All posts in category Operational Support

Always On VPN and Interface Metrics

Always On VPN DNS Registration Update Available

In Windows, each network interface identified by the operating system is assigned a metric value. Interface metrics are settings that determine the priority or preference of network interfaces when there are multiple active network connections. The Windows networking stack uses these metrics to determine which network interface should be used for routing traffic when multiple network interfaces are available. Network interface metrics are critical for Always On VPN administrators to understand because they can impact how name resolution requests are processed when an Always On VPN connection is established.

Metric Values

By default, Windows automatically assigns metric values to network interfaces (including VPN interfaces) based on various factors, including the connection speed, link state, and interface type. It tries to select the most suitable interface for general internet connectivity.

Metrics and DNS

Windows will also use the network interface with the lowest metric value as the preferred interface for sending DNS queries by default. This means that DNS queries will be routed through the network interface with the lowest metric value, assuming it is available and connected. When an Always On VPN connection is established, DNS queries may fail or return unexpected results if the network interface metrics are not configured optimally.

Split DNS and Wired Ethernet

Split DNS (sometimes called ‘split brain DNS’) is when the DNS namespace is the same internally and externally. The most common scenario where interface metric settings interfere with DNS operation is when using split DNS and the endpoint is connected to the Internet with a wired Ethernet connection. In this scenario, the Ethernet interface will be assigned the same or lower interface metric value as the Always On VPN interface, which can yield unexpected results.

Viewing Metrics

Always On VPN administrators can view currently assigned interface metric values by running the following PowerShell command.

Get-NetIpInterface

Assigning Metrics

Most Always On VPN administrators will never have to change interface metric settings. However, if your implementation uses split DNS and some of your endpoints connect using wired Ethernet connections, you may need to update the interface metric settings to ensure proper DNS operation. Choose a setting for the interface metric value that is lower than the wired Ethernet interface. I’ve used a value of ‘3’ without issue for many years. Use one of the following methods to update the interface metric for Always On VPN connections.

PowerShell

Updating interface metric settings in Windows can be accomplished by running the Set-NetIpInterface PowerShell command.

Set-NetIpInterface -InterfaceAlias <connection name> -InterfaceMetric 3

Note: Using PowerShell to assign the interface metric is not persistent! While this method is suitable for local validation testing, you should use one of the following methods to implement this change permanently.

Rasphone.pbk

To assign the interface metric permanently, Always On VPN administrators can edit the following settings in the rasphone.pbk configuration file.

IpInterfaceMetric=3

Ipv6InterfaceMetric=3

Administrators can automate updating this setting using the Update-Rasphone.ps1 PowerShell script. In addition, the following scripts can be used with Microsoft Intune remediation.

Detect-DeviceIpv4InterfaceMetric.ps1

Remediate-DeviceIpv4InterfaceMetric.ps1

Detect-DeviceIpv6InterfaceMetric.ps1

Remediate-DeviceIpv6InterfaceMetric.ps1

Detect-Ipv4InterfaceMetric.ps1

Remediate-Ipv4InterfaceMetric.ps1

Detect-Ipv6InterfaceMetric.ps1

Remediate-Ipv6InterfaceMetric.ps1

DPC

Organizations using PowerON Platforms’ Dynamic Profile Configurator (DPC) to manage Always On VPN client configuration settings with Active Directory and group policy or Microsoft Intune can enable the VPN Tunnel Metric setting.

Additional Information

Get-NetIpInterface PowerShell Command

Set-NetIpInterface PowerShell Command

Managing Always On VPN Client Settings with DPC

Always On VPN DPC with Microsoft Intune

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstration

PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)

7 Comments
by Richard M. Hicks on September 25, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, device tunnel, DNS, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, Infrastructure, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Name Resolution, Operational Support, PowerShell, ProfileXML, Remote Access, Split DNS, split tunnel, split tunneling, systems management, user tunnel, VPN, Windows 10, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 25, 2023

https://directaccess.richardhicks.com/2023/09/25/always-on-vpn-and-interface-metrics/

Windows Server 2012 and 2012 R2 End of Life

DirectAccess on Microsoft Windows

I want to remind you of a critical upcoming milestone that may affect your business. In just 60 days, we will reach the end of support for Windows Server 2012 and Windows Server 2012 R2. As of October 10, 2023, these operating systems will no longer receive security updates or technical support from Microsoft.

End of Support

End of support means your servers will be more vulnerable to security risks and potential threats. It is essential to take action now to ensure your IT infrastructure’s continued security and stability. Upgrading to newer, supported operating systems will protect your data and systems from potential cyber threats and provide access to enhanced features and performance improvements.

Don’t Wait

Now is the time to migrate those remaining workloads for those still running Windows Server 2012 and 2012 R2! Consider the following commonly deployed services that may still be running on Windows Server 2012 or 2012 R2 in your organization.

Remote Access – Windows Server Routing and Remote Access Service (RRAS) is commonly deployed to provide secure remote access for field-based workers. In addition, Absolute Secure Access (formerly NetMotion Mobility) is a widely implemented premium alternative to RRAS. Organizations may be hesitant to migrate these workloads because disrupting remote workers is painful.

DirectAccess – This remote access technology is widely deployed and extremely difficult to migrate. In addition, the complex nature of DirectAccess, with its many intricate interdependencies, poses a significant challenge to organizations migrating this role.

PKI – This is likely the most common enterprise service to be found running on Windows Server 2012 and 2012R2. Most organizations relying on Windows Active Directory Certificate Services (AD CS) to issue and manage enterprise certificates are reluctant to move this workload once it is deployed. This service is much easier to migrate than you might think! It can be done without disruption as well.

Consulting Services

We understand that upgrading might require careful planning and coordination, and our team is here to support you throughout the transition process. Don’t delay – take this opportunity to safeguard your organization’s data and systems by upgrading to the latest Windows Server version or exploring cloud-based solutions.

Get In Touch

Please don’t hesitate to contact us for further assistance or any questions regarding the upgrade process. Together, let’s ensure your business remains secure and productive. You can get started today by booking a free one-hour consultation to discuss your migration strategy. Just fill out the form below and I’ll provide more information.

Leave a comment
by Richard M. Hicks on August 14, 2023  •  Permalink
Posted in Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, Certificate Services, certificates, DirectAccess, end of life, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PKI, Professional Services, public key infrastructure, Remote Access, RRAS, Security, VPN, Windows Server 2012, Windows Server 2012 R2
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 14, 2023

https://directaccess.richardhicks.com/2023/08/14/windows-server-2012-and-2012-r2-end-of-life/

Always On VPN Windows 11 Status Indicator

Viewing the status of an Always On VPN connection has been challenging since the introduction of this technology. To see if an Always On VPN connection is active, users must proactively click on the network status icon in the system tray to view the current connection status. Optionally, users can use the Settings application in Windows and select the Network & Internet tab to view the Always On VPN connection status. Further, there were no options to see VPN status in the system tray natively if the user is using a consumer VPN such as Proton VPN.

New Status Indicator

Always On VPN administrators will be happy to hear that Microsoft recently introduced a new VPN status indicator for Windows 11. Beginning with the July 2023 cumulative update (KB5028185), users will begin to see a new network status icon (a small shield) on the network connectivity indicator on the system tray in Windows. Microsoft calls this new feature “glanceable VPN“.

Source: https://blogs.windows.com/windowsexperience/2023/05/23/announcing-new-windows-11-innovation-with-features-for-secure-efficient-it-management-and-intuitive-user-experience/

Consumer VPN

While this new VPN status indicator is helpful for Always On VPN deployments, it is not limited to Always On VPN. The VPN status indicator will also display the lock icon in the system tray when the device is connected to any recognized VPN. The new VPN status indicator will include third-party enterprise VPN clients as well as some consumer VPNs.

Additional Information

Windows 11 July 2023 Update KB5028185

Always On VPN Device Tunnel Status Indicator

2 Comments
by Richard M. Hicks on July 20, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Microsoft, Mobility, NCSI, network connectivity status indicator, Operational Support, Remote Access, Security, Security Update, Update, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 20, 2023

https://directaccess.richardhicks.com/2023/07/20/always-on-vpn-windows-11-status-indicator/

« Older Posts
Newer Posts »
%d bloggers like this: