Always On VPN Static IP Address Assignment

A question that occasionally arises when I’m conducting an Always On VPN planning and design workshop for a customer is static IP address assignment options for VPN connections. Typically, the use case is a specific user that requires special access to a sensitive system internally. Assigning a static IP address to the user allows administrators to create firewall rules restricting access to this connection.

Static IP Assignment

Assigning a static IP address to a user is accomplished by editing the properties of their user account in Active Directory. Open the Active Directory Users and Computers console (dsa.msc), navigate to the Dial-in tab on the target individual’s Active Directory user account, and check the box next to Assign Static IP Addresses.

Next, click the Static IP Addresses button, check the box next to Assign a Static IPv4 address, and enter an IP address. Optionally, check the box next to Assign a static IPv6 address and enter a prefix and Interface ID, if required.

NPS Configuration

Once the user account in Active Directory is configured with a static IP address assignment, each NPS server in the organization must be registered in Active Directory. More details on Active Directory registration for NPS servers can be found here.

Caveats

Assigning static IP addresses to VPN users has many drawbacks and limitations. Consider the following.

Device IP

Assigning a static IP address to a device is not supported. You can only assign a static IP address to a user in Active Directory.

Address Assignment

The IP address you assign to the user must be from the same subnet as the VPN server’s internal network interface. If there is more than one VPN server, all VPN servers must be on the same subnet.

Multisite

Assigning static IP addresses to users is not supported when VPN servers are deployed in multiple locations.

Concurrent Sessions

Users with a static IP address assignment must only log on to one device at a time. If a user attempts to log in to multiple devices simultaneously, subsequent connections will fail due to the duplicate IP address assignment.

NPS

Always On VPN administrators may have discovered the option to assign a static IP address using NPS policy. Unfortunately, this option is severely limited. A separate NPS policy is needed for each user that requires a static IP address. However, NPS does not support assigning NPS policies to users, only groups. Technically speaking, you could create a separate group for each user needing a static IP address, but that’s not scalable. Also, it offers no real advantage over using the Active Directory method described above.

Summary

Although it’s possible to assign a static IP address to a user, there is currently no option to assign a static IP address to a device. In addition, static IP address assignment imposes other limitations that make the option challenging. Also, the inability to connect to geographically dispersed VPN servers is severely limiting.

Additional Information

Always On VPN and NPS Active Directory Registration

Always On VPN Client IP Address Assignment Methods

Always On VPN and IPv6

Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.

PEAP

CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.

Exposure

NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.

Mitigation

Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

Always On VPN Trusted Network Detection and Native Azure AD Join

Administrators deploying Microsoft Always On VPN are quickly learning that the native Azure Active Directory join (AADJ) model has significant advantages over the more traditional Hybrid Azure AD join (HAADJ) scenario. Native AADJ is much simpler to deploy and manage than HAADJ while still allowing full single sign-on (SSO) to on-premises resources for remote users. Intune even allows for the import of custom ADMX and ADML administrative templates, further reducing the dependency on on-premises Active Directory for device management.

Remote Management

Although devices aren’t joined to the domain, administrators may still wish to access those clients connected to their network for device discovery or to perform administrative tasks. However, when native AADJ clients connect via Always On VPN, the Public Windows firewall profile is assigned to the VPN tunnel adapter. The Public profile is, of course, more restrictive and blocks most management protocols by default.

Firewall Rules

While adding firewall rules to the Public profile to allow management protocols is possible, this isn’t recommended for security reasons. The Public profile is typically loaded when the device is on an untrusted network. Exposing management protocols on an insecure network is asking for trouble.

Domain Profile

Domain-joined or Hybrid AADJ endpoints will use the Domain Windows firewall profile. This profile is more permissive, allowing many standard management protocols by default. Also, administrators can add rules to allow additional access as required without increasing the risk for devices on untrusted networks.

Trusted Network Detection

So, the trick is to get a native AADJ endpoint to load the Domain profile for the VPN tunnel adapter when connected via Always On VPN. Trusted Network Detection is accomplished by using settings configured on the endpoint using the NetworkListManager Configuration Service Provider (CSP).

Intune and XML

There are two settings administrators can enable AADJ devices to detect a trusted network and load the Domain Windows firewall profile. Unfortunately, these settings can only be applied using Intune and the Custom XML template. Administrators will use the following OMA-URI settings.

AllowedTlsAuthenticationEndpoints

The AllowedTlsAuthenticationEndpoints policy setting defines the URL the device uses to validate a trusted network. The target must be an on-premises web server with a valid TLS certificate using HTTPS. The target must be a highly available internal resource inaccessible from the Internet. DirectAccess administrators will be quite familiar with this concept; it’s the Network Location Server (NLS)!

Use the following OMA-URI to configure the TLS authentication endpoint.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/AllowedTlsAuthenticationEndpoints

String: <![CDATA[https://nls.corp.example.net]]>

ConfiguredTlsAuthenticationNetworkName

The ConfiguredTlsAuthenticationNetworkName policy setting is optional. Administrators can use this setting to provide a friendly name for the authenticated trusted network. The FQDN of the target resource (NLS) is used by default. However, using this setting overrides the default with something more meaningful.

Use the following OMA-URI to configure the TLS authentication network name.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/ConfiguredTlsAuthenticationNetworkName

String: <Friendly network name>

Results

Once configured, you’ll find the Always On VPN tunnel adapter uses the Domain Windows firewall profile and an optional friendly network name.

Additional Information

Deploying Always On VPN with Intune using Custom XML and CSP

Always On VPN CSP Updates

Always On VPN and VpnStrategy with CSP