Always On VPN and the PSPKI PowerShell Module

Certificates are a crucial part of a secure Always On VPN implementation. Certificates are phishing-resistant forms of authentication that, when configured correctly, provide robust and multifactor authentication for remote access users and devices.

AD CS

Most commonly, certificates are issued by an on-premises Microsoft Active Directory Certificate Services (AD CS) server. Administrators configure and deploy a Certification Authority infrastructure to issue and manage user and device authentication certificates in their organization. CA certificates are also required on the VPN server to support Always On VPN device tunnel connections and IKEv2 user tunnel connections. The NPS server also requires an enterprise CA certificate. Of course, the CA can issue certificates for other purposes, including Wi-Fi authentication, document signing, and code signing, just to name a few.

PSPKI

PSPKI is a PowerShell module available in the PowerShell Gallery for configuring, managing, and troubleshooting Microsoft AD CS. Created by Vadims Podans of PKI Solutions, PSPKI includes over 100 functions for various AD CS and certificate-related tasks. Always On VPN administrators will find this PowerShell module helpful when configuring and troubleshooting certificate-related issues for their Always On VPN deployments.

Note: The AD CS remote server administration tools (RSAT) must be installed to access all of the PSPKI module’s functionality.

Installation

Run the following PowerShell command to install the PSPKI PowerShell module.

Install-Module -Name PSPKI

Always On VPN and PSPKI

Always On VPN Administrators will immediately find a few PSPKI functions helpful when implementing and supporting Always On VPN.

Test-WebServerSSL – This function will connect to a remote web server and display details about the TLS certificate included in the response. This can be especially helpful when troubleshooting SSTP VPN connections.

Convert-PfxToPem – This is a handy utility for converting a PFX file to the PEM format. This is commonly required when importing CA certificates on non-Microsoft platforms, security devices, and load balancers.

Convert-PemToPfx – Occasionally, administrators must convert a certificate and private key in PEM format to PFX to install on a Windows server. This tool allows administrators to perform this task easily.

Get-CertificationAuthority – This function quickly enumerates all enterprise CA servers and displays information about their hostname, accessibility, service status, and type.

Ping-ICertInterface – This function helps troubleshoot CA connectivity issues. Administrators can quickly determine if a CA is reachable and capable of issuing a certificate using this command.

Get-CaTemplate – This command displays a list of certificate templates published on the specified target CA server. The certificate template’s display name and the minimum support CA version are provided. In addition, the output indicates if certificate autoenrollment is enabled on the template.

Much More

The PSPKI PowerShell module for AD CS has many tools for configuring and managing AD CS. PSPKI recently received a major update to version 4.0. Download and install PSPKI today. It will make your life easier, I can assure you!

Additional Information

PSPKI PowerShell Module – PowerShell Gallery

PSPKI PowerShell Module – GitHub

AOVPNTools PowerShell Module – PowerShell Gallery

AOVPNTools PowerShell Module – GitHub

InboxAccountingDatabaseManagement PowerShell Module

InboxAccontingDatabaseManagement – PowerShell Gallery

InboxAccountingDatabaseManagement – GitHub

Always On VPN and VpnStrategy

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Always On VPN supports a variety of VPN protocols for the user tunnel. Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP) are the most common. I wrote about the advantages and disadvantages of each in this post. To summarize, IKEv2 provides the highest security options but suffers from operational limitations. SSTP offers excellent security and is generally more reliable.

VpnStrategy

Always On VPN administrators must choose between IKEv2 and SSTP when configuring the Always On VPN user tunnel. Some administrators may prefer to use IKEv2 when available but then fall back to SSTP if it is not. To accomplish this requires editing the rasphone.pbk file and setting the value of VpnStrategy to 8, as described here.

Challenges

Unfortunately, setting the VpnStrategy value to 8 poses some challenges. Updating rasphone.pbk requires editing a text file on each endpoint post-deployment. Updating rasphone.pbk can be automated using the Update-Rasphone.ps1 script or Microsoft Intune proactive remediation.

Limitations

By default, Windows will overwrite the VpnStrategy setting in rasphone.pbk when fallback occurs. For example, setting VpnStrategy to prefer IKEv2 over SSTP will be reset to use SSTP first if a connection with IKEv2 fails. There’s a registry setting available that’s supposed to prevent this, but it doesn’t always work as expected.

Windows 11

There’s good news for administrators deploying Always On VPN on Windows 11. Microsoft recently introduced support for additional NativeProtocol types in XML. Specifically, VPN protocol preference can now be defined using the ProtocolList native protocol type. When using the ProtocolList native protocol type, each supported VPN protocol is listed in order of preference using the syntax shown below.

In addition, the RetryTimeInHours value defines the time Windows will try the last successful connection protocol. Setting this value to 0 overrides this and ensures the preferred protocol (the first protocol in the list) will always be attempted first.

SSTP Only

Previously the VPNv2CSP only supported IKEv2 or Automatic as values for the native protocol type. Windows 11 now supports SSTP as a native protocol type. Administrators configuring Always On VPN user tunnel connections using SSTP exclusively can now use this option.

Caveats

While the settings above are supported in both Windows 11 21H2 and 22H2, there are some known issues when enabling these settings. Specifically, when administrators define the ProtocolList value for the native protocol type, IKEv2 is always shown as the active protocol, even when an SSTP connection is established.

Also, if ProtocolList is used, the VPN connection cannot be managed using PowerShell. The VPN profile will not be displayed when running Get-VpnConnection at the time of this writing. Hopefully Microsoft will fix this soon.

Additional Information

Always On VPN CSP Updates

Always On VPN IKEv2 and SSTP Fallback

Always On VPN and Intune Proactive Remediation

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN IKEv2 Features and Limitations

Always On VPN May 2023 Security Updates

Hey, Always On VPN administrators! It’s the second Tuesday of the month, which means security updates for Windows have been released. This month’s batch includes an update to address a critical vulnerability likely to affect many Always On VPN implementations using Windows Server.

SSTP Vulnerability

CVE-2023-24903 documents a vulnerability on Windows Servers with the Routing and Remote Access Service (RRAS) configured to support Secure Socket Tunneling Protocol (SSTP) for VPN connections. This is a remote code execution (RCE) vulnerability that can be exploited when an attacker sends a specifically crafted malicious packet to the server. Administrators are encouraged to update as soon as possible.

Mitigation

SSTP is commonly used for Always On VPN user tunnels. However, if administrators have configured user tunnels using IKEv2, or are using the device tunnel only, consider blocking inbound TCP 443 at the edge firewall to prevent attacks from the Internet. In addition, if SSTP is not in use, consider disabling support for SSTP by opening an elevated PowerShell command window and running the following commands.

netsh.exe RAS set wanports device = “WAN Miniport (SSTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

Restart-Service RemoteAccess -PassThru

Alternatively, SSTP can be disabled in the RRAS management console by following the steps below.

  1. Open the RRAS management console (rrasmgmt.msc).
  2. Expand the server.
  3. Right-click Ports.
  4. Choose Properties.
  5. Highlight WAN Miniport (SSTP).
  6. Click Configure.
  7. Uncheck Remote access connections (inbound only).
  8. Uncheck Demand-dial routing connections (inbound and outbound).
  9. Enter 0 in the Maximum ports field.
  10. Click Ok.

Additional Information

Windows SSTP Remote Code Execution Vulnerability (CVE-2023-24903)

May 2023 Security Updates for Windows Server 2016 (KB5026363)

May 2023 Security Updates for Windows Server 2019 (KB5026362)

May 2023 Security Updates for Windows Server 2022 (KB5026370)

%d