Recently I wrote about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution that allows administrators to provision and manage Always On VPN client configuration settings using Active Directory and group policy. The article described the basic functionality Always On VPN DPC provides. In this post, I will describe some of its advanced capabilities that administrators will find helpful for solving common Always On VPN challenges.
Protocol Preference
The two most common VPN protocols used with Always On VPN are Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). Each protocol has its advantages and disadvantages. For example, IKEv2 has better security options, but SSTP is more firewall-friendly and reliable.
IKEv2 with SSTP Fallback
Instead of selecting one protocol over the other, some administrators may choose to configure Always On VPN to prefer IKEv2, then fall back to SSTP if IKEv2 is unavailable. Unfortunately, there is no way to configure this using Intune, XML, or PowerShell. To change this setting, the administrator must update the VPN configuration file (rasphone.pbk) and change the value of VpnStrategy to 14. While editing a text file is easy, doing it at scale is more complicated. The setting can be changed using Intune proactive remediation or a PowerShell script. However, it’s even easier using Always On VPN DPC. Simply enable the VPN Protocol advanced setting in group policy and choose IKEv2 First, SSTP Fallback.
Interface Metric
Another common problem Always On VPN administrators encounter is name resolution, specifically when the endpoint uses a wired local connection. Here, name resolution queries may fail or return incorrect IP addresses. This happens because the wired connection has a lower network interface metric than the VPN tunnel adapter. Once again, there is no option for changing this setting using Intune or XML. Administrators can update the interface metrics using PowerShell, but it is not persistent. To fully resolve this, the administrator must edit the rasphone.pbk file. With Always On VPN DPC, enable the VPN Tunnel Metric group policy setting and enter a value lower than the wired connection to solve this problem.
IKE Mobility
The Windows VPN client includes support for IKE Mobility, which allows an IKEv2 VPN connection to reconnect automatically after a loss of network connectivity. IKE Mobility is enabled by default, and the network outage time is set to 30 minutes. However, this setting can have negative side effects, especially when VPN servers are behind a load balancer. Reducing the network outage time or disabling it completely can improve failover if a VPN server goes offline. Here again, this setting cannot be changed using Intune, XML, or PowerShell; it is only configurable in rasphone.pbk. With Always On VPN DPC, enable the Network Outage Time advanced setting in group policy and choose a value that meets your requirements.
Exclusion Routes for Office 365
Force tunneling ensures that all network traffic on the client is routed over the VPN tunnel, including Internet traffic. However, Always On VPN supports exclusion routes which allow administrators to exempt selected traffic from the VPN tunnel when force tunneling is enabled. Commonly this is configured for trusted cloud applications like Microsoft Office 365. Defining exclusion routes for cloud services is more complicated than it sounds. Many cloud services, including Microsoft Office 365, have multiple IP addresses that are constantly changing. This makes keeping Always On VPN clients updated with the correct list of IP address exclusions quite challenging. With Always On VPN DPC, administrators can enable the Exclude Office 365 from VPN group policy setting, allowing the endpoint to automatically configure the necessary exclusion routes for Office 365 IP addresses. Importantly, Always On VPN DPC periodically monitors this list of IP addresses and ensures that endpoints are continually updated with Office 365 exclusion routes as they change to ensure reliable connectivity.
IP Routing
Always On VPN administrators must define which IP addresses and networks are routed over the VPN tunnel when split tunneling is enabled. However, Intune has a known issue that may pose a challenge in some environments.
IPv6
Although IPv4 routes can be configured using the Intune UI, IPv6 routes cannot. This is because the Intune UI does not correctly validate the default IPv6 prefix length, insisting that the administrator use a value between 1 and 32. 🤦♂️
However, the Always On VPN DPC Allowed Routes group policy setting happily accepts the proper IPv6 prefix.
Route Metrics
In addition, there is no option to define the metric values for routes configured using Intune. Assigning non-default route metrics is required to resolve routing conflicts in some scenarios. Defining route metrics requires custom XML. The Always On VPN DPC Route Metric group policy settings allow administrators to define route metrics as required.
Video
I have published a demonstration video on my YouTube channel showing some of the advanced features PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC) provides. Be sure to subscribe to stay up to date as I’ll be releasing more videos in the future.
Learn More
Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.
Additional Information
Always On VPN with Active Directory and Group Policy
Always On VPN Video Demonstration
PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)
