MVP Profile
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
Learning
TechMentor Redmond 2018
Buy This!
Learn PowerShell!
@richardhicks
- #Windows10 Always On #VPN redundancy and failover with @kemptech LoadMaster GEO. #Microsoft #Windows #Win10 #aovpn rmhci.co/2nuFBVA:: 16 minutes ago
- #SSL certificate considerations for #DirectAccess IP-HTTPS. #security rmhci.co/2ho00JG:: 14 hours ago
- RT @RunAsRadio: More great stories from Build! @tara_msft and @VirtualScooley talk on RunAsRadio at ow.ly/gxn730kzxbC about the Windo…:: 14 hours ago
- #DirectAccess and Always On #VPN with Trusted Platform Module (TPM) certificates. #security #Microsoft #Windows… twitter.com/i/web/status/1…:: 16 hours ago
- RT @jandreacola: Privileged Access Workstations are really important to protecting high level credentials like Domain Admin from bad guys.…:: 19 hours ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
6to4 Active Directory ADC Always On VPN application delivery controller authentication Azure book certificate certificates conference configuration DirectAccess DirectAccess 2012 DNS education encryption enterprise mobility error F5 firewall Forefront Forefront UAG Forefront UAG 2010 group policy high availability hotfix Important Links IP-HTTPS IPsec IPv6 IPv6 transition protocol IPv6 transition technology ISATAP Kemp load balancer load balancing management Manage Out Microsoft Mobility multisite Networking network load balancing network location server NLB NLS NRPT OTP performance PKI PowerShell redundancy Remote Access scalability security Server 2012 SSL SSTP Teredo TLS training troubleshooting UAG UAG 2010 update VPN Windows Windows 7 Windows 8 Windows 10 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

DirectAccess clients use the Network Location Server (NLS) for trusted network detection. If the NLS can be reached, the client will assume it is on the internal network and the DirectAccess connection will not be made. If the NLS cannot be reached, the client will assume it is outside the network and it will then attempt to establish a connection to the DirectAccess server.

Critical Infrastructure

DirectAccess NLS availability and reachability is crucial to ensuring uninterrupted operation for DirectAccess clients on the internal network. If the NLS is offline or unreachable for any reason, DirectAccess clients on the internal network will be unable to access internal resources by name until the NLS is once again available. To ensure reliable NLS operation and to avoid potential disruption, the NLS should be highly available and geographically redundant. Close attention must be paid to NLS SSL certificate expiration dates too.

NetMotion Mobility

NetMotion Mobility does not require additional infrastructure for inside/outside detection as DirectAccess does. Instead, Mobility clients determine their network location by the IP address of the Mobility server they are connected to.

Unlike DirectAccess, NetMotion Mobility clients will connect to the Mobility server whenever it is reachable, even if they are on the internal network. There are some advantages to this, but if this behavior isn’t desired, a policy can be created that effectively replicates DirectAccess client behavior by bypassing the Mobility client when the client is on the internal network.

Configuring Trusted Network Detection

Follow the steps below to create a policy to enable trusted network detection for NetMotion Mobility clients.

Create a Rule Set

From the drop-down menu in the NetMotion Mobility management console click Policy and then Policy Management.
Click New.
Enter a descriptive name for the new rule set.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Create a Rule

Click New.
Enter a descriptive name for the new rule.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Define a Condition

Click on the Conditions tab.
In the Addresses section check the box next to When the Mobility server address is address.
In the Policy rule definition section click the equal to address(es) (v9.0) link.
Click Add.
Select Mobility server address.
Select the IP address assigned to the Mobility server’s internal network interface.
Click Ok.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Define an Action

Click on the Actions tab.
In the Passthrough Mode section check the box next to Enable/disable passthrough mode.
Click Save.
Click Save.

Assign the Policy

Click on the Subscribers tab.
Choose a group to assign the policy to. This can be users, groups, devices, etc.
Click Subscribe.
Select the Trusted Network Detection policy.
Click Ok.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Validation Testing

The NetMotion Mobility client will connect normally when the client is outside of the network. However, if the Mobility client detects that it is connected to the internal interface of the Mobility server, all network traffic will bypass the Mobility client.

NetMotion Mobility for DirectAccess Administrators – Trusted Network Detection

Summary

Trusted network detection can be used to control client behavior based on their network location. Many administrators prefer that connections only be made when clients are outside the network. DirectAccess clients use the NLS to determine network location and will not establish a DirectAccess connection if the NLS is reachable.

NetMotion Mobility trusted network detection relies on detecting the IP address of the Mobility server to which the connection was made. This is more elegant and effective than the DirectAccess NLS, and more reliable too.

Additional Information

Enabling Secure Remote Administrator for the NetMotion Mobility Management Console

NetMotion Mobility Device Tunnel Configuration

Deploying NetMotion Mobility in Azure

1 Comment

by Richard M. Hicks on March 26, 2018 • Permalink

Posted in DirectAccess, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, Remote Access, VPN, Windows 10, Windows Server 2016

Tagged DirectAccess, enterprise mobility, Mobility, NetMotion, NetMotion Mobility, network location server, NLS, Remote Access, trusted network detection, VPN

Posted by Richard M. Hicks on March 26, 2018

https://directaccess.richardhicks.com/2018/03/26/netmotion-mobility-directaccess-trusted-network-detection/

Unable to Generate DirectAccess Diagnostic Log in Windows 10 v1709

There are numerous reports that generating the DirectAccess troubleshooting log fails on Windows 10 v1709. DirectAccess administrators have been reporting that the process seems to fail during the creation of the log file, leaving it truncated and incomplete. To resolve this issue, open an elevated PowerShell window and enter the following command.

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc\” -Name SvcHostSplitDisable -PropertyType DWORD -Value 1 -Force

The computer must be restarted for this change to take effect. If initial testing of this workaround is successful, the registry setting can be pushed out to all DirectAccess clients using Active Directory Group Policy Preferences.

4 Comments

by Richard M. Hicks on March 15, 2018 • Permalink

Posted in DirectAccess, PowerShell, Remote Access, troubleshooting, Windows 10

Tagged diagnostic log, DirectAccess, NCA, PowerShell, Remote Access, troubleshooting, Windows, Windows 10, workaround

Posted by Richard M. Hicks on March 15, 2018

https://directaccess.richardhicks.com/2018/03/15/unable-to-generate-directaccess-diagnostic-log-in-windows-10-v1709/

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant One of the first places administrators look for information about the DirectAccess client connection is the Network Connectivity Assistant (NCA). The NCA is used to view current connection status and to gather detailed information that is helpful for troubleshooting failed DirectAccess connections. The NCA was first integrated with the client operating system beginning with Windows 8. Similar functionality can be extended to Windows 7 clients by installing and configuring the Windows 7 DirectAccess Connectivity Assistant (DCA).

NCA

The DirectAccess NCA can be accessed by pressing the Windows Key + I and then clicking on Network & Internet and DirectAccess. Here you’ll find a helpful visual indicator of current connectivity status, and for multisite deployments you’ll also find details about the current entry point.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

DirectAccess Missing?

If DirectAccess does not appear in the list, open an elevated PowerShell window and restart the Network Connectivity Assistant service (NcaSvc) using the following command.

Restart-Service NcaSvc

If you receive the error “Failed to start service ‘Network Connectivity Assistant (NcaSvc)‘”, ensure that the client operating system is Enterprise or Education edition. The NCA service will always fail to start on Professional edition as it is not a supported DirectAccess client.

Log Collection

The DirectAccess NCA also provides access to crucial troubleshooting information. Clicking on the Collect button creates a detailed diagnostic log file that is often helpful for troubleshooting DirectAccess connectivity issues.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Troubleshooting Info Missing?

The option to collect a log, and email it to your IT admin will only be displayed if a support email address is defined in the DirectAccess configuration. To define a support email address, open the Remote Access Management console and perform the following steps.

1. Click Edit on Step 1.
2. Click Network Connectivity Assistant.
3. Enter an email address in the Helpdesk email address field.
4. Click Finish to complete Step 1.
5. Click Finish to apply the changes.

Email Program

Microsoft assumes that an end user will be generating the DirectAccess client troubleshooting log and will be emailing them to their administrator. If an email program is not installed on the client, the following information is displayed.

There is no email program associated to perform the requested action. Please install an email program or, if one is already installed, create an associate in the Default Programs control panel.

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

If you wish to simply view the log file on the client and not email them, you can find the generated DirectAccess troubleshooting log file in HTML format in the following location.

%SystemDrive%\Users\%Username%\AppData\Local\Temp

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Unable to Generate Log Files

There are numerous reports that generating the DirectAccess troubleshooting log fails on Windows 10 v1709. DirectAccess administrators have been reporting that the process seems to fail during the creation of the log file, leaving it truncated and incomplete. To resolve this issue, open an elevated PowerShell window and enter the following command.

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc\” -Name SvcHostSplitDisable -PropertyType DWORD -Value 1 -Force

The computer must be restarted for this change to take effect. If initial testing of this workaround is successful, the registry setting can be pushed out to all DirectAccess clients using Active Directory Group Policy Preferences.

Additional Information

Installing and Configuring DirectAccess Connectivity Assistant 2.0 on Windows 7 Clients

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

3 Comments

by Richard M. Hicks on March 15, 2018 • Permalink

Posted in DirectAccess, enterprise mobility, multisite, NCA, network connectivity assistant, PowerShell, Remote Access, troubleshooting, Windows 10, Windows 8.1

Tagged DirectAccess, enterprise mobility, log, log collection, log file, NCA, ncasvc, network connectivity assistant, PowerShell, Remote Access, troubleshooting, Windows 10, Windows 7, Windows 8.x

Posted by Richard M. Hicks on March 15, 2018

https://directaccess.richardhicks.com/2018/03/15/directaccess-troubleshooting-windows-10-network-connectivity-assistant/

Deleting an Always On VPN Device Tunnel

Windows 10 Always On VPN supports both a user tunnel for corporate network access, and a device tunnel typically used to provide pre-logon network connectivity and to support manage out scenarios. The process of testing Always On VPN is often an iterative one involving trial and error testing to fine tune the configuration parameters to achieve the best experience. As a part of this process it will often be necessary to delete a connection at some point. For the user tunnel the process is simple and straightforward. Simply disconnect the session and delete the connection in the UI.

Deleting an Always On VPN Device Tunnel

Deleting a device tunnel connection presents a unique challenge though. Specifically, there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.

Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force

If the device tunnel is connected when you try to remove it, you will receive the following error message.

The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.

The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.

rasdial.exe [connection_name] /disconnect

Remove the device tunnel connection using PowerShell once complete.

Additional Resources

Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell

What’s The Difference Between DirectAccess and Always On VPN?

Windows 10 Always On VPN Recommendations for Windows Server 2016 Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Hands-On Training

5 Comments

by Richard M. Hicks on March 12, 2018 • Permalink

Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Manage Out, Mobility, PowerShell, Remote Access, Security, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on March 12, 2018

https://directaccess.richardhicks.com/2018/03/12/deleting-an-always-on-vpn-device-tunnel/

DirectAccess IP-HTTPS and Symantec SSL Certificates

DirectAccess IP-HTTPS and Symantec SSL Certificates An SSL certificate is required to support the IP-HTTPS IPv6 transition technology when configuring DirectAccess. Implementation best practices dictate using a public SSL certificate signed by a trusted third-party vendor such as Entrust, Verisign, DigiCert, and others. SSL certificates issued by a private PKI are acceptable if the client trusts the issuing CA. Self-signed certificates are supported in some deployment scenarios, but their use is generally discouraged. For more detailed information regarding SSL certificate considerations for DirectAccess IP-HTTPS click here.

Symantec Issued Certificates

Symantec is a popular commercial SSL certificate provider that has been commonly used for many years. However, due to integrity issues associated with their PKI management practices, Google and Mozilla announced they will soon be deprecating these certificates. This means users who browse to an HTTPS web site protected with a Symantec SSL certificate will receive a warning in their browser indicating the certificate is not trusted.

DirectAccess IP-HTTPS

It is important to note that there is no impact at all for DirectAccess when the server is configured to use an SSL certificate issued by Symantec. There is nothing you need to do to address this issue in this scenario. However, if a wildcard certificate is installed on the DirectAccess server and it is also used on other public-facing web servers in the organization, it is likely that the certificate will replaced, perhaps by another certificate provider. In this case, DirectAccess IP-HTTPS must be configured to use the new or updated SSL certificate.

Updating IP-HTTPS SSL Certificate

To update the DirectAccess IP-HTTPS SSL certificate, import the SSL certificate along with the private key in to the local computer certificate store on each DirectAccess server. Next identify the thumbprint of the new SSL certificate. Finally, open an elevated PowerShell command window and enter the following command.

$thumbprint = “ssl_cert_thumbprint”
$cert = Get-ChildItem -Path cert:\localmachine\my | where {$_.thumbprint -eq $thumbprint}
Set-RemoteAccess -SslCertificate $cert -PassThru

Be sure to replace “ssl_cert_thumbprint” with the actual thumbprint of your SSL certificate. 😉 In addition, for load-balanced and/or multisite deployments, run these PowerShell commands on each server in the enterprise.

Additional Information

SSL Certificate Considerations for DirectAccess IP-HTTPS

DirectAccess IP-HTTPS Null Cipher Suites Not Available

DirectAccess IP-HTTPS Performance Issues

Troubleshooting Always On VPN Errors 691 and 812

When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”

Troubleshooting Always On VPN Errors 691 and 812

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 812”.

Troubleshooting Always On VPN Errors 691 and 812

Always On VPN clients using the Secure Socket Tunneling Protocol (SSTP) may receive the following error.

“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”

Troubleshooting Always On VPN Errors 691 and 812

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 691”.

Troubleshooting Always On VPN Errors 691 and 812

Resolution

These errors can occur when Transport Layer Security (TLS) 1.0 has been disabled on the RRAS server. To restore functionality, enable TLS 1.0 protocol support on the RRAS server. If disabling TLS 1.0 is required for compliance reasons, consider deploying RRAS on Windows Server 2016. TLS 1.0 can be safely disabled on Windows Server 2016 without breaking EAP client certificate authentication for Windows 10 Always On VPN clients.

Additional Information

Windows 10 Always On VPN Hands-On Training

What’s the Difference Between DirectAccess and Windows 10 Always On VPN?

5 Important Things DirectAccess Administrators Should Know About Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN and the Future of DirectAccess

3 Comments

by Richard M. Hicks on February 26, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, Compliance, enterprise mobility, Mobility, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on February 26, 2018

https://directaccess.richardhicks.com/2018/02/26/troubleshooting-always-on-vpn-errors-691-and-812/

Always On VPN Hands-On Training Classes Coming to Denver and New York

I’m pleased to announce that I will be bringing my popular three-day Windows 10 Always On VPN Hands-On Training classes to Denver and New York in May and June! Join me May 15-17, 2018 in Denver or June 5-7, 2018 in New York. These training classes will cover all aspects of designing, implement, and supporting an Always On VPN solution in the enterprise. These three-day courses will cover topics including…

Windows 10 Always On VPN overview
Introduction to CSP
Infrastructure requirements
Planning and design considerations
Installation, configuration, and client provisioning

Advanced topics will include…

Redundancy and high availability+
Cloud-based deployments
Third-party VPN infrastructure and client support
Multifactor authentication
Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

DirectAccess IP-HTTPS Performance Issues

DirectAccess IP-HTTPS Performance Issues Performance issues with DirectAccess are not uncommon. In fact, there are numerous threads on Microsoft and third-party forums where administrators frequently complain about slow download speeds, especially when using the IP-HTTPS IPv6 transition technology. Based on my experience the problem does not appear to be widespread but occurs with enough regularity that it is worthy of further investigation.

DirectAccess Design

The inherent design of DirectAccess is a major limiting factor for performance. DirectAccess uses a complex and heavy communication channel, with multiple layers of encapsulation, encryption, and translation. Fundamentally it is IPsec encrypted IPv6 traffic, encapsulated in HTTP, and then encrypted with Transport Layer Security (TLS) and routed over IPv4. It is then decrypted, decapsulated, decrypted again, then converted back to IPv4. The high protocol overhead incurred with multiple layers of encapsulation, encryption, and translation result in increased packet fragmentation, which further reduces performance.

DirectAccess Performance

Even under the best circumstances, DirectAccess performance is limited by many other factors, most notably the quality of the network connection between the client and the server. DirectAccess performs reasonably well over high bandwidth, low latency connections. However, network performance drops precipitously as latency increases and packet loss is encountered. This is to be expected given the design of the solution.

Intermediary Devices

It is not uncommon to find intermediary devices like firewalls, intrusion detection systems, malware scanners, and other security inspection devices limit the performance of DirectAccess clients. In addition, many security appliances have bandwidth caps enforced in software for licensing restrictions. Further, incorrect configuration of inline edge devices can contribute to increased fragmentation, which leads to poor performance as well.

Slow Downloads over IP-HTTPS

Many people report that download speeds seem to be artificially capped at 355Kbps. While this seems to be a display bug in the UI, there is plenty of evidence to indicate that, in some scenarios, DirectAccess is incapable of high throughput even over high-quality connections. Some who have deployed DirectAccess and VPN on the same server have reported that download speeds are only limited when using DirectAccess over IP-HTTPS and not with VPN using Secure Socket Tunneling Protocol (SSTP), which also uses TLS. This has led many to speculate that the issue is either a bug or a design flaw in the IP-HTTPS tunnel interface itself.

TCP Window Scaling Issues

In some of the network traces I’ve analyzed I’ve seen evidence that seems to support this theory. For example, a network trace taken when downloading a file over DirectAccess with IP-HTTPS showed the TCP window never scaled beyond 64K, which would seriously impede performance. Interestingly this doesn’t seem to happy when the client uploads files over IP-HTTPS. Clearly something unusual is happening.

Microsoft KB Article

Microsoft recently released a vaguely-worded KB article that appears to lend credence to some of these findings. The article seems to acknowledge the fact there are known issues with DirectAccess performance, but it lacks any specific details as to what the root cause is. Instead, it simply advises migrating to Windows 10 Always On VPN.

Summary

DirectAccess IP-HTTPS performance issues don’t appear to affect everyone, and the problem only seems to apply to file downloads and not to other types of traffic. However, there is mounting evidence of a systemic issue with DirectAccess performance especially over IP-HTTPS. Customers are advised to closely evaluate their uses cases for DirectAccess and if remote clients are frequently required to download large files over a DirectAccess connection, an alternative method of file transfer might be required. Optionally customers can consider evaluating alternative remote access solutions that offer better performance such as Windows 10 Always On VPN or third-party solutions such as NetMotion Mobility.

Additional Resources

Always On VPN and the Future of DirectAccess

What’s the Difference Between DirectAccess and Always On VPN?

NetMotion Mobility as an Alternative to Microsoft DirectAccess

3 Comments

by Richard M. Hicks on February 19, 2018 • Permalink

Posted in DirectAccess, encapsulation, Encryption, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, SSL and TLS, transition technology, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged DirectAccess, encapsulation, encryption, firewall, HTTP, IP-HTTPS, IPv6, performance, Remote Access, SSL, TLS, transition technology, transition tunnel, Windows Server 2016

Posted by Richard M. Hicks on February 19, 2018

https://directaccess.richardhicks.com/2018/02/19/directaccess-ip-https-performance-issues/

DirectAccess and Always On VPN with Trusted Platform Module (TPM) Certificates

To enhance security when provisioning certificates for DirectAccess (computer) or Windows 10 Always On VPN (user) it is recommended that private keys be stored on a Trusted Platform Module (TPM) on the client device. A TPM is a dedicated security processor included in nearly all modern computers. It provides essential hardware protection to ensure the highest levels of integrity for digital certificates and is used to generate, store, and restrict the use of cryptographic keys. It also includes advanced security and protection features such as key isolation, non-exportability, and anti-hammering to prevent brute-force attacks.

To ensure that private keys are created and stored on a TPM, the certificate template must be configured to use the Microsoft Platform Crypto Provider. Follow the steps below to configure a certificate template required to use a TPM.

Open the Certificate Templates management console (certtmpl.msc) and duplicate an existing certificate template. For example, if creating a certificate for DirectAccess, duplicate the Workstation Authentication certificate template. For Always On VPN, duplicate the User certificate template.
On the Compatibility tab, ensure the Certification Authority and Certificate recipient compatibility settings are set to a minimum of Windows Server 2008 and Windows Vista/Server 2008, respectively.
Select the Cryptography tab.
Choose Key Storage Provider from the Provider Category drop down list.
Choose the option Requests must use one of the following providers and select Microsoft Platform Crypto Provider.

Note: If Microsoft Platform Crypto Provider does not appear in the list above, got to the Request Handling tab and uncheck the option Allow private key to be exported.

Complete the remaining certificate configuration tasks (template display name, subject name, security settings, etc.) and publish the certificate template. Client machines configured to use this template will now have a certificate with private key fully protected by the TPM.

Additional Resources

Trusted Platform Module (TPM) Fundamentals

DirectAccess and Always On VPN Certificate Auto Enrollment

9 Comments

by Richard M. Hicks on February 12, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, DirectAccess, Encryption, PKI, public key infrastructure, Remote Access, Security, TPM, Trusted Platform Module, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on February 12, 2018

https://directaccess.richardhicks.com/2018/02/12/directaccess-and-always-on-vpn-with-trusted-platform-module-tpm-certificates/

Deploying NetMotion Mobility in Azure

One of the many advantages NetMotion Mobility offers is that it requires no proprietary hardware to deliver its advanced capabilities and performance. It is a software solution that can be installed on any physical or virtual Windows server. This provides great deployment flexibility by allowing administrators to deploy this remote access solution on their existing virtual infrastructure, which is much less costly than investing in dedicated hardware or virtual appliances.

Cloud Deployment

As customers begin moving their traditional on-premises infrastructure to the cloud, it’s good to know that NetMotion Mobility is fully supported in popular public cloud platforms such as Microsoft Azure. Installing and configuring Mobility on a server in Azure requires a few important changes to a standard Azure VM deployment however. Below is detailed guidance for installing and configuring NetMotion Mobility on a Windows Server 2016 virtual machine hosted in the Microsoft Azure public cloud.

Azure Networking Configuration

Before installing the NetMotion Mobility software, follow the steps below to configure the Azure VM with a static public IP address and enable IP forwarding on the internal network interface.

In the Azure management portal, select the NetMotion Mobility virtual machine and click Networking.
Click on the public-facing network interface.
In the Settings section click IP configurations.
In the IP configurations section click on the IP configuration for the network interface.
In the Public IP address setting section click Enabled for the Public IP address.
Click Configure required settings for the IP address.
Click Create New.
Enter a descriptive name and select Static as the assignment method.
Click OK
Click Save.Note: The process of saving the network interface configuration takes a few minutes. Be patient!
Note the public IP address, as this will be used later during the Mobility configuration.
Close the IP address configuration blade.
In the IP forwarding settings section click Enabled for IP forwarding.
Click Save.

NetMotion Mobility Installation

Proceed with the installation of NetMotion Mobility. When prompted for the external address, enter the public IP address created previously.

Deploying NetMotion Mobility in Azure

Next choose the option to Use pool of virtual IP addresses. Click Add and enter the starting and ending IP addresses, subnet prefix length, and default gateway and click OK.

Deploying NetMotion Mobility in Azure

Complete the remaining NetMotion Mobility configuration as required.

Azure Routing Table

A user defined routing table must be configured to ensure that NetMotion Mobility client traffic is routed correctly in Azure. Follow the steps below to complete the configuration.

In the Azure management portal click New.
In the Search the Marketplace field enter route table.
In the results section click Route table.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to add a route to the route table.

In the Settings sections click Routes.
Click Add.
Enter a descriptive name.
In the Address prefix field enter the subnet used by mobility clients defined earlier.
Select Virtual appliance as the Next hop type.
Enter the IP address of the NetMotion Mobility server’s internal network interface.
Click OK.
Click Subnets.
Click Associate.
Click Choose a virtual network and select the network where the NetMotion Mobility gateway resides.
Click Choose a subnet and select the subnet where the NetMotion Mobility gateway’s internal network interface resides.
Click OK.

Note: If clients connecting to the NetMotion Mobility server need to access resources on-premises via a site-to-site gateway, be sure to associate the route table with the Azure gateway subnet.

Azure Network Security Group

A network security group must be configured to allow inbound UDP port 5008 to allow external clients to reach the NetMotion Mobility gateway server. Follow the steps below to create and assign a network security group.

In the Azure management portal click New.
In the Search the Marketplace field enter network security group.
In the results section click Network security group.
Click Create.
Enter a descriptive name and select a subscription, resource group, and location.
Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to configure the network security group.

In the Settings section click Inbound security rules.
Click Add.
Enter 5008 in the Destination port ranges field.
Select UDP for the protocol.
Select Allow for the action.
Enter a descriptive name.
Click OK.
Click Network Interfaces.
Click Associate.
Select the external network interface of the NetMotion Mobility gateway server.

Summary

After completing the steps above, install the client software and configure it to use the static public IP address created previously. Alternatively, configure a DNS record to point to the public IP address and specify the Fully Qualified Domain Name (FQDN) instead of the IP address itself.

Additional Resources

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility as an Alternative to Microsoft DirectAccess

NetMotion Mobility and Microsoft DirectAccess Comparison Whitepaper

NetMotion and Microsoft DirectAccess On-Demand Webinar

2 Comments

by Richard M. Hicks on February 8, 2018 • Permalink

Posted in Azure, cloud, NetMotion, NetMotion Mobility, Remote Access, Security, VPN, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on February 8, 2018

https://directaccess.richardhicks.com/2018/02/08/deploying-netmotion-mobility-in-azure/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
Consulting

Consulting Services

Now Available!
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
KEMP Technologies

Modern Application Delivery

Download a free trial!
PointSharp ID

Multifactor Authentication

For all Remote Access!
Recent Posts
DirectAccess Resources

MVP Profile

Connect

Mailing List

Learning

Buy This!

RSS Feed

Archives

Categories

Tag Cloud

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

Consulting

NetMotion Mobility

KEMP Technologies

PointSharp ID

Recent Posts

DirectAccess Resources