Consulting

Consulting Services

Now Available!
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
@richardhicks
- Troubleshooting and resolving #Windows 10 Always On #VPN error code 858. #Windows10 #Win10 #Microsoft #mobility… twitter.com/i/web/status/1…:: 6 minutes ago
- Join me in Denver, CO March 3-5 for #Windows 10 Always On #VPN hands-on training. Space is limtied, so register now… twitter.com/i/web/status/1…:: 1 hour ago
- Default firewall rules blocking inbound Network Policy Server (NPS) traffic on @windowsserver 2019. #Microsoft… twitter.com/i/web/status/1…:: 2 hours ago
- #Windows 10 Always On #VPN IKEv2 load balancing with @CitrixADC. #Microsoft #Windows10 #Win10 #mobility #Citrix… twitter.com/i/web/status/1…:: 3 hours ago
- #Windows 10 Always On #VPN RasMan device tunnel failure. #Microsoft #Windows10 #Win10 #aovpn #mobility rmhci.co/2II1pWW:: 5 hours ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
Active Directory ADC Always On VPN AOVPN application delivery controller authentication Azure CA certificate certificates cloud configuration device tunnel DirectAccess DNS education encryption enterprise mobility error F5 firewall Forefront Forefront UAG Forefront UAG 2010 group policy high availability hotfix IKEv2 Important Links InTune IP-HTTPS IPsec IPv6 IPv6 transition technology Kemp load balancer load balancing LoadMaster Manage Out Microsoft Mobility multisite Networking network location server NLB NLS OTP performance PKI PowerShell ProfileXML public cloud redundancy Remote Access routing and remote access service RRAS scalability security Server 2012 SSL SSTP TLS training troubleshooting UAG update VPN Windows Windows 7 Windows 8 Windows 10 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

All posts in category NetMotion

Always On VPN Options for Azure Deployments

Always On VPN Options for Azure Deployments Organizations everywhere are rapidly adopting Microsoft Azure public cloud infrastructure to extend or replace their existing datacenter. As traditional on-premises workloads are migrated to the cloud, customers are looking for options to host VPN services there as well.

Windows Server

Windows Server with the Routing and Remote Access Service (RRAS) installed is a popular choice for on-premises Always On VPN deployments. Intuitively it would make sense to deploy Windows Server and RRAS in Azure as well. However, at the time of this writing, RRAS is not a supported workload on Windows Server in Azure.

Reference: https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines/

Although explicitly unsupported, it is possible to deploy Windows Server and RRAS in Azure for Always On VPN. In my experience it works well and can be an option for organizations willing to forgo formal support by Microsoft.

Azure Gateway

Options for supporting Always On VPN connections using native Azure VPN infrastructure depend on the type of VPN gateway chosen.

VPN Gateway

The Azure VPN Gateway can be configured to support client-based (point-to-site) VPN. With some additional configuration it can be used to support Windows 10 Always On VPN deployments. Azure VPN gateway supports both IKEv2 and SSTP VPN protocols for client connections. The Azure VPN gateway has some limitations though. Consider the following:

A route-based VPN gateway is required
A maximum of 1000 concurrent IKEv2 connections are supported when using the VpnGw3 or VpnGw3AZ SKUs (2000 supported in active/active mode)
A maximum of 128 concurrent SSTP connections are supported on all gateway SKUs (256 supported in active/active mode)

Virtual WAN

Azure Virtual WAN is the future of remote connectivity for Azure. It includes support for client-based VPN (currently in public preview at the time of this writing), but only supports IKEv2 and OpenVPN VPN protocols for client connections. SSTP is not supported at all. Further, OpenVPN is not supported for Windows 10 Always On VPN, leaving IKEv2 as the only option, which poses some potential operational challenges. Virtual WAN offer much better scalability though, supporting up to 10,000 concurrent client-based VPN connections.

Virtual Appliance

The most supportable option for hosting VPN services in Azure for Windows 10 Always On VPN is to deploy a third-party Network Virtual Appliance (NVA). They are available from a variety of vendors including Cisco, Check Point, Palo Alto Networks, Fortinet, and many others. To support Windows 10 Always On VPN, the NVA vendor must either support IKEv2 for client-based VPN connections or have a Universal Windows Platform (UWP) VPN plug-in client available from the Microsoft store. Click here to learn more about Always On VPN and third-party VPN devices.

Note: Be careful when choosing an NVA as some vendors support IKEv2 only for site-to-site VPN, but not client-based VPN!

Hybrid Deployments

For organizations with hybrid cloud deployments (infrastructure hosted on-premises and in Azure), there are several options for choosing the best location to deploy VPN services. In general, it is recommended that client VPN connections be established nearest the resources accessed by remote clients. However, having VPN servers hosted both on-premises and in Azure is fully supported. In this scenario Azure Traffic Manager can be configured to intelligently route VPN connections for remote clients.

NetMotion Mobility

The NetMotion Mobility purpose-built enterprise VPN is a popular replacement for Microsoft DirectAccess. It is also an excellent alternative for enterprise organizations considering a migration to Always On VPN. It is a software-based solution that can be deployed on Windows Server and is fully supported running in Microsoft Azure. It offers many advanced features and capabilities not included in other remote access solutions.

Summary

Administrators have many options for deploying VPN servers in Azure to support Windows 10 Always On VPN. Windows Server and RRAS is the simplest and most cost-effective option, but it is not formally supported by Microsoft. Azure VPN gateway is an interesting alternative but lacks enough capacity for larger deployments. Azure Virtual WAN is another option but has limited protocol support. Deploying an NVA is a good choice, and NetMotion Mobility is an excellent alternative to both DirectAccess and Always On VPN that is software-based and fully supported in Azure.

Additional Information

Windows 10 Always On VPN with Azure Gateway

Windows 10 Always On VPN and Third-Party VPN Devices

Windows 10 Always On VPN and Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN IKEv2 Features and Limitations

Windows 10 Always On VPN Multisite with Azure Traffic Manager

Comparing DirectAccess and NetMotion Mobility

Deploying NetMotion Mobility in Microsoft Azure

17 Comments

by Richard M. Hicks on June 24, 2019 • Permalink

Posted by Richard M. Hicks on June 24, 2019

https://directaccess.richardhicks.com/2019/06/24/always-on-vpn-options-for-azure-deployments/

Comparing DirectAccess and NetMotion Mobility – Australia and New Zealand

Australia and New Zealand! Comparing DirectAccess and NetMotion Mobility free live webinar Thursday, November 29 at 10:00AM AEDT. Register here!

For many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.

As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.

NetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.

To learn more about NetMotion Mobility, join me on Thursday, November 29 at 10:00AM AEDT (UTC +11) for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

Comparing DirectAccess and NetMotion Mobility Webinar – October 2018

CORRECTION: This webinar will take place 14:00 BST on Thursday, 25 October.

To learn more about NetMotion Mobility, join me on Thursday, 25 October at 14:00 BST for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

Comparing DirectAccess and NetMotion Mobility

Comparing DirectAccess and NetMotion Mobility With DirectAccess approaching the end of its useful lifetime, many organizations are considering alternative solutions to provide seamless, transparent, always on remote connectivity for their field-based workers. Microsoft is positioning Windows 10 Always On VPN as the replacement for DirectAccess. While it provides many new features that were missing from DirectAccess, it has its own unique limitations and shortcomings.

NetMotion Mobility Purpose-Built Enterprise VPN

NetMotion Mobility Purpose-Built Enterprise VPN Advanced Features

NetMotion Mobility

NetMotion Mobility is an excellent alternative to DirectAccess and Always On VPN, and it has many advantages over both native Microsoft offerings. NetMotion Mobility offers better security and performance. It provides deep visibility with broad client support, and the solution is easier to support than DirectAccess.

Comparing DirectAccess and NetMotion Mobility

If you’d like to learn more about how NetMotion Mobility compares with DirectAccess, you will find detailed comparison information in my Comparing NetMotion Mobility and DirectAccess article series on the NetMotion blog.

Comparing NetMotion Mobility and DirectAccess – Security
Comparing NetMotion Mobility and DirectAccess – Performance
Comparing NetMotion Mobility and DirectAccess – Visibility
Comparing NetMotion Mobility and DirectAccess – Supported Clients
Comparing NetMotion Mobility and DirectAccess – Support

NetMotion Mobility in Action

Watch the following videos to see NetMotion Mobility in action.

NetMotion Mobility Demonstration Video
NetMotion Mobility and Skype for Business Demonstration Video

DirectAccess Alternative

NetMotion Mobility is a premium remote access solution with many of the same characteristics as DirectAccess; seamless, transparent, and always on. It is feature rich with numerous compelling benefits over native Microsoft remote access technologies. Organizations seeking a solution to replace Microsoft DirectAccess would benefit greatly from NetMotion Mobility.

Learn More

If you’d like to learn more about NetMotion Mobility, or if you’d like to evaluate their solution, fill out the form below and I’ll respond with more information.

1 Comment

by Richard M. Hicks on June 4, 2018 • Permalink

Posted in Always On VPN, AOVPN, DirectAccess, DirectAccess Deprecated, DirectAccess End of Life, DirectAccess EOL, end of life, Enterprise, enterprise mobility, EOL, Mobility, NetMotion, NetMotion Mobility, Remote Access, Security, Windows 10, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, deprecated, DirectAccess, DirectAccess alternative, end of life, EOL, Mobility, NetMotion, NetMotion Mobility, performance, Remote Access, security, Skype, Skype for Business, supportability, visibility, VPN, Windows 10 Always On VPN

Posted by Richard M. Hicks on June 4, 2018

https://directaccess.richardhicks.com/2018/06/04/comparing-directaccess-and-netmotion-mobility/

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling DirectAccess employs a split tunneling network model by default. In this configuration, only network traffic destined for the internal network (as defined by the administrator) is tunneled over the DirectAccess connection. All other network traffic is routed directly over the Internet.

Force Tunneling Use Cases

For a variety of reasons, administrators may want to configure DirectAccess to use force tunneling, requiring all client traffic be routed over the DirectAccess connection, including public Internet traffic. Commonly this is done to ensure that all traffic is logged and, importantly, screened and filtered to enforce acceptable use policy and to prevent malware infection and potential loss of data.

DirectAccess and Force Tunneling

Enabling force tunneling for DirectAccess is not trivial, as it requires an on-premises proxy server to ensure proper functionality when accessing resources on the public Internet. You can find detailed guidance for configuring DirectAccess to use force tunneling here.

NetMotion Mobility and Force Tunneling

With NetMotion Mobility, force tunneling is enabled by default. So, if split tunneling is desired, it must be explicitly configured. Follow the steps below to create a split tunneling policy.

Create a Rule Set

Open the NetMotion Mobility management console and click Policy > Policy Management.
Click New.
Enter a descriptive name for the new rule set.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Create a Rule

Click New.
Enter a descriptive name for the new rule.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Define an Action

Click on the Actions tab.
In the Addresses section check the box next to Allow network traffic for address(es)/port(s).
In the Base section select Pass through all network traffic.

Define the Internal Network

In the Policy rule definition section click the address(es)/port(s) link.
Click Add.
In the Remote Address column select Network Address.
Enter the network prefix and prefix length that corresponds to the internal network.
Click Ok.
Repeat the steps above to add any additional internal subnets, as required.
Click Ok.
Click Save.
Click Save.

Assign the Policy

Click on the Subscribers tab.
Choose a group to assign the policy to. This can be users, groups, devices, etc.
Click Subscribe.
Select the Split Tunneling policy.
Click Ok.

Validation Testing

With split tunneling enabled the NetMotion Mobility client will be able to securely access internal network resources over the Mobility connection, but all other traffic will be routed over the public Internet. To confirm this, first very that internal resources are reachable. Next, open your favor Internet search engine and enter “IP”. The IP address you see should be the IP address of the client, not the on-premises gateway.

Summary

I’ve never been a big fan of force tunneling with DirectAccess. Not only is it difficult to implement (and requires additional infrastructure!) the user experience is generally poor. There are usability issues especially with captive portals for Wi-Fi, and performance often suffers. In addition, enabling force tunneling precludes the use of strong user authentication with one-time passwords.

With NetMotion Mobility, force tunneling is on by default, so no configuration changes are required. The user experience is improved as NetMotion Mobility intelligently recognizes captive portals. Performance is much better too. In addition, NetMotion Mobility is more flexible, allowing for the use of OTP authentication with force tunneling. Also, with NetMotion Mobility force tunneling is not a global setting. You can selectively apply force tunneling to users and/or groups as necessary.

Additional Information

NetMotion Mobility as an Alternative for Microsoft DirectAccess

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

1 Comment

by Richard M. Hicks on April 2, 2018 • Permalink

Posted in DirectAccess, enterprise mobility, Mobility, Multifactor Authentiction, NetMotion, NetMotion Mobility, OTP, Remote Access, Security, VPN, Windows 10, Windows Server 2016

Tagged enterprise mobility, force tunnel, force tunneling, Microsoft, Mobility, NetMotion, NetMotion Mobility, performance, policy, proxy, Remote Access, security, split tunnel, split tunneling, Windows

Posted by Richard M. Hicks on April 2, 2018

https://directaccess.richardhicks.com/2018/04/02/netmotion-mobility-for-directaccess-administrators-split-vs-force-tunneling/

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

DirectAccess clients use the Network Location Server (NLS) for trusted network detection. If the NLS can be reached, the client will assume it is on the internal network and the DirectAccess connection will not be made. If the NLS cannot be reached, the client will assume it is outside the network and it will then attempt to establish a connection to the DirectAccess server.

Critical Infrastructure

DirectAccess NLS availability and reachability is crucial to ensuring uninterrupted operation for DirectAccess clients on the internal network. If the NLS is offline or unreachable for any reason, DirectAccess clients on the internal network will be unable to access internal resources by name until the NLS is once again available. To ensure reliable NLS operation and to avoid potential disruption, the NLS should be highly available and geographically redundant. Close attention must be paid to NLS SSL certificate expiration dates too.

NetMotion Mobility

NetMotion Mobility does not require additional infrastructure for inside/outside detection as DirectAccess does. Instead, Mobility clients determine their network location by the IP address of the Mobility server they are connected to.

Unlike DirectAccess, NetMotion Mobility clients will connect to the Mobility server whenever it is reachable, even if they are on the internal network. There are some advantages to this, but if this behavior isn’t desired, a policy can be created that effectively replicates DirectAccess client behavior by bypassing the Mobility client when the client is on the internal network.

Configuring Trusted Network Detection

Follow the steps below to create a policy to enable trusted network detection for NetMotion Mobility clients.

Create a Rule Set

From the drop-down menu in the NetMotion Mobility management console click Policy and then Policy Management.
Click New.
Enter a descriptive name for the new rule set.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Create a Rule

Click New.
Enter a descriptive name for the new rule.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Define a Condition

Click on the Conditions tab.
In the Addresses section check the box next to When the Mobility server address is address.
In the Policy rule definition section click the equal to address(es) (v9.0) link.
Click Add.
Select Mobility server address.
Select the IP address assigned to the Mobility server’s internal network interface.
Click Ok.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Define an Action

Click on the Actions tab.
In the Passthrough Mode section check the box next to Enable/disable passthrough mode.
Click Save.
Click Save.

Assign the Policy

Click on the Subscribers tab.
Choose a group to assign the policy to. This can be users, groups, devices, etc.
Click Subscribe.
Select the Trusted Network Detection policy.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Validation Testing

The NetMotion Mobility client will connect normally when the client is outside of the network. However, if the Mobility client detects that it is connected to the internal interface of the Mobility server, all network traffic will bypass the Mobility client.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Summary

Trusted network detection can be used to control client behavior based on their network location. Many administrators prefer that connections only be made when clients are outside the network. DirectAccess clients use the NLS to determine network location and will not establish a DirectAccess connection if the NLS is reachable.

NetMotion Mobility trusted network detection relies on detecting the IP address of the Mobility server to which the connection was made. This is more elegant and effective than the DirectAccess NLS, and more reliable too.

Additional Information

Enabling Secure Remote Administrator for the NetMotion Mobility Management Console

NetMotion Mobility Device Tunnel Configuration

Deploying NetMotion Mobility in Azure

1 Comment

by Richard M. Hicks on March 26, 2018 • Permalink

Posted in DirectAccess, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, Remote Access, VPN, Windows 10, Windows Server 2016

Tagged DirectAccess, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, network location server, NLS, Remote Access, trusted network detection, VPN

Posted by Richard M. Hicks on March 26, 2018

https://directaccess.richardhicks.com/2018/03/26/netmotion-mobility-directaccess-trusted-network-detection/

Deploying NetMotion Mobility in Azure

One of the many advantages NetMotion Mobility offers is that it requires no proprietary hardware to deliver its advanced capabilities and performance. It is a software solution that can be installed on any physical or virtual Windows server. This provides great deployment flexibility by allowing administrators to deploy this remote access solution on their existing virtual infrastructure, which is much less costly than investing in dedicated hardware or virtual appliances.

Cloud Deployment

As customers begin moving their traditional on-premises infrastructure to the cloud, it’s good to know that NetMotion Mobility is fully supported in popular public cloud platforms such as Microsoft Azure. Installing and configuring Mobility on a server in Azure requires a few important changes to a standard Azure VM deployment however. Below is detailed guidance for installing and configuring NetMotion Mobility on a Windows Server 2016 virtual machine hosted in the Microsoft Azure public cloud.

Azure Networking Configuration

Before installing the NetMotion Mobility software, follow the steps below to configure the Azure VM with a static public IP address and enable IP forwarding on the internal network interface.

In the Azure management portal, select the NetMotion Mobility virtual machine and click Networking.
Click on the public-facing network interface.
In the Settings section click IP configurations.
In the IP configurations section click on the IP configuration for the network interface.
In the Public IP address setting section click Enabled for the Public IP address.
Click Configure required settings for the IP address.
Click Create New.
Enter a descriptive name and select Static as the assignment method.
Click OK
Click Save.Note: The process of saving the network interface configuration takes a few minutes. Be patient!
Note the public IP address, as this will be used later during the Mobility configuration.
Close the IP address configuration blade.
In the IP forwarding settings section click Enabled for IP forwarding.
Click Save.

NetMotion Mobility Installation

Proceed with the installation of NetMotion Mobility. When prompted for the external address, enter the public IP address created previously.

Deploying NetMotion Mobility in Azure

Next choose the option to Use pool of virtual IP addresses. Click Add and enter the starting and ending IP addresses, subnet prefix length, and default gateway and click OK.

Deploying NetMotion Mobility in Azure

Complete the remaining NetMotion Mobility configuration as required.

Azure Routing Table

A user defined routing table must be configured to ensure that NetMotion Mobility client traffic is routed correctly in Azure. Follow the steps below to complete the configuration.

In the Azure management portal click New.
In the Search the Marketplace field enter route table.
In the results section click Route table.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to add a route to the route table.

In the Settings sections click Routes.
Click Add.
Enter a descriptive name.
In the Address prefix field enter the subnet used by mobility clients defined earlier.
Select Virtual appliance as the Next hop type.
Enter the IP address of the NetMotion Mobility server’s internal network interface.
Click OK.
Click Subnets.
Click Associate.
Click Choose a virtual network and select the network where the NetMotion Mobility gateway resides.
Click Choose a subnet and select the subnet where the NetMotion Mobility gateway’s internal network interface resides.
Click OK.

Note: If clients connecting to the NetMotion Mobility server need to access resources on-premises via a site-to-site gateway, be sure to associate the route table with the Azure gateway subnet.

Azure Network Security Group

A network security group must be configured to allow inbound UDP port 5008 to allow external clients to reach the NetMotion Mobility gateway server. Follow the steps below to create and assign a network security group.

In the Azure management portal click New.
In the Search the Marketplace field enter network security group.
In the results section click Network security group.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to configure the network security group.

In the Settings section click Inbound security rules.
Click Add.
Enter 5008 in the Destination port ranges field.
Select UDP for the protocol.
Select Allow for the action.
Enter a descriptive name.
Click OK.
Click Network Interfaces.
Click Associate.
Select the external network interface of the NetMotion Mobility gateway server.

Summary

After completing the steps above, install the client software and configure it to use the static public IP address created previously. Alternatively, configure a DNS record to point to the public IP address and specify the Fully Qualified Domain Name (FQDN) instead of the IP address itself.

Additional Resources

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility as an Alternative to Microsoft DirectAccess

NetMotion Mobility and Microsoft DirectAccess Comparison Whitepaper

NetMotion and Microsoft DirectAccess On-Demand Webinar

5 Comments

by Richard M. Hicks on February 8, 2018 • Permalink

Posted in Azure, cloud, NetMotion, NetMotion Mobility, Remote Access, Security, VPN, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on February 8, 2018

https://directaccess.richardhicks.com/2018/02/08/deploying-netmotion-mobility-in-azure/

Enabling Secure Remote Administration for the NetMotion Mobility Console

During the initial setup of a NetMotion Mobility gateway server, the administrator must choose to allow either Secure (HTTPS) or Non-secure (HTTP) connections when using the web-based Mobility Console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Configuring HTTPS

Security best practices dictate HTTPS should be enabled to protect credentials used to log on to the gateway remotely. Immediately after selecting the Secure (https:) option, the administrator is prompted to enter server certificate information. Enter this information and click OK to continue and complete the rest of the configuration as necessary.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Self-Signed Certificate

When logging in to the Mobility console, the administrator is presented with a certificate error indicating there is a problem with the website’s security certificate. This is because the certificate is self-signed by the NetMotion Mobility gateway server and is not trusted.

PKI Issued Certificate

The recommended way to resolve this is to request a certificate from a trusted certification authority (CA). To do this, open the Mobility Management Tool on the Mobility gateway server and click on the Web Server tab.

Click on the Server Certificate button and then click New in the Certificate Request section.

In the SAN (subject alternative name) field of the Optional Extension section enter the Fully Qualified Domain Name (FQDN) of the server using the syntax dns:fqdn. Include both the FQDN and the single-label hostname (short name) separated by a comma to ensure both names work without issue. For example:

dns:nm1.lab.richardhicks.net,dns:nm1

Enabling Secure Remote Administration for the NetMotion Mobility Console

Before requesting a certificate from a CA, the root and any intermediate CA certificates must first be imported. Click the Import button next to each, as required.

Click Copy in the Certificate Request section to copy the Certificate Signing Request (CSR) to the clipboard and then save it to a text file. Now submit the CSR to be signed by the CA using the certreq.exe command. Open an elevated command or PowerShell window and enter the following commands.

certreq.exe -attrib “CertificateTemplate:[TemplateName]” -submit [Path_to_CSR_file]

For example:

certreq.exe -attrib “CertificateTemplate:LabWebServer” -submit certreq.txt

Select a CA from the list and click OK, then save the certificate response when prompted.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click Response and specify the location of the certificate response file saved in the previous step.

Once complete, the newly issued certificate will be in place. Click Close to complete the process.

Click Yes when prompted to restart the Mobility console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Trusted Certificate

Opening the Mobility Console no longer produces a certificate error message with a certificate installed from a trusted CA.

In addition, if you followed the guidance above and included the single-label hostname in the SAN field, accessing the server using the short name will also work without issue.

Summary

Always select the option to use HTTPS to ensure the highest level of security and protection of credentials when remotely administering a NetMotion Mobility gateway server. For optimal security and to provide the best user experience, use a certificate issued and managed by a trusted CA to prevent certificate errors when opening the Mobility console.

Additional Information

NetMotion Mobility as an Alternative to DirectAccess

NetMotion Mobility Device Tunnel Configuration

Comparing NetMotion Mobility and DirectAccess Part 1 – Security

Comparing NetMotion Mobility and DirectAccess Part 2 – Performance

DirectAccess and NetMotion Mobility Webinar

3 Comments

by Richard M. Hicks on February 1, 2018 • Permalink

Posted in Encryption, NetMotion, NetMotion Mobility, Remote Access, Security, SSL and TLS, Windows Server 2012 R2, Windows Server 2016

Tagged CA, certificate, certificates, Certification Authority, HTTPS, management, Mobility, NetMotion, NetMotion Mobility, PKI, Remote Access, remote management, SSL, TLS

Posted by Richard M. Hicks on February 1, 2018

https://directaccess.richardhicks.com/2018/02/01/enabling-secure-remote-administration-for-the-netmotion-mobility-console/

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility Device Tunnel Configuration In its default configuration, NetMotion Mobility connections are established at the user level. In most cases this level of access is sufficient, but there are some common uses cases that require VPN connectivity before the user logs on. Examples include provisioning a new device to a user who has never logged on before, or to allow support engineers to connect to a remote device without requiring a user to log in first.

Infrastructure Requirements

To support NetMotion Mobility’s “unattended mode” (device tunnel) it will be necessary to deploy a Windows Server 2016 (or 2012R2) Network Policy Server (NPS). In addition, an internal private certification authority (CA) will be required to issue certificates to the NPS server and all NetMotion Mobility client computers.

Client Certificate Requirements

A certificate with the Client Authentication Enhanced Key Usage (EKU) must be provisioned to the local computer certificate store on all NetMotion Mobility clients that require a device tunnel (figure 1). The subject name on the certificate must match the fully qualified domain name of the client computer (figure 2). It is recommended that certificate auto enrollment be used to streamline the provisioning process.

NetMotion Mobility Device Tunnel Configuration

Figure 1. Computer certificate with Client Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 2. Computer certificate with subject name matching the client computer’s hostname.

NPS Server Certificate Requirements

A certificate with the Server Authentication EKU must be provisioned to the local computer certificate store on the NPS server (figure 3). The subject name on the certificate must match the fully qualified domain name of the NPS server (figure 4).

NetMotion Mobility Device Tunnel Configuration

Figure 3. Computer certificate with Server Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 4. Computer certificate with subject name matching the NPS server’s hostname.

NPS Server Configuration

Next install the NPS server role by running the following PowerShell command.

Install-WindowsFeature NPAS -IncludeMamagementTools

Once complete, open the NPS server management console and perform the following steps.

Note: Below is a highly simplified NPS configuration designed for a single use case. It is provided for demonstration purposes only. The NPS server may be used by more than one network access server (NAS) so the example policies included below may not work in every deployment.

Expand RADIUS Clients and Servers.
Right-click RADIUS clients and choose New.
Select the option to Enable this RADIUS client.
Enter a friendly name.
Enter the IP address or hostname of the NetMotion gateway server.
Click Verify to validate the hostname or IP address.
Select Manual to enter a shared secret, or select Generate to create one automatically.
Copy the shared secret as it will be required when configure the NetMotion Mobility gateway server later.
Click OK.
Expand Policies.
Right-click Network Policies and choose New.
Enter a descriptive name for the new policy.
Select Type of network access server and choose Unspecified.
Click Next.
Click Add.
Select Client IPv4 Address.
Click Add.
Enter the internal IPv4 address of the NetMotion Mobility gateway server.
Click OK.
Click Next.
Select Access granted.
Click Next.
Click Add.
Choose Microsoft: Protected EAP (PEAP).
Click OK.
Select Microsoft: Protected EAP (PEAP).
Click Edit.
Choose the appropriate certificate in the Certificate issued to drop down list.
Select Secure password (EAP-MSCHAP v2).
Click Remove.
Click Add.
Choose Smart Card or other certificate.
Click OK.
Select Smart Card or other certificate.
Click Edit.
Choose the appropriate certificate in the Certificate issued to drop down list.
Click OK.
Uncheck all options beneath Less secure authentication methods.
Click Next three times.
Click Finish.

Mobility Server Configuration

Open the NetMotion Mobility management console and perform the following steps.

In the drop-down menu click Configure.
Click Authentication Settings.
Click New.
Enter a descriptive name for the new authentication profile.
Click OK.
Expand Authentication.
Select Mode.
Select Unattended Mode Authentication Setting Override.
From the Authentication mode drop-down box choose Unattended.
Click Apply.
Expand RADIUS: Device Authentication.
Select Servers.
Select [Profile Name] Authentication Setting Override.
Click Add.
Enter the IP address of the NPS server.
Enter the port (default is 1812).
Enter the shared secret.
Click OK.
In the drop-down menu click Configure.
Click Client Settings.
Expand Device Settings.
Select the device group to enable unattended mode for.
Expand Authentication.
Select Settings Profile.
Select [Device Group Name] Group Settings Override.
In the Profile drop-down menu choose the authentication profile created previously.
Click Apply.

Validation Testing

If everything is configured correctly, the NetMotion Mobility client will now indicate that the user and the device have been authenticated.

NetMotion Mobility Device Tunnel Configuration

Summary

Enabling unattended mode with NetMotion Mobility provides feature parity with DirectAccess machine tunnel and Windows 10 Always On VPN device tunnel. It ensures that domain connectivity is available before the user logs on. This allows users to log on remotely without cached credentials. It also allows administrators to continue working seamlessly on a remote computer after a reboot without having a user present to log on.

Additional Resources

NetMotion Mobility as an Alternative to DirectAccess

4 Comments

by Richard M. Hicks on January 11, 2018 • Permalink

Posted in Manage Out, NetMotion, NetMotion Mobility, PowerShell, Remote Access, Security, SSL and TLS, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 11, 2018

https://directaccess.richardhicks.com/2018/01/11/netmotion-mobility-device-tunnel-configuration/

Microsoft Ignite Conference 2017

Will you be attending the Microsoft Ignite conference in Orlando, FL next week? Let’s connect! I’m not giving any talks this year, so I will be spending most of my time with the folks at Pointsharp in their booth in the expo hall. Want to talk security, remote access, multifactor authentication, load balancing/application delivery, PKI, or anything else? Stop by and say hi! Follow me on Twitter @richardhicks for live updates. In addition, I’ll be hosting a happy hour event with NetMotion on Tuesday, September 26 at 6PM at the Rocks lounge in the Hyatt Regency hotel just across the street from the conference center. Be sure to drop in and say hello! Hope to see you there!

Microsoft Ignite 2017

Richard M. Hicks Consulting, Inc.

Consulting

Connect

Mailing List

@richardhicks

Facebook

RSS Feed

Archives

Categories

Tag Cloud

All posts in category NetMotion

Comparing DirectAccess and NetMotion Mobility – Australia and New Zealand

Comparing DirectAccess and NetMotion Mobility Webinar – October 2018

Comparing DirectAccess and NetMotion Mobility

NetMotion Mobility

Comparing DirectAccess and NetMotion Mobility

NetMotion Mobility in Action

DirectAccess Alternative

Learn More

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

Microsoft Ignite Conference 2017

DirectAccess Book

NetMotion Mobility

Kemp Technologies

Recent Posts

Always On VPN Resources

DirectAccess Resources

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

Tag Cloud

All posts in category NetMotion

Windows Server

Azure Gateway

VPN Gateway

Virtual WAN

Virtual Appliance

Hybrid Deployments

NetMotion Mobility

Summary

Additional Information

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

NetMotion Mobility

Comparing DirectAccess and NetMotion Mobility

NetMotion Mobility in Action

DirectAccess Alternative

Learn More

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

NetMotion Mobility

Kemp Technologies

Recent Posts

Always On VPN Resources

DirectAccess Resources