Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.
RemoteAccess Module
The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.
Configuration Review
The following PowerShell commands are useful for reviewing the current RRAS server configuration.
Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.
Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.
Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.
System Health
Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:
Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize
User Activity
The following PowerShell commands can be used to view current and historical user activity details.
Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.
Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.
Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.
Management
The following PowerShell commands are helpful for reviewing authentication and logging settings.
Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.
Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.
Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.
Additional Modules
In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.
AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.
Install-Module -Name AovpnTools
InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.
Install-Module -Name InboxAccountingDatabaseManagement
Additional Information
Always On VPN and RRAS on Windows Server Core
Inbox Accounting Database Management
Deploying DirectAccess on Windows Server 2016 core is recommended to ensure the highest level of security and availability for the remote access solution. Server core is a stripped-down, command-line only version of Windows that removes many features unnecessary to support common server workloads. It’s reduced attack surface improves security, and this leaner version of the Windows OS requires less maintenance (patching), resulting in fewer reboots which increases overall availability. It has a smaller disk and memory footprint too which results in quicker system restarts, when required.
