Pros and Cons

Certificate Enrollment

PowerShell Module

Certificate Request

DNS Plugin

Certificate Binding

Additional Information

Share this:

Like this:

TLS Certificate

TLS Configuration

TLS Protocols

Cipher Suites

PowerShell Script

Validation Testing

Additional Information

Share this:

Like this:

Multiple Root Certificates

Certificate Selection

Certificate Publishing

PowerShell Script

Additional Information

Share this:

Like this:

IIS Binding

Netsh

SSTP Configuration

Additional Information

Share this:

Like this:

Force Tunneling

Visibility and Control

Privacy

Force Tunneling Drawbacks

Poor User Experience

Increased Resource Consumption

Split Tunneling

Security Enforcement

Recommendations

Additional Information

Share this:

Like this:

Device Tunnel Only?

Is It Recommended?

Deployment Considerations

Advantages

Disadvantages

Summary

Additional Information

Share this:

Like this:

Limitations

Root CA Certificate

Export Certificate – GUI

Export Certificate – Command Line

Copy Public Key

Point-to-Site Configuration

VPN Client Configuration

Download VPN Configuration

Create a Test VPN Connection