All posts in category routing and remote access service

Configure Entra Conditional Access for Always On VPN

Recently, I wrote about Microsoft Always On VPN and Entra Conditional Access and how conditional access improves your organization’s security posture by making policy-based access decisions based on various signals such as user identity, location, device compliance, platform, sign-in risk, and more. In this post, I’ll provide step-by-step instructions for integrating Entra Conditional Access with existing Always On VPN deployments.

Requirements

To use Microsoft Entra Conditional Access with Always On VPN you must have Entra ID P1 at a minimum. To use advanced features such as risk-based policy assessment, you must have Entra ID P2. In addition, all endpoints must be under Intune management; either native Entra ID joined, or hybrid Entra ID joined.

Enable VPN Support

To begin, open the Microsoft Entra admin center (https://entra.microsoft.com/), navigate to Identity > Protection > Conditional Access, and perform the following steps.

  1. Click VPN Connectivity.
  2. Click New certificate.
  3. From the Select duration drop-down list, choose an appropriate certificate validity period.
  4. Click Create.

Once complete, click Download certificate and copy the certificate file to a domain-joined system on-premises.

Publish Certificate

Next, administrators must publish the Entra VPN root certificate in Active Directory to support domain authentication. Open an elevated PowerShell or command window and run the following commands.

certutil.exe -dspublish -f <path to certificate file> RootCA

certutil.exe -dspublish -f <path to certificate file> NtAuthCA

Note: You must be a domain administrator to perform this task.

Conditional Access Policy

Navigate to Identity > Protection > Conditional Access and click Policies, then perform the following steps to create a conditional access policy for VPN access.

  1. Click New Policy.
  2. Enter a descriptive name for the new policy.
  3. Click the link in the Target resources section.
  4. From the Select what this policy applies to drop-down list, select Resources (formerly cloud apps).
  5. In the Include section, choose Select resources.
  6. Click the link in the Select section.
  7. Enter VPN in the search field.
  8. Check the box next to VPN Server.
  9. Click Select.
  10. Click the link in the Grant section.
  11. Select Grant access.
  12. Check the box next to Require device to be marked as compliant.
  13. Click Select.
  14. On the Enable policy slider, select On.
  15. Click Create.

NPS

Changes to Network Policy Server (NPS) policy and configuration are required to support Always On VPN with Entra Conditional Access.

NPS Policy

To update the Always On VPN network policy to support Entra Conditional Access, open the NPS management console (nps.msc), expand Policies, then select Network Policies and perform the following steps.

  1. Right-click on the Always On VPN policy and choose Properties.
  2. Select the Settings tab.
  3. Select Vendor Specific in the RADIUS Attributes section.
  4. Click Add.
  5. Select the Allowed-Certificate-OID attribute.
  6. Click Add.
  7. Click Add.
  8. Enter 1.3.6.1.4.1.311.87 in the Attribute value field.
  9. Click Ok.
  10. Click Ok.
  11. Click Close.
  12. Click Ok.

Important Note: This change will block new Always On VPN user tunnel connections until you update the client configuration. When integrating an existing Always On VPN implementation with Entra Conditional Access, consider creating a new NPS policy and corresponding security group to migrate users to conditional access seamlessly.

NPS Configuration

By default, NPS will perform revocation checks for certificates used for domain authentication. However, Entra Conditional Access uses short-lived certificates (one-hour lifetime) that do not include CRL Distribution Point (CDP) information. Therefore, administrators must change the NPS server configuration to disable revocation checking for certificates lacking this information.

To do this, open the registry editor (regedit.exe) and create a new registry key with the following settings.

Key: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: IgnoreNoRevocationCheck
Type: DWORD
Value: 1

You can also run the following PowerShell command to implement this change.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, the server must be rebooted for the change to take effect.

Client Configuration

After making all required changes to the supporting infrastructure, you must also update the  Always On VPN client configuration to leverage Entra Conditional Access. Changes to client configuration vary depending on the method used to deploy and manage Always On VPN client configuration settings.

Intune

When using Microsoft Intune and the native VPN policy type to deploy and manage Always On VPN client configuration settings, perform the following steps to update the VPN configuration to include Entra Conditional Access support.

  1. Open the Microsoft Intune admin center (https://intune.microsoft.com/) and navigate to Devices > Configuration.
  2. Click on the Always On VPN policy.
  3. Click Edit next to Configuration settings.
  4. Expand the Conditional Access section.
  5. Click Enable next to Conditional access for this VPN connection.
  6. Click Enable next to Single sign-on (SSO) with alternate certificate.
  7. Enter Client Authentication in the Name field.
  8. Enter 1.3.6.1.5.5.7.3.2 in the Object Identifier field.
  9. Enter the organization’s root certification authority (CA) certificate thumbprint in the Issuer hash field.

XML

When using a custom XML configuration file for Always On VPN client configuration settings deployed using Intune or PowerShell, edit the XML file, remove the existing <TLSExtensions></TLSExtensions> section, and replace it with the following.

In addition, add the following code between the <VPNProfile></VPNProfile> tags after <TrustedNetworkDetection>.

Note: You will find a sample XML configuration file you can copy and paste from on GitHub here.

DPC

When using Always On VPN Dynamic Profile Configurator (DPC) for managing Always On VPN client configuration settings, open the DPC group policy and navigate to Computer Configuration > Policies > Administrative Templates > DPC Client > User Tunnel Settings > Advanced and perform the following steps.

  1. Double-click Optional – Device Compliance Settings.
  2. Select Enabled.
  3. Enter 1.3.6.1.5.5.7.3.2 in the Certificate EKU OID field.
  4. Enter the organization’s root certification authority (CA) certificate thumbprint in the Certificate Issuer Hash field.
  5. Click Ok.

Not using DPC? You’re missing out! Learn more about Always On VPN DPC here.

Video

I’ve published a demonstration video for enabling Microsoft Entra ID Conditional Access with Always On VPN on YouTube. You can find the video here.

Summary

Following the guidance in this post to integrate Entra Conditional Access with Always On VPN can significantly improve your organization’s security posture. In the example above, the conditional access policy is a basic one. Yet, it dramatically reduces the attack surface for your remote access infrastructure by ensuring only compliant devices can establish a VPN connection.

Administrators can use advanced conditional access policy settings to strengthen the VPN’s security further by performing additional checks, such as requiring strong, phishing-resistant credentials and requesting multifactor authentication (MFA) for risky sign-ins.

Additional Information

Always On VPN and Entra Conditional Access

Drawback of Multifactor Authentication

Understanding Enterprise Public Key Infrastructure (PKI)

Digital Certificates for Strong Authentication

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Open Source

Leave a comment
by Richard M. Hicks on February 17, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MF, Azure MFA, Azure VPN, cloud, Cloud Service, Compliance, Conditional Access, Deployment, Device Management, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, GitHub, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, InTune, MDM, MFA, Microsoft, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, network policy server, NPS, Operational Support, PowerShell, public cloud, Remote Access, routing and remote access service, RRAS, Security, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 17, 2025

https://directaccess.richardhicks.com/2025/02/17/configure-entra-conditional-access-for-always-on-vpn/

Always On VPN Security Updates February 2025

After a few months without any security updates directly affecting Microsoft Always On VPN administrators, the February 2025 security updates include fixes for two vulnerabilities in Windows Server Routing and Remote Access Service (RRAS) servers, commonly deployed to support Always On VPN.

RRAS Updates

This month’s updates for Windows Server RRAS cover the following publicly announced CVEs.

Importance

Both updates are for heap-based buffer overflow Remote Code Execution (RCE) vulnerabilities. These vulnerabilities are rated as important and require user interaction to execute, making exploitation less likely.

KB5014754

Importantly, this month’s release enables full enforcement of strong certificate mapping on Windows domain controllers by default. Full enforcement for strong certificate mapping was first introduced with Microsoft security update KB5014754. I’ve written about this recently, so hopefully, everyone is prepared! If your Always On VPN connections begin to fail after applying the February 2025 security updates to your domain controllers, your certificates may not be strongly mapped. Fortunately, there’s a workaround. You can learn more here.

Additional Information

Microsoft February 2025 Security Updates

Strong Certificate Mapping Enforcement February 2025

KB5014754 Certificate-based Authentication Changes on Windows Domain Controllers

Leave a comment
by Richard M. Hicks on February 11, 2025  •  Permalink
Posted in Always On VPN, AOVPN, Microsoft, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on February 11, 2025

https://directaccess.richardhicks.com/2025/02/11/always-on-vpn-security-updates-february-2025/

Always On VPN Windows Server 2025 Binding Handle is Invalid Error

Microsoft released Windows Server 2025 late last year. I’ve been doing extensive testing with the Routing and Remote Access (RRAS) role, commonly deployed to support Always On VPN client connections. I heavily use automation to deploy VPN servers in my lab and for large customer deployments, and after deploying some new Windows Server 2025 machines, I encountered the “binding handle is invalid” error message when running specific commands.

VPN Ports

By default, Windows Server RRAS enables IKEv2 for Remote Access (RAS) and SSTP for RAS and Routing. Each is provisioned with 128 ports. Often, these settings are updated because there are not enough ports to support expected concurrent connections. Also, SSTP should not be enabled for Routing as it is not required, and PPPoE is enabled for Routing, which is also not required. The best practice is to disable any protocols and services that are not being used.

Although updating these settings can be updated in the GUI (rrasmgmt.msc), automating these changes requires command line configuration.

Netsh

Here’s the command to configure additional SSTP ports and disable Routing using netsh.exe.

netsh.exe ras set wanports device = “WAN Miniport (SSTP)” rasinonly = enabled ddinout = disabled ddoutonly = disabled maxports = 500

However, running this command returns the following error message.

“The binding handle is invalid.”

PowerShell

You might be wondering why we don’t use PowerShell for these tasks. Sadly, not all these settings are exposed via PowerShell. For example, with the native Set-VpnServerConfiguration PowerShell command, you can set the number of ports for IKEv2, SSTP, L2TP, and GRE. However, you cannot turn these protocols on or off entirely as you can with netsh.exe commands.

Here’s an example of setting up VPN server port configuration using PowerShell.

Set-VpnServerConfiguration -SstpPorts 500 -Ikev2Ports 500 -PassThru

Note: You must restart the server (not just the RemoteAccess service) when increasing the number of ports beyond the default setting of 128.

Set-VpnServerConfiguration does not support configuration for PPTP. However, PPTP is disabled by default on Windows Server 2025.

Backup and Restore

This issue will also impede the ability to back and restore the RRAS configuration using netsh.exe. You can back up the RRAS configuration by running the following command.

netsh.exe ras dump | Out-File rasconfig.txt -Encoding ascii

You can restore the configuration by running the following command.

netsh.exe exec .\rasconfig.txt

However, you will receive “binding handle is invalid” error when running this command.

AovpnTools

Be advised that the following functions in my AovpnTools PowerShell module use netsh.exe commands that will return the “binding handle is invalid” error message when configuring Windows Server 2025 servers.

Workaround

Until Microsoft resolves this issue, administrators must use a combination of the native PowerShell commands and manual configuration using the Routing and Remote Access management console (rrasmgmt.msc) to implement these settings changes. When backing up and restoring the RRAS configuration, additional configuration will be required after configuration import to ensure the VPN server port configuration is configured correctly.

Additional Information

Always On VPN PowerShell Module on GitHub

Leave a comment
by Richard M. Hicks on January 13, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Infrastructure, L2TP, Microsoft, Mobility, PowerShell, PPTP, Remote Access, routing, routing and remote access service, RRAS, Security, troubleshooting, VPN, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 13, 2025

https://directaccess.richardhicks.com/2025/01/13/always-on-vpn-windows-server-2025-binding-handle-is-invalid-error/

« Older Posts