All posts in category SSL and TLS

What’s New in Absolute Secure Access v13

Recently I wrote about NetMotion Mobility’s acquisition by Absolute Software. Absolute Secure Access (formerly NetMotion Mobility) is an enterprise VPN and Zero Trust Network Access (ZTNA) solution that includes fine-grained policy enforcement to restrict network access based on a wide range of parameters, including IP address, protocol, port, application, time of day, location, and type of network (e.g., wired, Wi-Fi, wireless, etc.), available bandwidth, battery level, and more. It also includes integrated Network Access Control (NAC), which administrators can use to inform access policy decisions based on device security and configuration posture. Now, Absolute has created its first major release since the acquisition – Absolute Secure Access v13.

Secure Web Gateway

Absolute Secure Access is already the most comprehensive and compelling enterprise VPN and ZTNA solution available today. With the release of Absolute Secure Access v13, the solution now includes cloud-based Secure Web Gateway integration, providing administrators with increased visibility and control of web traffic outside the tunnel. Not all web traffic must flow through the secure web gateway. Administrators can use policy to selectively route web traffic through the secure web gateway to meet their requirements.

Enhanced Security

The secure web gateway feature of Absolute Secure Access v13 includes the following enhanced security features.

Web Filtering

The secure web gateway allows administrators to restrict access based on web category (e.g., gambling, malware sites, personal storage, etc.). Administrators can allow or deny access based on risk level or use the destination’s categorization to take policy action to restrict access further or require additional authentication.

TLS Inspection

The secure web gateway can terminate HTTPS (SSL/TLS) sessions to perform traffic inspection and granular content categorization based on the full URL. The TLS inspection certificate is added dynamically to the local computer certificate store.

Virus Scan

The secure web gateway performs malware and virus scans on web content and files, preventing users from downloading malicious software.

Remote Browser Isolation

Remote Browser Isolation (RBI) executes web browsing sessions on a remote, isolated system to prevent potential malware threats. It enhances security by ensuring malicious content is contained and executed away from the user’s device.

Content Disarm and Reconstruction

Content Disarm and Reconstruction (CDR) is a security feature that eliminates dynamic content from downloaded files and guards against zero-day vulnerabilities undetected by antivirus scans.

Data Loss Prevention

Data Loss Prevention (DLP) is designed to prevent sensitive or confidential data from being leaked, accessed, or shared inappropriately, ensuring data security and compliance with regulations.

Policy Enhancements

Absolute Secure Access policies now include actions that can be taken based on information from the secure web gateway. For example, if a user visits a risky category like Malware Sites, additional security features such as antivirus scan, CDR and DLP enforcement, and RBI can be enforced. In addition, administrators can now force reauthentication when users roam between networks.

Summary

Absolute Secure Access v13 significantly upgrades previous versions of Absolute Secure Access and NetMotion Mobility. The security enhancements associated with the new secure web gateway service will tremendously increase an organization’s security posture and eliminate the need for additional web security solutions. Absolute Secure Access has powerful security enforcement technologies with policy and NAC to ensure the highest level of security for today’s mobile workforce.

Learn More

Are you interested in learning more about Absolute Secure Access? Would you like a demonstration of this enterprise VPN and Zero-Trust Network Access solution? Fill out the form below, and we’ll provide more information.

Leave a comment
by Richard M. Hicks on August 7, 2023  •  Permalink
Posted in Absolute, Absolute Secure Access, Absolute Software, Enterprise, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, NetMotion Software, Secure Web Gateway, Security, SSL and TLS, TLS, Transport Layer Security, VPN, Zero Trust, Zero Trust Network Access
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 7, 2023

https://directaccess.richardhicks.com/2023/08/07/whats-new-in-absolute-secure-access-v13/

Always On VPN Trusted Network Detection and Native Azure AD Join

Administrators deploying Microsoft Always On VPN are quickly learning that the native Azure Active Directory join (AADJ) model has significant advantages over the more traditional Hybrid Azure AD join (HAADJ) scenario. Native AADJ is much simpler to deploy and manage than HAADJ while still allowing full single sign-on (SSO) to on-premises resources for remote users. Intune even allows for the import of custom ADMX and ADML administrative templates, further reducing the dependency on on-premises Active Directory for device management.

Remote Management

Although devices aren’t joined to the domain, administrators may still wish to access those clients connected to their network for device discovery or to perform administrative tasks. However, when native AADJ clients connect via Always On VPN, the Public Windows firewall profile is assigned to the VPN tunnel adapter. The Public profile is, of course, more restrictive and blocks most management protocols by default.

Firewall Rules

While adding firewall rules to the Public profile to allow management protocols is possible, this isn’t recommended for security reasons. The Public profile is typically loaded when the device is on an untrusted network. Exposing management protocols on an insecure network is asking for trouble.

Domain Profile

Domain-joined or Hybrid AADJ endpoints will use the Domain Windows firewall profile. This profile is more permissive, allowing many standard management protocols by default. Also, administrators can add rules to allow additional access as required without increasing the risk for devices on untrusted networks.

Trusted Network Detection

So, the trick is to get a native AADJ endpoint to load the Domain profile for the VPN tunnel adapter when connected via Always On VPN. Trusted Network Detection is accomplished by using settings configured on the endpoint using the NetworkListManager Configuration Service Provider (CSP).

Intune and XML

There are two settings administrators can enable AADJ devices to detect a trusted network and load the Domain Windows firewall profile. Unfortunately, these settings can only be applied using Intune and the Custom XML template. Administrators will use the following OMA-URI settings.

AllowedTlsAuthenticationEndpoints

The AllowedTlsAuthenticationEndpoints policy setting defines the URL the device uses to validate a trusted network. The target must be an on-premises web server with a valid TLS certificate using HTTPS. The target must be a highly available internal resource inaccessible from the Internet. DirectAccess administrators will be quite familiar with this concept; it’s the Network Location Server (NLS)!

Use the following OMA-URI to configure the TLS authentication endpoint.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/AllowedTlsAuthenticationEndpoints

String: <![CDATA[https://nls.corp.example.net]]>

ConfiguredTlsAuthenticationNetworkName

The ConfiguredTlsAuthenticationNetworkName policy setting is optional. Administrators can use this setting to provide a friendly name for the authenticated trusted network. The FQDN of the target resource (NLS) is used by default. However, using this setting overrides the default with something more meaningful.

Use the following OMA-URI to configure the TLS authentication network name.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/ConfiguredTlsAuthenticationNetworkName

String: <Friendly network name>

Results

Once configured, you’ll find the Always On VPN tunnel adapter uses the Domain Windows firewall profile and an optional friendly network name.

Additional Information

Deploying Always On VPN with Intune using Custom XML and CSP

Always On VPN CSP Updates

Always On VPN and VpnStrategy with CSP

2 Comments
by Richard M. Hicks on June 26, 2023  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure AD Join, certificates, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, Manage Out, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, OMA-URI, Operational Support, Remote Access, Security, SSL, SSL and TLS, systems management, TLS, TND, Trusted Network Detection, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 26, 2023

https://directaccess.richardhicks.com/2023/06/26/always-on-vpn-trusted-network-detection-and-native-azure-ad-join/

Always On VPN and the PSPKI PowerShell Module

Certificates are a crucial part of a secure Always On VPN implementation. Certificates are phishing-resistant forms of authentication that, when configured correctly, provide robust and multifactor authentication for remote access users and devices.

AD CS

Most commonly, certificates are issued by an on-premises Microsoft Active Directory Certificate Services (AD CS) server. Administrators configure and deploy a Certification Authority infrastructure to issue and manage user and device authentication certificates in their organization. CA certificates are also required on the VPN server to support Always On VPN device tunnel connections and IKEv2 user tunnel connections. The NPS server also requires an enterprise CA certificate. Of course, the CA can issue certificates for other purposes, including Wi-Fi authentication, document signing, and code signing, just to name a few.

PSPKI

PSPKI is a PowerShell module available in the PowerShell Gallery for configuring, managing, and troubleshooting Microsoft AD CS. Created by Vadims Podans of PKI Solutions, PSPKI includes over 100 functions for various AD CS and certificate-related tasks. Always On VPN administrators will find this PowerShell module helpful when configuring and troubleshooting certificate-related issues for their Always On VPN deployments.

Note: The AD CS remote server administration tools (RSAT) must be installed to access all of the PSPKI module’s functionality.

Installation

Run the following PowerShell command to install the PSPKI PowerShell module.

Install-Module -Name PSPKI

Always On VPN and PSPKI

Always On VPN Administrators will immediately find a few PSPKI functions helpful when implementing and supporting Always On VPN.

Test-WebServerSSL – This function will connect to a remote web server and display details about the TLS certificate included in the response. This can be especially helpful when troubleshooting SSTP VPN connections.

Convert-PfxToPem – This is a handy utility for converting a PFX file to the PEM format. This is commonly required when importing CA certificates on non-Microsoft platforms, security devices, and load balancers.

Convert-PemToPfx – Occasionally, administrators must convert a certificate and private key in PEM format to PFX to install on a Windows server. This tool allows administrators to perform this task easily.

Get-CertificationAuthority – This function quickly enumerates all enterprise CA servers and displays information about their hostname, accessibility, service status, and type.

Ping-ICertInterface – This function helps troubleshoot CA connectivity issues. Administrators can quickly determine if a CA is reachable and capable of issuing a certificate using this command.

Get-CaTemplate – This command displays a list of certificate templates published on the specified target CA server. The certificate template’s display name and the minimum support CA version are provided. In addition, the output indicates if certificate autoenrollment is enabled on the template.

Much More

The PSPKI PowerShell module for AD CS has many tools for configuring and managing AD CS. PSPKI recently received a major update to version 4.0. Download and install PSPKI today. It will make your life easier, I can assure you!

Additional Information

PSPKI PowerShell Module – PowerShell Gallery

PSPKI PowerShell Module – GitHub

AOVPNTools PowerShell Module – PowerShell Gallery

AOVPNTools PowerShell Module – GitHub

InboxAccountingDatabaseManagement PowerShell Module

InboxAccontingDatabaseManagement – PowerShell Gallery

InboxAccountingDatabaseManagement – GitHub

4 Comments
by Richard M. Hicks on June 20, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, certificates, Deployment, Encryption, Enterprise, enterprise mobility, GitHub, IKEv2, Infrastructure, Microsoft, Mobility, Multifactor Authentiction, NPS, Operational Support, PEAP, PKI, PowerShell, Protected EAP, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, SSTP, systems management, TLS, Transport Layer Security, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 20, 2023

https://directaccess.richardhicks.com/2023/06/20/always-on-vpn-and-the-pspki-powershell-module/

« Older Posts