All posts tagged AOVPN

Always On VPN Security Updates June 2024

The Microsoft security updates for June 2024 have now been published. Reviewing the list of bulletins shows three security updates of importance to Always On VPN administrators. Two affect the Windows Server Routing and Remote Access (RRAS) service, and one affects the Remote Access Connection Manager (RasMan) service. None of the updates are critical this month, which is good news.

RRAS

The following are the two security updates from this month’s cycle affecting Windows Server RRAS.

CVE-2024-30094 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-30095 – Windows RRAS Remote Code Execution Vulnerability (Important)

RasMan

The following security update affects the Remote Access Connection Manager (RasMan) service on Windows Server systems.

CVE-2024-30069 – Windows Remote Access Connection Manager Information Disclosure Vulnerability (Important)

Recommendations

None of the security vulnerabilities disclosed this month are critical and require local access to the system to take advantage of the exploit. However, administrators should update their systems as soon as possible.

Additional Information

Microsoft June 2024 Security Updates

Leave a comment
by Richard M. Hicks on June 11, 2024  •  Permalink
Posted in Always On VPN, AOVPN, enterprise mobility, Hotfix, Microsoft, Mobility, RasMan, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 11, 2024

https://directaccess.richardhicks.com/2024/06/11/always-on-vpn-security-updates-june-2024/

What’s New in Always On VPN DPC 4.3.1

The latest release of PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), version 4.3.1, is now available for download. This recent update includes fixes for previously known issues. In addition, it contains some critical new features administrators will find helpful in addressing the challenges they face with Always On VPN client configuration.

What Is DPC?

Always On VPN DPC is a solution to manage Always On VPN client configuration settings. It was originally designed to be used with on-premises Active Directory but can also be deployed with Microsoft Intune. DPC streamlines the configuration and management of client settings and includes many advanced features to fine-tune and optimize Always On VPN.

What’s New in 4.3.1

The following essential features are new in the 4.3.1 release of DPC.

Add Device Tunnel Routes to User Tunnel

Always On VPN administrators can now configure DPC to add device tunnel routes to the user tunnel automatically. This configuration option ensures that all traffic flows of the user tunnel when both user and device tunnels are established.

Note: This feature also requires administrators to define route metric options in DPC. Ensure the user tunnel route metrics are set to a lower value than the device tunnel metrics for proper operation.

Restart RasMan

Always On VPN connections occasionally fail with error 602 (ERROR_PORT_ALREADY_OPEN). The workaround for this is to restart the RasMan service on the endpoint. DPC now supports automatically restarting the RasMan service when this error occurs, ensuring reliable operation for Always On VPN connections.

Machine Certificate Filtering

DPC 4.3.1 now includes a feature to allow administrators to enable machine certificate filtering for Always On VPN device tunnels. This addresses a challenge when the endpoint has multiple machine certificates in its local computer certificate store when the VPN server is configured to accept a certificate with a specific custom application policy (EKU).

Additional Features

In addition, the updated DPC agent core service now run as x64 processes. Also, DPC now supports VPN server FQDNs longer than 63 characters (good news for those using DPC with Azure VPN gateway!).

Download DPC

For those customers currently licensed for Always On VPN DPC you can download the latest release here.

https://support.poweronplatforms.com/support/solutions/articles/8000066807

Not using DPC?

If you’re not using DPC, you are missing out! You can learn more about DPC and register for a free evaluation by visiting the link below.

https://aovpndpc.com

Optionally, you can fill out the form below and I’ll provide you with more information.

Additional Information

PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Advanced Features

Always On VPN DPC with Microsoft Intune

Leave a comment
by Richard M. Hicks on June 3, 2024  •  Permalink
Posted in administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Azure VPN, Certificate Authentication, certificates, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Group Policy, InTune, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Operational Support, ProfileXML, Remote Access, Security, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 3, 2024

https://directaccess.richardhicks.com/2024/06/03/whats-new-in-always-on-vpn-dpc-4-3-1/

Always On VPN Device Tunnel Issues with April 2024 Security Update

Always On VPN administrators may find that their device tunnel connections no longer connect automatically after applying the April 2024 security updates. The device tunnel connection is optional and only required under specific conditions, so end users may not be immediately impacted. However, administrators should be aware of this issue.

Note: The issues outlined in this post have been resolved with the May 14, 2024, security updates.

Error Messages

When manually establishing an Always On VPN device tunnel connection using rapshone.exe or rasdial.exe, you may receive one of the following error messages.

Rasphone.exe

Error 0x80070057: The parameter is incorrect.

Rasdial.exe

Connecting to <Name of Device Tunnel>…The parameter is incorrect.

Affected Devices

The issue affects all supported versions of Windows with an Always On VPN device tunnel connection configured to require a specific Enhanced Key Usage (EKU) OID. Administrators can run the following PowerShell command to identify this configuration.

Get-VpnConnection -AllUserConnection -Name <Name of Device Tunnel> | Select-Object MachineCertificateEkuFilter

If the output of this PowerShell command returns data, it is affected by this issue.

Workaround

To restore Always On VPN device tunnel functionality on devices with the April 2024 security updates installed, open an elevated PowerShell command window and run the following command.

Set-VpnConnection -AllUserConnection -Name ‘Always On VPN Device Tunnel’ -MachineCertificateEKUFilter $Null

After running this command, the output should now be blank.

Caveat

The problem with implementing the workaround described here is that you likely enabled this configuration to address an issue where the wrong certificate was selected for use with the device tunnel. In this case, the workaround may result in unexpected behavior and may not restore full functionality.

Known Issue Rollback

Currently, Microsoft is aware of the issue and is actively working to resolve it. If you are experiencing this issue, open a support case with Microsoft, and they will provide you with more information and possibly a private Known Issue Rollback (KIR). I will update this post as soon as Microsoft publishes a permanent fix.

Additional Information

Always On VPN Device Tunnel Operation and Best Practices

Always On VPN Device Tunnel Only Deployment Considerations

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Leave a comment
by Richard M. Hicks on April 23, 2024  •  Permalink
Posted in Always On VPN, AOVPN, Certificate Authentication, certificates, device tunnel, Enterprise, enterprise mobility, IKEv2, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, Security, Security Update, troubleshooting, Update, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 23, 2024

https://directaccess.richardhicks.com/2024/04/23/always-on-vpn-device-tunnel-issues-with-april-2024-security-update/

« Older Posts