Always On VPN SSTP and HSTS

HTTP Strict Transport Security (HSTS) is a feature commonly used by websites to protect against protocol downgrade attacks, where an attacker forces the use of insecure HTTP instead of HTTPS. If successful, the attacker can intercept unencrypted communication between the client and the web server. This is undesirable for obvious reasons. As such, web server administrators implement an HTTP response header named Strict-Transport-Security with some additional settings that instruct the user agent, in this case, a web browser, to only use secure HTTPS when communicating with the web server. Attempts to use HTTP will not work.

VPN and SSTP

As security is always a top concern when building an Always On VPN infrastructure, careful attention must be paid to VPN protocol configuration to ensure optimal security. Secure Socket Tunneling Protocol (SSTP) is a popular VPN protocol for Always On VPN user tunnel connections. SSTP uses Transport Layer Security (TLS) for encryption, so administrators are encouraged to implement recommended security configurations, such as disabling insecure protocols like TLS 1.0 and TLS 1.1 and optimizing TLS cipher suites as described here.

SSTP with HSTS

It would seem that enabling HSTS on a Windows RRAS VPN server would be ideal for improving SSTP security. However, that’s not the case. HSTS prevents protocol downgrade attacks from HTTPS to HTTP, but SSTP already uses HTTPS exclusively, making the use of HSTS irrelevant. If an attacker attempted a protocol downgrade attack on an SSTP VPN connection, it would fail because the service does not support HTTP between the client and the VPN gateway. Additionally, even if it were possible to configure RRAS to send an HSTS response header, it would be ignored by the client because the user agent is not a web browser.

Additional Information

Always On VPN SSTP Security Configuration

Always On VPN SSTP and TLS 1.3

Always On VPN SSTP Certificate Renewal

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Certificate Binding Error

SSL and TLS Training for Always On VPN Administrators

SSL and TLS Training for Always On VPN Administrators

Understanding Transport Layer Security (TLS) is essential for Always On VPN administrators. TLS (formerly Security Sockets Layer, or SSL) is used not only for Secure Socket Tunneling Protocol (SSTP), the protocol of choice for the Always On VPN user tunnel in most deployments, but many other technologies such as secure websites and email, Remote Desktop Protocol (RDP), secure LDAP (LDAPS), and many more. High-quality, affordable TLS training is challenging to find, however.

UPDATE! This course has been further discounted for a limited time. Details below!

Practical TLS

Thankfully, Ed Harmoush from Practical Networking has a fantastic training course called Practical TLS that meets these requirements. It is the most comprehensive TLS training course I’ve seen and is surprisingly affordable too!

Course Content

The Practical TLS training course includes the following modules.

  • Module 1 – SSL/TLS Overview (free preview!)
  • Module 2 – Cryptography
  • Module 3 – x509 Certificates and Keys
  • Module 4 – Security through Certificates
  • Module 5 – Cipher Suites
  • Module 6 – SSL/TLS Handshake
  • Module 7 – TLS Defenses

TLS 1.3

The Practical TLS training course does not yet include a module on the newest TLS protocol, TLS 1.3. However, it is due out imminently! Ed is working on the content as we speak, and a preview module is included in the course today. Look for the final TLS 1.3 module soon.

Bonus Content

In addition to excellent TLS training, the course includes free OpenSSL training! Administrators working with certificates in non-Microsoft environments are sure to find this helpful. Understanding OpenSSL will benefit administrators working with network and security appliances such as firewalls and load balancers.

Enroll Now

The cost of the Practical TLS training course is regularly $297.00. It is a perpetual license, so you can view the content whenever you like and as often as you wish. You will also have access to future updates, such as the upcoming TLS 1.3 module. In addition, you can save $100.00 on the course by using promotional code RICHARDHICKS when you sign up. Don’t hesitate. Register for Practical TLS training now!

Special Discount

For a limited time, you can use the code PracticalTLS13 to get this entire course for just $49.00! This won’t last long, so register soon!

Additional Information

Practical Networking Blog

Practical TLS Training Course – $100 Off!

OpenSSL Training Course

Microsoft Always On VPN and TLS 1.3

Microsoft Always On VPN SSTP Security Configuration

Microsoft Always On VPN SSTP Certificate Renewal

Microsoft Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN DPC Advanced Features

Recently I wrote about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution that allows administrators to provision and manage Always On VPN client configuration settings using Active Directory and group policy. The article described the basic functionality Always On VPN DPC provides. In this post, I will describe some of its advanced capabilities that administrators will find helpful for solving common Always On VPN challenges.

Protocol Preference

The two most common VPN protocols used with Always On VPN are Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). Each protocol has its advantages and disadvantages. For example, IKEv2 has better security options, but SSTP is more firewall-friendly and reliable.

IKEv2 with SSTP Fallback

Instead of selecting one protocol over the other, some administrators may choose to configure Always On VPN to prefer IKEv2, then fall back to SSTP if IKEv2 is unavailable. Unfortunately, there is no way to configure this using Intune, XML, or PowerShell. To change this setting, the administrator must update the VPN configuration file (rasphone.pbk) and change the value of VpnStrategy to 14. While editing a text file is easy, doing it at scale is more complicated. The setting can be changed using Intune proactive remediation or a PowerShell script. However, it’s even easier using Always On VPN DPC. Simply enable the VPN Protocol advanced setting in group policy and choose IKEv2 First, SSTP Fallback.

Interface Metric

Another common problem Always On VPN administrators encounter is name resolution, specifically when the endpoint uses a wired local connection. Here, name resolution queries may fail or return incorrect IP addresses. This happens because the wired connection has a lower network interface metric than the VPN tunnel adapter. Once again, there is no option for changing this setting using Intune or XML. Administrators can update the interface metrics using PowerShell, but it is not persistent. To fully resolve this, the administrator must edit the rasphone.pbk file. With Always On VPN DPC, enable the VPN Tunnel Metric group policy setting and enter a value lower than the wired connection to solve this problem.

IKE Mobility

The Windows VPN client includes support for IKE Mobility, which allows an IKEv2 VPN connection to reconnect automatically after a loss of network connectivity. IKE Mobility is enabled by default, and the network outage time is set to 30 minutes. However, this setting can have negative side effects, especially when VPN servers are behind a load balancer. Reducing the network outage time or disabling it completely can improve failover if a VPN server goes offline. Here again, this setting cannot be changed using Intune, XML, or PowerShell; it is only configurable in rasphone.pbk. With Always On VPN DPC, enable the Network Outage Time advanced setting in group policy and choose a value that meets your requirements.

Exclusion Routes for Office 365

Force tunneling ensures that all network traffic on the client is routed over the VPN tunnel, including Internet traffic. However, Always On VPN supports exclusion routes which allow administrators to exempt selected traffic from the VPN tunnel when force tunneling is enabled. Commonly this is configured for trusted cloud applications like Microsoft Office 365. Defining exclusion routes for cloud services is more complicated than it sounds. Many cloud services, including Microsoft Office 365, have multiple IP addresses that are constantly changing. This makes keeping Always On VPN clients updated with the correct list of IP address exclusions quite challenging. With Always On VPN DPC, administrators can enable the Exclude Office 365 from VPN group policy setting, allowing the endpoint to automatically configure the necessary exclusion routes for Office 365 IP addresses. Importantly, Always On VPN DPC periodically monitors this list of IP addresses and ensures that endpoints are continually updated with Office 365 exclusion routes as they change to ensure reliable connectivity.

IP Routing

Always On VPN administrators must define which IP addresses and networks are routed over the VPN tunnel when split tunneling is enabled. However, Intune has a known issue that may pose a challenge in some environments.

IPv6

Although IPv4 routes can be configured using the Intune UI, IPv6 routes cannot. This is because the Intune UI does not correctly validate the default IPv6 prefix length, insisting that the administrator use a value between 1 and 32. 🤦‍♂️

However, the Always On VPN DPC Allowed Routes group policy setting happily accepts the proper IPv6 prefix.

Route Metrics

In addition, there is no option to define the metric values for routes configured using Intune. Assigning non-default route metrics is required to resolve routing conflicts in some scenarios. Defining route metrics requires custom XML. The Always On VPN DPC Route Metric group policy settings allow administrators to define route metrics as required.

Video

I have published a demonstration video on my YouTube channel showing some of the advanced features PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC) provides. Be sure to subscribe to stay up to date as I’ll be releasing more videos in the future.

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Additional Information

Always On VPN with Active Directory and Group Policy

Always On VPN Video Demonstration

PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)

%d bloggers like this: