It is with great pleasure that I announce Richard M. Hicks Consulting, Inc. has been included in Enterprise Networking Magazine’s Top 10 VPN consulting services for 2020! Enterprise Networking Magazine is a leading magazine and web site dedicated to the enterprise networking industry and its professionals.
You can read the full write-up on Richard M. Hicks Consulting, Inc. at Enterprise Networking’s web site here.
Posted by Richard M. Hicks on May 18, 2020
https://directaccess.richardhicks.com/2020/05/18/enterprise-networking-magazine-top-10-vpn-consulting-services-2020/
NetMotion Software and Microsoft have now partnered to integrate NetMotion Mobility with Microsoft Endpoint Manager and Intune. NetMotion Mobility is a purpose-built enterprise VPN solution that has many advantages over competing remote access technologies. Using Microsoft Endpoint Manager or Intune, organizations can now quickly and easily provision NetMotion client software to their managed devices.
NetMotion Mobility is a popular remote access solution designed to meet the needs of enterprise organization with diverse mobility requirements. NetMotion Mobility uses a proprietary transport protocol that, unlike any other solution, is designed for mobility from inception. It includes many advanced features not found anywhere else. You can learn more about NetMotion Mobility here.
More information about the NetMotion Software and Microsoft Endpoint Manager and Intune partnership here.
5 Things NetMotion Mobility Can Do that Microsoft DirectAccess Can’t
5 Things NetMotion Mobility Can Do that Microsoft Windows 10 Always On VPN Can’t
Comparing NetMotion Mobility and Microsoft DirectAccess
Interested in learning more about NetMotion Mobility? Complete the form below and I’ll provide you with more information.
Posted by Richard M. Hicks on March 11, 2020
https://directaccess.richardhicks.com/2020/03/11/netmotion-mobility-with-microsoft-endpoint-manager-and-intune/
Important! Updated April 29, 2020 to resolve an issue where the DirectAccess RADIUS encryption certificate was not published to the DirectAccess Server Settings GPO in Active Directory.
When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption. Administrators may also selectively choose to use self-signed certificates for IP-HTTPS, or when collocating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.
These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.
The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.
When the IP-HTTPS certificate is renewed using this script, DirectAccess clients outside will be immediately disconnected and will be unable to reconnect until they update group policy. This will require connecting to the internal network locally or remotely using another VPN solution. The NLS and RADIUS encryption certificates can be updated without impacting remote users.
In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.
Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false
PowerShell Recommended Reading for DirectAccess Administrators
Top 5 DirectAccess Troubleshooting PowerShell Commands
Posted by Richard M. Hicks on May 2, 2019
https://directaccess.richardhicks.com/2019/05/02/renew-directaccess-self-signed-certificates/
If you’re looking for specialized configuration scripts for Windows 10 Always On VPN, Windows Server Routing and Remote Access Service (RRAS), or DirectAccess then have a look at my GitHub page! There I’ve uploaded a few tools I’ve created (with the help of my good friend Jeff Hicks!) along with some sample ProfileXML files. Here’s a sample of what you’ll find there today.
This repository includes PowerShell scripts and sample ProfileXML files used for configuring Windows 10 Always On VPN. These scripts have been adopted from those provided by Microsoft and modified to work with a separate XML file. These scripts can be used for local testing and for deploying Always On VPN connections using System Center Configuration Manager (SCCM). The ProfileXML files can be helpful for those administrators looking for real world configuration examples.
https://github.com/richardhicks/aovpn
This repository includes a PowerShell script to enable TLS offload for Windows Server RRAS Secure Socket Tunneling Protocol (SSTP) VPN connections when the public SSL certificate can’t be installed on the RRAS server. TLS offload for SSTP can be enabled in scenarios where better security, performance, and scalability are desired.
https://github.com/richardhicks/sstpoffload
This repository includes the PowerShell script Move-DaInboxAccountingDatabase which can be used to move the DirectAccess inbox accounting database files. The default location of the database files is on the C: drive, and many administrators have encountered disk space issues, especially in large scale deployments. This script will relocate the database files to the location of your choice.
https://github.com/richardhicks/directaccess
Be sure to check my GitHub site for more PowerShell script and sample files on a regular basis. Or better yet, give me a follow! I’ll be sure to post more as time goes on. In addition, I’ll be going through my older articles where I’ve provided PowerShell code samples and will include them in the repository too.
All the sample files and PowerShell scripts I’ve shared on GitHub are provided as-is. Although they’ve been thoroughly tested, I can’t be certain I’ve accommodated every deployment scenario. Please use caution when running these scripts on production machines.
Posted by Richard M. Hicks on January 15, 2019
https://directaccess.richardhicks.com/2019/01/15/always-on-vpn-and-directaccess-scripts-and-sample-files-on-github/
After installing and configuring DirectAccess in Windows Server 2019 you may encounter an error message indicating that IP-HTTPS is not working properly. Looking at the Operations Status overview in the Dashboard of the Remote Access Management console shows that the IP-HTTPS interface is in error.
Viewing the detailed Operations Status shows the following error message.
Error: The IP-HTTPS route does not have published property enabled.
Looking at the routing table on the DirectAccess server reveals that a route to the client IPv6 prefix is indeed missing.
To resolve this error message, add the client IPv6 route to the DirectAccess server’s routing table and publish it. This is accomplished by running the following PowerShell commands on the DirectAccess server.
$IPv6prefix = (Get-RemoteAccess).ClientIPv6Prefix
New-NetRoute -AddressFamily IPv6 -DestinationPrefix $IPv6prefix -InterfaceAlias “Microsoft IP-HTTPS Platform Interface” -Publish Yes
Next, restart the Remote Access Management service (RaMgmtSvc) using the following PowerShell command.
Restart-Service RaMgmtSvc -PassThru
Once complete, refresh the management console and the IP-HTTPS error message should be resolved and the operations status should state that it is now working properly.
SSL Certificate Conisderations for DirectAccess IP-HTTPS
DirectAccess Expire IP-HTTPS Certificate and Error 0x800b0101
Posted by Richard M. Hicks on November 26, 2018
https://directaccess.richardhicks.com/2018/11/26/directaccess-ip-https-not-working-properly-in-windows-server-2019/
Australia and New Zealand! Comparing DirectAccess and NetMotion Mobility free live webinar Thursday, November 29 at 10:00AM AEDT. Register here!
For many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.
As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.
NetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.
To learn more about NetMotion Mobility, join me on Thursday, November 29 at 10:00AM AEDT (UTC +11) for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!
Posted by Richard M. Hicks on November 20, 2018
https://directaccess.richardhicks.com/2018/11/20/comparing-directaccess-and-netmotion-mobility-australia-and-new-zealand/
PowerShell is an essential tool for Windows administrators for configuration, task automation, monitoring, reporting, and problem resolution. When troubleshooting DirectAccess connectivity using the IP-HTTPS IPv6 transition technology, the Get-NetIPHttpsConfiguration and Get-NetIPHttpsState PowerShell commands are important for assessing the configuration and current state of the IP-HTTPS connection. When DirectAccess connectivity fails, these are some of the first commands an administrator will use to identify and resolve the issue.
Get-NetIPHttpsState is especially helpful when IP-HTTPS connectivity fails because it returns an error code and interface status information that can provide clues as to why the connection was not completed successfully.
Beginning with Windows 10 1803, the DirectAccess administrator will notice that Get-NetIPHttpsState returns no data. The output of Get-NetIPHttpsState is blank.
As it turns out, this is a bug first introduced in Windows 10 1803 that is the result of a fundamental change in the way in which the IP-HTTPS interface is implemented in Windows. As of this writing, the bug has not been addressed in Windows 10 1803 or 1809.
The good news is that there’s an easy workaround for this. Instead of using Get-NetIPHttpsState, the administrator can retrieve essential information about the IP-HTTPS interface using the following netsh command.
netsh interface httpstunnel show interface
SSL Certificate Considerations for DirectAccess IP-HTTPS
Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109
Troubleshooting DirectAccess IP-HTTPS Error Code 0x80090326
Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320
Posted by Richard M. Hicks on November 19, 2018
https://directaccess.richardhicks.com/2018/11/19/directaccess-get-netiphttpsstate-fails-on-windows-10-1803/
Unlike DirectAccess, Always On VPN connections are provisioned to the user, not the machine. Beginning with Windows 10 release 1709 Microsoft introduced the device tunnel option to provide feature parity with DirectAccess. The device tunnel provides pre-logon network connectivity to support important deployment scenarios such as logging on without cached credentials and unattended remote systems management.
Guidance for creating and deploying a device tunnel connection can be found here. It’s important to note that the device tunnel is always on by default. Also, there can only be a single device tunnel configured per device. You must remove an existing device tunnel before configuring a new one.
After configuring a Windows 10 Always On VPN device tunnel the administrator may notice two anomalies. First, the device tunnel is missing in the Windows UI after it is created. Second, viewing the status of the device tunnel connection using PowerShell indicates the connection is “disconnected” even though it is connected.
As you can see below, event though both a device and user tunnel have been provisioned, the Windows UI reports only a single Always On VPN connection, that being the user connection.
However, the device tunnel does appear in the Network Connections control panel applet (ncpa.cpl), as shown here.
This is expected and by design. The device tunnel is not displayed to the user in the Windows UI as it is provisioned to the machine, not the user. It appears on the Control Panel because the applet is capable of enumerating both user and system connections.
The status of the Windows 10 Always On VPN device tunnel connection can be viewed by running the Get-VpnConnection -AllUserConnection PowerShell command. However, at the time of this writing, PowerShell always reports the connection status as “Disconnected”. This appears to be a bug; one which Microsoft is hopefully working to address.
The Windows 10 Always On VPN device tunnel option allows administrators to enable scenarios previously supported with DirectAccess, including logging on without cached credentials and unattended remote support. Not all deployments require a device tunnel, but it is an important option available to administrators to address specific use cases.
Windows 10 Always On VPN Device Tunnel Configuration using PowerShell
Windows 10 Always On VPN RasMan Device Tunnel Failure
Deleting a Windows 10 Always On VPN Device Tunnel
Posted by Richard M. Hicks on October 31, 2018
https://directaccess.richardhicks.com/2018/10/31/always-on-vpn-device-tunnel-missing-in-windows-10-ui/
CORRECTION: This webinar will take place 14:00 BST on Thursday, 25 October.
For many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.
As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.
NetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.
To learn more about NetMotion Mobility, join me on Thursday, 25 October at 14:00 BST for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!
Posted by Richard M. Hicks on October 22, 2018
https://directaccess.richardhicks.com/2018/10/22/comparing-directaccess-and-netmotion-mobility-webinar-october-2018/
With DirectAccess approaching the end of its useful lifetime, many organizations are considering alternative solutions to provide seamless, transparent, always on remote connectivity for their field-based workers. Microsoft is positioning Windows 10 Always On VPN as the replacement for DirectAccess. While it provides many new features that were missing from DirectAccess, it has its own unique limitations and shortcomings.
NetMotion Mobility Purpose-Built Enterprise VPN
NetMotion Mobility Purpose-Built Enterprise VPN Advanced Features
NetMotion Mobility is an excellent alternative to DirectAccess and Always On VPN, and it has many advantages over both native Microsoft offerings. NetMotion Mobility offers better security and performance. It provides deep visibility with broad client support, and the solution is easier to support than DirectAccess.
If you’d like to learn more about how NetMotion Mobility compares with DirectAccess, you will find detailed comparison information in my Comparing NetMotion Mobility and DirectAccess article series on the NetMotion blog.
Comparing NetMotion Mobility and DirectAccess – Security
Comparing NetMotion Mobility and DirectAccess – Performance
Comparing NetMotion Mobility and DirectAccess – Visibility
Comparing NetMotion Mobility and DirectAccess – Supported Clients
Comparing NetMotion Mobility and DirectAccess – Support
Watch the following videos to see NetMotion Mobility in action.
NetMotion Mobility Demonstration Video
NetMotion Mobility and Skype for Business Demonstration Video
NetMotion Mobility is a premium remote access solution with many of the same characteristics as DirectAccess; seamless, transparent, and always on. It is feature rich with numerous compelling benefits over native Microsoft remote access technologies. Organizations seeking a solution to replace Microsoft DirectAccess would benefit greatly from NetMotion Mobility.
If you’d like to learn more about NetMotion Mobility, or if you’d like to evaluate their solution, fill out the form below and I’ll respond with more information.
Posted by Richard M. Hicks on June 4, 2018
https://directaccess.richardhicks.com/2018/06/04/comparing-directaccess-and-netmotion-mobility/
