All posts tagged AOVPN

Always On VPN and NPS AD Registration

Always On VPN Users Prompted for Certificate

Windows Server Network Policy and Access Services (NPAS, more commonly called NPS) is a popular solution used in Always On VPN deployments to support Active Directory authentication for user-based VPN connections. NPS is integrated with Active Directory to perform certificate-based authentication. With additional configuration, NPS can apply specific settings to an individual connection by reading the properties of the user’s AD account.

Dial-In Properties

Administrators can allow or deny network access, assign a static IP address, or assign a static route on a per-user basis. This information is defined on the Dial-In tab of the user account in Active Directory Users and Computers (dsa.msc).

Register in AD

Registering the NPS server in Active Directory is strictly optional. It is not required to perform user authentication. However, administrators must register the NPS server in Active Directory to assign connection properties per user. Active Directory registration for NPS allows the NPS server to read the properties of individual Active Directory user accounts. Active Directory registration for NPS is accomplished in one of several ways.

NPS Management Console

On each NPS server, open the NPS management console (nps.msc), right-click the server, and choose Register server in Active Directory.

Command Line

Administrators can register the NPS server in Active Directory by opening an elevated command window and running the following command.

netsh.exe nps add registeredserver <domain> <host>

Where <domain> is the Active Directory domain where you want to add the NPS server to the RAS and IAS Servers security group, and <host> is the hostname of the NPS server to register.

For example:

netsh.exe nps add registeredserver lab.richardhicks.net nps1

ADUC

Registering an NPS server in Active Directory does nothing more than add the NPS server to the RAS and IAS Servers domain security group. Administrators can open ADUC and add NPS servers to the group directly if required.

Note: Registering an NPS server in Active Directory using the NPS console or the command line adds the NPS server to the RAS and IAS Servers group in the domain to which the NPS server belongs. If user accounts are in a different domain, NPS servers must also be added to the RAS and IAS Servers group in those domains.

NPS Policy

In addition to registering the NPS server in Active Directory, administrators must ensure that the option to Ignore user account dial-in properties on the Network Policy used for Always On VPN is not checked.

Additional Information

Always On VPN and NPS Server Load Balancing

Always On VPN NPS Auditing and Logging

Always On VPN NPS RADIUS Configuration Missing

4 Comments
by Richard M. Hicks on February 6, 2024  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, extensible authentication protocol, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Remote Access, Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 6, 2024

https://directaccess.richardhicks.com/2024/02/06/always-on-vpn-and-nps-ad-registration/

Always On VPN and IPv6

Internet Protocol version 6 (IPv6) has been with us for nearly 30 years. IPv6 adoption on the public Internet has steadily increased over the last decade, and today is approaching 50%. However, enterprise adoption of IPv6 has been surprisingly sluggish despite its numerous benefits. IPv6 includes an expanded address space that removes complex subnetting requirements and globally unique addressing that eliminates the need to perform Network Address Translation (NAT), among others. Organizations should consider deploying IPv6 internally to take advantage of these capabilities.

IPv6 and RRAS

I’ve deployed Microsoft Always On VPN for customers using IPv6 numerous times. The following describes configuration settings required to support IPv6 in a Microsoft environment using a Windows Server Routing and Remote Access (RRAS) server.

To begin, open the Routing and Remote Access management console (rrasmgmt.msc) on the RRAS VPN server, then follow the steps below to enable IPv6 support for Always On VPN connections.

Note: The configuration below assumes that IPv6 is already deployed on the internal network, either natively or dual-stacked with IPv4.

IPv6 Remote Access

Perform the following steps to enable IPv6 remote access on the RRAS VPN server.

  1. Right-click the RRAS VPN server in the navigation tree and choose Properties.
  2. Check the box next to the IPv6 Remote access server on the General tab.

Prefix Assignment

Next, an IPv6 prefix must be assigned to each RRAS VPN server. This IPv6 prefix must be unique for each server and not in use anywhere else on the internal network. Unlike IPv4, IPv6 addresses cannot be assigned from the same prefix (subnet) as the VPN server’s internal network interface. With that, ensure that internal network IPv6 routing returns traffic for the assigned IPv6 prefixes to the corresponding VPN server.

Perform the following steps to assign an IPv6 prefix for VPN client use.

  1. Right-click the RRAS VPN server in the navigation tree and choose Properties.
  2. Select the IPv6 tab.
  3. Check the box next to Enable IPv6 Forwarding.
  4. If force tunneling is required (not recommended), check the box next to Enable Default Route Advertisement.
  5. Enter an IPv6 prefix in the IPv6 prefix assignment field. Again, ensure the IPv6 prefix is globally unique, and that internal network routing is configured to return traffic to the VPN server that owns the prefix.
  6. If your RRAS server is multi-homed, select the internal network interface from the Adapter drop-down list.

DHCP

Organizations with IPv6 deployed internally may use Microsoft Windows DHCPv6 or a dedicated DNS/DHCP/IP Address Management (IPAM) (DDI) solution like Infoblox. However, Windows Server RRAS does not support DHCPv6 for VPN client IP address assignment. Administrators must manually assign an IPv6 prefix per server. However, administrators can use DHCP alongside IPv6 prefix assignment for VPN client IPv4 addressing.

Limitations

While IPv6 may solve some problems for Always On VPN administrators, it has some limitations. Here are some crucial considerations for IPv6 and Always On VPN at the time of this writing.

Traffic Filters

You cannot use IPv6 when configuring traffic filters for Always On VPN. Specifying IPv6 elements in a traffic filter rule will prevent Always On VPN from working at all. More details here.

Intune and Routing

When split tunneling is enabled, Microsoft Intune will not accept IPv6 routes using the standard IPv6 subnet prefix of /64. The UI complains that “the value must be between 1 and 32”.

You can use the custom XML deployment option to configure Always On VPN to support split tunneling correctly as a workaround.

Additional Information

Overview of IPv6

Everything You Never Knew about NAT

Disabling IPv6 Breaks Windows Server RRAS

Microsoft Always On VPN Traffic Filters and IPv6

Discussing Microsoft and IPv6 on the IPv6 Buzz Podcast (Packet Pushers)

2 Comments
by Richard M. Hicks on January 22, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Application Filter, Deployment, device tunnel, Enterprise, enterprise mobility, Infrastructure, IPv6, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Remote Access, routing, routing and remote access service, RRAS, split tunnel, split tunneling, Traffic Filter, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 22, 2024

https://directaccess.richardhicks.com/2024/01/22/always-on-vpn-and-ipv6/

When Always On VPN Isn’t

Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.

Connect Automatically

When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.

This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.

Workarounds

Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.

Intune Remediation

Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.

Detect-AutoTriggerDisabledProfile.ps1

Remediate-AutoTriggerDisabledProfile.ps1

SCCM

You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.

Clear-AutoTriggerDisabledProfile.ps1

AovpnTools

In addition, you will find the Clear-AutoTriggerDisabledProfile function is included in my AOVPNTools PowerShell module, which can be installed from the PowerShell gallery.

Install-Module -Name AOVPNTools -Force

Disable Disconnect Button

To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.

Additional Information

AOVPNTools PowerShell Module

AOVPNTools PowerShell Module on GitHub

Always On VPN and Intune Remediations

6 Comments
by Richard M. Hicks on January 15, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Compliance, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, GitHub, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, Security, System Center Configuration Manager, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 15, 2024

https://directaccess.richardhicks.com/2024/01/15/when-always-on-vpn-isnt/

« Older Posts
Newer Posts »