Always On VPN at MMSMOA 2022

I am excited to announce that I will be presenting at this year’s Midwest Management Summit at the Mall of America (MMSMOA) in Bloomington, Minnesota. The conference takes place the week of May 2. This is my first time presenting at this event, and I’m looking forward to sharing my experience deploying enterprise mobility and security infrastructure solutions with systems management professionals from around the world.

Sessions

I will be delivering three talks at the conference addressing various secure remote access and certificate services topics.

Managing Always On VPN with Intune

This session will provide administrators with everything they need to know about provisioning and managing Always On VPN client configuration settings using Intune. I’ll be providing tips, tricks, and best practices for Always On VPN profile configuration and demonstrating many of the limitations associated with using Intune. I will provide workarounds whenever possible.

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying Always On VPN in Azure is increasingly common. However, administrators are unaware of the limitations of supporting Always On VPN connections with native Azure VPN gateway solutions. In this session, I’ll describe in detail what’s required to support Always On VPN and, importantly, what the limitations are.

Always On VPN Gateway Options in Azure

Deploying On-premises PKI Certificates with Intune

As organizations continue to migrate applications, services, and infrastructure to the cloud, the requirement for endpoints to be joined to an on-premises domain is fading. Moving to full Intune management and native Azure Active Directory join for endpoints is increasingly common. However, deploying enterprise PKI certificates o these endpoints is often required. This session will provide detailed guidance for choosing the best solution to deliver on-premises certificates to Azure AD joined devices using Intune.

Deploying on-premises PKI Certificates with Intune

Let’s Connect

I’m looking forward to meeting so many folks who have helped me get up to speed with Microsoft Endpoint Manager/Intune over the years. If you’re attending the conference, or if you are in the area, be sure to reach out. Let’s grab a beer and chat!

Additional Information

Midwest Management Summit at Mall of America (MMSMOA) 2022

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying on-premises PKI Certificates with Intune

Inbox Accounting Database Management

The Routing and Remote Access Service (RRAS) role in Windows Server is a popular VPN server choice for administrators deploying Windows Always On VPN. It is easy to configure, scales well, and is cost-effective. After installing RRAS, administrators can optionally enable inbox accounting to log historical data and generate user access and activity reports as described in Always On VPN RRAS Monitoring and Reporting.

Inbox Accounting Database

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled.

WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally.

Inbox Accounting Database Management Scripts

I have created a series of PowerShell scripts to address the inbox accounting database management requirements for organizations using Windows Server RRAS. Scripts are available to perform the following inbox accounting database management tasks.

  • Optimize the inbox accounting database.
  • View the size of the inbox accounting database files.
  • Compress the size of the inbox accounting database.
  • Back up the inbox accounting database to a file on disk.
  • Restore the inbox accounting database from a backup file.
  • Move the inbox accounting database file to a different location.
  • Remove the inbox accounting database.

Optimize Database

A known issue with the inbox accounting database can result in high CPU and memory utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. This issue persists in Windows Server 2022. To correct this issue, download and run the following PowerShell script on each RRAS VPN server in the organization.

Optimize-InboxAccountingDatabase.ps1

View Database Size

The database can grow rapidly depending on how busy the RRAS server is. Administrators can view the current database file sizes by downloading and running the following PowerShell script on the RRAS server.

Get-InboxAccountingDatabaseSize.ps1

Compress Database

Over time, the database can become fragmented, decreasing performance. Compressing the database can improve performance and result in significant recovery of disk space. To compress the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Compress-InboxAccountingDatabase.ps1

In this example, compressing the database reduced its size by more than 8MB, resulting in a nearly 70% reduction in disk space usage.

Backup Database

Administrators may wish to back up the inbox accounting database before purging older records from the inbox accounting database. Also, backing up the database preservers access records when migrating to a new server. To back up the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Backup-InboxAccountingDatabase.ps1

Restore Database

Naturally, to restore the inbox accounting database from a previous backup, administrators can download and run the following PowerShell script.

Restore-InboxAccountingDatabase.ps1

Restoring a database from backup will erase all records in the current database. It does not append. Proceed with caution!

Move Database Files

Inbox accounting database and log files are located in C:\Windows\DirectAccess\Db by default.

However, storing database and log files on the system drive is not ideal. A better alternative is to place the inbox accounting database and log files on a separate disk for optimum performance. To move the inbox accounting database, download and run the following PowerShell script on each VPN server in the organization.

Move-InboxAccountingDatabase.ps1

Moving inbox accounting files may not be formally supported by Microsoft. Use caution when making this change.

Remove Database

Occasionally an inbox accounting database becomes corrupt and can no longer be managed. If this happens, completely removing the database is required. It is essential to know that simply disabling and re-enabling inbox accounting on the VPN server does not delete the database. To delete the database completely, download and run the following PowerShell script.

Remove-InboxAccountingDatabase.ps1

PowerShell Module

To simplify things, the PowerShell scripts described in this article are available in a PowerShell module that can be installed from the PowerShell gallery using the following command.

Install-Module InboxAccountingDatabaseManagement

Additional Information

Windows Always On VPN RRAS Inbox Accounting Database Management PowerShell Module

Windows Always On VPN RRAS Monitoring and Reporting

Windows Always On VPN PowerShell Scripts on GitHub

Always On VPN DPC Demonstration

Recently I wrote about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC). This software solution enables administrators to natively provision and manage Always On VPN client configuration settings using Active Directory and group policy. In that post, I provided some high-level details about the product, along with a brief overview of its advanced features.

Demonstration Video

I have recorded a video demonstrating how to install and configure Always On VPN DPC and use its basic features. You will find that demonstration video here.

Advanced Features

Soon I will share more details about Always On VPN DPC and using its advanced capabilities to solve some common challenges faced by Always On VPN administrators. Stay tuned!

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Additional Information

Always On VPN with Active Directory Group Policy

Always On VPN Dynamic Profile Configurator (DPC)

%d bloggers like this: