All posts in category GitHub

Always On VPN SSTP Certificate Automation with CertKit

With public TLS certificates moving to significantly shorter certificate lifetimes, eventually just 47 days, Always On VPN administrators supporting Secure Socket Tunneling Protocol (SSTP) connections must prepare to address this eventuality. The first milestone for shortened public TLS certificate lifetimes is a few months, on March 15, 2026, when public TLS certificate lifetimes will be reduced from a maximum of 398 days to 200 days. One year later, on March 15, 2027, they will be reduced to just 100 days. Now is the time to begin planning an automated certificate enrollment solution to reduce administrative overhead and ensure uninterrupted connectivity for remote users.

Previous Approaches: PowerShell and Posh-ACME

In the past, I’ve written about using Let’s Encrypt Certificates for Always On VPN using the Posh-ACME PowerShell module. I’ve also posted some sample code to demonstrate how to integrate with a DNS provider to automate publishing the ACME challenge to public DNS for certificate enrollment verification. However, this assumes your DNS provider supports this option. Some do not. In addition, granting write permissions to public DNS via an API key introduces significant security risks. So, if direct ACME DNS automation isn’t viable in your environment, CertKit is an excellent alternative.

CertKit: Automated Certificate Issuance, Monitoring, and Alerting

To address these limitations, administrators can use the CertKit service. With CertKit, you delegate the Let’s Encrypt certificate enrollment process to them by simply creating a CNAME record in your public DNS. Once complete, CertKit handles the entire process transparently.

Issuance

Today, CertKit supports issuing certificates using Let’s Encrypt. In the future, support for additional certificate providers such as Google Trust and ZeroSSL will be added. CertKit supports Let’s Encrypt certificates using RSA (2048-bit) and Elliptic Curve (recommended). Certificates can be issued for an individual resource, a group of resources (multi-SAN), and a domain wildcard (e.g., *.example.net).

Monitoring

In addition to certificate issuance and management, CertKit offers domain TLS certificate monitoring to track your public assets. You can monitor your CertKit-managed certificates easily, but you can also add other services using TLS and track them on the same console. In this example, I’m using CertKit to manage certificates for two VPN servers (indicated by solid green dots) and to monitor my public websites, for which certificate management is handled by their respective hosting providers.

Alerts and Notifications

CertKit will automatically send emails to let you know when a certificate is expiring and if a CertKit-managed certificate has been renewed.

Pending certificate expiration.

Successful certificate renewal.

Certificate Retrieval

Once CertKit completes the enrollment process on your behalf, it stores all certificate files (.PFX, .PEM, and .KEY) in a secure S3-compatible storage bucket. While an administrator could easily retrieve and install them manually, automation will help reduce administrative overhead, especially as public TLS certificate lifetimes are further reduced. You can download certificate files programmatically in several ways.

PowerShell

The first way to download the certificate files from CertKit is to use the AWSPowerShell module. However, the AWSPowerShell is relatively heavy and is overkill for this specific use case. A better alternative is to use the MinIO client.

MinIO

The MinIO client (mc.exe) is an open-source command-line tool developed by MinIO. It provides access to any S3-compatible storage, which CertKit uses in its environment. MinIO is a single, portable executable installer that’s easy to use and well-documented.

Sample Code

I’ve published some sample code to demonstrate how to use the MinIO client to retrieve certificates from CertKit and install them on a Windows Server Routing and Remote Access (RRAS) server. You can find the sample code on GitHub here.

https://github.com/richardhicks/aovpn/blob/master/Install-SstpLetsEncryptCertificate-Certkit.ps1

Note: This sample code demonstrates how to download a .PFX file from CertKit and install it on the RRAS server. It is designed to run as a scheduled task in Windows during non-peak times. The code includes robust checks for service viability and will reboot the server if they fail. As such, this sample code could cause service disruptions, so use it with caution.

Cost

Today, CertKit is in beta and is free for everyone to use. In the future, there will be both free and paid tiers. You can learn more about their pricing models and sign up for the service at CertKit.io.

Learn More

If you’d like to learn more about CertKit and how you can leverage it for Always On VPN and other workloads in your environment, or you’d like to see a demonstration of CertKit, fill out the form below, and I’ll provide you with more information.

Additional Information

CertKit

Install-SstpLetsEncryptCertificate-Certkit.ps1 on GitHub

Always On VPN SSTP and 47-Day TLS Certificates

Always On VPN SSTP with Let’s Encrypt Certificates

Leave a comment
by Richard M. Hicks on February 2, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Automation, Certificate Services, certificates, CertKit, cloud, Cloud Service, Cryptography, Deployment, Device Management, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, GitHub, Operational Support, public cloud, Remote Access, reporting, Security, SSL, SSL and TLS, systems management, TLS, Transport Layer Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 2, 2026

https://directaccess.richardhicks.com/2026/02/02/always-on-vpn-sstp-certificate-automation-with-certkit/

Always On VPN Discord Channel

I’m excited to announce the launch of a brand-new Discord channel dedicated to administrators working with Always On VPN! Whether you’re a seasoned pro or just getting started, this community is designed to be your go-to hub for collaboration, troubleshooting, and staying up to date on all things Always On VPN. The channel was established by my good friend Leo D’Arcy, the creator of the popular Always On VPN Dynamic Profile Generator (DPC) software.

Why Discord?

Always On VPN is a powerful solution for secure, seamless remote connectivity, but managing it comes with its own set of challenges. From configuration quirks to deployment strategies, administrators often need a space to share insights, ask questions, and learn from one another in real time. That’s where our new Discord channel comes in.

Community Forum

Discord offers a dynamic, user-friendly platform for instant communication and community building. Unlike forums or email threads, it’s a place where you can start a conversation, jump into live discussions, share resources, ask questions, share important insights or experiences, and much more.

Channels

Today, the Always On VPN Discord channel is part of the Microsoft Remote Access User Group Discord Server. It consists of multiple channels divided into the following topics.

General – This is a great place to introduce yourself and say hello to everyone!

DPC-Development – Here, you can ask questions about DPC, provide feedback, and suggest new features and functionality.

DPC-Chat – This channel is for administrators to discuss all things DPC, including deployment strategies, operation, support, and more.

Aovpn-Chat – If you’ve deployed Always On VPN but aren’t using DPC, this is your channel! Although DPC is fantastic, not everyone is using it. In this channel, you can submit questions and share general information about Always On VPN.

Gsa-Chat – We’ve also included a Microsoft Entra Global Secure Access channel for the new Microsoft Security Service Edge (SSE) solution, which includes Entra Private Access. This channel is pretty quiet right now. Hopefully, it will grow in the future!

DirectAccess-Chat – Yes, we realize some of you are still running DirectAccess, so there’s also a channel for you! Feel free to drop in and ask questions here, hopefully about migrating soon. 😉

Who Is This For?

This channel is open to anyone managing Microsoft secure remote access products. Whether you’re an IT administrator in a small business, an enterprise network engineer, or a consultant helping clients stay connected. If you’re working with Microsoft remote access technologies, this is the place to be!

Why Not Reddit?

Funny story: I tried to create an Always On VPN subreddit a few years ago. It lasted one day before it was banned! No reason was given, and I couldn’t get anyone from Reddit to respond. I answer questions ad hoc on Reddit all the time, but there’s no dedicated space for Always On VPN or Microsoft remote access in general.

How To Join

Joining our Discord channel is easy.

  1. Click this link.
  2. Set up your Discord account if you don’t already have one. It’s free and only takes a minute!
  3. Optionally, you can download the Discord app here.
  4. Say hello and introduce yourself in the #general channel.
  5. Explore the other channels, ask questions, give feedback, and share your expertise!

See You There!

Leo and I, along with many other experienced Always On VPN administrators, are on the forums daily. We encourage you to share your expertise, ask questions, and help others along the way. The more we contribute, the stronger this resource becomes for everyone. Join us today!

Additional Information

Always On VPN Discord Channel

Always On VPN Dynamic Profile Configurator (DPC)

DPC on GitHub

1 Comment
by Richard M. Hicks on March 10, 2025  •  Permalink
Posted in administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Community, Deployment, Device Management, DirectAccess, Discord, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra Private Access, Forum, GitHub, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra Private Access, Mobility, Operational Support, Remote Access, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 10, 2025

https://directaccess.richardhicks.com/2025/03/10/always-on-vpn-discord-channel/

Configure Entra Conditional Access for Always On VPN

Recently, I wrote about Microsoft Always On VPN and Entra Conditional Access and how conditional access improves your organization’s security posture by making policy-based access decisions based on various signals such as user identity, location, device compliance, platform, sign-in risk, and more. In this post, I’ll provide step-by-step instructions for integrating Entra Conditional Access with existing Always On VPN deployments.

Requirements

To use Microsoft Entra Conditional Access with Always On VPN you must have Entra ID P1 at a minimum. To use advanced features such as risk-based policy assessment, you must have Entra ID P2. In addition, all endpoints must be under Intune management; either native Entra ID joined, or hybrid Entra ID joined.

Enable VPN Support

To begin, open the Microsoft Entra admin center (https://entra.microsoft.com/), navigate to Identity > Protection > Conditional Access, and perform the following steps.

  1. Click VPN Connectivity.
  2. Click New certificate.
  3. From the Select duration drop-down list, choose an appropriate certificate validity period.
  4. Click Create.

Once complete, click Download certificate and copy the certificate file to a domain-joined system on-premises.

Publish Certificate

Next, administrators must publish the Entra VPN root certificate in Active Directory to support domain authentication. Open an elevated PowerShell or command window and run the following commands.

certutil.exe -dspublish -f <path to certificate file> RootCA

certutil.exe -dspublish -f <path to certificate file> NtAuthCA

Note: You must be a domain administrator to perform this task.

Conditional Access Policy

Navigate to Identity > Protection > Conditional Access and click Policies, then perform the following steps to create a conditional access policy for VPN access.

  1. Click New Policy.
  2. Enter a descriptive name for the new policy.
  3. Click the link in the Target resources section.
  4. From the Select what this policy applies to drop-down list, select Resources (formerly cloud apps).
  5. In the Include section, choose Select resources.
  6. Click the link in the Select section.
  7. Enter VPN in the search field.
  8. Check the box next to VPN Server.
  9. Click Select.
  10. Click the link in the Grant section.
  11. Select Grant access.
  12. Check the box next to Require device to be marked as compliant.
  13. Click Select.
  14. On the Enable policy slider, select On.
  15. Click Create.

NPS

Changes to Network Policy Server (NPS) policy and configuration are required to support Always On VPN with Entra Conditional Access.

NPS Policy

To update the Always On VPN network policy to support Entra Conditional Access, open the NPS management console (nps.msc), expand Policies, then select Network Policies and perform the following steps.

  1. Right-click on the Always On VPN policy and choose Properties.
  2. Select the Settings tab.
  3. Select Vendor Specific in the RADIUS Attributes section.
  4. Click Add.
  5. Select the Allowed-Certificate-OID attribute.
  6. Click Add.
  7. Click Add.
  8. Enter 1.3.6.1.4.1.311.87 in the Attribute value field.
  9. Click Ok.
  10. Click Ok.
  11. Click Close.
  12. Click Ok.

Important Note: This change will block new Always On VPN user tunnel connections until you update the client configuration. When integrating an existing Always On VPN implementation with Entra Conditional Access, consider creating a new NPS policy and corresponding security group to migrate users to conditional access seamlessly.

NPS Configuration

By default, NPS will perform revocation checks for certificates used for domain authentication. However, Entra Conditional Access uses short-lived certificates (one-hour lifetime) that do not include CRL Distribution Point (CDP) information. Therefore, administrators must change the NPS server configuration to disable revocation checking for certificates lacking this information.

To do this, open the registry editor (regedit.exe) and create a new registry key with the following settings.

Key: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: IgnoreNoRevocationCheck
Type: DWORD
Value: 1

You can also run the following PowerShell command to implement this change.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, the server must be rebooted for the change to take effect.

Client Configuration

After making all required changes to the supporting infrastructure, you must also update the  Always On VPN client configuration to leverage Entra Conditional Access. Changes to client configuration vary depending on the method used to deploy and manage Always On VPN client configuration settings.

Intune

When using Microsoft Intune and the native VPN policy type to deploy and manage Always On VPN client configuration settings, perform the following steps to update the VPN configuration to include Entra Conditional Access support.

  1. Open the Microsoft Intune admin center (https://intune.microsoft.com/) and navigate to Devices > Configuration.
  2. Click on the Always On VPN policy.
  3. Click Edit next to Configuration settings.
  4. Expand the Conditional Access section.
  5. Click Enable next to Conditional access for this VPN connection.
  6. Click Enable next to Single sign-on (SSO) with alternate certificate.
  7. Enter Client Authentication in the Name field.
  8. Enter 1.3.6.1.5.5.7.3.2 in the Object Identifier field.
  9. Enter the organization’s root certification authority (CA) certificate thumbprint in the Issuer hash field.

XML

When using a custom XML configuration file for Always On VPN client configuration settings deployed using Intune or PowerShell, edit the XML file, remove the existing <TLSExtensions></TLSExtensions> section, and replace it with the following.

In addition, add the following code between the <VPNProfile></VPNProfile> tags after <TrustedNetworkDetection>.

Note: You will find a sample XML configuration file you can copy and paste from on GitHub here.

DPC

When using Always On VPN Dynamic Profile Configurator (DPC) for managing Always On VPN client configuration settings, open the DPC group policy and navigate to Computer Configuration > Policies > Administrative Templates > DPC Client > User Tunnel Settings > Advanced and perform the following steps.

  1. Double-click Optional – Device Compliance Settings.
  2. Select Enabled.
  3. Enter 1.3.6.1.5.5.7.3.2 in the Certificate EKU OID field.
  4. Enter the organization’s root certification authority (CA) certificate thumbprint in the Certificate Issuer Hash field.
  5. Click Ok.

Not using DPC? You’re missing out! Learn more about Always On VPN DPC here.

Video

I’ve published a demonstration video for enabling Microsoft Entra ID Conditional Access with Always On VPN on YouTube. You can find the video here.

Summary

Following the guidance in this post to integrate Entra Conditional Access with Always On VPN can significantly improve your organization’s security posture. In the example above, the conditional access policy is a basic one. Yet, it dramatically reduces the attack surface for your remote access infrastructure by ensuring only compliant devices can establish a VPN connection.

Administrators can use advanced conditional access policy settings to strengthen the VPN’s security further by performing additional checks, such as requiring strong, phishing-resistant credentials and requesting multifactor authentication (MFA) for risky sign-ins.

Additional Information

Always On VPN and Entra Conditional Access

Drawback of Multifactor Authentication

Understanding Enterprise Public Key Infrastructure (PKI)

Digital Certificates for Strong Authentication

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Open Source

Leave a comment
by Richard M. Hicks on February 17, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MF, Azure MFA, Azure VPN, cloud, Cloud Service, Compliance, Conditional Access, Deployment, Device Management, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, GitHub, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, InTune, MDM, MFA, Microsoft, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, network policy server, NPS, Operational Support, PowerShell, public cloud, Remote Access, routing and remote access service, RRAS, Security, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 17, 2025

https://directaccess.richardhicks.com/2025/02/17/configure-entra-conditional-access-for-always-on-vpn/

« Older Posts