All posts in category Windows Server 2012 R2

PowerON Platforms are No More

If you’re a follower of this website, you are undoubtedly familiar with PowerON Platforms as I have promoted their products extensively over the years. Dynamic Profile Configurator (DPC) is a clever solution that enables Always On VPN client configuration provisioning and management using Active Directory group policy. They recently introduced a cloud-based centralized reporting solution for organizations with multiple VPN servers. I worked closely with PowerON and influenced many of the features of these great technologies.

Out of Business

Sadly, I learned recently that PowerON Platforms has entered insolvency. Effective October 16, 2024, PowerON Platforms now cease to exist. If you are a current customer of theirs, you likely have received a notification email already.

The Future

Many of my customers have asked what will become of DPC and their cloud-based reporting solution. Here is some additional information.

DPC

Fortunately, DPC will live on through open source. My good friend and primary developer of DPC, Leo D’Arcy, is currently working on refactoring the software to meet open-source specifications. Although I don’t have a timeline for when the software will be available for download, I hope it will be soon.

You can follow the GitHub repository for the open-source DPC here.

If you have a current DPC license, the product should continue to work without issue. You can upgrade to the open-source version of DPC in the future if you choose to. You will likely encounter problems if you use DPC with a trial license. If this happens, contact me directly, and I’ll assist you.

Reporting

The PowerON Platforms Always On VPN reporting solution is dead and will not continue. If you were using this product, I would suggest deleting the resource group you created in Azure for this and the PowerBI application installed for it.

In addition, Always On VPN administrators should remove the reporting agent software from their VPN servers. You can do this on GUI installations using the Add or Remove Programs control panel app.

If you’ve installed the reporting agent on Server Core systems, you can remove it by running the following PowerShell command.

Get-WmiObject -Class Win32_Product | Where-Object {$_.IdentifyingNumber -Match ‘{FFFC6424-82BB-49C5-9112-2C1436717C9C}’ } |  Invoke-WmiMethod -Name Uninstall

Support

With PowerON Platforms out of business, their products are no longer supported. However, if you have issues with DPC or have any questions, please don’t hesitate to contact me. I’ll provide as much support as I can.

Additional Information

Always On VPN Dynamic Profile Configurator (DPC) Open Source on GitHub

2 Comments
by Richard M. Hicks on October 29, 2024  •  Permalink
Posted in Active Directory, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, end of life, Enterprise, enterprise mobility, GitHub, Group Policy, Infrastructure, Mobility, Open Source, PowerShell, Remote Access, routing and remote access service, RRAS, Server Core, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, XML
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 29, 2024

https://directaccess.richardhicks.com/2024/10/29/poweron-platforms-are-no-more/

DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)

3 Comments
by Richard M. Hicks on August 15, 2024  •  Permalink
Posted in BIG-IP, CVE, DirectAccess, encapsulation, Enterprise, enterprise mobility, Hotfix, IP-HTTPS, IPv6, Load Balancing, local traffic manager, LTM, Microsoft, Mobility, Operational Support, Remote Access, Security, Security Update, SSL, SSL and TLS, TLS, transition technology, Update, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on August 15, 2024

https://directaccess.richardhicks.com/2024/08/15/directaccess-and-cve-2024-38063/

« Older Posts
Newer Posts »