Always On VPN Hands On Training in 2020

The calendar of events for our Windows 10 Always On VPN hands-on training classes is now available!

2020 Training Calendar

This year we will be making the following stops.

  • March 3-5 – Denver, CO
  • April 14-16 – New York, NY
  • June 15-15 – Bern, Switzerland (hosted by RealStuff – register here!)
  • August 18-20 – Honolulu, HI
  • October 6-8 – Washington D.C.
  • December 1-3 – San Diego, CA

Always On VPN Hands-On Training

Comprehensive Training

My Windows 10 Always On VPN hands-on training classes will cover all aspects of designing, implementing, and supporting an Always On VPN solution in the enterprise. This three-day course will cover topics such as…

  • Windows 10 Always On VPN overview
  • Introduction to CSP
  • Infrastructure requirements
  • Planning and design considerations
  • Installation, configuration, and client provisioning

Advanced topics will include…

  • Redundancy and high availability
  • Cloud-based deployments
  • Third-party VPN infrastructure and client support
  • Multifactor authentication
  • Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Register Today

Space is limited, so register now to reserve your spot in one of our Always On VPN hands-on training classes. Hope to see you there!

Always On VPN Hands-On Training

Always On VPN Training at TechMentor Redmond 2019

TechMentor Redmond 2019I’m pleased to announce that I’ll be delivering two technical training sessions at this year’s TechMentor Redmond event. This event takes place on the Microsoft campus in Redmond, WA August 5-9, 2019. I’ll be presenting two sessions on Thursday, August 8. They are:

TH16 – Wireshark Essentials: Your First Day with Wireshark

During this session you will learn essential techniques for optimizing packet analysis using Wireshark. Topics will include filter and display tips, workspace oganization, using shortcuts for common tools, and configuring Wireshark profiles. I’ll also touch upon some advanced techniques such as graphing and geography database integration.

TH20 – Always On VPN: The Good, the Bad, and the Ugly!

During this session you will gain a full understanding of Always On VPN including and how it compares with its predecessor, DirectAccess. I’ll share detailed information about this new technology, and how it best fits in to your organizations mobility strategy. Always On VPN has some important advantages over DirectAccess, and some challenging drawbacks. I’ll explain everything good, bad, and even the ugly.

TechMentor Redmond 2019

 

Don’t miss out on this fantastic event. Register now to take advantage of early bird savings, which end June 7. Hope to see you there!

Always On VPN Training in Switzerland June 2019

Always On VPN Training in Switzerland June 2019I’m pleased to announce that I’ll be bringing my popular Windows 10 Always On VPN hands-on training course to Europe in June this year! Many of you asked about training opportunities outside of the U.S., so I’ve added a class to be held in Bern, Switzerland from June 3-5, 2019.

Sponsored by RealStuff, this three-day hands-on training class will provide comprehensive education covering all aspects of an Always On VPN deployment, including the following.

  • Windows 10 Always On VPN overview
  • Introduction to CSP
  • Infrastructure requirements
  • Planning and design considerations
  • Installation, configuration, and client provisioning

Additional advanced topics will also be covered.

  • Redundancy and high availability
  • Cloud-based deployments
  • Third-party VPN infrastructure and client support
  • Multifactor authentication
  • Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Don’t miss out on this valuable learning opportunity! Seating is limited, so register today!

Always On VPN Training in Switzerland June 2019

Comparing DirectAccess and NetMotion Mobility – Australia and New Zealand

Australia and New Zealand! Comparing DirectAccess and NetMotion Mobility free live webinar Thursday, November 29 at 10:00AM AEDT. Register here!

DirectAccess on Windows Server 2016 CoreFor many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.

As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.

NetMotion Mobility as an Alternative to DirectAccessNetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.

To learn more about NetMotion Mobility, join me on Thursday, November 29 at 10:00AM AEDT (UTC +11) for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

DirectAccess and NetMotion Mobility Webinar

Always On VPN at TechMentor Redmond 2018

Always On VPN at TechMentor Redmond 2018I’m pleased to announce I’ll be presenting at the upcoming TechMentor 2018 conference is Redmond, Washington. It will be held on the Microsoft campus August 6-10, 2018. I’ll be giving a talk on Windows 10 Always On VPN for DirectAccess administrators. During this session you’ll learn about the features and capabilities in Always On VPN, how to map existing DirectAccess functionality to Always On VPN, and how to provision clients using Microsoft Intune. I will also share implementation and security best practices, along with DirectAccess to Always On VPN migration guidance.

Always On VPN at TechMentor Redmond 2018

Register today with code RDSPK10 and save $500.00! I hope you’ll join me in Redmond this year for this exceptional learning opportunity. TechMentor provides in-depth, immediately useable education that will absolutely make your life easier!

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShellWindows 10 Always On VPN and DirectAccess both provide seamless, transparent, always on remote network access for Windows clients. However, Always On VPN is provisioned to the user, not the machine as it is with DirectAccess. This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on. For example, pre-logon connectivity is required to support remote logon without cached credentials. To address this issue and to provide feature parity with DirectAccess, Microsoft introduced support for a device tunnel configuration option beginning with Windows 10 version 1709 (Fall creators update).

Learn Windows 10 Always On VPN today! Register for an upcoming Always On VPN Hands-On Training class. Locations remaining for 2019 include Dallas, Washington D.C., San Francisco, and San Diego. More details here!

Prerequisites

To support an Always On VPN device tunnel, the client computer must be running Windows 10 Enterprise or Education version 1709 (Fall creators update) or later. It must also be domain-joined and have a computer certificate with the Client Authentication Enhanced Key Usage (EKU) issued by the organization’s Public Key Infrastructure (PKI).

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

In addition, only the built-in Windows VPN client is supported for Always On VPN device tunnel. Although Windows 10 Always On VPN user connections can be configured using various third-party VPN clients, they are not supported for use with the device tunnel.

VPN ProfileXML

The Always On VPN device tunnel is provisioned using an XML file. You can download a sample VPN ProfileXML file here. Make any changes required for your environment such as VPN server hostnames, routes, traffic filters, and remote address ranges. Optionally include the trusted network detection code, if required. Do not change the protocol type or authentication methods, as these are required.

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Reference: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel

Once the ProfileXML file is created, it can be deployed using Intune, System Center Configuration Manager (SCCM), or PowerShell. In this post I’ll cover how to configure Windows 10 Always On VPN device tunnel using PowerShell.

Client Configuration

Download the PowerShell script located here and then copy it to the target client computer. The Always On VPN device tunnel must be configured in the context of the local system account. To accomplish this, it will be necessary to use PsExec, one of the PsTools included in the Sysinternals suite of utilities. Download PsExec here, copy it to the target machine, and then run the following command in an elevated PowerShell command window.

PsExec.exe -i -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Another elevated PowerShell window will open, this one now running in the context of the local system account. In this window, navigate to the folder where you copied the PowerShell script and XML file to. Run the PowerShell script and specify the name of the ProfileXML file, as shown below.

VPN_Profile_Device.ps1 -xmlFilePath .\profileXML_device.XML -ProfileName DeviceTunnel

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

To verify creation of the VPN device tunnel, run the following PowerShell command.

Get-VpnConnection -AllUserConnection

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Note: In Windows 10 releases prior to 1903 the ConnectionStatus will always report Disconnected. This has been fixed in Windows 10 1903.

Server Configuration

If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) as your VPN server, you must enable machine certificate authentication for VPN connections and define a root certification authority for which incoming VPN connections will be authenticated with. To do this, open an elevated PowerShell command and run the following commands.

$VPNRootCertAuthority = “Common Name of trusted root certification authority”
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like “*$VPNRootCertAuthority*” })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Limitations

Using PowerShell to provision an Always On VPN device tunnel is helpful for initial testing and small pilot deployments, but it does not scale very well. For production deployments it is recommended that Microsoft Intune be used to deploy Always On VPN device tunnel.

Deploy Device Tunnel with Intune

Guidance for deploying an Always On VPN device tunnel using Microsoft Intune can be found here. You can also view the following demonstration video that includes detailed guidance for provisioning the Always On VPN device tunnel using Microsoft Intune.

Summary

Once the Always On VPN device tunnel is configured, the client computer will automatically establish the connection as soon as an active Internet connection is detected. This will enable remote logins for users without cached credentials, and allow administrators to remotely manage Always On VPN clients without requiring a user to be logged on at the time.

Additional Information

Deploy Windows 10 Always On VPN Device Tunnel using Microsoft Intune

VIDEO: Deploying Windows 10 Always On VPN Device Tunnel using Microsoft Intune

Windows 10 Always On VPN Device Tunnel Does Not Connect Automatically

Windows 10 Always On VPN Device Tunnel Does Not Appear in the UI

Windows 10 Always On VPN Hands-On Training

 

 

 

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell Recommended Reading for DirectAccess and Always On VPN AdministratorsPowerShell is an important skill for administrators supporting Microsoft workloads including DirectAccess and Always On VPN. Using PowerShell to install required roles and features is much simpler and quicker than using the Graphical User Interface (GUI), with only a single command required to accomplish this task. Some settings aren’t exposed in the GUI and can only be configured using PowerShell. In addition, PowerShell makes the task of troubleshooting DirectAccess and Always On VPN much easier.

Learn PowerShell

One of the best resources for learning PowerShell is the book Learn PowerShell in a Month of Lunches authored by Microsoft MVPs and recognized PowerShell experts Don Jones and Jeff Hicks. This book, now in its third edition, should be considered essential reading for all Microsoft administrators. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

Learn PowerShell Scripting

Recently Don and Jeff released a new book entitled Learn PowerShell Scripting in a Month of Lunches. This new book builds upon the skills learned in their first title by focusing on the development of PowerShell scripts to automate many common administrative tasks. PowerShell scripts can also be used to build custom, reusable tools to more effectively manage and monitor Microsoft workloads. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell for the Future

In my experience, far too many administrators today lack crucial PowerShell abilities. Don’t get left behind! PowerShell is rapidly becoming a required skill, so get these books and start learning PowerShell today!

Additional Resources

Top 5 DirectAccess Troubleshooting PowerShell Commands

Configure Windows Server Core to use PowerShell by Default

 

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Planning and Implementing DirectAccess with Windows Server 2016I’m pleased to announce my newest video training course, Managing and Supporting DirectAccess with Windows Server 2016, is now available on Pluralsight! This new course is a follow-up to my previous course, Planning and Implementing DirectAccess with Windows Server 2016. This latest course builds upon the first one and covers advanced configuration such as enabling load balancing, configuring geographic redundancy, and enforcing strong user authentication using one-time passwords (OTP) and smart cards.

In addition, monitoring and reporting is covered, as well as implementing manage out for DirectAccess clients in supported scenarios. The course also includes a full hour of in-depth DirectAccess configuration and connectivity troubleshooting that will be valuable for all DirectAccess administrators.

The course includes the following training modules:

Configuring High Availability
Enabling Strong User Authentication
DirectAccess Monitoring and Reporting
Implementing Outbound Management for DirectAccess Clients
DirectAccess Troubleshooting

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my latest DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 book

DirectAccess Troubleshooting and Configuration Training at TechMentor Redmond 2017

DirectAccess and Windows 10 in EducationI’m really excited to announce that I have once again been invited to speak at the upcoming TechMentor event in Redmond, WA August 7-11, 2017! This year I’ll be presenting two important deep-dive training sessions on DirectAccess. The first is a three-hour course on implementing DirectAccess using Windows Server 2016. This session will cover infrastructure prerequisites as well as tips, tricks, and best practices for implementing DirectAccess using Windows Server 2016. In addition I will also be delivering a three-hour deep dive on DirectAccess troubleshooting. In this session, I’ll share valuable insight, tools, and techniques for quickly identifying and resolving many common DirectAccess connectivity and performance issues. In addition I will also be giving a short talk on getting started with Azure site-to-site networking. If you want to take advantage of the power and flexibility that the Azure public cloud has to offer, extending your on-premises datacenter using site-to-site VPN is essential.

Register today using code TMSPK05 and save!

M01: Implementing DirectAccess with Windows Server 2016
T03: DirectAccess Troubleshooting Deep Dive
T07: Getting Started with Azure Site-to-Site Networking

TechMentor Redmond 2017

DirectAccess Training at TechMentor Conference Orlando 2016

Live! 360 Orlando 2016I am pleased to announce that I’ll be participating in the upcoming TechMentor conference in Orlando, FL in December. The TechMentor conference is part of the larger Live!360 event and offers a compelling agenda of training for IT professionals. I’ll be delivering the following sessions that are focused on providing secure remote access using Windows Server 2016.

TMT01 – Implementing DirectAccess in Windows Server 2016
TMT04 – DirectAccess Troubleshooting Deep Dive
TMT11 – Client-based VPN in Azure with Windows Server 2016

Don’t miss out on this outstanding conference. Register today and save $500.00!

%d bloggers like this: