MVP Profile
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
Buy This!

All New Amazon Echo!
@richardhicks
- #Windows10 Always On #VPN and the Name Resolution Policy Table (NRPT). #Windows #Win10 rmhci.co/2F7iQxP:: 15 minutes ago
- Endpoint isolation using the #Windows firewall. medium.com/@cryps1s… via @cryps1s #security #Microsoft #win10:: 29 minutes ago
- Deployment considerations for #DirectAccess on #AWS. rmhci.co/2oohDi0:: 1 hour ago
- Optimizing the #DirectAccess inbox accounting database using #PowerShell. #winserv rmhci.co/2q2wv1R:: 2 hours ago
- Coming up in ONE HOUR! Join me for a free live webinar with @KEMPtech where I'll be discussing and demonstrating… twitter.com/i/web/status/9…:: 3 hours ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
6to4 Active Directory ADC Always On VPN application delivery controller authentication Azure book certificate certificates conference configuration DirectAccess DirectAccess 2012 DNS education encryption error F5 firewall Forefront Forefront UAG Forefront UAG 2010 geographic redundancy group policy high availability hotfix Important Links IP-HTTPS IPsec IPv6 IPv6 transition protocol IPv6 transition technology ISATAP Kemp load balancer load balancing management Manage Out Microsoft Mobility multisite Networking network load balancing network location server NLB NLS OTP performance PKI PowerShell redundancy Remote Access scalability security Server 2012 SSL SSTP Teredo TLS training troubleshooting UAG UAG 2010 update VPN Windows Windows 7 Windows 8 Windows 8.x Windows 10 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

Always On VPN Hands-On Training Classes Coming to Denver and New York

I’m pleased to announce that I will be bringing my popular three-day Windows 10 Always On VPN Hands-On Training classes to Denver and New York in May and June! Join me May 15-17, 2018 in Denver or June 5-7, 2018 in New York. These training classes will cover all aspects of designing, implement, and supporting an Always On VPN solution in the enterprise. These three-day courses will cover topics including…

Windows 10 Always On VPN overview
Introduction to CSP
Infrastructure requirements
Planning and design considerations
Installation, configuration, and client provisioning

Advanced topics will include…

Redundancy and high availability+
Cloud-based deployments
Third-party VPN infrastructure and client support
Multifactor authentication
Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

DirectAccess IP-HTTPS Performance Issues

DirectAccess IP-HTTPS Performance Issues Performance issues with DirectAccess are not uncommon. In fact, there are numerous threads on Microsoft and third-party forums where administrators frequently complain about slow download speeds, especially when using the IP-HTTPS IPv6 transition technology. Based on my experience the problem does not appear to be widespread but occurs with enough regularity that it is worthy of further investigation.

DirectAccess Design

The inherent design of DirectAccess is a major limiting factor for performance. DirectAccess uses a complex and heavy communication channel, with multiple layers of encapsulation, encryption, and translation. Fundamentally it is IPsec encrypted IPv6 traffic, encapsulated in HTTP, and then encrypted with Transport Layer Security (TLS) and routed over IPv4. It is then decrypted, decapsulated, decrypted again, then converted back to IPv4. The high protocol overhead incurred with multiple layers of encapsulation, encryption, and translation result in increased packet fragmentation, which further reduces performance.

DirectAccess Performance

Even under the best circumstances, DirectAccess performance is limited by many other factors, most notably the quality of the network connection between the client and the server. DirectAccess performs reasonably well over high bandwidth, low latency connections. However, network performance drops precipitously as latency increases and packet loss is encountered. This is to be expected given the design of the solution.

Intermediary Devices

It is not uncommon to find intermediary devices like firewalls, intrusion detection systems, malware scanners, and other security inspection devices limit the performance of DirectAccess clients. In addition, many security appliances have bandwidth caps enforced in software for licensing restrictions. Further, incorrect configuration of inline edge devices can contribute to increased fragmentation, which leads to poor performance as well.

Slow Downloads over IP-HTTPS

Many people report that download speeds seem to be artificially capped at 355Kbps. While this seems to be a display bug in the UI, there is plenty of evidence to indicate that, in some scenarios, DirectAccess is incapable of high throughput even over high-quality connections. Some who have deployed DirectAccess and VPN on the same server have reported that download speeds are only limited when using DirectAccess over IP-HTTPS and not with VPN using Secure Socket Tunneling Protocol (SSTP), which also uses TLS. This has led many to speculate that the issue is either a bug or a design flaw in the IP-HTTPS tunnel interface itself.

TCP Window Scaling Issues

In some of the network traces I’ve analyzed I’ve seen evidence that seems to support this theory. For example, a network trace taken when downloading a file over DirectAccess with IP-HTTPS showed the TCP window never scaled beyond 64K, which would seriously impede performance. Interestingly this doesn’t seem to happy when the client uploads files over IP-HTTPS. Clearly something unusual is happening.

Microsoft KB Article

Microsoft recently released a vaguely-worded KB article that appears to lend credence to some of these findings. The article seems to acknowledge the fact there are known issues with DirectAccess performance, but it lacks any specific details as to what the root cause is. Instead, it simply advises migrating to Windows 10 Always On VPN.

Summary

DirectAccess IP-HTTPS performance issues don’t appear to affect everyone, and the problem only seems to apply to file downloads and not to other types of traffic. However, there is mounting evidence of a systemic issue with DirectAccess performance especially over IP-HTTPS. Customers are advised to closely evaluate their uses cases for DirectAccess and if remote clients are frequently required to download large files over a DirectAccess connection, an alternative method of file transfer might be required. Optionally customers can consider evaluating alternative remote access solutions that offer better performance such as Windows 10 Always On VPN or third-party solutions such as NetMotion Mobility.

Additional Resources

Always On VPN and the Future of DirectAccess

What’s the Difference Between DirectAccess and Always On VPN?

NetMotion Mobility as an Alternative to Microsoft DirectAccess

3 Comments

by Richard M. Hicks on February 19, 2018 • Permalink

Posted in DirectAccess, encapsulation, Encryption, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, SSL and TLS, transition technology, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged DirectAccess, encapsulation, encryption, firewall, HTTP, IP-HTTPS, IPv6, performance, Remote Access, SSL, TLS, transition technology, transition tunnel, Windows Server 2016

Posted by Richard M. Hicks on February 19, 2018

https://directaccess.richardhicks.com/2018/02/19/directaccess-ip-https-performance-issues/

DirectAccess and Always On VPN with Trusted Platform Module (TPM) Certificates

To enhance security when provisioning certificates for DirectAccess (computer) or Windows 10 Always On VPN (user) it is recommended that private keys be stored on a Trusted Platform Module (TPM) on the client device. A TPM is a dedicated security processor included in nearly all modern computers. It provides essential hardware protection to ensure the highest levels of integrity for digital certificates and is used to generate, store, and restrict the use of cryptographic keys. It also includes advanced security and protection features such as key isolation, non-exportability, and anti-hammering to prevent brute-force attacks.

To ensure that private keys are created and stored on a TPM, the certificate template must be configured to use the Microsoft Platform Crypto Provider. Follow the steps below to configure a certificate template required to use a TPM.

Open the Certificate Templates management console (certtmpl.msc) and duplicate an existing certificate template. For example, if creating a certificate for DirectAccess, duplicate the Workstation Authentication certificate template. For Always On VPN, duplicate the User certificate template.
On the Compatibility tab, ensure the Certification Authority and Certificate recipient compatibility settings are set to a minimum of Windows Server 2008 and Windows Vista/Server 2008, respectively.
Select the Cryptography tab.
Choose Key Storage Provider from the Provider Category drop down list.
Choose the option Requests must use one of the following providers and select Microsoft Platform Crypto Provider.

Note: If Microsoft Platform Crypto Provider does not appear in the list above, got to the Request Handling tab and uncheck the option Allow private key to be exported.

Complete the remaining certificate configuration tasks (template display name, subject name, security settings, etc.) and publish the certificate template. Client machines configured to use this template will now have a certificate with private key fully protected by the TPM.

Additional Resources

Trusted Platform Module (TPM) Fundamentals

DirectAccess and Always On VPN Certificate Auto Enrollment

2 Comments

by Richard M. Hicks on February 12, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, DirectAccess, Encryption, PKI, public key infrastructure, Remote Access, Security, TPM, Trusted Platform Module, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on February 12, 2018

https://directaccess.richardhicks.com/2018/02/12/directaccess-and-always-on-vpn-with-trusted-platform-module-tpm-certificates/

Deploying NetMotion Mobility in Azure

One of the many advantages NetMotion Mobility offers is that it requires no proprietary hardware to deliver its advanced capabilities and performance. It is a software solution that can be installed on any physical or virtual Windows server. This provides great deployment flexibility by allowing administrators to deploy this remote access solution on their existing virtual infrastructure, which is much less costly than investing in dedicated hardware or virtual appliances.

Cloud Deployment

As customers begin moving their traditional on-premises infrastructure to the cloud, it’s good to know that NetMotion Mobility is fully supported in popular public cloud platforms such as Microsoft Azure. Installing and configuring Mobility on a server in Azure requires a few important changes to a standard Azure VM deployment however. Below is detailed guidance for installing and configuring NetMotion Mobility on a Windows Server 2016 virtual machine hosted in the Microsoft Azure public cloud.

Azure Networking Configuration

Before installing the NetMotion Mobility software, follow the steps below to configure the Azure VM with a static public IP address and enable IP forwarding on the internal network interface.

In the Azure management portal, select the NetMotion Mobility virtual machine and click Networking.
Click on the public-facing network interface.
In the Settings section click IP configurations.
In the IP configurations section click on the IP configuration for the network interface.
In the Public IP address setting section click Enabled for the Public IP address.
Click Configure required settings for the IP address.
Click Create New.
Enter a descriptive name and select Static as the assignment method.
Click OK
Click Save.Note: The process of saving the network interface configuration takes a few minutes. Be patient!
Note the public IP address, as this will be used later during the Mobility configuration.
Close the IP address configuration blade.
In the IP forwarding settings section click Enabled for IP forwarding.
Click Save.

NetMotion Mobility Installation

Proceed with the installation of NetMotion Mobility. When prompted for the external address, enter the public IP address created previously.

Deploying NetMotion Mobility in Azure

Next choose the option to Use pool of virtual IP addresses. Click Add and enter the starting and ending IP addresses, subnet prefix length, and default gateway and click OK.

Deploying NetMotion Mobility in Azure

Complete the remaining NetMotion Mobility configuration as required.

Azure Routing Table

A user defined routing table must be configured to ensure that NetMotion Mobility client traffic is routed correctly in Azure. Follow the steps below to complete the configuration.

In the Azure management portal click New.
In the Search the Marketplace field enter route table.
In the results section click Route table.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to add a route to the route table.

In the Settings sections click Routes.
Click Add.
Enter a descriptive name.
In the Address prefix field enter the subnet used by mobility clients defined earlier.
Select Virtual appliance as the Next hop type.
Enter the IP address of the NetMotion Mobility server’s internal network interface.
Click OK.
Click Subnets.
Click Associate.
Click Choose a virtual network and select the network where the NetMotion Mobility gateway resides.
Click Choose a subnet and select the subnet where the NetMotion Mobility gateway’s internal network interface resides.
Click OK.

Note: If clients connecting to the NetMotion Mobility server need to access resources on-premises via a site-to-site gateway, be sure to associate the route table with the Azure gateway subnet.

Azure Network Security Group

A network security group must be configured to allow inbound UDP port 5008 to allow external clients to reach the NetMotion Mobility gateway server. Follow the steps below to create and assign a network security group.

In the Azure management portal click New.
In the Search the Marketplace field enter network security group.
In the results section click Network security group.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to configure the network security group.

In the Settings section click Inbound security rules.
Click Add.
Enter 5008 in the Destination port ranges field.
Select UDP for the protocol.
Select Allow for the action.
Enter a descriptive name.
Click OK.
Click Network Interfaces.
Click Associate.
Select the external network interface of the NetMotion Mobility gateway server.

Summary

After completing the steps above, install the client software and configure it to use the static public IP address created previously. Alternatively, configure a DNS record to point to the public IP address and specify the Fully Qualified Domain Name (FQDN) instead of the IP address itself.

Additional Resources

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility as an Alternative to Microsoft DirectAccess

NetMotion Mobility and Microsoft DirectAccess Comparison Whitepaper

NetMotion and Microsoft DirectAccess On-Demand Webinar

1 Comment

by Richard M. Hicks on February 8, 2018 • Permalink

Posted in Azure, cloud, NetMotion, NetMotion Mobility, Remote Access, Security, VPN, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on February 8, 2018

https://directaccess.richardhicks.com/2018/02/08/deploying-netmotion-mobility-in-azure/

What is the Difference Between DirectAccess and Always On VPN?

Always On VPN Device Tunnel Configuration Guidance Now Available DirectAccess has been around for many years, and with Microsoft now moving in the direction of Always On VPN, I’m often asked “What’s the difference between DirectAccess and Always On VPN?” Fundamentally they both provide seamless and transparent, always on remote access. However, Always On VPN has a number of advantages over DirectAccess in terms of security, authentication and management, performance, and supportability.

Security

DirectAccess provides full network connectivity when a client is connected remotely. It lacks any native features to control access on a granular basis. It is possible to restrict access to internal resources by placing a firewall between the DirectAccess server and the LAN, but the policy would apply to all connected clients.

Windows 10 Always On VPN includes support for granular traffic filtering. Where DirectAccess provides access to all internal resources when connected, Always On VPN allows administrators to restrict client access to internal resources in a variety of ways. In addition, traffic filter policies can be applied on a per-user or group basis. For example, users in accounting can be granted access only to their department servers. The same could be done for HR, finance, IT, and others.

Authentication and Management

DirectAccess includes support for strong user authentication with smart cards and one-time password (OTP) solutions. However, there is no provision to grant access based on device configuration or health, as that feature was removed in Windows Server 2016 and Windows 10. In addition, DirectAccess requires that clients and servers be joined to a domain, as all configuration settings are managed using Active Directory group policy.

Windows 10 Always On VPN includes support for modern authentication and management, which results in better overall security. Always On VPN clients can be joined to an Azure Active Directory and conditional access can also be enabled. Modern authentication support using Azure MFA and Windows Hello for Business is also supported. Always On VPN is managed using Mobile Device Management (MDM) solutions such as Microsoft Intune.

Performance

DirectAccess uses IPsec with IPv6, which must be encapsulated in TLS to be routed over the public IPv4 Internet. IPv6 traffic is then translated to IPv4 on the DirectAccess server. DirectAccess performance is often acceptable when clients have reliable, high quality Internet connections. However, if connection quality is fair to poor, the high protocol overhead of DirectAccess with its multiple layers of encapsulation and translation often yields poor performance.

The protocol of choice for Windows 10 Always On VPN deployments is IKEv2. It offers the best security and performance when compared to TLS-based protocols. In addition, Always On VPN does not rely exclusively on IPv6 as DirectAccess does. This reduces the many layers of encapsulation and eliminates the need for complex IPv6 transition and translation technologies, further improving performance over DirectAccess.

Supportability

DirectAccess is a Microsoft-proprietary solution that must be deployed using Windows Server and Active Directory. It also requires a Network Location Server (NLS) for clients to determine if they are inside or outside the network. NLS availability is crucial and ensuring that it is always reachable by internal clients can pose challenges, especially in very large organizations.

Windows 10 Always On VPN supporting infrastructure is much less complex than DirectAccess. There’s no requirement for a NLS, which means fewer servers to provision, manage, and monitor. In addition, Always On VPN is completely infrastructure independent and can be deployed using third-party VPN servers such as Cisco, Checkpoint, SonicWALL, Palo Alto, and more.

Summary

Windows 10 Always On VPN is the way of the future. It provides better overall security than DirectAccess, it performs better, and it is easier to manage and support.

Here’s a quick summary of some important aspects of VPN, DirectAccess, and Windows 10 Always On VPN.

	Traditional VPN	DirectAccess	Always On VPN
Seamless and Transparent	No	Yes	Yes
Automatic Connection Options	None	Always on	Always on, app triggered
Protocol Support	IPv4 and IPv6	IPv6 Only	IPv4 and IPv6
Traffic Filtering	No	No	Yes
Azure AD Integration	No	No	Yes
Modern Management	Yes	No (group policy only)	Yes (MDM)
Clients must be domain-joined?	No	Yes	No
Requires Microsoft Infrastructure	No	Yes	No
Supports Windows 7	Yes	Yes	Windows 10 only

Always On VPN Hands-On Training

If you are interested in learning more about Windows 10 Always On VPN, consider registering for one of my hands-on training classes. More details here.

Additional Resources

Always On VPN and the Future of Microsoft DirectAccess

5 Important Things DirectAccess Administrators Should Know about Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

7 Comments

by Richard M. Hicks on February 5, 2018 • Permalink

Posted by Richard M. Hicks on February 5, 2018

https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/

Enabling Secure Remote Administration for the NetMotion Mobility Console

During the initial setup of a NetMotion Mobility gateway server, the administrator must choose to allow either Secure (HTTPS) or Non-secure (HTTP) connections when using the web-based Mobility Console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Configuring HTTPS

Security best practices dictate HTTPS should be enabled to protect credentials used to log on to the gateway remotely. Immediately after selecting the Secure (https:) option, the administrator is prompted to enter server certificate information. Enter this information and click OK to continue and complete the rest of the configuration as necessary.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Self-Signed Certificate

When logging in to the Mobility console, the administrator is presented with a certificate error indicating there is a problem with the website’s security certificate. This is because the certificate is self-signed by the NetMotion Mobility gateway server and is not trusted.

PKI Issued Certificate

The recommended way to resolve this is to request a certificate from a trusted certification authority (CA). To do this, open the Mobility Management Tool on the Mobility gateway server and click on the Web Server tab.

Click on the Server Certificate button and then click New in the Certificate Request section.

In the SAN (subject alternative name) field of the Optional Extension section enter the Fully Qualified Domain Name (FQDN) of the server using the syntax dns:fqdn. Include both the FQDN and the single-label hostname (short name) separated by a comma to ensure both names work without issue. For example:

dns:nm1.lab.richardhicks.net,dns:nm1

Enabling Secure Remote Administration for the NetMotion Mobility Console

Before requesting a certificate from a CA, the root and any intermediate CA certificates must first be imported. Click the Import button next to each, as required.

Click Copy in the Certificate Request section to copy the Certificate Signing Request (CSR) to the clipboard and then save it to a text file. Now submit the CSR to be signed by the CA using the certreq.exe command. Open an elevated command or PowerShell window and enter the following commands.

certreq.exe -attrib “CertificateTemplate:[TemplateName]” -submit [Path_to_CSR_file]

For example:

certreq.exe -attrib “CertificateTemplate:LabWebServer” -submit certreq.txt

Select a CA from the list and click OK, then save the certificate response when prompted.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click Response and specify the location of the certificate response file saved in the previous step.

Once complete, the newly issued certificate will be in place. Click Close to complete the process.

Click Yes when prompted to restart the Mobility console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Trusted Certificate

Opening the Mobility Console no longer produces a certificate error message with a certificate installed from a trusted CA.

In addition, if you followed the guidance above and included the single-label hostname in the SAN field, accessing the server using the short name will also work without issue.

Summary

Always select the option to use HTTPS to ensure the highest level of security and protection of credentials when remotely administering a NetMotion Mobility gateway server. For optimal security and to provide the best user experience, use a certificate issued and managed by a trusted CA to prevent certificate errors when opening the Mobility console.

Additional Information

NetMotion Mobility as an Alternative to DirectAccess

NetMotion Mobility Device Tunnel Configuration

Comparing NetMotion Mobility and DirectAccess Part 1 – Security

Comparing NetMotion Mobility and DirectAccess Part 2 – Performance

DirectAccess and NetMotion Mobility Webinar

3 Comments

by Richard M. Hicks on February 1, 2018 • Permalink

Posted in Encryption, NetMotion, NetMotion Mobility, Remote Access, Security, SSL and TLS, Windows Server 2012 R2, Windows Server 2016

Tagged CA, certificate, certificates, Certification Authority, HTTPS, management, Mobility, NetMotion, NetMotion Mobility, PKI, Remote Access, remote management, SSL, TLS

Posted by Richard M. Hicks on February 1, 2018

https://directaccess.richardhicks.com/2018/02/01/enabling-secure-remote-administration-for-the-netmotion-mobility-console/

Always On VPN Hands-On Training Coming to Chicago

Recently I announced the availability of Windows 10 Always On VPN hands-on training classes. The first class is set for March 27-29 in Los Angeles. By popular demand, I’m pleased to announce that I’ll be delivering another class April 10-12 in Chicago. This training class will cover all aspects of designing, implement, and supporting an Always On VPN solution in the enterprise. These three-day courses will cover topics including…

Windows 10 Always On VPN overview
Introduction to CSP
Infrastructure requirements
Planning and design considerations
Installation, configuration, and client provisioning

Advanced topics will include…

Redundancy and high availability+
Cloud-based deployments
Third-party VPN infrastructure and client support
Multifactor authentication
Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

2 Comments

by Richard M. Hicks on January 29, 2018 • Permalink

Posted in Always On VPN, education, Enterprise, learning, Remote Access, Training, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, education, enterprise mobility, learning, Mobility, Remote Access, training, VPN, Windows 10, Windows 10 Always On VPN

Posted by Richard M. Hicks on January 29, 2018

https://directaccess.richardhicks.com/2018/01/29/always-on-vpn-hands-on-training-coming-to-chicago/

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS) Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server 2016’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

Internet Key Exchange version 2 (IKEv2) – RFC7296
Secure Sockets Tunneling Protocol (SSTP) – Microsoft
Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for most deployments. IKEv2 provides the best security and performance, with native features that enhance mobility. This latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security and performance.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box, but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Not as secure IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

Implementation best practices dictate that IKEv2 and SSTP be enabled to support Windows 10 Always On VPN connections when using Windows Server 2016 RRAS. The use of L2TP/IPsec and PPTP should be avoided. The combination of IKEv2 and SSTP will provide the best security and availability for remote workers. Clients that can establish IKEv2 VPN connections can take advantages of the security and performance benefits it provides. SSTP can be enabled as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access.

Always On VPN Hands-On Training

Interested in learning more about Windows 10 Always On VPN? Hands-on training classes are now forming. More details here.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN Hands-On Training Classes

2 Comments

by Richard M. Hicks on January 22, 2018 • Permalink

Posted in ADC, Always On VPN, AOVPN, application delivery controller, Encryption, Load Balancing, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, AOVPN, IPsec, L2TP, L2TP/IPsec, Microsoft, performance, PPTP, Remote Access, routing and remote access service, RRAS, security, SSL, SSTP, TLS, transport layer security, UDP, VPN, Windows, Windows 10

Posted by Richard M. Hicks on January 22, 2018

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras/

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility Device Tunnel Configuration In its default configuration, NetMotion Mobility connections are established at the user level. In most cases this level of access is sufficient, but there are some common uses cases that require VPN connectivity before the user logs on. Examples include provisioning a new device to a user who has never logged on before, or to allow support engineers to connect to a remote device without requiring a user to log in first.

Infrastructure Requirements

To support NetMotion Mobility’s “unattended mode” (device tunnel) it will be necessary to deploy a Windows Server 2016 (or 2012R2) Network Policy Server (NPS). In addition, an internal private certification authority (CA) will be required to issue certificates to the NPS server and all NetMotion Mobility client computers.

Client Certificate Requirements

A certificate with the Client Authentication Enhanced Key Usage (EKU) must be provisioned to the local computer certificate store on all NetMotion Mobility clients that require a device tunnel (figure 1). The subject name on the certificate must match the fully qualified domain name of the client computer (figure 2). It is recommended that certificate auto enrollment be used to streamline the provisioning process.

NetMotion Mobility Device Tunnel Configuration

Figure 1. Computer certificate with Client Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 2. Computer certificate with subject name matching the client computer’s hostname.

NPS Server Certificate Requirements

A certificate with the Server Authentication EKU must be provisioned to the local computer certificate store on the NPS server (figure 3). The subject name on the certificate must match the fully qualified domain name of the NPS server (figure 4).

NetMotion Mobility Device Tunnel Configuration

Figure 3. Computer certificate with Server Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 4. Computer certificate with subject name matching the NPS server’s hostname.

NPS Server Configuration

Next install the NPS server role by running the following PowerShell command.

Install-WindowsFeature NPAS -IncludeMamagementTools

Once complete, open the NPS server management console and perform the following steps.

Note: Below is a highly simplified NPS configuration designed for a single use case. It is provided for demonstration purposes only. The NPS server may be used by more than one network access server (NAS) so the example policies included below may not work in every deployment.

Expand RADIUS Clients and Servers.
Right-click RADIUS clients and choose New.
Select the option to Enable this RADIUS client.
Enter a friendly name.
Enter the IP address or hostname of the NetMotion gateway server.
Click Verify to validate the hostname or IP address.
Select Manual to enter a shared secret, or select Generate to create one automatically.
Copy the shared secret as it will be required when configure the NetMotion Mobility gateway server later.
Click OK.
Expand Policies.
Right-click Network Policies and choose New.
Enter a descriptive name for the new policy.
Select Type of network access server and choose Unspecified.
Click Next.
Click Add.
Select Client IPv4 Address.
Click Add.
Enter the internal IPv4 address of the NetMotion Mobility gateway server.
Click OK.
Click Next.
Select Access granted.
Click Next.
Click Add.
Choose Microsoft: Protected EAP (PEAP).
Click OK.
Select Microsoft: Protected EAP (PEAP).
Click Edit.
Choose the appropriate certificate in the Certificate issued to drop down list.
Select Secure password (EAP-MSCHAP v2).
Click Remove.
Click Add.
Choose Smart Card or other certificate.
Click OK.
Select Smart Card or other certificate.
Click Edit.
Choose the appropriate certificate in the Certificate issued to drop down list.
Click OK.
Uncheck all options beneath Less secure authentication methods.
Click Next three times.
Click Finish.

Mobility Server Configuration

Open the NetMotion Mobility management console and perform the following steps.

In the drop-down menu click Configure.
Click Authentication Settings.
Click New.
Enter a descriptive name for the new authentication profile.
Click OK.
Expand Authentication.
Select Mode.
Select Unattended Mode Authentication Setting Override.
From the Authentication mode drop-down box choose Unattended.
Click Apply.
Expand RADIUS: Device Authentication.
Select Servers.
Select [Profile Name] Authentication Setting Override.
Click Add.
Enter the IP address of the NPS server.
Enter the port (default is 1812).
Enter the shared secret.
Click OK.
In the drop-down menu click Configure.
Click Client Settings.
Expand Device Settings.
Select the device group to enable unattended mode for.
Expand Authentication.
Select Settings Profile.
Select [Device Group Name] Group Settings Override.
In the Profile drop-down menu choose the authentication profile created previously.
Click Apply.

Validation Testing

If everything is configured correctly, the NetMotion Mobility client will now indicate that the user and the device have been authenticated.

NetMotion Mobility Device Tunnel Configuration

Summary

Enabling unattended mode with NetMotion Mobility provides feature parity with DirectAccess machine tunnel and Windows 10 Always On VPN device tunnel. It ensures that domain connectivity is available before the user logs on. This allows users to log on remotely without cached credentials. It also allows administrators to continue working seamlessly on a remote computer after a reboot without having a user present to log on.

Additional Resources

NetMotion Mobility as an Alternative to DirectAccess

4 Comments

by Richard M. Hicks on January 11, 2018 • Permalink

Posted in Manage Out, NetMotion, NetMotion Mobility, PowerShell, Remote Access, Security, SSL and TLS, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 11, 2018

https://directaccess.richardhicks.com/2018/01/11/netmotion-mobility-device-tunnel-configuration/

Always On VPN Hands-On Training Classes for 2018

I’m pleased to announce I will be delivering Windows 10 Always On VPN hands-on training classes in various locations around the U.S. this year. As Microsoft continues to move away from DirectAccess in favor of Windows 10 Always On VPN, many organizations now must come up to speed on this new technology. Spoiler alert…it’s not trivial to implement! There’s lots of moving parts, critical infrastructure dependencies, and many configuration options to choose from. Additionally, Windows 10 Always On VPN is managed in a completely different way than DirectAccess, which is sure to present its own unique challenges.

Comprehensive Education

My Windows 10 Always On VPN hands-on training classes will cover all aspects of designing, implementing, and supporting an Always On VPN solution in the enterprise. This three-day course will cover topics such as…

Windows 10 Always On VPN overview
Introduction to CSP
Infrastructure requirements
Planning and design considerations
Installation, configuration, and client provisioning

Advanced topics will include…

Redundancy and high availability
Cloud-based deployments
Third-party VPN infrastructure and client support
Multifactor authentication
Always On VPN migration strategies

Upcoming Training Classes

Reservations are being accepted immediately for classes held on March 27-29, 2018 in Southern California and April 10-12 in Chicago. The cost for this 3 day hands-on, in-depth training class is $4995.00 USD. Later this year I’ll be delivering classes in other parts of the country as well. Those locations will be chosen based on demand, so if you can’t make this first class, please register anyway and let me know your location preference. If there’s enough interest in a specific locale I will schedule a class for that region soon. Although I currently have no plans to deliver my training classes outside the U.S., I’m more than happy to consider it if there is enough demand, so let me know!

Windows 10 Always On VPN Hands-On Training Classes for 2018

Reservations Available Now

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

1 Comment

by Richard M. Hicks on January 8, 2018 • Permalink

Posted in Always On VPN, AOVPN, education, High Availability, learning, Load Balancing, MFA, Multifactor Authentiction, Remote Access, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 8, 2018

https://directaccess.richardhicks.com/2018/01/08/always-on-vpn-hands-on-training-classes-for-2018/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
Consulting

Consulting Services

Now Available!
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
KEMP Technologies

Modern Application Delivery

Download a free trial!
PointSharp ID

Multifactor Authentication

For all Remote Access!
Recent Posts
DirectAccess Resources

MVP Profile

Connect

Mailing List

Buy This!

RSS Feed

Archives

Categories

Tag Cloud

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

Consulting

NetMotion Mobility

KEMP Technologies

PointSharp ID

Recent Posts

DirectAccess Resources