Always On VPN RRAS and Stale Connections

Always On VPN Updates for RRAS and IKEv2

Always On VPN administrators may be familiar with an issue that affects Windows Server Routing and Remote Access Service (RRAS) servers, where many stale VPN connections appear in the list of active connections. The issue is most prevalent when using IKEv2, either for the Always On VPN device tunnel or the user tunnel. Typically, this does not cause problems, but some administrators have reported issues related to port exhaustion or failed IKEv2 connections when many stale connections are present. Stale connections happen so frequently that I created a PowerShell script to clean them up on the RRAS server. Restarting the RemoteAccess service or rebooting the server also clears stale connections.

Microsoft Fix

Thankfully, Microsoft has addressed these issues in Windows Server 2019 and Windows Server 2022 this month. An update is now available in the March 2023 security update that resolves this problem.

You can find more information about the updates here.

The update was not made available for Windows Server 2016, however. Organizations are encouraged to upgrade to Windows Server 2019 or later to address this problem.

Additional Information

Always On VPN Updates for RRAS and IKEv2

Always On VPN IKEv2 Load Balancing and NAT

Always On VPN and IKEv2 Fragmentation

Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

Always On VPN NPS and PEAP Vulnerabilities

The February 2023 security updates for Windows Server address multiple vulnerabilities that affect Microsoft Always On VPN administrators. This latest update addresses multiple critical and important vulnerabilities in the Network Policy Server (NPS), commonly used to perform RADIUS authentication for Always On VPN servers. Specifically, there are several Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities with Protected Extensible Authentication Protocol (PEAP). PEAP with user authentication certificates is the authentication protocol of choice for Always On VPN user tunnel authentication.

Vulnerabilities

The following is a list of vulnerabilities in PEAP addressed in the February 2023 security update.

  • CVE-2023-21689Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21690Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21691Microsoft PEAP Information Disclosure vulnerability (important)
  • CVE-2023-21692Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21695Microsoft PEAP Remote Code Execution Vulnerability (important)
  • CVE-2023-21701Microsoft PEAP Denial of Service Vulnerability (important)

Mitigation

Unauthenticated attackers can exploit the RCE vulnerabilities in PEAP on Microsoft Windows NPS servers. However, NPS servers should not be exposed directly to the Internet and would require an attacker to have access to the internal network already. However, administrators are advised to apply this update to their NPS servers as soon as possible. In addition, organizations that deploy the NPS role on enterprise domain controllers should update immediately.

Additional Information

February 2023 Update for Windows Server 2022 (KB5022842)

February 2023 Update for Windows Server 2019 (KB022840)

February 2023 Update for Windows Server 2016 (KB5022838)

%d bloggers like this: