All posts tagged enterprise mobility

Always On VPN and IPv6

Internet Protocol version 6 (IPv6) has been with us for nearly 30 years. IPv6 adoption on the public Internet has steadily increased over the last decade, and today is approaching 50%. However, enterprise adoption of IPv6 has been surprisingly sluggish despite its numerous benefits. IPv6 includes an expanded address space that removes complex subnetting requirements and globally unique addressing that eliminates the need to perform Network Address Translation (NAT), among others. Organizations should consider deploying IPv6 internally to take advantage of these capabilities.

IPv6 and RRAS

I’ve deployed Microsoft Always On VPN for customers using IPv6 numerous times. The following describes configuration settings required to support IPv6 in a Microsoft environment using a Windows Server Routing and Remote Access (RRAS) server.

To begin, open the Routing and Remote Access management console (rrasmgmt.msc) on the RRAS VPN server, then follow the steps below to enable IPv6 support for Always On VPN connections.

Note: The configuration below assumes that IPv6 is already deployed on the internal network, either natively or dual-stacked with IPv4.

IPv6 Remote Access

Perform the following steps to enable IPv6 remote access on the RRAS VPN server.

  1. Right-click the RRAS VPN server in the navigation tree and choose Properties.
  2. Check the box next to the IPv6 Remote access server on the General tab.

Prefix Assignment

Next, an IPv6 prefix must be assigned to each RRAS VPN server. This IPv6 prefix must be unique for each server and not in use anywhere else on the internal network. Unlike IPv4, IPv6 addresses cannot be assigned from the same prefix (subnet) as the VPN server’s internal network interface. With that, ensure that internal network IPv6 routing returns traffic for the assigned IPv6 prefixes to the corresponding VPN server.

Perform the following steps to assign an IPv6 prefix for VPN client use.

  1. Right-click the RRAS VPN server in the navigation tree and choose Properties.
  2. Select the IPv6 tab.
  3. Check the box next to Enable IPv6 Forwarding.
  4. If force tunneling is required (not recommended), check the box next to Enable Default Route Advertisement.
  5. Enter an IPv6 prefix in the IPv6 prefix assignment field. Again, ensure the IPv6 prefix is globally unique, and that internal network routing is configured to return traffic to the VPN server that owns the prefix.
  6. If your RRAS server is multi-homed, select the internal network interface from the Adapter drop-down list.

DHCP

Organizations with IPv6 deployed internally may use Microsoft Windows DHCPv6 or a dedicated DNS/DHCP/IP Address Management (IPAM) (DDI) solution like Infoblox. However, Windows Server RRAS does not support DHCPv6 for VPN client IP address assignment. Administrators must manually assign an IPv6 prefix per server. However, administrators can use DHCP alongside IPv6 prefix assignment for VPN client IPv4 addressing.

Limitations

While IPv6 may solve some problems for Always On VPN administrators, it has some limitations. Here are some crucial considerations for IPv6 and Always On VPN at the time of this writing.

Traffic Filters

You cannot use IPv6 when configuring traffic filters for Always On VPN. Specifying IPv6 elements in a traffic filter rule will prevent Always On VPN from working at all. More details here.

Intune and Routing

When split tunneling is enabled, Microsoft Intune will not accept IPv6 routes using the standard IPv6 subnet prefix of /64. The UI complains that “the value must be between 1 and 32”.

You can use the custom XML deployment option to configure Always On VPN to support split tunneling correctly as a workaround.

Additional Information

Overview of IPv6

Everything You Never Knew about NAT

Disabling IPv6 Breaks Windows Server RRAS

Microsoft Always On VPN Traffic Filters and IPv6

Discussing Microsoft and IPv6 on the IPv6 Buzz Podcast (Packet Pushers)

2 Comments
by Richard M. Hicks on January 22, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Application Filter, Deployment, device tunnel, Enterprise, enterprise mobility, Infrastructure, IPv6, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Remote Access, routing, routing and remote access service, RRAS, split tunnel, split tunneling, Traffic Filter, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 22, 2024

https://directaccess.richardhicks.com/2024/01/22/always-on-vpn-and-ipv6/

Always On VPN RRAS Centralized Monitoring and Reporting

A while back, I wrote about the monitoring and reporting options for Windows Server Routing and Remote Access (RRAS) servers supporting Microsoft Always On VPN. In that article, I outlined how administrators can use the Routing and Remote Access Management console (rrasmgmt.msc) or the Remote Access Management console (ramgmtui.exe) to perform configuration tasks and review current user and device activity. However, neither solution is ideal in a distributed environment with multiple RRAS servers. Thankfully, there’s a new option available to address this crucial limitation today.

Centralized Reporting

I’m excited to announce the availability of a cloud-based, centralized reporting solution for Windows Server RRAS and Always On VPN from the folks at PowerON Platforms. Created by the folks that brought us the Dynamic Profile Configurator (DPC) solution for managing Always On VPN client configuration settings, PowerON Platforms’ new reporting solution allows administrators to aggregate configuration, performance, and user activity data from multiple individual RRAS servers across their organization.

Important! I’ll be joining the folks at PowerON Platforms for a webinar on Thursday, January 18 to introduce and demonstrate this new Always On VPN reporting solution. Register now!

Summary View

The Summary view page provides a consolidated high-level look at the environment’s health status and capacity of VPN servers. Administrators can quickly see if any servers are unhealthy and view current usage details to assess the capacity of the deployment.

Server Overview

The Server Overview page provides a more detailed look at individual server health status and configuration. Here, you’ll find information about the number of active and available connections and the TLS certificate status. In addition, you’ll find detailed information about provisioned CPU and RAM, disk space utilization, and system uptime. You will also see information about the size of the reporting database on disk and the number of IKEv2 and SSTP VPN ports provisioned.

VPN Server Configuration

The VPN Server Configuration page looks into the IP address pool configuration and current utilization. In addition, this page provides an in-depth look at the VPN server TLS certificate health status. Currently, configured authentication and accounting servers are also shown.

Server Performance

The Server Performance page shows granular details about resource utilization on RRAS servers. This includes CPU and memory utilization, disk space usage, and database size. Administrators can view aggregated data or select individual servers. The view can be further customized by filtering by date.

Connection History

The Connection History page details concurrent connections observed on all VPN servers. Data can be filtered by date, individual server, and user or device name.

Client Distribution

The Client Distribution page provides an intuitive graphical display of client activity by server and tunnel type. In addition, it includes details about usage by individual clients and the number of connections made by individual endpoints.

Connection Detail

The Connection Detail page allows administrators to view user activity across all servers in the organization. Once again, data can be filtered by date, individual server, and user or device name. This view provides granular details on user activity, enabling the administrator to drill down to view specific resources accessed over the VPN for individual sessions.

Data Flow

The Data Flow page displays information about data transfer through the VPN server.

Summary

The Always On VPN cloud-based centralized reporting solution for Microsoft Always On VPN by PowerON Platforms is sure to be helpful for organizations managing distributed RRAS server deployments. The reporting solution aggregates data from all RRAS servers in the enterprise, providing a holistic view of configuration, health status, and user activity in one management console. This consolidated visibility is crucial for capacity planning and configuration maintenance, making the identification of performance bottlenecks or misconfigured servers easy. Also, the ability to view certificate expiration status for all servers in the organization is sure to prevent outages. Security administrators will find the solution helpful for forensic reporting and to identify sources of data leakage and exfiltration.

You can contact PowerON Platforms and request additional information here.

More Information

Are you interested in learning more about PowerON Platforms Always On VPN reporting? Would you like an interactive solution demonstration or an evaluation license to trial the product in your environment? Fill out the form below, and I’ll contact you with more details.

Submit a form.
Leave a comment
by Richard M. Hicks on January 9, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, AovpnDPC, Azure, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, multisite, Operational Support, Remote Access, Remote Administration, reporting, routing and remote access service, RRAS, RSAT, Security, systems management, VPN, webinar, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 9, 2024

https://directaccess.richardhicks.com/2024/01/09/always-on-vpn-rras-centralized-monitoring-and-reporting/

Always On VPN October 2023 Security Updates

Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.

IKEv2

CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.

L2TP

This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.

Mitigation

The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.

Additional Information

October 2023 Security Updates

Leave a comment
by Richard M. Hicks on October 10, 2023  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Hotfix, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2023

https://directaccess.richardhicks.com/2023/10/10/always-on-vpn-october-2023-security-updates/

« Older Posts
Newer Posts »