All posts tagged configuration

Always On VPN Discord Channel

I’m excited to announce the launch of a brand-new Discord channel dedicated to administrators working with Always On VPN! Whether you’re a seasoned pro or just getting started, this community is designed to be your go-to hub for collaboration, troubleshooting, and staying up to date on all things Always On VPN. The channel was established by my good friend Leo D’Arcy, the creator of the popular Always On VPN Dynamic Profile Generator (DPC) software.

Why Discord?

Always On VPN is a powerful solution for secure, seamless remote connectivity, but managing it comes with its own set of challenges. From configuration quirks to deployment strategies, administrators often need a space to share insights, ask questions, and learn from one another in real time. That’s where our new Discord channel comes in.

Community Forum

Discord offers a dynamic, user-friendly platform for instant communication and community building. Unlike forums or email threads, it’s a place where you can start a conversation, jump into live discussions, share resources, ask questions, share important insights or experiences, and much more.

Channels

Today, the Always On VPN Discord channel is part of the Microsoft Remote Access User Group Discord Server. It consists of multiple channels divided into the following topics.

General – This is a great place to introduce yourself and say hello to everyone!

DPC-Development – Here, you can ask questions about DPC, provide feedback, and suggest new features and functionality.

DPC-Chat – This channel is for administrators to discuss all things DPC, including deployment strategies, operation, support, and more.

Aovpn-Chat – If you’ve deployed Always On VPN but aren’t using DPC, this is your channel! Although DPC is fantastic, not everyone is using it. In this channel, you can submit questions and share general information about Always On VPN.

Gsa-Chat – We’ve also included a Microsoft Entra Global Secure Access channel for the new Microsoft Security Service Edge (SSE) solution, which includes Entra Private Access. This channel is pretty quiet right now. Hopefully, it will grow in the future!

DirectAccess-Chat – Yes, we realize some of you are still running DirectAccess, so there’s also a channel for you! Feel free to drop in and ask questions here, hopefully about migrating soon. 😉

Who Is This For?

This channel is open to anyone managing Microsoft secure remote access products. Whether you’re an IT administrator in a small business, an enterprise network engineer, or a consultant helping clients stay connected. If you’re working with Microsoft remote access technologies, this is the place to be!

Why Not Reddit?

Funny story: I tried to create an Always On VPN subreddit a few years ago. It lasted one day before it was banned! No reason was given, and I couldn’t get anyone from Reddit to respond. I answer questions ad hoc on Reddit all the time, but there’s no dedicated space for Always On VPN or Microsoft remote access in general.

How To Join

Joining our Discord channel is easy.

  1. Click this link.
  2. Set up your Discord account if you don’t already have one. It’s free and only takes a minute!
  3. Optionally, you can download the Discord app here.
  4. Say hello and introduce yourself in the #general channel.
  5. Explore the other channels, ask questions, give feedback, and share your expertise!

See You There!

Leo and I, along with many other experienced Always On VPN administrators, are on the forums daily. We encourage you to share your expertise, ask questions, and help others along the way. The more we contribute, the stronger this resource becomes for everyone. Join us today!

Additional Information

Always On VPN Discord Channel

Always On VPN Dynamic Profile Configurator (DPC)

DPC on GitHub

Leave a comment
by Richard M. Hicks on March 10, 2025  •  Permalink
Posted in administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Community, Deployment, Device Management, DirectAccess, Discord, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra Private Access, Forum, GitHub, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra Private Access, Mobility, Operational Support, Remote Access, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 10, 2025

https://directaccess.richardhicks.com/2025/03/10/always-on-vpn-discord-channel/

Always On VPN Windows Server 2025 Binding Handle is Invalid Error

Microsoft released Windows Server 2025 late last year. I’ve been doing extensive testing with the Routing and Remote Access (RRAS) role, commonly deployed to support Always On VPN client connections. I heavily use automation to deploy VPN servers in my lab and for large customer deployments, and after deploying some new Windows Server 2025 machines, I encountered the “binding handle is invalid” error message when running specific commands.

VPN Ports

By default, Windows Server RRAS enables IKEv2 for Remote Access (RAS) and SSTP for RAS and Routing. Each is provisioned with 128 ports. Often, these settings are updated because there are not enough ports to support expected concurrent connections. Also, SSTP should not be enabled for Routing as it is not required, and PPPoE is enabled for Routing, which is also not required. The best practice is to disable any protocols and services that are not being used.

Although updating these settings can be updated in the GUI (rrasmgmt.msc), automating these changes requires command line configuration.

Netsh

Here’s the command to configure additional SSTP ports and disable Routing using netsh.exe.

netsh.exe ras set wanports device = “WAN Miniport (SSTP)” rasinonly = enabled ddinout = disabled ddoutonly = disabled maxports = 500

However, running this command returns the following error message.

“The binding handle is invalid.”

PowerShell

You might be wondering why we don’t use PowerShell for these tasks. Sadly, not all these settings are exposed via PowerShell. For example, with the native Set-VpnServerConfiguration PowerShell command, you can set the number of ports for IKEv2, SSTP, L2TP, and GRE. However, you cannot turn these protocols on or off entirely as you can with netsh.exe commands.

Here’s an example of setting up VPN server port configuration using PowerShell.

Set-VpnServerConfiguration -SstpPorts 500 -Ikev2Ports 500 -PassThru

Note: You must restart the server (not just the RemoteAccess service) when increasing the number of ports beyond the default setting of 128.

Set-VpnServerConfiguration does not support configuration for PPTP. However, PPTP is disabled by default on Windows Server 2025.

Backup and Restore

This issue will also impede the ability to back and restore the RRAS configuration using netsh.exe. You can back up the RRAS configuration by running the following command.

netsh.exe ras dump | Out-File rasconfig.txt -Encoding ascii

You can restore the configuration by running the following command.

netsh.exe exec .\rasconfig.txt

However, you will receive “binding handle is invalid” error when running this command.

AovpnTools

Be advised that the following functions in my AovpnTools PowerShell module use netsh.exe commands that will return the “binding handle is invalid” error message when configuring Windows Server 2025 servers.

Workaround

Until Microsoft resolves this issue, administrators must use a combination of the native PowerShell commands and manual configuration using the Routing and Remote Access management console (rrasmgmt.msc) to implement these settings changes. When backing up and restoring the RRAS configuration, additional configuration will be required after configuration import to ensure the VPN server port configuration is configured correctly.

Additional Information

Always On VPN PowerShell Module on GitHub

Leave a comment
by Richard M. Hicks on January 13, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Infrastructure, L2TP, Microsoft, Mobility, PowerShell, PPTP, Remote Access, routing, routing and remote access service, RRAS, Security, troubleshooting, VPN, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 13, 2025

https://directaccess.richardhicks.com/2025/01/13/always-on-vpn-windows-server-2025-binding-handle-is-invalid-error/

When Always On VPN Isn’t

Microsoft Always On VPN is a beautiful thing. VPN profiles are assigned to the user (and, optionally, their device). When users power up their device and log on, they are automatically connected to the corporate network and can access all the applications and data they need on-premises. Until recently, though, end users could disconnect the VPN. Why they would do this is beyond comprehension, but sadly, it happens all too often. When it does, it presents a problem for Always On VPN administrators because they must now rely on the user to re-enable this feature. And until they do, they often suffer productivity loss, and their devices may fall out of compliance.

Connect Automatically

When an Always On VPN profile is provisioned to a user (or a device), the VPN profile has the option to ‘Connect automatically’ enabled by default. Unfortunately, this setting is cleared if a user terminates the VPN.

This setting will remain cleared until the user rechecks the box to enable it. Until then, the VPN will no longer connect automatically.

Workarounds

Instead of relying on the grace of the end user to restore Always On functionality, administrators have a few options to correct this problem programmatically.

Intune Remediation

Administrators can use Intune Remediations to deploy a set of detection and remediation scripts I’ve published to update this setting. Now, administrators can enforce ‘Always On’ VPN connections with the assurance that if the user turns off this feature, it will be quickly re-enabled.

Detect-AutoTriggerDisabledProfile.ps1

Remediate-AutoTriggerDisabledProfile.ps1

SCCM

You can find a standalone version of this script here if you use System Center Configuration Manager (SCCM) or another systems management solution to manage your endpoints.

Clear-AutoTriggerDisabledProfile.ps1

AovpnTools

In addition, you will find the Clear-AutoTriggerDisabledProfile function is included in my AOVPNTools PowerShell module, which can be installed from the PowerShell gallery.

Install-Module -Name AOVPNTools -Force

Disable Disconnect Button

To avoid this pain in the future, Always On VPN administrators can prevent users from disconnecting the VPN using the UI by leveraging the DisableDisconnectButton option in ProfileXML. This setting is supported for both user and device tunnels on Windows 11 and later devices.

Additional Information

AOVPNTools PowerShell Module

AOVPNTools PowerShell Module on GitHub

Always On VPN and Intune Remediations

6 Comments
by Richard M. Hicks on January 15, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Compliance, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, GitHub, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, Security, System Center Configuration Manager, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 15, 2024

https://directaccess.richardhicks.com/2024/01/15/when-always-on-vpn-isnt/

« Older Posts