All posts in category systems management

Always On VPN and VpnStrategy

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Always On VPN supports a variety of VPN protocols for the user tunnel. Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP) are the most common. I wrote about the advantages and disadvantages of each in this post. To summarize, IKEv2 provides the highest security options but suffers from operational limitations. SSTP offers excellent security and is generally more reliable.

VpnStrategy

Always On VPN administrators must choose between IKEv2 and SSTP when configuring the Always On VPN user tunnel. Some administrators may prefer to use IKEv2 when available but then fall back to SSTP if it is not. To accomplish this requires editing the rasphone.pbk file and setting the value of VpnStrategy to 8, as described here.

Challenges

Unfortunately, setting the VpnStrategy value to 8 poses some challenges. Updating rasphone.pbk requires editing a text file on each endpoint post-deployment. Updating rasphone.pbk can be automated using the Update-Rasphone.ps1 script or Microsoft Intune proactive remediation.

Limitations

By default, Windows will overwrite the VpnStrategy setting in rasphone.pbk when fallback occurs. For example, setting VpnStrategy to prefer IKEv2 over SSTP will be reset to use SSTP first if a connection with IKEv2 fails. There’s a registry setting available that’s supposed to prevent this, but it doesn’t always work as expected.

Windows 11

There’s good news for administrators deploying Always On VPN on Windows 11. Microsoft recently introduced support for additional NativeProtocol types in XML. Specifically, VPN protocol preference can now be defined using the ProtocolList native protocol type. When using the ProtocolList native protocol type, each supported VPN protocol is listed in order of preference using the syntax shown below.

In addition, the RetryTimeInHours value defines the time Windows will try the last successful connection protocol. Setting this value to 0 overrides this and ensures the preferred protocol (the first protocol in the list) will always be attempted first.

SSTP Only

Previously the VPNv2CSP only supported IKEv2 or Automatic as values for the native protocol type. Windows 11 now supports SSTP as a native protocol type. Administrators configuring Always On VPN user tunnel connections using SSTP exclusively can now use this option.

Caveats

While the settings above are supported in both Windows 11 21H2 and 22H2, there are some known issues when enabling these settings. Specifically, when administrators define the ProtocolList value for the native protocol type, IKEv2 is always shown as the active protocol, even when an SSTP connection is established.

Also, if ProtocolList is used, the VPN connection cannot be managed using PowerShell. The VPN profile will not be displayed when running Get-VpnConnection at the time of this writing. Hopefully Microsoft will fix this soon.

Additional Information

Always On VPN CSP Updates

Always On VPN IKEv2 and SSTP Fallback

Always On VPN and Intune Proactive Remediation

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN IKEv2 Features and Limitations

Leave a comment
by Richard M. Hicks on May 22, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure VPN, Deployment, Device Management, Enterprise, enterprise mobility, IKEv2, InTune, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, Remote Access, Secure Socket Tunneling Protocol, Security, SSTP, systems management, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 22, 2023

https://directaccess.richardhicks.com/2023/05/22/always-on-vpn-and-vpnstrategy/

Always On VPN at MMSMOA 2023

I’m excited to share that I’ve been invited to present at the popular Midwest Management Summit at Mall of America (MMSMOA) this year! The event takes place Monday, May 2, through Thursday, May 4, 2023.

Sessions

I will be delivering two talks at the event this year. One on Microsoft Always On VPN and Intune, the other on deploying certificate using Intune.

Always On VPN and Intune: Notes from the FieldTuesday, May 2 at 10:00 AM CDT

This session will cover all aspects of deploying and managing Always On VPN client configuration settings using Microsoft Intune.

Intune Certificate ManagementWednesday, May 3 at 10:00 AM CDT

This session will provide detailed configuration guidance and best practice recommendations for issuing on-premises enterprise PKI certificate using Microsoft Intune.

Attending MMS?

Will you be attending MMSMOA? Let’s connect! Drop in on my sessions, of course, but let’s plan to hang out! I will have copies of my book to give away too, so don’t miss out. Send me a note here or on Twitter, or just find me at the conference. Looking forward to seeing all of you soon!

Leave a comment
by Richard M. Hicks on April 11, 2023  •  Permalink
Posted in Always On VPN, AOVPN, certificates, Endpoint Manager, Enterprise, enterprise mobility, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKI, PowerShell, public key infrastructure, Remote Access, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center Configuration Manager, systems management, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 11, 2023

https://directaccess.richardhicks.com/2023/04/11/always-on-vpn-at-mmsmoa-2023/

Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

8 Comments
by Richard M. Hicks on March 6, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, IKEv2, Infrastructure, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, Security, System Center Configuration Manager, systems management, Update, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 6, 2023

https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/

« Older Posts
%d bloggers like this: