All posts tagged management

What’s New in Always On VPN DPC 4.3.1

The latest release of PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), version 4.3.1, is now available for download. This recent update includes fixes for previously known issues. In addition, it contains some critical new features administrators will find helpful in addressing the challenges they face with Always On VPN client configuration.

What Is DPC?

Always On VPN DPC is a solution to manage Always On VPN client configuration settings. It was originally designed to be used with on-premises Active Directory but can also be deployed with Microsoft Intune. DPC streamlines the configuration and management of client settings and includes many advanced features to fine-tune and optimize Always On VPN.

What’s New in 4.3.1

The following essential features are new in the 4.3.1 release of DPC.

Add Device Tunnel Routes to User Tunnel

Always On VPN administrators can now configure DPC to add device tunnel routes to the user tunnel automatically. This configuration option ensures that all traffic flows of the user tunnel when both user and device tunnels are established.

Note: This feature also requires administrators to define route metric options in DPC. Ensure the user tunnel route metrics are set to a lower value than the device tunnel metrics for proper operation.

Restart RasMan

Always On VPN connections occasionally fail with error 602 (ERROR_PORT_ALREADY_OPEN). The workaround for this is to restart the RasMan service on the endpoint. DPC now supports automatically restarting the RasMan service when this error occurs, ensuring reliable operation for Always On VPN connections.

Machine Certificate Filtering

DPC 4.3.1 now includes a feature to allow administrators to enable machine certificate filtering for Always On VPN device tunnels. This addresses a challenge when the endpoint has multiple machine certificates in its local computer certificate store when the VPN server is configured to accept a certificate with a specific custom application policy (EKU).

Additional Features

In addition, the updated DPC agent core service now run as x64 processes. Also, DPC now supports VPN server FQDNs longer than 63 characters (good news for those using DPC with Azure VPN gateway!).

Download DPC

For those customers currently licensed for Always On VPN DPC you can download the latest release here.

https://support.poweronplatforms.com/support/solutions/articles/8000066807

Not using DPC?

If you’re not using DPC, you are missing out! You can learn more about DPC and register for a free evaluation by visiting the link below.

https://aovpndpc.com

Optionally, you can fill out the form below and I’ll provide you with more information.

Additional Information

PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Advanced Features

Always On VPN DPC with Microsoft Intune

Leave a comment
by Richard M. Hicks on June 3, 2024  •  Permalink
Posted in administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Azure VPN, Certificate Authentication, certificates, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Group Policy, InTune, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Operational Support, ProfileXML, Remote Access, Security, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 3, 2024

https://directaccess.richardhicks.com/2024/06/03/whats-new-in-always-on-vpn-dpc-4-3-1/

10 PowerShell Commands Always On VPN Administrators Should Know

Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.

RemoteAccess Module

The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.

Configuration Review

The following PowerShell commands are useful for reviewing the current RRAS server configuration.

Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.

Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.

Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.

System Health

Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:

Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize

User Activity

The following PowerShell commands can be used to view current and historical user activity details.

Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.

Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.

Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.

Management

The following PowerShell commands are helpful for reviewing authentication and logging settings.

Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.

Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.

Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.

Additional Modules

In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.

AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.

Install-Module -Name AovpnTools

InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.

Install-Module -Name InboxAccountingDatabaseManagement

Additional Information

Always On VPN and RRAS on Windows Server Core

Inbox Accounting Database Management

AovpnTools PowerShell Module on GitHub

Inbox Accounting Database Module on GitHub

2 Comments
by Richard M. Hicks on November 2, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Enterprise, enterprise mobility, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Security, Server Core, systems management, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 2, 2023

https://directaccess.richardhicks.com/2023/11/02/10-powershell-commands-always-on-vpn-administrators-should-know/

Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or PowerON DPC do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 to extract the deployed XML settings.
  3. Compare the order of settings to your existing XML.
  4. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  5. Publish a new XML configuration file using Intune and test.

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11

14 Comments
by Richard M. Hicks on October 9, 2023  •  Permalink
Posted in Always On VPN, AOVPN, AovpnDPC, Application Filter, Azure AD Join, Azure VPN, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobility, OMA-DM, OMA-URI, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, System Center Configuration Manager, systems management, Traffic Filter, Update, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 9, 2023

https://directaccess.richardhicks.com/2023/10/09/always-on-vpn-disconnects-in-windows-11/

« Older Posts