All posts tagged DirectAccess

Always On VPN Connection Issues After Sleep or Hibernate

Likely the single most common complaint about Windows 10 Always On VPN is that device tunnel or user tunnel VPN connections fail to reconnect automatically after a laptop computer wakes from sleep or hibernate. You will find many complaining about this issue and discussing various attempts at resolution on the Microsoft forums. And while Microsoft has released many fixes the last few years to improve connection reliability for Always On VPN, this one seems to continue to plague them. This issue is also prevalent with DirectAccess deployments.

Fix or Workaround?

Unfortunately, I do not have a specific fix or workaround to share that will magically resolve this ongoing issue. However, there are a few group policy settings that may prove effective in some cases.

Connected Standby Settings

To help address issues with Always On VPN connections failing after sleep or hibernate, open the group policy management console and navigate to Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings and enable the following settings.

Allow network connectivity during connected-standby (plugged in)
Allow network connectivity during connected-standby (on battery)

Additional Information

Are you experiencing issues with Always On VPN reconnecting automatically after sleep or hibernate? Have you found an effective workaround? Share your experience in the comments below!

16 Comments

by Richard M. Hicks on August 10, 2020 • Permalink

Posted in Always On VPN, AOVPN, device tunnel, DirectAccess, Enterprise, enterprise mobility, Mobility, Remote Access, user tunnel, VPN, Windows 10

Tagged Always On VPN, connected standby, device tunnel, DirectAccess, enterprise mobility, GPMC, group policy, hibernate, Microsoft, Mobility, sleep, standby, user tunnel, VPN, wake from hibernate, wake from sleep, Windows, Windows 10

Posted by Richard M. Hicks on August 10, 2020

https://directaccess.richardhicks.com/2020/08/10/always-on-vpn-connection-issues-after-sleep-or-hibernate/

Enterprise Networking Magazine Top 10 VPN Consulting Services 2020

It is with great pleasure that I announce Richard M. Hicks Consulting, Inc. has been included in Enterprise Networking Magazine’s Top 10 VPN consulting services for 2020! Enterprise Networking Magazine is a leading magazine and web site dedicated to the enterprise networking industry and its professionals.

You can read the full write-up on Richard M. Hicks Consulting, Inc. at Enterprise Networking’s web site here.

8 Comments

by Richard M. Hicks on May 18, 2020 • Permalink

Posted in Always On VPN, AOVPN, Consulting Services, Enterprise, enterprise mobility, Mobility, Professional Services, Security, VPN, Windows 10

Tagged Always On VPN, AOVPN, award, consulting, consulting services, DirectAccess, enterprise mobility, Enterprise Networking, Enterprise Networking Magazine, Microsoft, Mobility, Remote Access, virtual private networking, VPN, Windows

Posted by Richard M. Hicks on May 18, 2020

https://directaccess.richardhicks.com/2020/05/18/enterprise-networking-magazine-top-10-vpn-consulting-services-2020/

NetMotion Mobility with Microsoft Endpoint Manager and Intune

NetMotion Software and Microsoft have now partnered to integrate NetMotion Mobility with Microsoft Endpoint Manager and Intune. NetMotion Mobility is a purpose-built enterprise VPN solution that has many advantages over competing remote access technologies. Using Microsoft Endpoint Manager or Intune, organizations can now quickly and easily provision NetMotion client software to their managed devices.

NetMotion Mobility

NetMotion Mobility is a popular remote access solution designed to meet the needs of enterprise organization with diverse mobility requirements. NetMotion Mobility uses a proprietary transport protocol that, unlike any other solution, is designed for mobility from inception. It includes many advanced features not found anywhere else. You can learn more about NetMotion Mobility here.

Endpoint Manager and Intune

More information about the NetMotion Software and Microsoft Endpoint Manager and Intune partnership here.

Additional Information

5 Things NetMotion Mobility Can Do that Microsoft DirectAccess Can’t
5 Things NetMotion Mobility Can Do that Microsoft Windows 10 Always On VPN Can’t
Comparing NetMotion Mobility and Microsoft DirectAccess

Evaluate NetMotion Mobility

Interested in learning more about NetMotion Mobility? Complete the form below and I’ll provide you with more information.

2 Comments

by Richard M. Hicks on March 11, 2020 • Permalink

Posted in Always On VPN, AOVPN, DirectAccess, Enterprise, enterprise mobility, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, NetMotion, NetMotion Mobility, NetMotion Software, Operational Support, Security, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Posted by Richard M. Hicks on March 11, 2020

https://directaccess.richardhicks.com/2020/03/11/netmotion-mobility-with-microsoft-endpoint-manager-and-intune/

Renew DirectAccess Self-Signed Certificates

Important! Updated April 29, 2020 to resolve an issue where the DirectAccess RADIUS encryption certificate was not published to the DirectAccess Server Settings GPO in Active Directory.

When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption. Administrators may also selectively choose to use self-signed certificates for IP-HTTPS, or when collocating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.

Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.

PowerShell Script on GitHub

The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.

Important Considerations

When the IP-HTTPS certificate is renewed using this script, DirectAccess clients outside will be immediately disconnected and will be unable to reconnect until they update group policy. This will require connecting to the internal network locally or remotely using another VPN solution. The NLS and RADIUS encryption certificates can be updated without impacting remote users.

In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

70 Comments

by Richard M. Hicks on May 2, 2019 • Permalink

Posted by Richard M. Hicks on May 2, 2019

https://directaccess.richardhicks.com/2019/05/02/renew-directaccess-self-signed-certificates/

Always On VPN and DirectAccess Scripts and Sample Files on GitHub

If you’re looking for specialized configuration scripts for Windows 10 Always On VPN, Windows Server Routing and Remote Access Service (RRAS), or DirectAccess then have a look at my GitHub page! There I’ve uploaded a few tools I’ve created (with the help of my good friend Jeff Hicks!) along with some sample ProfileXML files. Here’s a sample of what you’ll find there today.

Always On VPN

This repository includes PowerShell scripts and sample ProfileXML files used for configuring Windows 10 Always On VPN. These scripts have been adopted from those provided by Microsoft and modified to work with a separate XML file. These scripts can be used for local testing and for deploying Always On VPN connections using System Center Configuration Manager (SCCM). The ProfileXML files can be helpful for those administrators looking for real world configuration examples.

https://github.com/richardhicks/aovpn

SstpOffload

This repository includes a PowerShell script to enable TLS offload for Windows Server RRAS Secure Socket Tunneling Protocol (SSTP) VPN connections when the public SSL certificate can’t be installed on the RRAS server. TLS offload for SSTP can be enabled in scenarios where better security, performance, and scalability are desired.

https://github.com/richardhicks/sstpoffload

DirectAccess

This repository includes the PowerShell script Move-DaInboxAccountingDatabase which can be used to move the DirectAccess inbox accounting database files. The default location of the database files is on the C: drive, and many administrators have encountered disk space issues, especially in large scale deployments. This script will relocate the database files to the location of your choice.

https://github.com/richardhicks/directaccess

More to Come!

Be sure to check my GitHub site for more PowerShell script and sample files on a regular basis. Or better yet, give me a follow! I’ll be sure to post more as time goes on. In addition, I’ll be going through my older articles where I’ve provided PowerShell code samples and will include them in the repository too.

Standard Disclaimer

All the sample files and PowerShell scripts I’ve shared on GitHub are provided as-is. Although they’ve been thoroughly tested, I can’t be certain I’ve accommodated every deployment scenario. Please use caution when running these scripts on production machines.

Additional Information

Always On VPN Hands-On Training Classes 2019

Jeff Hicks’ Blog

6 Comments

by Richard M. Hicks on January 15, 2019 • Permalink

Posted in Always On VPN, AOVPN, DirectAccess, General, GitHub, learning, PowerShell, Remote Access, routing and remote access service, RRAS, SSL, SSL and TLS, SSTP, TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Tagged Always On VPN, AOVPN, DirectAccess, GitHub, Microsoft, Mobility, PowerShell, ProfileXML, Remote Access, scripting, SSTP, VPN, Windows, Windows 10, XML

Posted by Richard M. Hicks on January 15, 2019

https://directaccess.richardhicks.com/2019/01/15/always-on-vpn-and-directaccess-scripts-and-sample-files-on-github/

DirectAccess IP-HTTPS Not Working Properly in Windows Server 2019

After installing and configuring DirectAccess in Windows Server 2019 you may encounter an error message indicating that IP-HTTPS is not working properly. Looking at the Operations Status overview in the Dashboard of the Remote Access Management console shows that the IP-HTTPS interface is in error.

IP-HTTPS Route Error

Viewing the detailed Operations Status shows the following error message.

Error: The IP-HTTPS route does not have published property enabled.

Missing Route

Looking at the routing table on the DirectAccess server reveals that a route to the client IPv6 prefix is indeed missing.

Resolution

To resolve this error message, add the client IPv6 route to the DirectAccess server’s routing table and publish it. This is accomplished by running the following PowerShell commands on the DirectAccess server.

$IPv6prefix = (Get-RemoteAccess).ClientIPv6Prefix
New-NetRoute -AddressFamily IPv6 -DestinationPrefix $IPv6prefix -InterfaceAlias “Microsoft IP-HTTPS Platform Interface” -Publish Yes

Next, restart the Remote Access Management service (RaMgmtSvc) using the following PowerShell command.

Restart-Service RaMgmtSvc -PassThru

Once complete, refresh the management console and the IP-HTTPS error message should be resolved and the operations status should state that it is now working properly.

Additional Information

SSL Certificate Conisderations for DirectAccess IP-HTTPS

DirectAccess Expire IP-HTTPS Certificate and Error 0x800b0101

23 Comments

by Richard M. Hicks on November 26, 2018 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, PowerShell, Remote Access, transition technology, troubleshooting, Windows Server 2019

Tagged bug, DirectAccess, enterprise mobility, error, IP-HTTPS, IPv6, IPv6 transition technology, Mobility, PowerShell, publish route, Remote Access, routing, routing table, transition technology, troubleshooting, Windows, Windows Server, Windows Server 2019

Posted by Richard M. Hicks on November 26, 2018

https://directaccess.richardhicks.com/2018/11/26/directaccess-ip-https-not-working-properly-in-windows-server-2019/

Comparing DirectAccess and NetMotion Mobility – Australia and New Zealand

Australia and New Zealand! Comparing DirectAccess and NetMotion Mobility free live webinar Thursday, November 29 at 10:00AM AEDT. Register here!

For many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.

As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.

NetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.

To learn more about NetMotion Mobility, join me on Thursday, November 29 at 10:00AM AEDT (UTC +11) for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

DirectAccess Get-NetIPHttpsState Fails on Windows 10 1803

PowerShell is an essential tool for Windows administrators for configuration, task automation, monitoring, reporting, and problem resolution. When troubleshooting DirectAccess connectivity using the IP-HTTPS IPv6 transition technology, the Get-NetIPHttpsConfiguration and Get-NetIPHttpsState PowerShell commands are important for assessing the configuration and current state of the IP-HTTPS connection. When DirectAccess connectivity fails, these are some of the first commands an administrator will use to identify and resolve the issue.

Get-NetIPHttpsState

Get-NetIPHttpsState is especially helpful when IP-HTTPS connectivity fails because it returns an error code and interface status information that can provide clues as to why the connection was not completed successfully.

No Output in 1803

Beginning with Windows 10 1803, the DirectAccess administrator will notice that Get-NetIPHttpsState returns no data. The output of Get-NetIPHttpsState is blank.

Changes in 1803

As it turns out, this is a bug first introduced in Windows 10 1803 that is the result of a fundamental change in the way in which the IP-HTTPS interface is implemented in Windows. As of this writing, the bug has not been addressed in Windows 10 1803 or 1809.

Workaround

The good news is that there’s an easy workaround for this. Instead of using Get-NetIPHttpsState, the administrator can retrieve essential information about the IP-HTTPS interface using the following netsh command.

netsh interface httpstunnel show interface

Additional Information

SSL Certificate Considerations for DirectAccess IP-HTTPS

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

Troubleshooting DirectAccess IP-HTTPS Error Code 0x80090326

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error Code 0x2af9

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0101

4 Comments

by Richard M. Hicks on November 19, 2018 • Permalink

Posted in DirectAccess, enterprise mobility, IP-HTTPS, IPv6, IPv6 Transition, Mobility, PowerShell, Remote Access, transition technology, troubleshooting, Windows 10, Windows Server 2016

Tagged bug, DirectAccess, enterprise mobility, IP-HTTPS, IPv6, IPv6 transition technology, Mobility, netsh, PowerShell, Remote Access, security, troubleshooting, Windows, Windows 10, Windows 10 1803, Windows 10 1809, workaround

Posted by Richard M. Hicks on November 19, 2018

https://directaccess.richardhicks.com/2018/11/19/directaccess-get-netiphttpsstate-fails-on-windows-10-1803/

Always On VPN Device Tunnel Missing in Windows 10 UI

Unlike DirectAccess, Always On VPN connections are provisioned to the user, not the machine. Beginning with Windows 10 release 1709 Microsoft introduced the device tunnel option to provide feature parity with DirectAccess. The device tunnel provides pre-logon network connectivity to support important deployment scenarios such as logging on without cached credentials and unattended remote systems management.

Device Tunnel Configuration

Guidance for creating and deploying a device tunnel connection can be found here. It’s important to note that the device tunnel is always on by default. Also, there can only be a single device tunnel configured per device. You must remove an existing device tunnel before configuring a new one.

Known Issues

After configuring a Windows 10 Always On VPN device tunnel the administrator may notice two anomalies. First, the device tunnel is missing in the Windows UI after it is created. Second, viewing the status of the device tunnel connection using PowerShell indicates the connection is “disconnected” even though it is connected.

Device Tunnel Missing

As you can see below, event though both a device and user tunnel have been provisioned, the Windows UI reports only a single Always On VPN connection, that being the user connection.

However, the device tunnel does appear in the Network Connections control panel applet (ncpa.cpl), as shown here.

This is expected and by design. The device tunnel is not displayed to the user in the Windows UI as it is provisioned to the machine, not the user. It appears on the Control Panel because the applet is capable of enumerating both user and system connections.

Device Tunnel Disconnected

The status of the Windows 10 Always On VPN device tunnel connection can be viewed by running the Get-VpnConnection -AllUserConnection PowerShell command. However, at the time of this writing, PowerShell always reports the connection status as “Disconnected”. This appears to be a bug; one which Microsoft is hopefully working to address.

Summary

The Windows 10 Always On VPN device tunnel option allows administrators to enable scenarios previously supported with DirectAccess, including logging on without cached credentials and unattended remote support. Not all deployments require a device tunnel, but it is an important option available to administrators to address specific use cases.

Additional Information

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN RasMan Device Tunnel Failure

Deleting a Windows 10 Always On VPN Device Tunnel

34 Comments

by Richard M. Hicks on October 31, 2018 • Permalink

Posted in Always On VPN, AOVPN, DirectAccess, Enterprise, enterprise mobility, PowerShell, Remote Access, RRAS, Security, VPN, Windows 10

Tagged Always On VPN, AOVPN, bug, device tunnel, DirectAccess, feature, hotfix, Microsoft, Mobility, network, Networking, PowerShell, Remote Access, UI, update, user tunnel, VPN, Windows, Windows 10

Posted by Richard M. Hicks on October 31, 2018

https://directaccess.richardhicks.com/2018/10/31/always-on-vpn-device-tunnel-missing-in-windows-10-ui/

Comparing DirectAccess and NetMotion Mobility Webinar – October 2018

CORRECTION: This webinar will take place 14:00 BST on Thursday, 25 October.

To learn more about NetMotion Mobility, join me on Thursday, 25 October at 14:00 BST for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

Awards

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged DirectAccess

Fix or Workaround?

Connected Standby Settings

Additional Information

Share this:

Like this:

Share this:

Like this:

NetMotion Mobility

Endpoint Manager and Intune

Additional Information

Evaluate NetMotion Mobility

Share this:

Like this:

Certificate Expiration

PowerShell Script on GitHub

Important Considerations

Additional Information

Share this:

Like this:

Always On VPN

SstpOffload

DirectAccess

More to Come!

Standard Disclaimer

Additional Information

Share this:

Like this:

IP-HTTPS Route Error

Missing Route

Resolution

Additional Information

Share this:

Like this:

Share this:

Like this:

Get-NetIPHttpsState

No Output in 1803

Changes in 1803

Workaround

Additional Information

Share this:

Like this:

Device Tunnel Configuration

Known Issues

Device Tunnel Missing

Device Tunnel Disconnected

Summary

Additional Information

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

NetMotion Mobility

Recent Posts

Always On VPN Resources

DirectAccess Resources